mirror of
https://github.com/NixOS/nix
synced 2025-07-07 22:33:57 +02:00
Trustless remote building
Co-authored-by: Matthew Bauer <mjbauer95@gmail.com>
This commit is contained in:
parent
53f92c779a
commit
cbc4344297
15 changed files with 181 additions and 12 deletions
52
tests/build-hook-ca.nix
Normal file
52
tests/build-hook-ca.nix
Normal file
|
@ -0,0 +1,52 @@
|
|||
{ busybox }:
|
||||
|
||||
with import ./config.nix;
|
||||
|
||||
let
|
||||
|
||||
mkDerivation = args:
|
||||
derivation ({
|
||||
inherit system;
|
||||
builder = busybox;
|
||||
args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
|
||||
outputHashMode = "recursive";
|
||||
outputHashAlgo = "sha256";
|
||||
} // removeAttrs args ["builder" "meta"])
|
||||
// { meta = args.meta or {}; };
|
||||
|
||||
input1 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "build-remote-input-1";
|
||||
buildCommand = "echo FOO > $out";
|
||||
outputHash = "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=";
|
||||
};
|
||||
|
||||
input2 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "build-remote-input-2";
|
||||
buildCommand = "echo BAR > $out";
|
||||
outputHash = "sha256-XArauVH91AVwP9hBBQNlkX9ccuPpSYx9o0zeIHb6e+Q=";
|
||||
};
|
||||
|
||||
input3 = mkDerivation {
|
||||
shell = busybox;
|
||||
name = "build-remote-input-3";
|
||||
buildCommand = ''
|
||||
read x < ${input2}
|
||||
echo $x BAZ > $out
|
||||
'';
|
||||
outputHash = "sha256-daKAcPp/+BYMQsVi/YYMlCKoNAxCNDsaivwSHgQqD2s=";
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
mkDerivation {
|
||||
shell = busybox;
|
||||
name = "build-remote";
|
||||
buildCommand = ''
|
||||
read x < ${input1}
|
||||
read y < ${input3}
|
||||
echo "$x $y" > $out
|
||||
'';
|
||||
outputHash = "sha256-5SxbkUw6xe2l9TE1uwCvTtTDysD1vhRor38OtDF0LqQ=";
|
||||
}
|
11
tests/build-remote-trustless-should-fail-0.sh
Normal file
11
tests/build-remote-trustless-should-fail-0.sh
Normal file
|
@ -0,0 +1,11 @@
|
|||
source common.sh
|
||||
|
||||
# We act as if remote trusts us, but it doesn't. This fails since we are
|
||||
# building input-addressed derivations with `buildDerivation`, which
|
||||
# depends on trust.
|
||||
file=build-hook.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=true
|
||||
|
||||
! source build-remote-trustless.sh
|
9
tests/build-remote-trustless-should-pass-0.sh
Normal file
9
tests/build-remote-trustless-should-pass-0.sh
Normal file
|
@ -0,0 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote trusts us but we pretend it doesn't.
|
||||
file=build-hook.nix
|
||||
prog=nix-store
|
||||
proto=ssh
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
9
tests/build-remote-trustless-should-pass-1.sh
Normal file
9
tests/build-remote-trustless-should-pass-1.sh
Normal file
|
@ -0,0 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote trusts us but we pretend it doesn't.
|
||||
file=build-hook.nix
|
||||
prog=nix-daemon
|
||||
proto=ssh-ng
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
9
tests/build-remote-trustless-should-pass-2.sh
Normal file
9
tests/build-remote-trustless-should-pass-2.sh
Normal file
|
@ -0,0 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote doesn't trust us nor do we think it does
|
||||
file=build-hook.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
10
tests/build-remote-trustless-should-pass-3.sh
Normal file
10
tests/build-remote-trustless-should-pass-3.sh
Normal file
|
@ -0,0 +1,10 @@
|
|||
source common.sh
|
||||
|
||||
# We act as if remote trusts us, but it doesn't. This is fine because we
|
||||
# are only building (fixed) CA derivations.
|
||||
file=build-hook-ca.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=true
|
||||
|
||||
source build-remote-trustless.sh
|
18
tests/build-remote-trustless.sh
Normal file
18
tests/build-remote-trustless.sh
Normal file
|
@ -0,0 +1,18 @@
|
|||
if ! canUseSandbox; then exit; fi
|
||||
if ! [[ $busybox =~ busybox ]]; then exit; fi
|
||||
|
||||
unset NIX_STORE_DIR
|
||||
unset NIX_STATE_DIR
|
||||
|
||||
# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
|
||||
# child process. This allows us to test LegacySSHStore::buildDerivation().
|
||||
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
|
||||
|
||||
nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
|
||||
--arg busybox $busybox \
|
||||
--store $TEST_ROOT/local \
|
||||
--builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
|
||||
|
||||
outPath=$(readlink -f $TEST_ROOT/result)
|
||||
|
||||
grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
|
|
@ -17,7 +17,7 @@ cat > "$NIX_CONF_DIR"/nix.conf <<EOF
|
|||
build-users-group =
|
||||
keep-derivations = false
|
||||
sandbox = false
|
||||
experimental-features = nix-command flakes
|
||||
experimental-features = nix-command flakes nix-testing
|
||||
gc-reserved-space = 0
|
||||
flake-registry = $TEST_ROOT/registry.json
|
||||
include nix.conf.extra
|
||||
|
|
|
@ -15,6 +15,10 @@ nix_tests = \
|
|||
linux-sandbox.sh \
|
||||
build-dry.sh \
|
||||
build-remote.sh \
|
||||
build-remote-trustless-should-pass-1.sh \
|
||||
build-remote-trustless-should-pass-2.sh \
|
||||
build-remote-trustless-should-pass-3.sh \
|
||||
build-remote-trustless-should-fail-0.sh \
|
||||
nar-access.sh \
|
||||
structured-attrs.sh \
|
||||
fetchGit.sh \
|
||||
|
@ -34,6 +38,7 @@ nix_tests = \
|
|||
recursive.sh \
|
||||
flakes.sh
|
||||
# parallel.sh
|
||||
# build-remote-trustless-should-pass-0.sh # problem with legacy ssh-store only
|
||||
|
||||
install-tests += $(foreach x, $(nix_tests), tests/$(x))
|
||||
|
||||
|
|
3
tests/nix-daemon-untrusting.sh
Executable file
3
tests/nix-daemon-untrusting.sh
Executable file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
exec nix-daemon --no-trust "$@"
|
Loading…
Add table
Add a link
Reference in a new issue