Update Nix 1.1 release notes
This commit is contained in:
Eelco Dolstra
parent
53b24f3518
commit
6c01fb4d68
2 changed files with 70 additions and 8 deletions
|
|
@ -15,24 +15,83 @@
|
|||
<itemizedlist>
|
||||
|
||||
<listitem>
|
||||
<para>Builds in chroots are now executed in a private network
|
||||
namespace, meaning that they do not see any network interfaces
|
||||
except a private loopback interface. This ensures that builds
|
||||
cannot communicate with processes outside of the chroot, or clash
|
||||
with other builds by listening on an identical port number.</para>
|
||||
<para>On Linux, when doing a chroot build, Nix now uses various
|
||||
namespace features provided by the Linux kernel to improve
|
||||
build isolation. Namely:
|
||||
<itemizedlist>
|
||||
<listitem><para>The private network namespace ensures that
|
||||
builders cannot talk to the outside world (or vice versa): each
|
||||
build only sees a private loopback interface. This also means
|
||||
that two concurrent builds can listen on the same port (e.g. as
|
||||
part of a test) without conflicting with each
|
||||
other.</para></listitem>
|
||||
<listitem><para>The PID namespace causes each build to start as
|
||||
PID 1. Processes outside of the chroot are not visible to those
|
||||
on the inside. On the other hand, processes inside the chroot
|
||||
<emphasis>are</emphasis> visible from the outside (though with
|
||||
different PIDs).</para></listitem>
|
||||
<listitem><para>The IPC namespace prevents the builder from
|
||||
communicating with outside processes using SysV IPC mechanisms
|
||||
(shared memory, message queues, semaphores). It also ensures
|
||||
that all IPC objects are destroyed when the builder
|
||||
exits.</para></listitem>
|
||||
<listitem><para>The UTS namespace ensures that builders see a
|
||||
hostname of <literal>localhost</literal> rather than the actual
|
||||
hostname.</para></listitem>
|
||||
<listitem><para>The private mount namespace was already used by
|
||||
Nix to ensure that the bind-mounts used to set up the chroot are
|
||||
cleaned up automatically.</para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Build logs are now compressed using
|
||||
<command>bzip2</command>. The command <command>nix-store
|
||||
-l</command> decompresses them on the fly.</para>
|
||||
-l</command> decompresses them on the fly. This can be disabled
|
||||
by setting the option <literal>build-compress-log</literal> to
|
||||
<literal>false</literal>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The creation of build logs in
|
||||
<filename>/nix/var/log/nix/drvs</filename> can be disabled by
|
||||
setting the new option <literal>build-keep-log</literal> to
|
||||
<literal>false</literal>.</para>
|
||||
<literal>false</literal>. This is useful, for instance, for Hydra
|
||||
build machines.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Nix now reserves some space in
|
||||
<filename>/nix/var/nix/db/reserved</filename> to ensure that the
|
||||
garbage collector can run successfully if the disk is full. This
|
||||
is necessary because SQLite transactions fail if the disk is
|
||||
full.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Added a basic <function>fetchurl</function> function. This
|
||||
is not intended to replace the <function>fetchurl</function> in
|
||||
Nixpkgs, but is useful for bootstrapping; e.g., it will allow us
|
||||
to get rid of the bootstrap binaries in the Nixpkgs source tree
|
||||
and download them instead. You can use it by doing
|
||||
<literal>import <nix/fetchurl.nix> { url =
|
||||
<replaceable>url</replaceable>; sha256 =
|
||||
"<replaceable>hash</replaceable>"; }</literal>. (Shea Levy)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Improved RPM spec file. (Michel Alexandre Salim)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Support for on-demand socket-based activation in the Nix
|
||||
daemon with <command>systemd</command>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Added a manpage for
|
||||
<citerefentry><refentrytitle>nix.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
|
|
|||
|
|
@ -1796,6 +1796,9 @@ void DerivationGoal::startBuilder()
|
|||
with outside processes using SysV IPC mechanisms (shared
|
||||
memory, message queues, semaphores). It also ensures that
|
||||
all IPC objects are destroyed when the builder exits.
|
||||
|
||||
- The UTS namespace ensures that builders see a hostname of
|
||||
localhost rather than the actual hostname.
|
||||
*/
|
||||
#if CHROOT_ENABLED
|
||||
if (useChroot) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue