From d7fc00b5770a7d194c0ba9e70a4cdb2ece621d5b Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 5 Oct 2020 14:18:59 +0200 Subject: [PATCH] networked derivations --- src/libstore/build.cc | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 0499273a4..40fe4e859 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -845,9 +845,16 @@ private: /* The sort of derivation we are building. */ DerivationType derivationType; + bool networked; + /* Whether to run the build in a private network namespace. */ bool privateNetwork = false; + bool allowNetwork() + { + return derivationIsFixed(drv->type()) || networked; + } + typedef void (DerivationGoal::*GoalState)(); GoalState state; @@ -1293,6 +1300,8 @@ void DerivationGoal::haveDerivation() parsedDrv = std::make_unique(drvPath, *drv); + networked = parsedDrv->getBoolAttr("__networked"); + /* We are first going to try to create the invalid output paths through substitutes. If that doesn't work, we'll build them. */ @@ -2210,7 +2219,7 @@ void DerivationGoal::startBuilder() else if (settings.sandboxMode == smDisabled) useChroot = false; else if (settings.sandboxMode == smRelaxed) - useChroot = !(derivationIsImpure(derivationType)) && !noChroot; + useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot; } if (worker.store.storeDir != worker.store.realStoreDir) { @@ -2434,7 +2443,7 @@ void DerivationGoal::startBuilder() "nogroup:x:65534:\n") % sandboxGid).str()); /* Create /etc/hosts with localhost entry. */ - if (!(derivationIsImpure(derivationType))) + if (!allowNetwork()) writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n"); /* Make the closure of the inputs available in the chroot, @@ -2621,7 +2630,7 @@ void DerivationGoal::startBuilder() us. */ - if (!(derivationIsImpure(derivationType))) + if (!allowNetwork()) privateNetwork = true; userNamespaceSync.create(); 
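Review bot: In the hunk at `-845,9 +845,16`, `bool networked;` is declared without an initializer, unlike `privateNetwork` just below it, so `allowNetwork()` would read an indeterminate value on any path that reaches it before `haveDerivation()` has assigned the member. Declaring it as `bool networked = false;` makes the sandbox decision fail closed. `allowNetwork()` also tests `derivationIsFixed(drv->type())`, whereas every call site it replaces tested `derivationIsImpure(derivationType)`; unless the two predicates are meant to differ, `return derivationIsImpure(derivationType) || networked;` keeps the old behaviour for existing derivations, and the function can be marked `const`. A short comment on the member, such as `/* Whether the derivation set __networked to request network access during the build. */`, would match the neighbouring declarations.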
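Review bot: `networked = parsedDrv->getBoolAttr("__networked");` in `haveDerivation()` takes the flag straight from the derivation with no visible check on the store's side, so whoever authors a derivation can switch off network isolation for a build whose output is not pinned by a hash. The later hunks in `startBuilder()`, `initEnv()` and `runChild()` all act on this one value. Consider honouring the attribute only when an explicit store-side setting permits it, and failing the build with an error otherwise, so that an enforced sandbox cannot be weakened from inside the derivation itself. The function body continues outside the hunk, so a check may exist elsewhere, but none is part of this patch.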
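Review bot: In the `smRelaxed` branch of `startBuilder()`, `useChroot = !allowNetwork() && ...` makes `__networked` turn off the whole chroot rather than only the private network namespace, so a derivation that asks for network access also loses filesystem isolation. For fixed-output derivations the added term appears redundant, since the existing `derivationIsImpure(derivationType)` test already seems to cover them. If the intent is network access only, leave this line as `useChroot = !(derivationIsImpure(derivationType)) && !noChroot;` and let the `privateNetwork` hunk further down carry the change. The enclosing function starts and ends outside the hunk.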
@@ -2833,7 +2842,7 @@ void DerivationGoal::initEnv() to the builder is generally impure, but the output of fixed-output derivations is by definition pure (since we already know the cryptographic hash of the output). */ - if (derivationIsImpure(derivationType)) { + if (allowNetwork()) { for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings())) env[i] = getEnv(i).value_or(""); } @@ -3447,7 +3456,7 @@ void DerivationGoal::runChild() /* Fixed-output derivations typically need to access the network, so give them access to /etc/resolv.conf and so on. */ - if (derivationIsImpure(derivationType)) { + if (allowNetwork()) { ss.push_back("/etc/resolv.conf"); // Only use nss functions to resolve hosts and -- 2.28.0
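Review bot: In `initEnv()`, switching the guard to `allowNetwork()` passes `impureEnvVars` from the builder's host environment into `__networked` builds, but the comment directly above justifies that exposure only by the output hash of a fixed-output derivation being known in advance. A networked derivation that is not fixed-output has no such hash, and these variables may carry proxy settings or credentials that the build can then use or embed in its output. Keeping `if (derivationIsImpure(derivationType)) {` here would give networked builds the network without the extra environment. If the wider behaviour is intended, the comment should say so.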
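Review bot: The comment above the changed condition in `runChild()` still says that fixed-output derivations are the ones given `/etc/resolv.conf`, which no longer matches `if (allowNetwork())`. It could be reworded along the lines of `/* Fixed-output and __networked derivations need to access the network, so give them access to /etc/resolv.conf and so on. */`. The `/etc/hosts` and `privateNetwork` hunks in `startBuilder()` have the same gap: the condition is now broader than the surrounding comments explain. The block opened by this `if` continues past the end of the hunk.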