
Remove restricted eval mode #1701

Open
edolstra opened this issue Nov 27, 2017 · 5 comments

@edolstra
Member

This feature was added to ensure that Hydra jobs don't access files they're not supposed to touch. However, it would be a lot easier and more secure to just have hydra-eval-jobset run hydra-eval-jobs in a mount namespace containing only the input directories.

The allowed-uris option should be kept though, since that cannot be easily enforced via sandboxing.

@edolstra edolstra self-assigned this Nov 27, 2017
@FRidh
Member

FRidh commented Feb 11, 2018

> in a mount namespace containing only the input directories

Will paths obtained with fetchTarball and fetchGit also be added recursively to the mount namespace as they become available?

@domenkozar
Member

Point: this will limit CIs to always only evaluate on Linux, which may or may not be desired.

@stale

stale bot commented Feb 16, 2021

I marked this as stale due to inactivity.

@stale stale bot added the stale label Feb 16, 2021
@stale

stale bot commented Apr 29, 2022

I closed this issue due to inactivity.

@stale stale bot closed this as completed Apr 29, 2022
@thufschmitt thufschmitt reopened this Feb 24, 2023
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/what-is-restricted-evaluation-mode-in-nix/26578/1

@edolstra edolstra removed their assignment Apr 26, 2024
@stale stale bot removed the stale label Apr 26, 2024