Update Nix 1.1 release notes
This commit is contained in:
parent
53b24f3518
commit
6c01fb4d68
2 changed files with 70 additions and 8 deletions
|
@ -15,24 +15,83 @@
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Builds in chroots are now executed in a private network
|
<para>On Linux, when doing a chroot build, Nix now uses various
|
||||||
namespace, meaning that they do not see any network interfaces
|
namespace features provided by the Linux kernel to improve
|
||||||
except a private loopback interface. This ensures that builds
|
build isolation. Namely:
|
||||||
cannot communicate with processes outside of the chroot, or clash
|
<itemizedlist>
|
||||||
with other builds by listening on an identical port number.</para>
|
<listitem><para>The private network namespace ensures that
|
||||||
|
builders cannot talk to the outside world (or vice versa): each
|
||||||
|
build only sees a private loopback interface. This also means
|
||||||
|
that two concurrent builds can listen on the same port (e.g. as
|
||||||
|
part of a test) without conflicting with each
|
||||||
|
other.</para></listitem>
|
||||||
|
<listitem><para>The PID namespace causes each build to start as
|
||||||
|
PID 1. Processes outside of the chroot are not visible to those
|
||||||
|
on the inside. On the other hand, processes inside the chroot
|
||||||
|
<emphasis>are</emphasis> visible from the outside (though with
|
||||||
|
different PIDs).</para></listitem>
|
||||||
|
<listitem><para>The IPC namespace prevents the builder from
|
||||||
|
communicating with outside processes using SysV IPC mechanisms
|
||||||
|
(shared memory, message queues, semaphores). It also ensures
|
||||||
|
that all IPC objects are destroyed when the builder
|
||||||
|
exits.</para></listitem>
|
||||||
|
<listitem><para>The UTS namespace ensures that builders see a
|
||||||
|
hostname of <literal>localhost</literal> rather than the actual
|
||||||
|
hostname.</para></listitem>
|
||||||
|
<listitem><para>The private mount namespace was already used by
|
||||||
|
Nix to ensure that the bind-mounts used to set up the chroot are
|
||||||
|
cleaned up automatically.</para></listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Build logs are now compressed using
|
<para>Build logs are now compressed using
|
||||||
<command>bzip2</command>. The command <command>nix-store
|
<command>bzip2</command>. The command <command>nix-store
|
||||||
-l</command> decompresses them on the fly.</para>
|
-l</command> decompresses them on the fly. This can be disabled
|
||||||
|
by setting the option <literal>build-compress-log</literal> to
|
||||||
|
<literal>false</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The creation of build logs in
|
<para>The creation of build logs in
|
||||||
<filename>/nix/var/log/nix/drvs</filename> can be disabled by
|
<filename>/nix/var/log/nix/drvs</filename> can be disabled by
|
||||||
setting the new option <literal>build-keep-log</literal> to
|
setting the new option <literal>build-keep-log</literal> to
|
||||||
<literal>false</literal>.</para>
|
<literal>false</literal>. This is useful, for instance, for Hydra
|
||||||
|
build machines.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Nix now reserves some space in
|
||||||
|
<filename>/nix/var/nix/db/reserved</filename> to ensure that the
|
||||||
|
garbage collector can run successfully if the disk is full. This
|
||||||
|
is necessary because SQLite transactions fail if the disk is
|
||||||
|
full.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added a basic <function>fetchurl</function> function. This
|
||||||
|
is not intended to replace the <function>fetchurl</function> in
|
||||||
|
Nixpkgs, but is useful for bootstrapping; e.g., it will allow us
|
||||||
|
to get rid of the bootstrap binaries in the Nixpkgs source tree
|
||||||
|
and download them instead. You can use it by doing
|
||||||
|
<literal>import <nix/fetchurl.nix> { url =
|
||||||
|
<replaceable>url</replaceable>; sha256 =
|
||||||
|
"<replaceable>hash</replaceable>"; }</literal>. (Shea Levy)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Improved RPM spec file. (Michel Alexandre Salim)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Support for on-demand socket-based activation in the Nix
|
||||||
|
daemon with <command>systemd</command>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added a manpage for
|
||||||
|
<citerefentry><refentrytitle>nix.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
|
@ -1796,6 +1796,9 @@ void DerivationGoal::startBuilder()
|
||||||
with outside processes using SysV IPC mechanisms (shared
|
with outside processes using SysV IPC mechanisms (shared
|
||||||
memory, message queues, semaphores). It also ensures that
|
memory, message queues, semaphores). It also ensures that
|
||||||
all IPC objects are destroyed when the builder exits.
|
all IPC objects are destroyed when the builder exits.
|
||||||
|
|
||||||
|
- The UTS namespace ensures that builders see a hostname of
|
||||||
|
localhost rather than the actual hostname.
|
||||||
*/
|
*/
|
||||||
#if CHROOT_ENABLED
|
#if CHROOT_ENABLED
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
|
|
Loading…
Reference in a new issue