wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 22:33:57 +02:00
Code Activity

Don't block while waiting for build users

Browse source 
(cherry picked from commit 14073fb76b)
This commit is contained in:
Alexander Bantyev 2020-05-08 12:22:39 +03:00 committed by Florian Klink
parent a1469cc8f4
commit 849f9b83a8
1 changed files with 28 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

53
src/libstore/build.cc
View file

@ -508,9 +508,6 @@ private:
Path fnUserLock;
AutoCloseFD fdUserLock;
bool findFreeUser();
string user;
uid_t uid;
gid_t gid;
@ -527,6 +524,8 @@ public:
uid_t getGID() { assert(gid); return gid; }
std::vector<gid_t> getSupplementaryGIDs() { return supplementaryGIDs; }
bool findFreeUser();
bool enabled() { return uid != 0; }
};
@ -538,12 +537,8 @@ UserLock::UserLock()
{
assert(settings.buildUsersGroup != "");
createDirs(settings.nixStateDir + "/userpool");
if (findFreeUser()) return;
printError("waiting for build users");
do std::this_thread::sleep_for(std::chrono::seconds(2)); while (! findFreeUser());
/* Mark that user is not enabled by default */
uid = 0;
}
bool UserLock::findFreeUser() {
@ -1422,6 +1417,30 @@ void DerivationGoal::tryToBuild()
{
trace("trying to build");
/* If `build-users-group' is not empty, then we have to build as
one of the members of that group. */
if (settings.buildUsersGroup != "" && getuid() == 0) {
#if defined(__linux__) || defined(__APPLE__)
if (!buildUser) buildUser = std::make_unique<UserLock>();
if (!buildUser->enabled()) {
if (!buildUser->findFreeUser()) {
debug("waiting for build users");
worker.waitForAWhile(shared_from_this());
return;
}
/* Make sure that no other processes are executing under this
uid. */
buildUser->kill();
}
#else
/* Don't know how to block the creation of setuid/setgid
binaries on this platform. */
throw Error("build users are not supported on this platform for security reasons");
#endif
}
/* Obtain locks on all output paths. The locks are automatically
released when we exit this function or Nix crashes. If we
can't acquire the lock, then continue; hopefully some other
@ -1938,22 +1957,6 @@ void DerivationGoal::startBuilder()
#endif
}
/* If `build-users-group' is not empty, then we have to build as
one of the members of that group. */
if (settings.buildUsersGroup != "" && getuid() == 0) {
#if defined(__linux__) || defined(__APPLE__)
buildUser = std::make_unique<UserLock>();
/* Make sure that no other processes are executing under this
uid. */
buildUser->kill();
#else
/* Don't know how to block the creation of setuid/setgid
binaries on this platform. */
throw Error("build users are not supported on this platform for security reasons");
#endif
}
/* Create a temporary directory where the build will take
place. */
auto drvName = storePathToName(drvPath);