diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index efaee97d..96691d50 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -497,6 +497,9 @@ in
 };
 nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
+ nix = super.nix.overrideAttrs(oa: {
+ patches = oa.patches or [] ++ [ ./nix-28-networked-derivations.patch ];
+ });
 hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
 patches = oa.patches or [] ++ [
 ./hydra-conda.patch
diff --git a/nixbld-etc-nixos/nix-28-networked-derivations.patch b/nixbld-etc-nixos/nix-28-networked-derivations.patch
new file mode 100644
index 00000000..3575f0de
--- /dev/null
+++ b/nixbld-etc-nixos/nix-28-networked-derivations.patch
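Review bot: The new `nix` override in the @@ -497 hunk carries no comment saying what `nix-28-networked-derivations.patch` does, although it replaces the daemon used by every build on this host and, per the patch added in the same commit, lets any derivation that sets `__networked = true` build with host networking and `impureEnvVars` under the daemon's sandbox. Add a line above the override such as `# Patched nix: honours the __networked derivation attribute (network + impureEnvVars for non-fixed-output builds); only trusted expressions should reach this daemon.`. The `packageOverrides` attribute set opened in this hunk closes outside it.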
@@ -0,0 +1,80 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+index 4c91fa4fb..e2139d6c6 100644
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -378,6 +378,8 @@ void LocalDerivationGoal::startBuilder()
+ additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
+ #endif
++ networked = parsedDrv->getBoolAttr("__networked");
++
+ /* Are we doing a chroot build? */
+ {
+ auto noChroot = parsedDrv->getBoolAttr("__noChroot");
+@@ -395,7 +397,7 @@ void LocalDerivationGoal::startBuilder()
+ else if (settings.sandboxMode == smDisabled)
+ useChroot = false;
+ else if (settings.sandboxMode == smRelaxed)
+- useChroot = derivationType.isSandboxed() && !noChroot;
++ useChroot = !networked && derivationType.isSandboxed() && !noChroot;
+ }
+
+ auto & localStore = getLocalStore();
+@@ -608,7 +610,7 @@ void LocalDerivationGoal::startBuilder()
+ "nogroup:x:65534:\n", sandboxGid()));
+
+ /* Create /etc/hosts with localhost entry. */
+- if (derivationType.isSandboxed())
++ if (!networked && derivationType.isSandboxed())
+ writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
+
+ /* Make the closure of the inputs available in the chroot,
+@@ -799,7 +801,7 @@ void LocalDerivationGoal::startBuilder()
+ us.
+ */
+
+- if (derivationType.isSandboxed())
++ if (!networked && derivationType.isSandboxed())
+ privateNetwork = true;
+
+ userNamespaceSync.create();
+@@ -1063,7 +1065,7 @@ void LocalDerivationGoal::initEnv()
+ to the builder is generally impure, but the output of
+ fixed-output derivations is by definition pure (since we
+ already know the cryptographic hash of the output). 
*/
+- if (!derivationType.isSandboxed()) {
++ if (networked || !derivationType.isSandboxed()) {
+ for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+ env[i] = getEnv(i).value_or("");
+ }
+@@ -1677,7 +1679,7 @@ void LocalDerivationGoal::runChild()
+ /* Fixed-output derivations typically need to access the
+ network, so give them access to /etc/resolv.conf and so
+ on. */
+- if (!derivationType.isSandboxed()) {
++ if (networked || !derivationType.isSandboxed()) {
+ // Only use nss functions to resolve hosts and
+ // services. Don’t use it for anything else that may
+ // be configured for this system. This limits the
+@@ -1921,7 +1923,7 @@ void LocalDerivationGoal::runChild()
+
+ sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
+
+- if (!derivationType.isSandboxed())
++ if (networked || !derivationType.isSandboxed())
+ sandboxProfile += "(import \"sandbox-network.sb\")\n";
+
+ /* Add the output paths we'll use at build-time to the chroot */
+diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
+index d456e9cae..0b43a6bd4 100644
+--- a/src/libstore/build/local-derivation-goal.hh
++++ b/src/libstore/build/local-derivation-goal.hh
+@@ -41,6 +41,8 @@ struct LocalDerivationGoal : public DerivationGoal
+
+ Path chrootRootDir;
+
++ bool networked;
++
+ /* RAII object to delete the chroot directory. */
+ std::shared_ptr autoDelChroot;
+
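Review bot: `networked` disables sandbox isolation in every sandbox mode, not only the relaxed one: the @@ -395 hunk consults it inside the `smRelaxed` branch, but the @@ -608 (`/etc/hosts`), @@ -799 (`privateNetwork`), @@ -1063 (`impureEnvVars`), @@ -1677 (`/etc/resolv.conf`) and @@ -1921 (`sandbox-network.sb`) hunks switch on it unconditionally, so a derivation that sets `__networked = true` gets host networking plus caller environment variables under `sandbox = true`, while its output is still registered as an ordinary input-addressed path with no content hash the daemon could check it against. Unless this is restricted somewhere not visible here, gate the attribute on a daemon-side setting and reject it in strict mode right after the assignment in the @@ -378 hunk, e.g. `if (networked && settings.sandboxMode == smEnabled) throw Error("derivation has '__networked' set, but that's not allowed when 'sandbox' is 'true'");`, the way the `smEnabled` branch just outside the @@ -395 hunk presumably already treats `__noChroot`. The new member in `local-derivation-goal.hh` is also left uninitialised; make it `bool networked = false;` so the flag has a defined value independently of which member function reads it first. A comment at the assignment should state the contract, e.g. `/* __networked: build with host networking and impureEnvVars even though the output is input-addressed and not hash-checked. */`. The enclosing functions `startBuilder()`, `initEnv()` and `runChild()` all start and end outside these hunks.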