diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index cb4ca28..0b82fc8 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -406,7 +406,7 @@ in
 patches = oa.patches or [] ++ [ ./nix-networked-derivations.diff ];
 });
 nixFlakes = super.nixFlakes.overrideAttrs(oa: {
- patches = oa.patches or [] ++ [ ./nix-networked-derivations.diff ];
+ patches = oa.patches or [] ++ [ ./nix-3-networked-derivations.patch ];
 });
 hydra-unstable = super.hydra-unstable.overrideAttrs(oa: {
 patches = oa.patches or [] ++ [
diff --git a/nixbld-etc-nixos/nix-3-networked-derivations.patch b/nixbld-etc-nixos/nix-3-networked-derivations.patch
new file mode 100644
index 0000000..5000f13
--- /dev/null
+++ b/nixbld-etc-nixos/nix-3-networked-derivations.patch
@@ -0,0 +1,87 @@
+From d7fc00b5770a7d194c0ba9e70a4cdb2ece621d5b Mon Sep 17 00:00:00 2001
+From: Astro
+Date: Mon, 5 Oct 2020 14:18:59 +0200
+Subject: [PATCH] networked derivations
+
+---
+ src/libstore/build.cc | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/libstore/build.cc b/src/libstore/build.cc
+index 0499273a4..40fe4e859 100644
+--- a/src/libstore/build.cc
++++ b/src/libstore/build.cc
+@@ -845,9 +845,16 @@ private:
+ /* The sort of derivation we are building. */
+ DerivationType derivationType;
+
++ bool networked;
++
+ /* Whether to run the build in a private network namespace. */
+ bool privateNetwork = false;
+
++ bool allowNetwork()
++ {
++ return derivationIsFixed(drv->type()) || networked;
++ }
++
+ typedef void (DerivationGoal::*GoalState)();
+ GoalState state;
+
+@@ -1293,6 +1300,8 @@ void DerivationGoal::haveDerivation()
+ parsedDrv = std::make_unique(drvPath, *drv);
+
+
++ networked = parsedDrv->getBoolAttr("__networked");
++
+ /* We are first going to try to create the invalid output paths
+ through substitutes. If that doesn't work, we'll build
+ them. */
+@@ -2210,7 +2219,7 @@ void DerivationGoal::startBuilder()
+ else if (settings.sandboxMode == smDisabled)
+ useChroot = false;
+ else if (settings.sandboxMode == smRelaxed)
+- useChroot = !(derivationIsImpure(derivationType)) && !noChroot;
++ useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot;
+ }
+
+ if (worker.store.storeDir != worker.store.realStoreDir) {
+@@ -2434,7 +2443,7 @@ void DerivationGoal::startBuilder()
+ "nogroup:x:65534:\n") % sandboxGid).str());
+
+ /* Create /etc/hosts with localhost entry. */
+- if (!(derivationIsImpure(derivationType)))
++ if (!allowNetwork())
+ writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
+
+ /* Make the closure of the inputs available in the chroot,
+@@ -2621,7 +2630,7 @@ void DerivationGoal::startBuilder()
+ us.
+ */
+
+- if (!(derivationIsImpure(derivationType)))
++ if (!allowNetwork())
+ privateNetwork = true;
+
+ userNamespaceSync.create();
+@@ -2833,7 +2842,7 @@ void DerivationGoal::initEnv()
+ to the builder is generally impure, but the output of
+ fixed-output derivations is by definition pure (since we
+ already know the cryptographic hash of the output). */
+- if (derivationIsImpure(derivationType)) {
++ if (allowNetwork()) {
+ for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+ env[i] = getEnv(i).value_or("");
+ }
+@@ -3447,7 +3456,7 @@ void DerivationGoal::runChild()
+ /* Fixed-output derivations typically need to access the
+ network, so give them access to /etc/resolv.conf and so
+ on. */
+- if (derivationIsImpure(derivationType)) {
++ if (allowNetwork()) {
+ ss.push_back("/etc/resolv.conf");
+
+ // Only use nss functions to resolve hosts and
+--
+2.28.0
+
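Review bot: `allowNetwork()` trusts `__networked`, which `haveDerivation()` reads from the derivation itself via `parsedDrv->getBoolAttr("__networked")`, so whoever writes a derivation decides whether its build skips the private network namespace, sees the host `/etc/resolv.conf`, and receives `impureEnvVars` from the daemon environment. Fixed-output builds get those privileges because their output hash is known in advance; a `__networked` build has no such check, so anything it fetches or copies out of the passed-through environment can land in the store unverified. In the `smRelaxed` branch the same flag also forces `useChroot` to false, a much wider grant than network access; I would leave that line as it was and honour the attribute only when the daemon operator has opted in (a store setting or a trusted-submitter check, whichever fits the project). Separately, `bool networked;` is uninitialised until `haveDerivation()` runs, unlike `privateNetwork` next to it; declare it as `bool networked = false;`. The bodies of `startBuilder()`, `initEnv()` and `runChild()` extend outside the embedded hunks, so other uses of `derivationIsImpure` may need the same review.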