Revision - df716c9 - In chroot builds, use a private network namespace

Revision df716c98d203ab64cdf05f9c17fdae565b7daa1c authored by Eelco Dolstra on 23 June 2012, 04:28:35 UTC, committed by Eelco Dolstra on 23 June 2012, 04:28:35 UTC

In chroot builds, use a private network namespace

On Linux it's possible to run a process in its own network namespace,
meaning that it gets its own set of network interfaces, disjunct from
the rest of the system.  We use this to completely remove network
access to chroot builds, except that they get a private loopback
interface.  This means that:

- Builders cannot connect to the outside network or to other processes
  on the same machine, except processes within the same build.

- Vice versa, other processes cannot connect to processes in a chroot
  build, and open ports/connections do not show up in "netstat".

- If two concurrent builders try to listen on the same port (e.g. as
  part of a test), they no longer conflict with each other.

This was inspired by the "PrivateNetwork" flag in systemd.

1 parent 2f3f413

Files
Changes

nix-install-package.in

#! @perl@ -w @perlFlags@

use strict;
use File::Temp qw(tempdir);
use Nix::Config;


sub usageError {
    print STDERR <<EOF;
Usage: nix-install-package (FILE | --url URL)

Install a Nix Package (.nixpkg) either directly from FILE or by
downloading it from URL.

Flags:
  --profile / -p LINK: install into the specified profile
  --non-interactive: don't run inside a new terminal
EOF
    ; # '
    exit 1;
}


# Parse the command line arguments.
my @args = @ARGV;
usageError if scalar @args == 0;

my $source;
my $fromURL = 0;
my @extraNixEnvArgs = ();
my $interactive = 1;

while (scalar @args) {
    my $arg = shift @args;
    if ($arg eq "--help") {
        usageError;
    }
    elsif ($arg eq "--url") {
        $fromURL = 1;
    }
    elsif ($arg eq "--profile" || $arg eq "-p") {
        my $profile = shift @args;
        usageError if !defined $profile;
        push @extraNixEnvArgs, "-p", $profile;
    }
    elsif ($arg eq "--non-interactive") {
        $interactive = 0;
    }
    else {
        $source = $arg;
    }
}

usageError unless defined $source;


# Re-execute in a terminal, if necessary, so that if we're executed
# from a web browser, the user gets to see us.
if ($interactive && !defined $ENV{"NIX_HAVE_TERMINAL"}) {
    $ENV{"NIX_HAVE_TERMINAL"} = "1";
    $ENV{"LD_LIBRARY_PATH"} = "";
    foreach my $term ("xterm", "konsole", "gnome-terminal", "xterm") {
        exec($term, "-e", "$Nix::Config::binDir/nix-install-package", @ARGV);
    }
    die "cannot execute `xterm'";
}


my $tmpDir = tempdir("nix-install-package.XXXXXX", CLEANUP => 1, TMPDIR => 1)
    or die "cannot create a temporary directory";


sub barf {
    my $msg = shift;
    print "$msg\n";
    <STDIN> if $interactive;
    exit 1;
}


# Download the package description, if necessary.
my $pkgFile = $source;
if ($fromURL) {
    $pkgFile = "$tmpDir/tmp.nixpkg";
    system("@curl@", "--silent", $source, "-o", $pkgFile) == 0
        or barf "curl failed: $?";
}


# Read and parse the package file.
open PKGFILE, "<$pkgFile" or barf "cannot open `$pkgFile': $!";
my $contents = <PKGFILE>;
close PKGFILE;

my $urlRE = "(?: [a-zA-Z][a-zA-Z0-9\+\-\.]*\:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']+ )";
my $nameRE = "(?: [A-Za-z0-9\+\-\.\_\?\=]+ )"; # see checkStoreName()
my $systemRE = "(?: [A-Za-z0-9\+\-\_]+ )";
my $pathRE = "(?: \/ [\/A-Za-z0-9\+\-\.\_\?\=]* )";

# Note: $pathRE doesn't check that whether we're looking at a valid
# store path.  We'll let nix-env do that.

$contents =~
    / ^ \s* (\S+) \s+ ($urlRE) \s+ ($nameRE) \s+ ($systemRE) \s+ ($pathRE) \s+ ($pathRE) /x
    or barf "invalid package contents";
my $version = $1;
my $manifestURL = $2;
my $drvName = $3;
my $system = $4;
my $drvPath = $5;
my $outPath = $6;

barf "invalid package version `$version'" unless $version eq "NIXPKG1";


if ($interactive) {
    # Ask confirmation.
    print "Do you want to install `$drvName' (Y/N)? ";
    my $reply = <STDIN>;
    chomp $reply;
    exit if $reply ne "y" && $reply ne "Y";
}


# Store the manifest in the temporary directory so that we don't
# pollute /nix/var/nix/manifests.  This also requires that we don't
# use the Nix daemon (because otherwise download-using-manifests won't
# see our NIX_MANIFESTS_DIRS environment variable).
$ENV{NIX_MANIFESTS_DIR} = $tmpDir;
$ENV{NIX_REMOTE} = "";


print "\nPulling manifests...\n";
system("$Nix::Config::binDir/nix-pull", $manifestURL) == 0
    or barf "nix-pull failed: $?";


print "\nInstalling package...\n";
system("$Nix::Config::binDir/nix-env", "--install", $outPath, "--force-name", $drvName, @extraNixEnvArgs) == 0
    or barf "nix-env failed: $?";


if ($interactive) {
    print "\nInstallation succeeded! Press Enter to continue.\n";
    <STDIN>;
}

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...