
Trustless remote building

Co-authored-by: Matthew Bauer <mjbauer95@gmail.com>
This commit is contained in:
John Ericson 2020-08-12 03:47:36 +00:00
parent 53f92c779a
commit cbc4344297
15 changed files with 181 additions and 12 deletions

52
tests/build-hook-ca.nix Normal file

@ -0,0 +1,52 @@
{ busybox }:
with import ./config.nix;
let
mkDerivation = args:
derivation ({
inherit system;
builder = busybox;
args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
outputHashMode = "recursive";
outputHashAlgo = "sha256";
} // removeAttrs args ["builder" "meta"])
// { meta = args.meta or {}; };
input1 = mkDerivation {
shell = busybox;
name = "build-remote-input-1";
buildCommand = "echo FOO > $out";
outputHash = "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=";
};
input2 = mkDerivation {
shell = busybox;
name = "build-remote-input-2";
buildCommand = "echo BAR > $out";
outputHash = "sha256-XArauVH91AVwP9hBBQNlkX9ccuPpSYx9o0zeIHb6e+Q=";
};
input3 = mkDerivation {
shell = busybox;
name = "build-remote-input-3";
buildCommand = ''
read x < ${input2}
echo $x BAZ > $out
'';
outputHash = "sha256-daKAcPp/+BYMQsVi/YYMlCKoNAxCNDsaivwSHgQqD2s=";
};
in
mkDerivation {
shell = busybox;
name = "build-remote";
buildCommand = ''
read x < ${input1}
read y < ${input3}
echo "$x $y" > $out
'';
outputHash = "sha256-5SxbkUw6xe2l9TE1uwCvTtTDysD1vhRor38OtDF0LqQ=";
}
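Review bot: The file opens without a comment saying how it differs from build-hook.nix, and that difference is the whole reason it exists: every derivation here declares `outputHashMode`, `outputHashAlgo` and `outputHash`, making them fixed-output, and the CA variant of the trustless test (`file=build-hook-ca.nix`, `trusting=true`) relies on that to pass against a daemon that does not trust the client. Suggest a header such as `# Fixed-output (CA) variant of build-hook.nix: every derivation carries an outputHash, so building it on a remote that does not trust us is fine (see the build-remote-trustless tests).` It would also help to note that the hashes pin the exact NAR contents produced by each `buildCommand`, so changing an `echo` line presumably requires recomputing the corresponding `outputHash`.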


@ -0,0 +1,11 @@
source common.sh
# We act as if remote trusts us, but it doesn't. This fails since we are
# building input-addressed derivations with `buildDerivation`, which
# depends on trust.
file=build-hook.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng
trusting=true
! source build-remote-trustless.sh
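Review bot: `! source build-remote-trustless.sh` on the last line only asserts that the sourced script's final status is non-zero, and the last command in that script is the `grep` on the result path, so any failure that leaves no matching output — the rejected `buildDerivation` described in the comment above, but equally a malformed builders URI or an unreachable remote store — makes this test pass. Consider capturing the `nix build` output and asserting on the expected trust-related error text, or at least checking that `$TEST_ROOT/result` was not produced, so the test fails for the intended reason only. Note also that the sourced script's early `exit` when no sandbox is available ends this script with status 0, so in such environments the should-fail case is silently skipped rather than exercised.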


@ -0,0 +1,9 @@
source common.sh
# Remote trusts us but we pretend it doesn't.
file=build-hook.nix
prog=nix-store
proto=ssh
trusting=false
source build-remote-trustless.sh


@ -0,0 +1,9 @@
source common.sh
# Remote trusts us but we pretend it doesn't.
file=build-hook.nix
prog=nix-daemon
proto=ssh-ng
trusting=false
source build-remote-trustless.sh


@ -0,0 +1,9 @@
source common.sh
# Remote doesn't trust us nor do we think it does
file=build-hook.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng
trusting=false
source build-remote-trustless.sh


@ -0,0 +1,10 @@
source common.sh
# We act as if remote trusts us, but it doesn't. This is fine because we
# are only building (fixed) CA derivations.
file=build-hook-ca.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng
trusting=true
source build-remote-trustless.sh


@ -0,0 +1,18 @@
if ! canUseSandbox; then exit; fi
if ! [[ $busybox =~ busybox ]]; then exit; fi
unset NIX_STORE_DIR
unset NIX_STATE_DIR
# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
# child process. This allows us to test LegacySSHStore::buildDerivation().
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
--arg busybox $busybox \
--store $TEST_ROOT/local \
--builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
outPath=$(readlink -f $TEST_ROOT/result)
grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
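Review bot: `${subDir}` on the last line is not set anywhere in this commit and none of the scripts that source this file define it; if it is meant to come from common.sh a comment should say so, otherwise the expansion silently degrades to `$TEST_ROOT//local$outPath` and the check works only by accident. The `--builders` URI is also assembled from unquoted `$prog`, `$trusting` and `$TEST_ROOT` values, and `$prog` is an absolute path from `readlink -e`, so a test root containing `&` or `?` would be parsed as extra query parameters rather than part of the path. Consider percent-escaping those values the way `%3F` is already used for the `remote-store` parameter, or at least documenting that `TEST_ROOT` must not contain URI-significant characters.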


@ -17,7 +17,7 @@ cat > "$NIX_CONF_DIR"/nix.conf <<EOF
build-users-group =
keep-derivations = false
sandbox = false
experimental-features = nix-command flakes
experimental-features = nix-command flakes nix-testing
gc-reserved-space = 0
flake-registry = $TEST_ROOT/registry.json
include nix.conf.extra
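Review bot: The `nix-testing` experimental feature is now enabled for the entire test suite with no comment saying which test needs it; from this commit it presumably gates the `trusting` builder option and `--no-trust` used by the new build-remote-trustless tests, but that is not stated anywhere. Suggest a line in the heredoc next to it such as `# nix-testing: required by the build-remote-trustless tests` (adjusted to whatever the feature actually gates), so the flag is not kept by habit once those tests no longer need it. The heredoc that writes nix.conf starts on the hunk's context line and ends outside the hunk.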


@ -15,6 +15,10 @@ nix_tests = \
linux-sandbox.sh \
build-dry.sh \
build-remote.sh \
build-remote-trustless-should-pass-1.sh \
build-remote-trustless-should-pass-2.sh \
build-remote-trustless-should-pass-3.sh \
build-remote-trustless-should-fail-0.sh \
nar-access.sh \
structured-attrs.sh \
fetchGit.sh \
@ -34,6 +38,7 @@ nix_tests = \
recursive.sh \
flakes.sh
# parallel.sh
# build-remote-trustless-should-pass-0.sh # problem with legacy ssh-store only
install-tests += $(foreach x, $(nix_tests), tests/$(x))
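Review bot: `# build-remote-trustless-should-pass-0.sh # problem with legacy ssh-store only` disables a test that this same commit adds, without saying what the problem is or where it is tracked, which is how a disabled test becomes permanent; on this page the legacy-ssh variant appears to be the script that sets `prog=nix-store` and `proto=ssh`. Suggest expanding the comment to name the failure seen with LegacySSHStore and to reference a tracking issue, e.g. `# build-remote-trustless-should-pass-0.sh # disabled: <describe failure>, see <ISSUE-ID>` with the placeholders filled in, or marking it as an expected failure so the code path is still exercised. The `nix_tests` list begins outside the first hunk.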

3
tests/nix-daemon-untrusting.sh Executable file

@ -0,0 +1,3 @@
#!/bin/sh
exec nix-daemon --no-trust "$@"
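Review bot: The wrapper carries no comment explaining its role, although three of the new tests resolve it with `readlink -e ./nix-daemon-untrusting.sh` and pass it as `remote-program`, and `--no-trust` is what makes the remote reject input-addressed `buildDerivation` calls according to the should-fail test's comment. Suggest adding after the shebang: `# Used as remote-program by the build-remote-trustless tests: run the daemon as if the connecting client were untrusted.` Note that `nix-daemon` is resolved from `$PATH` here, so these tests presumably depend on the `PATH` that common.sh establishes rather than on an explicit path to the binary under test.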