Merge branch 'rework-options' of https://github.com/copumpkin/nix

2025-07-02 17:41:48 +02:00 · 2017-04-13 16:15:51 +02:00 · 2017-04-13 16:15:51 +02:00 · 1860070548
commit 1860070548
parent 2040240e23 e7cb2847ab
11 changed files with 222 additions and 93 deletions
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@ -17,12 +17,23 @@ namespace nix {
   must be deleted and recreated on startup.) */
 #define DEFAULT_SOCKET_PATH "/daemon-socket/socket"

+/* chroot-like behavior from Apple's sandbox */
+#if __APPLE__
+    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
+#else
+    #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
+#endif

 Settings settings;


 Settings::Settings()
 {
+    deprecatedOptions = StringSet({
+        "build-use-chroot", "build-chroot-dirs", "build-extra-chroot-dirs",
+        "this-option-never-existed-but-who-will-know"
+    });
+
    nixPrefix = NIX_PREFIX;
    nixStore = canonPath(getEnv("NIX_STORE_DIR", getEnv("NIX_STORE", NIX_STORE_DIR)));
    nixDataDir = canonPath(getEnv("NIX_DATA_DIR", NIX_DATA_DIR));
@ -71,6 +82,32 @@ Settings::Settings()
    netrcFile = fmt("%s/%s", nixConfDir, "netrc");
    caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
    enableImportFromDerivation = true;
+    useSandbox = "false"; // TODO: make into an enum
+
+#if __linux__
+    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
+#endif
+
+    restrictEval = false;
+    buildRepeat = 0;
+    allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
+    sandboxShmSize = "50%";
+    darwinLogSandboxViolations = false;
+    runDiffHook = false;
+    diffHook = "";
+    enforceDeterminism = true;
+    binaryCachePublicKeys = Strings{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="};
+    secretKeyFiles = Strings();
+    binaryCachesParallelConnections = 25;
+    enableHttp2 = true;
+    tarballTtl = 60 * 60;
+    signedBinaryCaches = "";
+    substituters = Strings();
+    binaryCaches = nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings();
+    extraBinaryCaches = Strings();
+    trustedUsers = Strings({"root"});
+    allowedUsers = Strings({"*"});
+    printMissing = true;
 }


@ -113,44 +150,12 @@ void Settings::set(const string & name, const string & value)
    overrides[name] = value;
 }

-
-string Settings::get(const string & name, const string & def)
-{
-    auto i = settings.find(name);
-    if (i == settings.end()) return def;
-    return i->second;
-}
-
-
-Strings Settings::get(const string & name, const Strings & def)
-{
-    auto i = settings.find(name);
-    if (i == settings.end()) return def;
-    return tokenizeString<Strings>(i->second);
-}
-
-
-bool Settings::get(const string & name, bool def)
-{
-    bool res = def;
-    _get(res, name);
-    return res;
-}
-
-
-int Settings::get(const string & name, int def)
-{
-    int res = def;
-    _get(res, name);
-    return res;
-}
-
-
 void Settings::update()
 {
    _get(tryFallback, "build-fallback");

-    auto s = get("build-max-jobs", std::string("1"));
+    std::string s = "1";
+    _get(s, "build-max-jobs");
    if (s == "auto")
        maxBuildJobs = std::max(1U, std::thread::hardware_concurrency());
    else
@ -186,13 +191,71 @@ void Settings::update()
    _get(keepFailed, "keep-failed");
    _get(netrcFile, "netrc-file");
    _get(enableImportFromDerivation, "allow-import-from-derivation");
+    _get(useSandbox, "build-use-sandbox", "build-use-chroot");
+    _get(sandboxPaths, "build-sandbox-paths", "build-chroot-dirs");
+    _get(extraSandboxPaths, "build-extra-sandbox-paths", "build-extra-chroot-dirs");
+    _get(restrictEval, "restrict-eval");
+    _get(buildRepeat, "build-repeat");
+    _get(allowedImpureHostPrefixes, "allowed-impure-host-deps");
+    _get(sandboxShmSize, "sandbox-dev-shm-size");
+    _get(darwinLogSandboxViolations, "darwin-log-sandbox-violations");
+    _get(runDiffHook, "run-diff-hook");
+    _get(diffHook, "diff-hook");
+    _get(enforceDeterminism, "enforce-determinism");
+    _get(binaryCachePublicKeys, "binary-cache-public-keys");
+    _get(secretKeyFiles, "secret-key-files");
+    _get(binaryCachesParallelConnections, "binary-caches-parallel-connections");
+    _get(enableHttp2, "enable-http2");
+    _get(tarballTtl, "tarball-ttl");
+    _get(signedBinaryCaches, "signed-binary-caches");
+    _get(substituters, "substituters");
+    _get(binaryCaches, "binary-caches");
+    _get(extraBinaryCaches, "extra-binary-caches");
+    _get(trustedUsers, "trusted-users");
+    _get(allowedUsers, "allowed-users");
+    _get(printMissing, "print-missing");
+
+    /* Clear out any deprecated options that might be left, so users know we recognize the option
+       but aren't processing it anymore */
+    for (auto &i : deprecatedOptions) {
+        if (settings.find(i) != settings.end()) {
+            printError(format("warning: deprecated option '%1%' is no longer supported and will be ignored") % i);
+            settings.erase(i);
+        }
+    }
+
+    if (settings.size() != 0) {
+        string bad;
+        for (auto &i : settings)
+            bad += "'" + i.first + "', ";
+        bad.pop_back();
+        bad.pop_back();
+        throw Error(format("unrecognized options: %s") % bad);
+    }
 }

+void Settings::checkDeprecated(const string & name)
+{
+    if (deprecatedOptions.find(name) != deprecatedOptions.end())
+        printError(format("warning: deprecated option '%1%' will soon be unsupported") % name);
+}

 void Settings::_get(string & res, const string & name)
 {
    SettingsMap::iterator i = settings.find(name);
    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
+    res = i->second;
+}
+
+void Settings::_get(string & res, const string & name1, const string & name2)
+{
+    SettingsMap::iterator i = settings.find(name1);
+    if (i == settings.end()) i = settings.find(name2);
+    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
    res = i->second;
 }

@ -201,6 +264,8 @@ void Settings::_get(bool & res, const string & name)
 {
    SettingsMap::iterator i = settings.find(name);
    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
    if (i->second == "true") res = true;
    else if (i->second == "false") res = false;
    else throw Error(format("configuration option ‘%1%’ should be either ‘true’ or ‘false’, not ‘%2%’")
@ -212,6 +277,20 @@ void Settings::_get(StringSet & res, const string & name)
 {
    SettingsMap::iterator i = settings.find(name);
    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
+    res.clear();
+    Strings ss = tokenizeString<Strings>(i->second);
+    res.insert(ss.begin(), ss.end());
+}
+
+void Settings::_get(StringSet & res, const string & name1, const string & name2)
+{
+    SettingsMap::iterator i = settings.find(name1);
+    if (i == settings.end()) i = settings.find(name2);
+    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
    res.clear();
    Strings ss = tokenizeString<Strings>(i->second);
    res.insert(ss.begin(), ss.end());
@ -221,6 +300,8 @@ void Settings::_get(Strings & res, const string & name)
 {
    SettingsMap::iterator i = settings.find(name);
    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
    res = tokenizeString<Strings>(i->second);
 }

@ -229,6 +310,8 @@ template<class N> void Settings::_get(N & res, const string & name)
 {
    SettingsMap::iterator i = settings.find(name);
    if (i == settings.end()) return;
+    checkDeprecated(i->first);
+    settings.erase(i);
    if (!string2Int(i->second, res))
        throw Error(format("configuration setting ‘%1%’ should have an integer value") % name);
 }