forked from LnL7/nix
Experimentally allow forcing `nix-daemon` trust; use this to test
We finally test the status quo of remote build trust in a number of ways. We create a new experimental feature on `nix-daemon` to do so. PR NixOS#3921, which improves the situation with trustless remote building, will build upon these changes. This code / these tests were pulled out of there to make this, so everything is easier to review, and in particular we test before and after so the new behavior in that PR is readily apparent from the testsuite diff alone.
1 parent 3f9589f; commit d41e1be. Showing 12 changed files with 145 additions and 17 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
outPath=$(readlink -f $TEST_ROOT/result) | ||
grep 'FOO BAR BAZ' ${remoteDir}/${outPath} |
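Review bot: `$TEST_ROOT/result` in the `readlink -f` call is unquoted, and `${remoteDir}/${outPath}` joins the remote store prefix onto an absolute store path, which produces a double slash (`$remoteDir//nix/store/...`). That works on POSIX filesystems but deserves a comment, and both arguments should be quoted for consistency with the should-fail test: `outPath=$(readlink -f "$TEST_ROOT/result")` and `grep 'FOO BAR BAZ' "${remoteDir}/${outPath}"`. This fragment also depends on `remoteDir` having been set by `build-remote-trustless.sh`, which every caller sources first; a one-line comment stating that dependency would help the next reader.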
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
source common.sh | ||
|
||
enableFeatures "daemon-trust-override" | ||
|
||
restartDaemon | ||
|
||
[[ $busybox =~ busybox ]] || skipTest "no busybox" | ||
|
||
unset NIX_STORE_DIR | ||
unset NIX_STATE_DIR | ||
|
||
# We first build a dependency of the derivation we eventually want to | ||
# build. | ||
nix-build build-hook.nix -A passthru.input2 \ | ||
-o "$TEST_ROOT/input2" \ | ||
--arg busybox "$busybox" \ | ||
--store "$TEST_ROOT/local" \ | ||
--option system-features bar | ||
|
||
# Now when we go to build that downstream derivation, Nix will fail | ||
# because we cannot trustlessly build input-addressed derivations with | ||
# `inputDrv` dependencies. | ||
|
||
file=build-hook.nix | ||
prog=$(readlink -e ./nix-daemon-untrusting.sh) | ||
proto=ssh-ng | ||
|
||
expectStderr 1 source build-remote-trustless.sh \ | ||
| grepQuiet "you are not privileged to build input-addressed derivations" |
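Review bot: the busybox guard comes after `enableFeatures` and `restartDaemon`, so a run that is about to be skipped still restarts the daemon; moving `[[ $busybox =~ busybox ]] || skipTest "no busybox"` to directly after `source common.sh` avoids that. The assertion only checks the error text; since the property under test is that an untrusted client must not get an input-addressed derivation built on the remote, consider also asserting that `$TEST_ROOT/result` does not exist afterwards, so a regression that prints the message but still builds would be caught rather than pass on the grep alone.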
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
source common.sh | ||
|
||
# Remote trusts us | ||
file=build-hook.nix | ||
prog=nix-store | ||
proto=ssh | ||
|
||
source build-remote-trustless.sh | ||
source build-remote-trustless-after.sh |
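Review bot: the comment `# Remote trusts us` states the expectation but not the reason. With `proto=ssh` and `prog=nix-store` the remote side is the legacy `nix-store --serve` protocol, which operates on the store directly as the SSH user and never passes through `nix-daemon`'s trust check, which is why this file needs neither `enableFeatures "daemon-trust-override"` nor `restartDaemon`; saying so in the comment makes clear that this case is the baseline rather than an exercise of the new flag.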
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
source common.sh | ||
|
||
# Remote trusts us | ||
file=build-hook.nix | ||
prog=nix-daemon | ||
proto=ssh-ng | ||
|
||
source build-remote-trustless.sh | ||
source build-remote-trustless-after.sh |
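Review bot: same `# Remote trusts us` comment as the `ssh`/`nix-store` variant, but the reason differs here: a `nix-daemon` launched over `ssh-ng://localhost` runs as the same user and is trusted by default, which is exactly what this commit's `--force-untrusted` wrapper overrides in the other tests. Spelling that out in the comment explains why this file skips `enableFeatures "daemon-trust-override"` and `restartDaemon` while its untrusting siblings need both.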
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
source common.sh | ||
|
||
enableFeatures "daemon-trust-override" | ||
|
||
restartDaemon | ||
|
||
# Remote doesn't trusts us, but this is fine because we are only | ||
# building (fixed) CA derivations. | ||
file=build-hook-ca-fixed.nix | ||
prog=$(readlink -e ./nix-daemon-untrusting.sh) | ||
proto=ssh-ng | ||
|
||
source build-remote-trustless.sh | ||
source build-remote-trustless-after.sh |
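Review bot: typo in the comment, `Remote doesn't trusts us` should read `Remote doesn't trust us`. This is the file that carries the security argument of the series (an untrusted client may still have fixed-output CA derivations built, because the remote checks the produced output against the declared hash), so the comment should state that rather than only `this is fine`; a reader comparing it with the should-fail test then sees immediately which property separates the two outcomes.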
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
requireSandboxSupport | ||
[[ $busybox =~ busybox ]] || skipTest "no busybox" | ||
|
||
unset NIX_STORE_DIR | ||
unset NIX_STATE_DIR | ||
|
||
remoteDir=$TEST_ROOT/remote | ||
|
||
# Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for | ||
# more details. | ||
nix-build $file -o $TEST_ROOT/result --max-jobs 0 \ | ||
--arg busybox $busybox \ | ||
--store $TEST_ROOT/local \ | ||
--builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz" |
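Review bot: `$file`, `$TEST_ROOT/result`, `$busybox` and `$TEST_ROOT/local` are unquoted in the `nix-build` call while the should-fail test quotes the same arguments; quote them here as well. More importantly, `${remoteDir}` is spliced raw into the `--builders` URL ahead of the `%3F`-encoded `?`, so a `TEST_ROOT` containing `?`, `&`, `%` or a space would alter the query string rather than the path; either URL-encode `remoteDir` or comment that the test root is assumed to be a plain path. `--max-jobs 0` is the right choice, since it forces the build onto the remote and stops a silent local fallback from masking a trust regression; a comment saying so, and one naming the trailing `- - 1 1 foo,bar,baz` fields, would make the line self-explaining.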
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/bin/sh | ||
|
||
exec nix-daemon --force-untrusted "$@" |
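Review bot: this wrapper is handed to the builder as `remote-program`, so it must be committed with the executable bit set (the commit view does not show the file mode) and `nix-daemon` must resolve via `PATH` to the freshly built binary, which is what `readlink -e ./nix-daemon-untrusting.sh` in the callers relies on. A short comment noting that `--force-untrusted` only exists behind the `daemon-trust-override` experimental feature and that the wrapper is for the testsuite only would prevent it from being copied into a real deployment.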