From e194e27f8574c193b1979cad8beef9ba5d7d584d Mon Sep 17 00:00:00 2001 From: WxNzEMof <143541718+WxNzEMof@users.noreply.github.com> Date: Thu, 25 Jan 2024 21:56:09 +0000 Subject: [PATCH 01/18] docker: Allow building for non-root user Add options uid, gid, uname, and gname to docker.nix. Setting these to e.g. 1000, 1000, "user", "user" will build an image which runs and allows using Nix as that user. --- docker.nix | 50 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/docker.nix b/docker.nix index bd16b71cd71..19479e57c18 100644 --- a/docker.nix +++ b/docker.nix @@ -9,6 +9,10 @@ , maxLayers ? 100 , nixConf ? {} , flake-registry ? null +, uid ? 0 +, gid ? 0 +, uname ? "root" +, gname ? "root" }: let defaultPkgs = with pkgs; [ @@ -50,6 +54,15 @@ let description = "Unprivileged account (don't use!)"; }; + } // lib.optionalAttrs (uid != 0) { + "${uname}" = { + uid = uid; + shell = "${pkgs.bashInteractive}/bin/bash"; + home = "/home/${uname}"; + gid = gid; + groups = [ "${gname}" ]; + description = "Nix user"; + }; } // lib.listToAttrs ( map ( @@ -70,6 +83,8 @@ let root.gid = 0; nixbld.gid = 30000; nobody.gid = 65534; + } // lib.optionalAttrs (gid != 0) { + "${gname}".gid = gid; }; userToPasswd = ( @@ -150,6 +165,8 @@ let in "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n"; + userHome = if uid == 0 then "/root" else "/home/${uname}"; + baseSystem = let nixpkgs = pkgs.path; @@ -237,26 +254,26 @@ let mkdir -p $out/etc/nix cat $nixConfContentsPath > $out/etc/nix/nix.conf - mkdir -p $out/root - mkdir -p $out/nix/var/nix/profiles/per-user/root + mkdir -p $out${userHome} + mkdir -p $out/nix/var/nix/profiles/per-user/${uname} ln -s ${profile} $out/nix/var/nix/profiles/default-1-link ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default - ln -s /nix/var/nix/profiles/default $out/root/.nix-profile + ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile - ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link - ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels + ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link + ln -s $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels - mkdir -p $out/root/.nix-defexpr - ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels - echo "${channelURL} ${channelName}" > $out/root/.nix-channels + mkdir -p $out${userHome}/.nix-defexpr + ln -s $out/nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels + echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels mkdir -p $out/bin $out/usr/bin ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh '' + (lib.optionalString (flake-registry-path != null) '' - nixCacheDir="/root/.cache/nix" + nixCacheDir="${userHome}/.cache/nix" mkdir -p $out$nixCacheDir globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" ln -s ${flake-registry-path} $out$globalFlakeRegistryPath @@ -268,7 +285,7 @@ let in pkgs.dockerTools.buildLayeredImageWithNixDb { - inherit name tag maxLayers; + inherit name tag maxLayers uid gid uname gname; contents = [ baseSystem ]; @@ -279,25 +296,28 @@ pkgs.dockerTools.buildLayeredImageWithNixDb { fakeRootCommands = '' chmod 1777 tmp chmod 1777 var/tmp + chown -R ${toString uid}:${toString gid} .${userHome} + chown -R ${toString uid}:${toString gid} nix ''; config = { - Cmd = [ "/root/.nix-profile/bin/bash" ]; + Cmd = [ "${userHome}/.nix-profile/bin/bash" ]; + User = "${toString uid}:${toString gid}"; Env = [ - "USER=root" + "USER=${uname}" "PATH=${lib.concatStringsSep ":" [ - "/root/.nix-profile/bin" + "${userHome}/.nix-profile/bin" "/nix/var/nix/profiles/default/bin" "/nix/var/nix/profiles/default/sbin" ]}" "MANPATH=${lib.concatStringsSep ":" [ - "/root/.nix-profile/share/man" + "${userHome}/.nix-profile/share/man" "/nix/var/nix/profiles/default/share/man" ]}" "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" - "NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels" + "NIX_PATH=/nix/var/nix/profiles/per-user/${uname}/channels:${userHome}/.nix-defexpr/channels" ]; }; From 1cfb226b7269b14c34b2ef42e4c501e1ba851bb4 Mon Sep 17 00:00:00 2001 From: WxNzEMof <143541718+WxNzEMof@users.noreply.github.com> Date: Sun, 10 Nov 2024 21:31:02 +0000 Subject: [PATCH 02/18] tests/nixos: add nix-docker test --- tests/nixos/default.nix | 2 ++ tests/nixos/nix-docker.nix | 39 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 tests/nixos/nix-docker.nix diff --git a/tests/nixos/default.nix b/tests/nixos/default.nix index 17bfdea3822..c5f4a23aa08 100644 --- a/tests/nixos/default.nix +++ b/tests/nixos/default.nix @@ -124,6 +124,8 @@ in nix-copy = runNixOSTestFor "x86_64-linux" ./nix-copy.nix; + nix-docker = runNixOSTestFor "x86_64-linux" ./nix-docker.nix; + nssPreload = runNixOSTestFor "x86_64-linux" ./nss-preload.nix; githubFlakes = runNixOSTestFor "x86_64-linux" ./github-flakes.nix; diff --git a/tests/nixos/nix-docker.nix b/tests/nixos/nix-docker.nix new file mode 100644 index 00000000000..5c21dfff6dc --- /dev/null +++ b/tests/nixos/nix-docker.nix @@ -0,0 +1,39 @@ +# Test the container built by ../../docker.nix. + +{ lib, config, nixpkgs, hostPkgs, ... }: + +let + pkgs = config.nodes.machine.nixpkgs.pkgs; + + nixImage = import ../../docker.nix { + inherit (config.nodes.machine.nixpkgs) pkgs; + }; + nixUserImage = import ../../docker.nix { + inherit (config.nodes.machine.nixpkgs) pkgs; + name = "nix-user"; + uid = 1000; + gid = 1000; + uname = "user"; + gname = "user"; + }; + +in { + name = "nix-docker"; + + nodes.machine = + { config, lib, pkgs, ... }: + { virtualisation.diskSize = 4096; + }; + + testScript = { nodes }: '' + machine.succeed("mkdir -p /etc/containers") + machine.succeed("""echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json""") + + machine.succeed("${pkgs.podman}/bin/podman load -i ${nixImage}") + machine.succeed("${pkgs.podman}/bin/podman run --rm nix nix --version") + + machine.succeed("${pkgs.podman}/bin/podman load -i ${nixUserImage}") + machine.succeed("${pkgs.podman}/bin/podman run --rm nix-user nix --version") + machine.succeed("[[ $(${pkgs.podman}/bin/podman run --rm nix-user stat -c %u /nix/store) = 1000 ]]") + ''; +} From 1dda18ef0a3c6d109b6e9fc2e1c7f93c9c1a4471 Mon Sep 17 00:00:00 2001 From: WxNzEMof <143541718+WxNzEMof@users.noreply.github.com> Date: Sun, 10 Nov 2024 21:31:32 +0000 Subject: [PATCH 03/18] doc/manual: add documentation for non-root container images --- .../source/installation/installing-docker.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/manual/source/installation/installing-docker.md b/doc/manual/source/installation/installing-docker.md index 6f77d6a5708..9354c1a7228 100644 --- a/doc/manual/source/installation/installing-docker.md +++ b/doc/manual/source/installation/installing-docker.md @@ -57,3 +57,21 @@ $ nix build ./\#hydraJobs.dockerImage.x86_64-linux $ docker load -i ./result/image.tar.gz $ docker run -ti nix:2.5pre20211105 ``` + +# Docker image with non-root Nix + +If you would like to run Nix in a container under a user other than `root`, +you can build an image with a non-root single-user installation of Nix +by specifying the `uid`, `gid`, `uname`, and `gname` arguments to `docker.nix`: + +```console +$ nix build --file docker.nix \ + --arg uid 1000 \ + --arg gid 1000 \ + --argstr uname user \ + --argstr gname user \ + --argstr name nix-user \ + --out-link nix-user.tar.gz +$ docker load -i nix-user.tar.gz +$ docker run -ti nix-user +``` From 11d3b017cfdce506bf46edf7f11ba923a67adee9 Mon Sep 17 00:00:00 2001 From: WxNzEMof <143541718+WxNzEMof@users.noreply.github.com> Date: Sun, 10 Nov 2024 23:20:31 +0000 Subject: [PATCH 04/18] tests/nixos: add more thorough nix-docker tests --- tests/nixos/nix-docker-test.sh | 47 ++++++++++++++++++++++++++++++++++ tests/nixos/nix-docker.nix | 20 ++++++++++++--- 2 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 tests/nixos/nix-docker-test.sh diff --git a/tests/nixos/nix-docker-test.sh b/tests/nixos/nix-docker-test.sh new file mode 100644 index 00000000000..1f65e1a9446 --- /dev/null +++ b/tests/nixos/nix-docker-test.sh @@ -0,0 +1,47 @@ +#!/usr/bin/env bash +# docker.nix test script. Runs inside a built docker.nix container. + +set -eEuo pipefail + +export NIX_CONFIG='substituters = http://cache:5000?trusted=1' + +cd /tmp + +# Test getting a fetched derivation +test "$("$(nix-build -E '(import {}).hello')"/bin/hello)" = "Hello, world!" + +# Test building a simple derivation +# shellcheck disable=SC2016 +nix-build -E ' +let + pkgs = import {}; +in +builtins.derivation { + name = "test"; + system = builtins.currentSystem; + builder = "${pkgs.bash}/bin/bash"; + args = ["-c" "echo OK > $out"]; +}' +test "$(cat result)" = OK + +# Ensure #!/bin/sh shebang works +echo '#!/bin/sh' > ./shebang-test +echo 'echo OK' >> ./shebang-test +chmod +x ./shebang-test +test "$(./shebang-test)" = OK + +# Ensure #!/usr/bin/env shebang works +echo '#!/usr/bin/env bash' > ./shebang-test +echo 'echo OK' >> ./shebang-test +chmod +x ./shebang-test +test "$(./shebang-test)" = OK + +# Test nix-shell +{ + echo '#!/usr/bin/env nix-shell' + echo '#! nix-shell -i bash' + echo '#! nix-shell -p hello' + echo 'hello' +} > ./nix-shell-test +chmod +x ./nix-shell-test +test "$(./nix-shell-test)" = "Hello, world!" diff --git a/tests/nixos/nix-docker.nix b/tests/nixos/nix-docker.nix index 5c21dfff6dc..dfd50898894 100644 --- a/tests/nixos/nix-docker.nix +++ b/tests/nixos/nix-docker.nix @@ -17,23 +17,37 @@ let gname = "user"; }; + containerTestScript = ./nix-docker-test.sh; + in { name = "nix-docker"; - nodes.machine = - { config, lib, pkgs, ... }: - { virtualisation.diskSize = 4096; + nodes = + { machine = + { config, lib, pkgs, ... }: + { virtualisation.diskSize = 4096; + }; + cache = + { config, lib, pkgs, ... }: + { virtualisation.additionalPaths = [ pkgs.stdenv pkgs.hello ]; + services.harmonia.enable = true; + networking.firewall.allowedTCPPorts = [ 5000 ]; + }; }; testScript = { nodes }: '' + cache.wait_for_unit("harmonia.service") + machine.succeed("mkdir -p /etc/containers") machine.succeed("""echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json""") machine.succeed("${pkgs.podman}/bin/podman load -i ${nixImage}") machine.succeed("${pkgs.podman}/bin/podman run --rm nix nix --version") + machine.succeed("${pkgs.podman}/bin/podman run --rm -i nix < ${containerTestScript}") machine.succeed("${pkgs.podman}/bin/podman load -i ${nixUserImage}") machine.succeed("${pkgs.podman}/bin/podman run --rm nix-user nix --version") + machine.succeed("${pkgs.podman}/bin/podman run --rm -i nix-user < ${containerTestScript}") machine.succeed("[[ $(${pkgs.podman}/bin/podman run --rm nix-user stat -c %u /nix/store) = 1000 ]]") ''; } From a2e4a4c2384789d92b300959995a7d9d0e9d725f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 12 Nov 2024 19:26:39 +0100 Subject: [PATCH 05/18] callFunction: Use std::span This is a bit safer than having a separate nrArgs argument. --- src/libexpr-c/nix_api_expr.cc | 2 +- src/libexpr/eval.cc | 32 ++++++++++++++------------------ src/libexpr/eval.hh | 5 ++--- src/libexpr/primops.cc | 8 ++++---- src/libflake/flake/flake.cc | 2 +- 5 files changed, 22 insertions(+), 27 deletions(-) diff --git a/src/libexpr-c/nix_api_expr.cc b/src/libexpr-c/nix_api_expr.cc index 333e99460ba..6144a7986c4 100644 --- a/src/libexpr-c/nix_api_expr.cc +++ b/src/libexpr-c/nix_api_expr.cc @@ -67,7 +67,7 @@ nix_err nix_value_call_multi(nix_c_context * context, EvalState * state, nix_val if (context) context->last_err_code = NIX_OK; try { - state->state.callFunction(fn->value, nargs, (nix::Value * *)args, value->value, nix::noPos); + state->state.callFunction(fn->value, {(nix::Value * *) args, nargs}, value->value, nix::noPos); state->state.forceValue(value->value, nix::noPos); } NIXC_CATCH_ERRS diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index e21f70553a7..6e82af1d8d8 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -588,14 +588,14 @@ std::optional EvalState::getDoc(Value & v) if (isFunctor(v)) { try { Value & functor = *v.attrs()->find(sFunctor)->value; - Value * vp = &v; + Value * vp[] = {&v}; Value partiallyApplied; // The first paramater is not user-provided, and may be // handled by code that is opaque to the user, like lib.const = x: y: y; // So preferably we show docs that are relevant to the // "partially applied" function returned by e.g. `const`. // We apply the first argument: - callFunction(functor, 1, &vp, partiallyApplied, noPos); + callFunction(functor, vp, partiallyApplied, noPos); auto _level = addCallDepth(noPos); return getDoc(partiallyApplied); } @@ -1460,7 +1460,7 @@ void ExprLambda::eval(EvalState & state, Env & env, Value & v) v.mkLambda(&env, this); } -void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & vRes, const PosIdx pos) +void EvalState::callFunction(Value & fun, std::span args, Value & vRes, const PosIdx pos) { auto _level = addCallDepth(pos); @@ -1475,7 +1475,7 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & auto makeAppChain = [&]() { vRes = vCur; - for (size_t i = 0; i < nrArgs; ++i) { + for (size_t i = 0; i < args.size(); ++i) { auto fun2 = allocValue(); *fun2 = vRes; vRes.mkPrimOpApp(fun2, args[i]); @@ -1484,7 +1484,7 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & const Attr * functor; - while (nrArgs > 0) { + while (args.size() > 0) { if (vCur.isLambda()) { @@ -1587,15 +1587,14 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & throw; } - nrArgs--; - args += 1; + args = args.subspan(1); } else if (vCur.isPrimOp()) { size_t argsLeft = vCur.primOp()->arity; - if (nrArgs < argsLeft) { + if (args.size() < argsLeft) { /* We don't have enough arguments, so create a tPrimOpApp chain. */ makeAppChain(); return; @@ -1607,15 +1606,14 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & if (countCalls) primOpCalls[fn->name]++; try { - fn->fun(*this, vCur.determinePos(noPos), args, vCur); + fn->fun(*this, vCur.determinePos(noPos), args.data(), vCur); } catch (Error & e) { if (fn->addTrace) addErrorTrace(e, pos, "while calling the '%1%' builtin", fn->name); throw; } - nrArgs -= argsLeft; - args += argsLeft; + args = args.subspan(argsLeft); } } @@ -1631,7 +1629,7 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & auto arity = primOp->primOp()->arity; auto argsLeft = arity - argsDone; - if (nrArgs < argsLeft) { + if (args.size() < argsLeft) { /* We still don't have enough arguments, so extend the tPrimOpApp chain. */ makeAppChain(); return; @@ -1663,8 +1661,7 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & throw; } - nrArgs -= argsLeft; - args += argsLeft; + args = args.subspan(argsLeft); } } @@ -1675,13 +1672,12 @@ void EvalState::callFunction(Value & fun, size_t nrArgs, Value * * args, Value & Value * args2[] = {allocValue(), args[0]}; *args2[0] = vCur; try { - callFunction(*functor->value, 2, args2, vCur, functor->pos); + callFunction(*functor->value, args2, vCur, functor->pos); } catch (Error & e) { e.addTrace(positions[pos], "while calling a functor (an attribute set with a '__functor' attribute)"); throw; } - nrArgs--; - args++; + args = args.subspan(1); } else @@ -1724,7 +1720,7 @@ void ExprCall::eval(EvalState & state, Env & env, Value & v) for (size_t i = 0; i < args.size(); ++i) vArgs[i] = args[i]->maybeThunk(state, env); - state.callFunction(vFun, args.size(), vArgs.data(), v, pos); + state.callFunction(vFun, vArgs, v, pos); } diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh index 7fe70af31b6..b0c79ab869c 100644 --- a/src/libexpr/eval.hh +++ b/src/libexpr/eval.hh @@ -690,13 +690,12 @@ public: bool isFunctor(Value & fun); - // FIXME: use std::span - void callFunction(Value & fun, size_t nrArgs, Value * * args, Value & vRes, const PosIdx pos); + void callFunction(Value & fun, std::span args, Value & vRes, const PosIdx pos); void callFunction(Value & fun, Value & arg, Value & vRes, const PosIdx pos) { Value * args[] = {&arg}; - callFunction(fun, 1, args, vRes, pos); + callFunction(fun, args, vRes, pos); } /** diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index 45d9f86ac05..aea623435bf 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -724,7 +724,7 @@ static void prim_genericClosure(EvalState & state, const PosIdx pos, Value * * a /* Call the `operator' function with `e' as argument. */ Value newElements; - state.callFunction(*op->value, 1, &e, newElements, noPos); + state.callFunction(*op->value, {&e, 1}, newElements, noPos); state.forceList(newElements, noPos, "while evaluating the return value of the `operator` passed to builtins.genericClosure"); /* Add the values returned by the operator to the work set. */ @@ -2450,7 +2450,7 @@ bool EvalState::callPathFilter( // assert that type is not "unknown" Value * args []{&arg1, fileTypeToString(*this, st.type)}; Value res; - callFunction(*filterFun, 2, args, res, pos); + callFunction(*filterFun, args, res, pos); return forceBool(res, pos, "while evaluating the return value of the path filter function"); } @@ -3487,7 +3487,7 @@ static void prim_foldlStrict(EvalState & state, const PosIdx pos, Value * * args for (auto [n, elem] : enumerate(args[2]->listItems())) { Value * vs []{vCur, elem}; vCur = n == args[2]->listSize() - 1 ? &v : state.allocValue(); - state.callFunction(*args[0], 2, vs, *vCur, pos); + state.callFunction(*args[0], vs, *vCur, pos); } state.forceValue(v, pos); } else { @@ -3637,7 +3637,7 @@ static void prim_sort(EvalState & state, const PosIdx pos, Value * * args, Value Value * vs[] = {a, b}; Value vBool; - state.callFunction(*args[0], 2, vs, vBool, noPos); + state.callFunction(*args[0], vs, vBool, noPos); return state.forceBool(vBool, pos, "while evaluating the return value of the sorting function passed to builtins.sort"); }; diff --git a/src/libflake/flake/flake.cc b/src/libflake/flake/flake.cc index edb76f86154..19b622a34af 100644 --- a/src/libflake/flake/flake.cc +++ b/src/libflake/flake/flake.cc @@ -816,7 +816,7 @@ void callFlake(EvalState & state, assert(vFetchFinalTree); Value * args[] = {vLocks, &vOverrides, *vFetchFinalTree}; - state.callFunction(*vCallFlake, 3, args, vRes, noPos); + state.callFunction(*vCallFlake, args, vRes, noPos); } void initLib(const Settings & settings) From 3e4a83f53b343a7fe2ba4faaf4e3932c99ee438b Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 14 Nov 2024 16:12:14 +0100 Subject: [PATCH 06/18] Use range-based for --- src/libexpr/eval.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 6e82af1d8d8..0283a14d63d 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -1475,10 +1475,10 @@ void EvalState::callFunction(Value & fun, std::span args, Value & vRes, auto makeAppChain = [&]() { vRes = vCur; - for (size_t i = 0; i < args.size(); ++i) { + for (auto arg : args) { auto fun2 = allocValue(); *fun2 = vRes; - vRes.mkPrimOpApp(fun2, args[i]); + vRes.mkPrimOpApp(fun2, arg); } }; From 2f3764acbb96ab687e612fdd81bdf58ac5f0e605 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Fri, 15 Nov 2024 11:35:27 +0100 Subject: [PATCH 07/18] .github/ci: Add nix-docker test We still have room to spare in vm_tests, as it's quicker than `nix flake check` --- .github/workflows/ci.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 27f60574e0c..a3b7b06d4b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -194,7 +194,13 @@ jobs: - uses: actions/checkout@v4 - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - - run: nix build -L .#hydraJobs.tests.githubFlakes .#hydraJobs.tests.tarballFlakes .#hydraJobs.tests.functional_user + - run: | + nix build -L \ + .#hydraJobs.tests.functional_user \ + .#hydraJobs.tests.githubFlakes \ + .#hydraJobs.tests.nix-docker \ + .#hydraJobs.tests.tarballFlakes \ + ; flake_regressions: needs: vm_tests From c9433c0d1834362305c4f5ca2802fca97d999044 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Fri, 15 Nov 2024 11:37:17 +0100 Subject: [PATCH 08/18] .github/ci: Push docker only when test succeeds --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3b7b06d4b3..cb97fd211dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -128,7 +128,7 @@ jobs: - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello" docker_push_image: - needs: [check_secrets, tests] + needs: [check_secrets, tests, vm_tests] permissions: contents: read packages: write From d65fac0fc461e5b62373b86401b845df6c698177 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Mon, 18 Nov 2024 15:08:32 +0100 Subject: [PATCH 09/18] Add --print-errorlogs to mesonCheckFlags This prints the error logs in the tests, including when they're run with `checkPhase` in the dev shell. --- packaging/dependencies.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packaging/dependencies.nix b/packaging/dependencies.nix index 13766f2c040..a8005ce16c9 100644 --- a/packaging/dependencies.nix +++ b/packaging/dependencies.nix @@ -70,6 +70,9 @@ let pkgs.buildPackages.meson pkgs.buildPackages.ninja ] ++ prevAttrs.nativeBuildInputs or []; + mesonCheckFlags = prevAttrs.mesonCheckFlags or [] ++ [ + "--print-errorlogs" + ]; }; mesonBuildLayer = finalAttrs: prevAttrs: From 428af8c66f0918f5852080b06268498e5021bfe8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 18 Nov 2024 16:28:12 +0100 Subject: [PATCH 10/18] tests/functional/flakes/develop.sh: Don't hang The bash shell started by `nix develop` waited forever for stdin input. Fixes #11827. --- tests/functional/flakes/develop.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/functional/flakes/develop.sh b/tests/functional/flakes/develop.sh index b3e438e99d6..c222f0fbbeb 100755 --- a/tests/functional/flakes/develop.sh +++ b/tests/functional/flakes/develop.sh @@ -122,7 +122,7 @@ expectStderr 1 nix develop --unset-env-var FOO --set-env-var FOO 'BAR' --no-writ grepQuiet "error: Cannot set environment variable 'FOO' that is unset with '--unset-env-var'" # Check that multiple `--ignore-env`'s are okay. -expectStderr 0 nix develop --ignore-env --set-env-var FOO 'BAR' --ignore-env .#hello +expectStderr 0 nix develop --ignore-env --set-env-var FOO 'BAR' --ignore-env .#hello < /dev/null # Determine the bashInteractive executable. nix build --no-write-lock-file './nixpkgs#bashInteractive' --out-link ./bash-interactive From c4b95dbdd1fb45bbc7ad1fc921ebdf81789e22b3 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Mon, 18 Nov 2024 16:45:18 +0100 Subject: [PATCH 11/18] Fix issue 11892 It seems that I copied the expression for baseDir thoughtlessly and did not come back to it. - `baseDir` was only used in the `fromArgs` branch. - `fromArgs` is true when `packages` is true. --- src/nix-build/nix-build.cc | 10 ++++++---- tests/functional/nix-shell.sh | 29 +++++++++++++++++++++++++++++ tests/functional/shell.nix | 6 +++++- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/src/nix-build/nix-build.cc b/src/nix-build/nix-build.cc index c394836da2f..de01e1afcde 100644 --- a/src/nix-build/nix-build.cc +++ b/src/nix-build/nix-build.cc @@ -340,13 +340,15 @@ static void main_nix_build(int argc, char * * argv) exprs = {state->parseStdin()}; else for (auto i : remainingArgs) { - auto baseDir = inShebang && !packages ? absPath(dirOf(script)) : i; - - if (fromArgs) + if (fromArgs) { + auto shebangBaseDir = absPath(dirOf(script)); exprs.push_back(state->parseExprFromString( std::move(i), - (inShebang && compatibilitySettings.nixShellShebangArgumentsRelativeToScript) ? lookupFileArg(*state, baseDir) : state->rootPath(".") + (inShebang && compatibilitySettings.nixShellShebangArgumentsRelativeToScript) + ? lookupFileArg(*state, shebangBaseDir) + : state->rootPath(".") )); + } else { auto absolute = i; try { diff --git a/tests/functional/nix-shell.sh b/tests/functional/nix-shell.sh index 2b78216f452..b054b7f7519 100755 --- a/tests/functional/nix-shell.sh +++ b/tests/functional/nix-shell.sh @@ -167,6 +167,35 @@ EOF chmod a+x $TEST_ROOT/marco/polo/default.nix (cd $TEST_ROOT/marco && ./polo/default.nix | grepQuiet "Polo") +# https://github.com/NixOS/nix/issues/11892 +mkdir $TEST_ROOT/issue-11892 +cat >$TEST_ROOT/issue-11892/shebangscript <$TEST_ROOT/issue-11892/my_package.nix < \$out/bin/my_package + cat \$out/bin/my_package + chmod a+x \$out/bin/my_package + ''; +} +EOF +chmod a+x $TEST_ROOT/issue-11892/shebangscript +$TEST_ROOT/issue-11892/shebangscript \ + | tee /dev/stderr \ + | grepQuiet "ok baz11892" + ##################### # Flake equivalents # diff --git a/tests/functional/shell.nix b/tests/functional/shell.nix index 9cae14b780f..4b1a0623a81 100644 --- a/tests/functional/shell.nix +++ b/tests/functional/shell.nix @@ -37,7 +37,7 @@ let pkgs = rec { mkdir -p $out ln -s ${setupSh} $out/setup ''; - }; + } // { inherit mkDerivation; }; shellDrv = mkDerivation { name = "shellDrv"; @@ -94,5 +94,9 @@ let pkgs = rec { chmod a+rx $out/bin/ruby ''; + inherit (cfg) shell; + + callPackage = f: args: f (pkgs // args); + inherit pkgs; }; in pkgs From e224a35a77b588aed2bc29bf36cc4274098e7a5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 19 Nov 2024 11:25:26 +0100 Subject: [PATCH 12/18] docs/flake: document how to build a pull request It's not so common knowledge that forges also expose pull requests as git refs. But it's actually a cool way of quickly testing someones contribution, so I found it worth specifically mentioning it. --- src/nix/flake.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/nix/flake.md b/src/nix/flake.md index 2b999431ccf..8f0f9936c13 100644 --- a/src/nix/flake.md +++ b/src/nix/flake.md @@ -84,6 +84,8 @@ Here are some examples of flake references in their URL-like representation: repository on GitHub. * `github:NixOS/nixpkgs/nixos-20.09`: The `nixos-20.09` branch of the `nixpkgs` repository. +* `github:NixOS/nixpkgs/pull/357207/head`: The `357207` pull request + of the nixpkgs repository. * `github:NixOS/nixpkgs/a3a3dda3bacf61e8a39258a0ed9c924eeca8e293`: A specific revision of the `nixpkgs` repository. * `github:edolstra/nix-warez?dir=blender`: A flake in a subdirectory From 868b4d37ea8e59d76afbaef4c82315e23b5fa8f4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 19 Nov 2024 16:59:38 +0100 Subject: [PATCH 13/18] nix flake init: Operate on a SourcePath Cherry-picked from lazy-trees. --- src/nix/flake.cc | 45 ++++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/src/nix/flake.cc b/src/nix/flake.cc index 3a54763a199..ce2faacb034 100644 --- a/src/nix/flake.cc +++ b/src/nix/flake.cc @@ -891,37 +891,32 @@ struct CmdFlakeInitCommon : virtual Args, EvalCommand auto cursor = installable.getCursor(*evalState); - auto templateDirAttr = cursor->getAttr("path"); - auto templateDir = templateDirAttr->getString(); - - if (!store->isInStore(templateDir)) - evalState->error( - "'%s' was not found in the Nix store\n" - "If you've set '%s' to a string, try using a path instead.", - templateDir, templateDirAttr->getAttrPathStr()).debugThrow(); + auto templateDirAttr = cursor->getAttr("path")->forceValue(); + NixStringContext context; + auto templateDir = evalState->coerceToPath(noPos, templateDirAttr, context, ""); std::vector changedFiles; std::vector conflictedFiles; - std::function copyDir; - copyDir = [&](const fs::path & from, const fs::path & to) + std::function copyDir; + copyDir = [&](const SourcePath & from, const fs::path & to) { fs::create_directories(to); - for (auto & entry : fs::directory_iterator{from}) { + for (auto & [name, entry] : from.readDirectory()) { checkInterrupt(); - auto from2 = entry.path(); - auto to2 = to / entry.path().filename(); - auto st = entry.symlink_status(); + auto from2 = from / name; + auto to2 = to / name; + auto st = from2.lstat(); auto to_st = fs::symlink_status(to2); - if (fs::is_directory(st)) + if (st.type == SourceAccessor::tDirectory) copyDir(from2, to2); - else if (fs::is_regular_file(st)) { - auto contents = readFile(from2.string()); + else if (st.type == SourceAccessor::tRegular) { + auto contents = from2.readFile(); if (fs::exists(to_st)) { auto contents2 = readFile(to2.string()); if (contents != contents2) { - printError("refusing to overwrite existing file '%s'\n please merge it manually with '%s'", to2.string(), from2.string()); + printError("refusing to overwrite existing file '%s'\n please merge it manually with '%s'", to2.string(), from2); conflictedFiles.push_back(to2); } else { notice("skipping identical file: %s", from2); @@ -930,18 +925,18 @@ struct CmdFlakeInitCommon : virtual Args, EvalCommand } else writeFile(to2, contents); } - else if (fs::is_symlink(st)) { - auto target = fs::read_symlink(from2); + else if (st.type == SourceAccessor::tSymlink) { + auto target = from2.readLink(); if (fs::exists(to_st)) { if (fs::read_symlink(to2) != target) { - printError("refusing to overwrite existing file '%s'\n please merge it manually with '%s'", to2.string(), from2.string()); + printError("refusing to overwrite existing file '%s'\n please merge it manually with '%s'", to2.string(), from2); conflictedFiles.push_back(to2); } else { notice("skipping identical file: %s", from2); } continue; } else - fs::create_symlink(target, to2); + fs::create_symlink(target, to2); } else throw Error("file '%s' has unsupported type", from2); @@ -957,14 +952,14 @@ struct CmdFlakeInitCommon : virtual Args, EvalCommand for (auto & s : changedFiles) args.emplace_back(s.string()); runProgram("git", true, args); } - auto welcomeText = cursor->maybeGetAttr("welcomeText"); - if (welcomeText) { + + if (auto welcomeText = cursor->maybeGetAttr("welcomeText")) { notice("\n"); notice(renderMarkdownToTerminal(welcomeText->getString())); } if (!conflictedFiles.empty()) - throw Error("Encountered %d conflicts - see above", conflictedFiles.size()); + throw Error("encountered %d conflicts - see above", conflictedFiles.size()); } }; From f1b4f14055077e660b7aa5b4859ce6965b62b886 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 19 Nov 2024 17:30:38 +0100 Subject: [PATCH 14/18] Trivial changes from lazy-trees --- src/libexpr/primops.cc | 7 ++++--- src/libfetchers/fetch-to-store.cc | 2 ++ src/libfetchers/meson.build | 6 +++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index aea623435bf..42136b467af 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -1603,7 +1603,8 @@ static RegisterPrimOp primop_placeholder({ *************************************************************/ -/* Convert the argument to a path. !!! obsolete? */ +/* Convert the argument to a path and then to a string (confusing, + eh?). !!! obsolete? */ static void prim_toPath(EvalState & state, const PosIdx pos, Value * * args, Value & v) { NixStringContext context; @@ -2614,13 +2615,13 @@ static void prim_path(EvalState & state, const PosIdx pos, Value * * args, Value expectedHash = newHashAllowEmpty(state.forceStringNoCtx(*attr.value, attr.pos, "while evaluating the `sha256` attribute passed to builtins.path"), HashAlgorithm::SHA256); else state.error( - "unsupported argument '%1%' to 'addPath'", + "unsupported argument '%1%' to 'builtins.path'", state.symbols[attr.name] ).atPos(attr.pos).debugThrow(); } if (!path) state.error( - "missing required 'path' attribute in the first argument to builtins.path" + "missing required 'path' attribute in the first argument to 'builtins.path'" ).atPos(pos).debugThrow(); if (name.empty()) name = path->baseName(); diff --git a/src/libfetchers/fetch-to-store.cc b/src/libfetchers/fetch-to-store.cc index 65aa72a6c36..fe347a59d5b 100644 --- a/src/libfetchers/fetch-to-store.cc +++ b/src/libfetchers/fetch-to-store.cc @@ -44,6 +44,8 @@ StorePath fetchToStore( : store.addToStore( name, path, method, HashAlgorithm::SHA256, {}, filter2, repair); + debug(mode == FetchMode::DryRun ? "hashed '%s'" : "copied '%s' to '%s'", path, store.printStorePath(storePath)); + if (cacheKey && mode == FetchMode::Copy) fetchers::getCache()->upsert(*cacheKey, store, {}, storePath); diff --git a/src/libfetchers/meson.build b/src/libfetchers/meson.build index d4f202796e4..ff638578d18 100644 --- a/src/libfetchers/meson.build +++ b/src/libfetchers/meson.build @@ -52,15 +52,15 @@ sources = files( 'fetch-to-store.cc', 'fetchers.cc', 'filtering-source-accessor.cc', - 'git.cc', 'git-utils.cc', + 'git.cc', 'github.cc', 'indirect.cc', 'mercurial.cc', 'mounted-source-accessor.cc', 'path.cc', - 'store-path-accessor.cc', 'registry.cc', + 'store-path-accessor.cc', 'tarball.cc', ) @@ -71,10 +71,10 @@ headers = files( 'cache.hh', 'fetch-settings.hh', 'fetch-to-store.hh', + 'fetchers.hh', 'filtering-source-accessor.hh', 'git-utils.hh', 'mounted-source-accessor.hh', - 'fetchers.hh', 'registry.hh', 'store-path-accessor.hh', 'tarball.hh', From a58e38dab7f6a9b9d217f6163fe8b565f19a6405 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Tue, 19 Nov 2024 17:30:58 +0100 Subject: [PATCH 15/18] Make EvalState::getBuiltin safe for missing attr --- src/libexpr/eval.cc | 6 +++++- src/libexpr/eval.hh | 5 +++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 0283a14d63d..dd14f485e31 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -525,7 +525,11 @@ Value * EvalState::addPrimOp(PrimOp && primOp) Value & EvalState::getBuiltin(const std::string & name) { - return *baseEnv.values[0]->attrs()->find(symbols.create(name))->value; + auto it = baseEnv.values[0]->attrs()->get(symbols.create(name)); + if (it) + return *it->value; + else + throw EvalError("builtin '%1%' not found", name); } diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh index 742f1cafe25..01c725930f5 100644 --- a/src/libexpr/eval.hh +++ b/src/libexpr/eval.hh @@ -623,6 +623,11 @@ private: public: + /** + * Retrieve a specific builtin, equivalent to evaluating `builtins.${name}`. + * @param name The attribute name of the builtin to retrieve. + * @throws EvalError if the builtin does not exist. + */ Value & getBuiltin(const std::string & name); struct Doc From af07f33d37410de8c97bb64f2d77214c1f4640b4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 19 Nov 2024 18:03:31 +0100 Subject: [PATCH 16/18] resolveLookupPathPath(): Return a SourcePath instead of a string Cherry-picked from lazy-trees. --- src/libcmd/common-eval-args.cc | 6 +++--- src/libexpr/eval-settings.hh | 8 +++----- src/libexpr/eval.cc | 23 +++++++++++------------ src/libexpr/eval.hh | 6 +++--- tests/functional/restricted.sh | 2 +- 5 files changed, 21 insertions(+), 24 deletions(-) diff --git a/src/libcmd/common-eval-args.cc b/src/libcmd/common-eval-args.cc index ccbf957d97e..de967e3fe49 100644 --- a/src/libcmd/common-eval-args.cc +++ b/src/libcmd/common-eval-args.cc @@ -29,13 +29,13 @@ EvalSettings evalSettings { { { "flake", - [](ref store, std::string_view rest) { + [](EvalState & state, std::string_view rest) { experimentalFeatureSettings.require(Xp::Flakes); // FIXME `parseFlakeRef` should take a `std::string_view`. auto flakeRef = parseFlakeRef(fetchSettings, std::string { rest }, {}, true, false); debug("fetching flake search path element '%s''", rest); - auto storePath = flakeRef.resolve(store).fetchTree(store).first; - return store->toRealPath(storePath); + auto storePath = flakeRef.resolve(state.store).fetchTree(state.store).first; + return state.rootPath(state.store->toRealPath(storePath)); }, }, }, diff --git a/src/libexpr/eval-settings.hh b/src/libexpr/eval-settings.hh index 115e3ee501b..a8fcce539d7 100644 --- a/src/libexpr/eval-settings.hh +++ b/src/libexpr/eval-settings.hh @@ -3,10 +3,11 @@ #include "config.hh" #include "ref.hh" +#include "source-path.hh" namespace nix { -class Store; +class EvalState; struct EvalSettings : Config { @@ -18,11 +19,8 @@ struct EvalSettings : Config * * The return value is (a) whether the entry was valid, and, if so, * what does it map to. - * - * @todo Return (`std::optional` of) `SourceAccssor` or something - * more structured instead of mere `std::string`? */ - using LookupPathHook = std::optional(ref store, std::string_view); + using LookupPathHook = std::optional(EvalState & state, std::string_view); /** * Map from "scheme" to a `LookupPathHook`. diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 0283a14d63d..83a1cf4e910 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -3025,8 +3025,8 @@ SourcePath EvalState::findFile(const LookupPath & lookupPath, const std::string_ if (!rOpt) continue; auto r = *rOpt; - Path res = suffix == "" ? r : concatStrings(r, "/", suffix); - if (pathExists(res)) return rootPath(CanonPath(canonPath(res))); + auto res = (r / CanonPath(suffix)).resolveSymlinks(); + if (res.pathExists()) return res; } if (hasPrefix(path, "nix/")) @@ -3041,13 +3041,13 @@ SourcePath EvalState::findFile(const LookupPath & lookupPath, const std::string_ } -std::optional EvalState::resolveLookupPathPath(const LookupPath::Path & value0, bool initAccessControl) +std::optional EvalState::resolveLookupPathPath(const LookupPath::Path & value0, bool initAccessControl) { auto & value = value0.s; auto i = lookupPathResolved.find(value); if (i != lookupPathResolved.end()) return i->second; - auto finish = [&](std::string res) { + auto finish = [&](SourcePath res) { debug("resolved search path element '%s' to '%s'", value, res); lookupPathResolved.emplace(value, res); return res; @@ -3060,7 +3060,7 @@ std::optional EvalState::resolveLookupPathPath(const LookupPath::Pa fetchSettings, EvalSettings::resolvePseudoUrl(value)); auto storePath = fetchToStore(*store, SourcePath(accessor), FetchMode::Copy); - return finish(store->toRealPath(storePath)); + return finish(rootPath(store->toRealPath(storePath))); } catch (Error & e) { logWarning({ .msg = HintFmt("Nix search path entry '%1%' cannot be downloaded, ignoring", value) @@ -3072,29 +3072,29 @@ std::optional EvalState::resolveLookupPathPath(const LookupPath::Pa auto scheme = value.substr(0, colPos); auto rest = value.substr(colPos + 1); if (auto * hook = get(settings.lookupPathHooks, scheme)) { - auto res = (*hook)(store, rest); + auto res = (*hook)(*this, rest); if (res) return finish(std::move(*res)); } } { - auto path = absPath(value); + auto path = rootPath(value); /* Allow access to paths in the search path. */ if (initAccessControl) { - allowPath(path); - if (store->isInStore(path)) { + allowPath(path.path.abs()); + if (store->isInStore(path.path.abs())) { try { StorePathSet closure; - store->computeFSClosure(store->toStorePath(path).first, closure); + store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure); for (auto & p : closure) allowPath(p); } catch (InvalidPath &) { } } } - if (pathExists(path)) + if (path.pathExists()) return finish(std::move(path)); else { logWarning({ @@ -3105,7 +3105,6 @@ std::optional EvalState::resolveLookupPathPath(const LookupPath::Pa debug("failed to resolve search path element '%s'", value); return std::nullopt; - } diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh index 742f1cafe25..6c0bae45134 100644 --- a/src/libexpr/eval.hh +++ b/src/libexpr/eval.hh @@ -347,7 +347,7 @@ private: LookupPath lookupPath; - std::map> lookupPathResolved; + std::map> lookupPathResolved; /** * Cache used by prim_match(). @@ -452,9 +452,9 @@ public: * * If the specified search path element is a URI, download it. * - * If it is not found, return `std::nullopt` + * If it is not found, return `std::nullopt`. */ - std::optional resolveLookupPathPath( + std::optional resolveLookupPathPath( const LookupPath::Path & elem, bool initAccessControl = false); diff --git a/tests/functional/restricted.sh b/tests/functional/restricted.sh index 00ee4ddc8c2..a92a9b8a3a2 100755 --- a/tests/functional/restricted.sh +++ b/tests/functional/restricted.sh @@ -23,7 +23,7 @@ nix-instantiate --restrict-eval ./simple.nix -I src1=./simple.nix -I src2=./conf (! nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix') nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix' -I src=../.. -expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile ' | grepQuiet "forbidden in restricted mode" +expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile ' | grepQuiet "was not found in the Nix search path" nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile ' -I src=. p=$(nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval --allowed-uris "file://${_NIX_TEST_SOURCE_DIR}") From 8a36d2d8a77dc3f3214ac6f7fd67cbe15ec6c706 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Tue, 19 Nov 2024 18:23:05 +0100 Subject: [PATCH 17/18] Add EvalState::getBuiltins --- src/libexpr-test-support/tests/libexpr.hh | 6 ++++++ src/libexpr-tests/eval.cc | 25 ++++++++++++++++++++++- src/libexpr/eval.cc | 8 +++++++- src/libexpr/eval.hh | 6 ++++++ 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/src/libexpr-test-support/tests/libexpr.hh b/src/libexpr-test-support/tests/libexpr.hh index 045607e875e..095ea1d0e4b 100644 --- a/src/libexpr-test-support/tests/libexpr.hh +++ b/src/libexpr-test-support/tests/libexpr.hh @@ -40,6 +40,12 @@ namespace nix { return v; } + Value * maybeThunk(std::string input, bool forceValue = true) { + Expr * e = state.parseExprFromString(input, state.rootPath(CanonPath::root)); + assert(e); + return e->maybeThunk(state, state.baseEnv); + } + Symbol createSymbol(const char * value) { return state.symbols.create(value); } diff --git a/src/libexpr-tests/eval.cc b/src/libexpr-tests/eval.cc index 93d3f658f52..61f6be0db6f 100644 --- a/src/libexpr-tests/eval.cc +++ b/src/libexpr-tests/eval.cc @@ -138,4 +138,27 @@ TEST(nix_isAllowedURI, non_scheme_colon) { ASSERT_FALSE(isAllowedURI("https://foo/bar:baz", allowed)); } -} // namespace nix \ No newline at end of file +class EvalStateTest : public LibExprTest {}; + +TEST_F(EvalStateTest, getBuiltins_ok) { + auto evaled = maybeThunk("builtins"); + auto & builtins = state.getBuiltins(); + ASSERT_TRUE(builtins.type() == nAttrs); + ASSERT_EQ(evaled, &builtins); +} + +TEST_F(EvalStateTest, getBuiltin_ok) { + auto & builtin = state.getBuiltin("toString"); + ASSERT_TRUE(builtin.type() == nFunction); + // FIXME + // auto evaled = maybeThunk("builtins.toString"); + // ASSERT_EQ(evaled, &builtin); + auto & builtin2 = state.getBuiltin("true"); + ASSERT_EQ(state.forceBool(builtin2, noPos, "in unit test"), true); +} + +TEST_F(EvalStateTest, getBuiltin_fail) { + ASSERT_THROW(state.getBuiltin("nonexistent"), EvalError); +} + +} // namespace nix diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index dd14f485e31..b1b7a0fe6c7 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -523,13 +523,19 @@ Value * EvalState::addPrimOp(PrimOp && primOp) } +Value & EvalState::getBuiltins() +{ + return *baseEnv.values[0]; +} + + Value & EvalState::getBuiltin(const std::string & name) { auto it = baseEnv.values[0]->attrs()->get(symbols.create(name)); if (it) return *it->value; else - throw EvalError("builtin '%1%' not found", name); + error("builtin '%1%' not found", name).debugThrow(); } diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh index 01c725930f5..a14e88f0e39 100644 --- a/src/libexpr/eval.hh +++ b/src/libexpr/eval.hh @@ -630,6 +630,12 @@ public: */ Value & getBuiltin(const std::string & name); + /** + * Retrieve the `builtins` attrset, equivalent to evaluating the reference `builtins`. + * Always returns an attribute set value. + */ + Value & getBuiltins(); + struct Doc { Pos pos; From 5c258d7e255946c5d78ca8116966160e07455347 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Tue, 19 Nov 2024 18:32:09 +0100 Subject: [PATCH 18/18] refactor: Use EvalState::getBuiltins() --- src/libexpr/eval.cc | 6 +++--- src/libexpr/primops.cc | 2 +- src/nix/main.cc | 3 ++- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index b1b7a0fe6c7..63c2e8a7194 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -448,7 +448,7 @@ void EvalState::addConstant(const std::string & name, Value * v, Constant info) /* Install value the base environment. */ staticBaseEnv->vars.emplace_back(symbols.create(name), baseEnvDispl); baseEnv.values[baseEnvDispl++] = v; - baseEnv.values[0]->payload.attrs->push_back(Attr(symbols.create(name2), v)); + getBuiltins().payload.attrs->push_back(Attr(symbols.create(name2), v)); } } @@ -516,7 +516,7 @@ Value * EvalState::addPrimOp(PrimOp && primOp) else { staticBaseEnv->vars.emplace_back(envName, baseEnvDispl); baseEnv.values[baseEnvDispl++] = v; - baseEnv.values[0]->payload.attrs->push_back(Attr(symbols.create(primOp.name), v)); + getBuiltins().payload.attrs->push_back(Attr(symbols.create(primOp.name), v)); } return v; @@ -531,7 +531,7 @@ Value & EvalState::getBuiltins() Value & EvalState::getBuiltin(const std::string & name) { - auto it = baseEnv.values[0]->attrs()->get(symbols.create(name)); + auto it = getBuiltins().attrs()->get(symbols.create(name)); if (it) return *it->value; else diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index aea623435bf..50709b18a1a 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -4937,7 +4937,7 @@ void EvalState::createBaseEnv() /* Now that we've added all primops, sort the `builtins' set, because attribute lookups expect it to be sorted. */ - baseEnv.values[0]->payload.attrs->sort(); + getBuiltins().payload.attrs->sort(); staticBaseEnv->sort(); diff --git a/src/nix/main.cc b/src/nix/main.cc index eff2d60a473..b0e26e093f1 100644 --- a/src/nix/main.cc +++ b/src/nix/main.cc @@ -435,7 +435,8 @@ void mainWrapped(int argc, char * * argv) evalSettings.pureEval = false; EvalState state({}, openStore("dummy://"), fetchSettings, evalSettings); auto builtinsJson = nlohmann::json::object(); - for (auto & builtin : *state.baseEnv.values[0]->attrs()) { + for (auto & builtinPtr : state.getBuiltins().attrs()->lexicographicOrder(state.symbols)) { + auto & builtin = *builtinPtr; auto b = nlohmann::json::object(); if (!builtin.value->isPrimOp()) continue; auto primOp = builtin.value->primOp();