Port the flags of nix-daemon to nix daemon #8788

Merged
merged 9 commits into from
Aug 28, 2023
41 changes: 40 additions & 1 deletion src/nix/daemon.cc
Expand Up @@ -500,6 +500,45 @@ static RegisterLegacyCommand r_nix_daemon("nix-daemon", main_nix_daemon);

struct CmdDaemon : StoreCommand
{
bool stdio = false;
std::optional<TrustedFlag> isTrustedOpt = std::nullopt;

CmdDaemon()
{
addFlag({
.longName = "stdio",
.description = "Attach to standard I/O, instead of trying to bind to a UNIX socket.",
.handler = {&stdio, true},
});

addFlag({
.longName = "force-trusted",
.description = "Forces the daemon to trust connecting clients, forwarding the connection without the receiving daemon processing it.",
Member

Does this actually forward the connection? I assume that depends on nix daemon's own --store parameter: If it's "local", then it won't forward to another daemon.

Member

That is true. Forcing untrusted does make not force in the --stdio case when --store is a RemoteStore subclass, but forcing trusted (if I am reading the code above right) doesn't seem to affect when forwarding happens.

Member Author

So, just "Forces the daemon to trust connecting clients." would be enough as a description in this case?

Member

Yes I think that is good

tomberek marked this conversation as resolved.
.handler = {[&]() {
isTrustedOpt = Trusted;
}},
.experimentalFeature = Xp::DaemonTrustOverride,
});

addFlag({
.longName = "force-untrusted",
.description = "Forces the daemon to not trust connecting clients, the connection will be processed by the receiving daemon before forwarding commands.",
Contributor

Suggested change
.description = "Forces the daemon to not trust connecting clients, the connection will be processed by the receiving daemon before forwarding commands.",
.description = "Force the daemon to not trust connecting clients. The connection will be processed by the receiving daemon before forwarding commands.",

tomberek marked this conversation as resolved.
.handler = {[&]() {
isTrustedOpt = NotTrusted;
}},
.experimentalFeature = Xp::DaemonTrustOverride,
});

addFlag({
.longName = "default-trust",
.description = "Use Nix's default trust.",
.handler = {[&]() {
isTrustedOpt = std::nullopt;
}},
.experimentalFeature = Xp::DaemonTrustOverride,
});
}

std::string description() override
{
return "daemon to perform store operations on behalf of non-root clients";
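
Review bot: The three trust handlers (`--force-trusted`, `--force-untrusted`, `--default-trust`) all assign the same `isTrustedOpt` and nothing in the constructor rejects conflicting combinations, so whichever handler runs last silently wins. For a setting that decides whether connecting clients are trusted, I would rather fail on contradictory flags, or at least state the last-one-wins rule in the descriptions, so a wrapper that appends arguments cannot flip the result unnoticed. The `--force-trusted` description should also say what being trusted allows a client to do; as written it gives an operator no basis for judging the risk.
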
Expand All @@ -516,7 +555,7 @@ struct CmdDaemon : StoreCommand

void run(ref<Store> store) override
{
runDaemon(false, std::nullopt);
runDaemon(stdio, isTrustedOpt);
}
};
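
Review bot: Nothing in this change exercises the new path from the flags to `runDaemon(stdio, isTrustedOpt)`; please add a functional test that runs the daemon with `--force-untrusted` and checks that a client which would otherwise be trusted is treated as untrusted, plus one covering `--stdio`. Separately, `store` is not used in the body of `run()` as shown, so a short comment on how `runDaemon` selects the store it serves would help anyone following the `--store` question raised in the review thread.
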

30 changes: 27 additions & 3 deletions src/nix/daemon.md
@@ -1,20 +1,44 @@
R""(

# Example
# Examples

* Run the daemon in the foreground:
* Run the daemon:

```console
# nix daemon
```

* Run the daemon and listen on standard I/O instead of binding to a UNIX socket:

```console
# nix daemon --stdio
```

* Run the daemon and force all connections to be trusted:

```console
# nix daemon --force-trusted
```

* Run the daemon and force all connections to be untrusted:

```console
# nix daemon --force-untrusted
```

* Run the daemon, listen on standard I/O, and force all connections to use Nix's default trust:

```console
# nix daemon --stdio --default-trust
```

# Description

This command runs the Nix daemon, which is a required component in
multi-user Nix installations. It runs build tasks and other
operations on the Nix store on behalf of non-root users. Usually you
don't run the daemon directly; instead it's managed by a service
management framework such as `systemd`.
management framework such as `systemd` on Linux, or `launchctl` on Darwin.

Note that this daemon does not fork into the background.
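
Review bot: The `--force-trusted`, `--force-untrusted` and `--default-trust` examples do not mention that these flags are registered in `daemon.cc` with `.experimentalFeature = Xp::DaemonTrustOverride`; the page should say that the feature has to be enabled for them. The last example's wording, "force all connections to use Nix's default trust", is also misleading, since the handler only resets `isTrustedOpt` to `std::nullopt`; "use Nix's default trust" would be closer. A sentence in the Description on when forcing trust is appropriate would be worth adding alongside these examples.
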
