From ea30130943944c7ceeef56faf5e445b69d940e86 Mon Sep 17 00:00:00 2001 From: Moritz Kiefer Date: Wed, 28 Jan 2015 08:59:40 +0100 Subject: [PATCH 01/12] Fix openjdk8 build for i686 see http://mail.openjdk.java.net/pipermail/core-libs-dev/2013-July/019203.html --- pkgs/development/compilers/openjdk/openjdk8.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/openjdk/openjdk8.nix b/pkgs/development/compilers/openjdk/openjdk8.nix index 98bf5bbad2c5..58cec16165b1 100644 --- a/pkgs/development/compilers/openjdk/openjdk8.nix +++ b/pkgs/development/compilers/openjdk/openjdk8.nix @@ -78,7 +78,7 @@ stdenv.mkDerivation { "--with-build-number=b${build}" "--with-milestone=fcs" ]; - buildFlags = "all"; + buildFlags = "DEBUG_BINARIES=true all"; installPhase = '' mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk From 7c40fe361a4b752cd4f4478c0feb73331bf9db29 Mon Sep 17 00:00:00 2001 From: Moritz Kiefer Date: Sun, 25 Jan 2015 22:58:18 +0100 Subject: [PATCH 02/12] Update to openjdk8u31b13 --- .../compilers/openjdk/openjdk8.nix | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pkgs/development/compilers/openjdk/openjdk8.nix b/pkgs/development/compilers/openjdk/openjdk8.nix index 58cec16165b1..fa9c64a6ea6c 100644 --- a/pkgs/development/compilers/openjdk/openjdk8.nix +++ b/pkgs/development/compilers/openjdk/openjdk8.nix 
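Review bot: `buildFlags = "DEBUG_BINARIES=true all"` applies to every architecture, although the subject limits the fix to the i686 build, so the x86_64 build now also picks up whatever that make variable changes in the OpenJDK build. The same file already branches on the host for `paxflags` (`if stdenv.isi686 then "msp" else "m"`), so the workaround could be scoped the same way: `buildFlags = if stdenv.isi686 then "DEBUG_BINARIES=true all" else "all";`. Either way the reason belongs next to the line, e.g. `# DEBUG_BINARIES=true works around the i686 build failure discussed in the core-libs-dev thread referenced in the commit`, because the mailing-list link currently lives only in the commit message.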
@@ -1,41 +1,41 @@ { stdenv, fetchurl, cpio, file, which, unzip, zip, xorg, cups, freetype, alsaLib, openjdk, cacert, perl } : let - update = "25"; - build = "18"; + update = "31"; + build = "13"; baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u"; repover = "jdk8u${update}-b${build}"; paxflags = if stdenv.isi686 then "msp" else "m"; jdk8 = fetchurl { url = "${baseurl}/archive/${repover}.tar.gz"; - sha256 = "90eb3f3cb7094e609686168ec52ba462ef0f9832a4264bd1575e5896a6dd85c3"; + sha256 = "824b28c554ce32edbdaa77cc4f21f8ed57542c74c8748b89cd06be43a1537b34"; }; langtools = fetchurl { url = "${baseurl}/langtools/archive/${repover}.tar.gz"; - sha256 = "f292afe8540436090489841771259b274e3c36d42f11d0f58ba8082cd24fcc66"; + sha256 = "3e09a644d2fb38970acf78c72bc201c031d43574b5a3f7e00bec1b11bffec9c4"; }; hotspot = fetchurl { url = "${baseurl}/hotspot/archive/${repover}.tar.gz"; - sha256 = "e574567b48f57c5cdeebae6fa22e2482c05446dbf9133e820f2d95e99459ddf2"; + sha256 = "485b1a88b4b44b468e96211de238a5eed80f7472f91977fc27e2f443a8ab8ed3"; }; corba = fetchurl { url = "${baseurl}/corba/archive/${repover}.tar.gz"; - sha256 = "61d0bba710d6803b0368c93bc9182b0b40348eed81d578886a03904baf61ba6f"; + sha256 = "47b07945d3f534e6b87dc273676b8bcb493292e8769667493bb5febfb5c9f347"; }; jdk = fetchurl { url = "${baseurl}/jdk/archive/${repover}.tar.gz"; - sha256 = "8ef05535a0e03c4262d55cc67887e884f3fda8e4872cbc2941dcb216ef1460ca"; + sha256 = "b3801935199973cc02df02ac2f2587ff0f1989f98af5bf6fe46520a8108c8d6a"; }; jaxws = fetchurl { url = "${baseurl}/jaxws/archive/${repover}.tar.gz"; - sha256 = "afbdf119af2ffc0f9cd6eb93e6dac8e6a56a4ed4b68c7ff07f9b0c1a6bd56a8f"; + sha256 = "04bb35fd8b071f65014fa1d3b9816886b88e06548eeda27181993b80efb6a0bf"; }; jaxp = fetchurl { url = "${baseurl}/jaxp/archive/${repover}.tar.gz"; - sha256 = "2e91c958024e6b64f7484b8225e07edce3bd3bcde43081fb73f32e4b73ef7b87"; + sha256 = "74bb7a376fa706e4283e235caebbcf9736974a6a4cf97b8c8335d389581965e2"; }; nashorn = fetchurl { url = 
"${baseurl}/nashorn/archive/${repover}.tar.gz"; - sha256 = "98b4fc2d448920b81404ce745d9c00e9a33b58e123176dec4074caf611c3f9c2"; + sha256 = "2fbdcb016506de4e86db5813c78b28382df5b601f0e73ffd5465c12519b75fd3"; }; in stdenv.mkDerivation { From f215189d1d47f580e018c6153d0cee19d53e883a Mon Sep 17 00:00:00 2001 From: Moritz Kiefer Date: Wed, 28 Jan 2015 09:20:00 +0100 Subject: [PATCH 03/12] Make openjdk work with nonreparenting wms --- .../compilers/openjdk/nonreparenting-wm.patch | 39 +++++++++++++++++++ .../compilers/openjdk/openjdk8.nix | 1 + 2 files changed, 40 insertions(+) create mode 100644 pkgs/development/compilers/openjdk/nonreparenting-wm.patch diff --git a/pkgs/development/compilers/openjdk/nonreparenting-wm.patch b/pkgs/development/compilers/openjdk/nonreparenting-wm.patch new file mode 100644 index 000000000000..49db6fb1ea6f --- /dev/null +++ b/pkgs/development/compilers/openjdk/nonreparenting-wm.patch 
@@ -0,0 +1,39 @@ +--- a/jdk/src/solaris/classes/sun/awt/X11/XWM.java 2014-09-06 18:41:39.018530981 -0400 ++++ b/jdk/src/solaris/classes/sun/awt/X11/XWM.java 2014-09-06 18:46:43.098540372 -0400 +@@ -104,7 +104,8 @@ + COMPIZ_WM = 12, + LG3D_WM = 13, + CWM_WM = 14, +- MUTTER_WM = 15; ++ MUTTER_WM = 15, ++ OTHER_NONREPARENTING_WM = 16; + public String toString() { + switch (WMID) { + case NO_WM: +@@ -596,7 +597,7 @@ + } + + static boolean isNonReparentingWM() { +- return (XWM.getWMID() == XWM.COMPIZ_WM || XWM.getWMID() == XWM.LG3D_WM || XWM.getWMID() == XWM.CWM_WM); ++ return (XWM.getWMID() == XWM.COMPIZ_WM || XWM.getWMID() == XWM.LG3D_WM || XWM.getWMID() == XWM.CWM_WM || XWM.getWMID() == XWM.OTHER_NONREPARENTING_WM); + } + + /* +@@ -786,6 +787,9 @@ + } else if (doIsIceWM && isIceWM()) { + awt_wmgr = XWM.ICE_WM; + } ++ else if (XToolkit.getEnv("_JAVA_AWT_WM_NONREPARENTING") != null) { ++ awt_wmgr = XWM.OTHER_NONREPARENTING_WM; ++ } + /* + * We don't check for legacy WM when we already know that WM + * supports WIN or _NET wm spec. +@@ -1332,6 +1336,7 @@ + res = new Insets(28, 6, 6, 6); + break; + case NO_WM: ++ case OTHER_NONREPARENTING_WM: + case LG3D_WM: + res = zeroInsets; + break; \ No newline at end of file diff --git a/pkgs/development/compilers/openjdk/openjdk8.nix b/pkgs/development/compilers/openjdk/openjdk8.nix index fa9c64a6ea6c..7ef238e03bc3 100644 --- a/pkgs/development/compilers/openjdk/openjdk8.nix +++ b/pkgs/development/compilers/openjdk/openjdk8.nix @@ -58,6 +58,7 @@ stdenv.mkDerivation { ./fix-java-home.patch ./read-truststore-from-env-jdk8.patch ./currency-date-range-jdk8.patch + ./nonreparenting-wm.patch ]; preConfigure = '' chmod +x configure From 7ccede4aabe0ff686d748f6550a9eca4d2bb7b2d Mon Sep 17 00:00:00 2001 From: koral Date: Thu, 5 Feb 2015 16:58:21 +0100 Subject: [PATCH 04/12] cppcheck: 1.67 -> 1.68 --- pkgs/development/tools/analysis/cppcheck/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
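Review bot: The new `./nonreparenting-wm.patch` entry makes AWT behaviour depend on an environment variable (`_JAVA_AWT_WM_NONREPARENTING`, added to XWM.java in the hunk above), but nothing in openjdk8.nix records that interface and the patch file carries no note of where it came from. A one-line comment on the list entry would help users whose window manager is not detected, e.g. `# Honour _JAVA_AWT_WM_NONREPARENTING so AWT treats unknown non-reparenting WMs like NO_WM (zero insets)` — the insets part is what the added `case OTHER_NONREPARENTING_WM:` in the last hunk of the patch does. If the patch was taken from another distribution, naming that source in the same comment makes future rebases easier.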
diff --git a/pkgs/development/tools/analysis/cppcheck/default.nix b/pkgs/development/tools/analysis/cppcheck/default.nix index d65500d9d50c..d94d44836820 100644 --- a/pkgs/development/tools/analysis/cppcheck/default.nix +++ b/pkgs/development/tools/analysis/cppcheck/default.nix @@ -4,14 +4,14 @@ let name = "cppcheck"; - version = "1.67"; + version = "1.68"; in stdenv.mkDerivation { name = "${name}-${version}"; src = fetchurl { url = "mirror://sourceforge/${name}/${name}-${version}.tar.bz2"; - sha256 = "1f9azv714mk37mjij29nfyd3hizsnj6wry1mmv7kxj0i1k7w0532"; + sha256 = "1ca9fdhrrxfyzd6kn67gxbfszp70191cf3ndasrh5jh55ghybmmd"; }; configurePhase = '' From 654d1f21b2487cdfdf5e23bbb704b8043969d0b2 Mon Sep 17 00:00:00 2001 From: Emil Rangden Date: Thu, 5 Feb 2015 17:35:10 +0100 Subject: [PATCH 05/12] despotify source moved --- pkgs/development/libraries/despotify/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/despotify/default.nix b/pkgs/development/libraries/despotify/default.nix index 8e679221a486..172a823cfdc5 100644 --- a/pkgs/development/libraries/despotify/default.nix +++ b/pkgs/development/libraries/despotify/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { name = "despotify-svn521"; src = fetchsvn { - url = "https://despotify.svn.sourceforge.net/svnroot/despotify"; + url = "http://svn.code.sf.net/p/despotify/code"; rev = "521"; }; From b3ee378f5038886d08b2a17eb4ab5130ba7f77b8 Mon Sep 17 00:00:00 2001 
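Review bot: The replacement URL moves the checkout from `https://` to plain `http://`, so the SVN fetch is no longer transport-protected; the hunk shows only `rev = "521"`, and a revision number alone does not authenticate what the server returns unless a fixed-output hash elsewhere in the derivation (not visible in this hunk) pins the result. SourceForge also serves svn.code.sf.net over TLS, so `url = "https://svn.code.sf.net/p/despotify/code";` keeps the fix without the downgrade. The `src = fetchsvn { ... }` attribute set is fully inside the hunk; the rest of the derivation is not.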
From: Nikolay Amiantov Date: Thu, 5 Feb 2015 18:12:14 +0300 Subject: [PATCH 06/12] buildFHSChrootEnv: split environment and chroot scripts --- .../build-fhs-chrootenv/default.nix | 185 +----------------- .../build-fhs-chrootenv/destroy.sh.in | 4 +- .../build-support/build-fhs-chrootenv/env.nix | 176 +++++++++++++++++ .../build-fhs-chrootenv/init.sh.in | 6 +- pkgs/top-level/all-packages.nix | 14 +- 5 files changed, 194 insertions(+), 191 deletions(-) create mode 100644 pkgs/build-support/build-fhs-chrootenv/env.nix diff --git a/pkgs/build-support/build-fhs-chrootenv/default.nix b/pkgs/build-support/build-fhs-chrootenv/default.nix index a4ba456d7a53..8f24ab5e63c7 100644 --- a/pkgs/build-support/build-fhs-chrootenv/default.nix +++ b/pkgs/build-support/build-fhs-chrootenv/default.nix 
@@ -1,97 +1,6 @@ -{ buildEnv, nixpkgs, nixpkgs_i686, system -, stdenv, glibc, glibc_multi, glibcLocales -, bashInteractive, coreutils, less, shadow, su -, gawk, gcc, gcc_multi, diffutils, findutils, gnused, gnugrep -, gnutar, gzip, bzip2, xz -} : -{ name, pkgs ? [], profile ? "" -, targetPkgs ? null, multiPkgs ? null -, extraBuildCommands ? "", extraBuildCommandsMulti ? "" -}: - -assert pkgs != [] -> targetPkgs == null && multiPkgs == null; -assert targetPkgs != null -> multiPkgs != null; -assert multiPkgs != null -> targetPkgs != null; -assert targetPkgs != null -> pkgs == []; - - -# HOWTO: -# If pkgs is defined buildFHSChrootEnv will run in legacy mode. This means -# it will build all pkgs contained in pkgs and basePkgs and then just merge -# all of their contents together via buildEnv. -# -# The new way is to define both targetPkgs and multiPkgs. These two are -# functions which get a pkgs environment supplied and should then return a list -# of packages based this environment. -# For example: targetPkgs = pkgs: [ pkgs.nmap ]; -# -# All packages (most likeley programs) placed in targetPkgs will only be -# installed once--matching the hosts architecture (64bit on x86_64 and 32bit on -# x86). These packages will populate the chroot directory tree. -# -# Packages (most likeley libraries) defined in multiPkgs will be installed once -# on x86 systems and twice on x86_64 systems. -# On x86 they will just be merge with the packages defined in targetPkgs. -# On x86_64 they will be added to targetPkgs and in addition their 32bit -# versions will also be installed. 
The final directory should look as follows: -# /lib will include 32bit libraries from multiPkgs -# /lib32 will link to /lib -# /lib64 will include 64bit libraries from multiPkgs and targetPkgs -# /x86 will contain a complete 32bit environment composed by multiPkgs +{ stdenv } : { env } : let - is64Bit = system == "x86_64-linux"; - # enable multi builds on x86_64 hosts if pakgs_target/multi are defined - isMultiBuild = is64Bit && targetPkgs != null; - isTargetBuild = !isMultiBuild; - - # list of packages (usually programs) which will only be installed for the - # hosts architecture - targetPaths = if targetPkgs == null - then pkgs - else targetPkgs nixpkgs ++ multiPkgs nixpkgs; - - # list of pckages which should be build for both x86 and x86_64 on x86_64 - # systems - multiPaths = if isMultiBuild - then multiPkgs nixpkgs_i686 - else []; - - # base packages of the chroot - # these match the hosts architecture, gcc/glibc_multi will be choosen - # on multi builds - choosenGcc = if isMultiBuild then gcc_multi else gcc; - basePkgs = - [ (if isMultiBuild then glibc_multi else glibc) - choosenGcc - bashInteractive coreutils less shadow su - gawk diffutils findutils gnused gnugrep - gnutar gzip bzip2 xz - ]; - - # Compose a global profile for the chroot environment - profilePkg = nixpkgs.stdenv.mkDerivation { - name = "${name}-chrootenv-profile"; - buildCommand = '' - mkdir -p $out/etc - cat >> $out/etc/profile << "EOF" - export PS1='${name}-chrootenv:\u@\h:\w\$ ' - ${profile} - EOF - ''; - }; - - # Composes a /usr like directory structure - staticUsrProfileTarget = buildEnv { - name = "system-profile-target"; - paths = basePkgs ++ [ profilePkg ] ++ targetPaths; - }; - - staticUsrProfileMulti = buildEnv { - name = "system-profile-multi"; - paths = multiPaths; - }; - # References to shell scripts that set up or tear down the environment initSh = ./init.sh.in; mountSh = ./mount.sh.in; 
@@ -99,89 +8,15 @@ let umountSh = ./umount.sh.in; destroySh = ./destroy.sh.in; - linkProfile = profile: '' - for i in ${profile}/{etc,bin,sbin,share,var}; do - if [ -x "$i" ] - then - ln -s "$i" - fi - done - ''; - - # the target profile is the actual profile that will be used for the chroot - setupTargetProfile = '' - ${linkProfile staticUsrProfileTarget} - ${setupLibDirs} - - mkdir -m0755 usr - cd usr - ${linkProfile staticUsrProfileTarget} - ${setupLibDirs} - cd .. - ''; - - # this will happen on x86_64 host: - # /x86 -> links to the whole profile defined by multiPaths - # /lib, /lib32 -> links to 32bit binaries - # /lib64 -> links to 64bit binaries - # /usr/lib* -> same as above - setupMultiProfile = if isTargetBuild then "" else '' - mkdir -m0755 x86 - cd x86 - ${linkProfile staticUsrProfileMulti} - cd .. - ''; - - setupLibDirs = if isTargetBuild then setupLibDirs_target - else setupLibDirs_multi; - - # setup library paths only for the targeted architecture - setupLibDirs_target = '' - mkdir -m0755 lib - - # copy content of targetPaths - cp -rsf ${staticUsrProfileTarget}/lib/* lib/ - ''; - - # setup /lib, /lib32 and /lib64 - setupLibDirs_multi = '' - mkdir -m0755 lib - mkdir -m0755 lib64 - ln -s lib lib32 - - # copy glibc stuff - cp -rsf ${staticUsrProfileTarget}/lib/32/* lib/ - - # copy content of multiPaths (32bit libs) - cp -rsf ${staticUsrProfileMulti}/lib/* lib/ - - # copy content of targetPaths (64bit libs) - cp -rsf ${staticUsrProfileTarget}/lib/* lib64/ - - # most 64bit only libs put their stuff into /lib - # some pkgs (like gcc_multi) put 32bit libs into and /lib 64bit libs into /lib64 - # by overwriting these we will hopefully catch all these cases - # in the end /lib should only contain 32bit and /lib64 only 64bit libs - cp -rsf ${staticUsrProfileTarget}/lib64/* lib64/ - - # copy gcc libs (and may overwrite exitsting wrongly placed libs) - cp -rsf ${choosenGcc.cc}/lib/* lib/ - cp -rsf ${choosenGcc.cc}/lib64/* lib64/ - ''; + name = env.pname; in 
stdenv.mkDerivation { name = "${name}-chrootenv"; buildCommand = '' - mkdir -p "$out/sw" - cd "$out/sw" - ${setupTargetProfile} - ${setupMultiProfile} - cd .. + mkdir -p $out/bin + cd $out/bin - mkdir -p bin - cd bin - - sed -e "s|@chrootEnv@|$out|g" \ + sed -e "s|@chrootEnv@|${env}|g" \ -e "s|@name@|${name}|g" \ -e "s|@shell@|${stdenv.shell}|g" \ ${initSh} > init-${name}-chrootenv @@ -202,18 +37,10 @@ in stdenv.mkDerivation { ${umountSh} > umount-${name}-chrootenv chmod +x umount-${name}-chrootenv - sed -e "s|@chrootEnv@|$out|g" \ + sed -e "s|@chrootEnv@|${env}|g" \ -e "s|@shell@|${stdenv.shell}|g" \ -e "s|@name@|${name}|g" \ ${destroySh} > destroy-${name}-chrootenv chmod +x destroy-${name}-chrootenv - - cd .. - - cd "$out/sw" - ${extraBuildCommands} - cd "$out/sw" - ${if isMultiBuild then extraBuildCommandsMulti else ""} - cd .. ''; } diff --git a/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in b/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in index 8ddf350913eb..015f742d85a5 100644 --- a/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in +++ b/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in @@ -6,9 +6,9 @@ chrootenvDest=/run/chrootenv/@name@ rmdir $chrootenvDest/{dev,nix/store,nix,proc,sys,host-etc,home,var,run,tmp} # Remove symlinks to the software that should be part of the chroot system profile -for i in @chrootEnv@/sw/* +for i in @chrootEnv@/* do - if [ "$i" != "@chrootEnv@/sw/etc" ] && [ "$i" != "@chrootEnv@/sw/var" ] + if [ "$i" != "@chrootEnv@/etc" ] && [ "$i" != "@chrootEnv@/var" ] then rm $chrootenvDest/$(basename $i) fi diff --git a/pkgs/build-support/build-fhs-chrootenv/env.nix b/pkgs/build-support/build-fhs-chrootenv/env.nix new file mode 100644 index 000000000000..12c0fff7510a --- /dev/null +++ b/pkgs/build-support/build-fhs-chrootenv/env.nix 
@@ -0,0 +1,176 @@ +{ nixpkgs, nixpkgs_i686, system +} : +{ name, pkgs ? [], profile ? "" +, targetPkgs ? null, multiPkgs ? null +, extraBuildCommands ? "", extraBuildCommandsMulti ? "" +}: + +assert pkgs != [] -> targetPkgs == null && multiPkgs == null; +assert targetPkgs != null -> multiPkgs != null; +assert multiPkgs != null -> targetPkgs != null; +assert targetPkgs != null -> pkgs == []; + + +# HOWTO: +# If pkgs is defined buildFHSEnv will run in legacy mode. This means +# it will build all pkgs contained in pkgs and basePkgs and then just merge +# all of their contents together via buildEnv. +# +# The new way is to define both targetPkgs and multiPkgs. These two are +# functions which get a pkgs environment supplied and should then return a list +# of packages based this environment. +# For example: targetPkgs = pkgs: [ pkgs.nmap ]; +# +# All packages (most likely programs) placed in targetPkgs will only be +# installed once--matching the hosts architecture (64bit on x86_64 and 32bit on +# x86). These packages will populate the chroot directory tree. +# +# Packages (most likeley libraries) defined in multiPkgs will be installed once +# on x86 systems and twice on x86_64 systems. +# On x86 they will just be merge with the packages defined in targetPkgs. +# On x86_64 they will be added to targetPkgs and in addition their 32bit +# versions will also be installed. 
The final directory should look as follows: +# /lib will include 32bit libraries from multiPkgs +# /lib32 will link to /lib +# /lib64 will include 64bit libraries from multiPkgs and targetPkgs +# /x86 will contain a complete 32bit environment composed by multiPkgs + +let + is64Bit = system == "x86_64-linux"; + # enable multi builds on x86_64 hosts if pakgs_target/multi are defined + isMultiBuild = is64Bit && targetPkgs != null; + isTargetBuild = !isMultiBuild; + + # list of packages (usually programs) which will only be installed for the + # hosts architecture + targetPaths = if targetPkgs == null + then pkgs + else targetPkgs nixpkgs ++ multiPkgs nixpkgs; + + # list of pckages which should be build for both x86 and x86_64 on x86_64 + # systems + multiPaths = if isMultiBuild + then multiPkgs nixpkgs_i686 + else []; + + # base packages of the chroot + # these match the hosts architecture, gcc/glibc_multi will be choosen + # on multi builds + chosenGcc = if isMultiBuild then nixpkgs.gcc_multi else nixpkgs.gcc; + basePkgs = with nixpkgs; + [ (if isMultiBuild then glibc_multi else glibc) + chosenGcc + bashInteractive coreutils less shadow su + gawk diffutils findutils gnused gnugrep + gnutar gzip bzip2 xz + ]; + + # Compose a global profile for the chroot environment + profilePkg = nixpkgs.stdenv.mkDerivation { + name = "${name}-chrootenv-profile"; + buildCommand = '' + mkdir -p $out/etc + cat >> $out/etc/profile << "EOF" + export PS1='${name}-chrootenv:\u@\h:\w\$ ' + ${profile} + EOF + ''; + }; + + # Composes a /usr like directory structure + staticUsrProfileTarget = nixpkgs.buildEnv { + name = "system-profile-target"; + paths = basePkgs ++ [ profilePkg ] ++ targetPaths; + }; + + staticUsrProfileMulti = nixpkgs.buildEnv { + name = "system-profile-multi"; + paths = multiPaths; + }; + + linkProfile = profile: '' + for i in ${profile}/{etc,bin,sbin,share,var}; do + if [ -x "$i" ] + then + ln -s "$i" + fi + done + ''; + + # the target profile is the actual profile that 
will be used for the chroot + setupTargetProfile = '' + ${linkProfile staticUsrProfileTarget} + ${setupLibDirs} + + mkdir -m0755 usr + cd usr + ${linkProfile staticUsrProfileTarget} + ${setupLibDirs} + cd .. + ''; + + # this will happen on x86_64 host: + # /x86 -> links to the whole profile defined by multiPaths + # /lib, /lib32 -> links to 32bit binaries + # /lib64 -> links to 64bit binaries + # /usr/lib* -> same as above + setupMultiProfile = if isTargetBuild then "" else '' + mkdir -m0755 x86 + cd x86 + ${linkProfile staticUsrProfileMulti} + cd .. + ''; + + setupLibDirs = if isTargetBuild then setupLibDirs_target + else setupLibDirs_multi; + + # setup library paths only for the targeted architecture + setupLibDirs_target = '' + mkdir -m0755 lib + + # copy content of targetPaths + cp -rsf ${staticUsrProfileTarget}/lib/* lib/ + ''; + + # setup /lib, /lib32 and /lib64 + setupLibDirs_multi = '' + mkdir -m0755 lib + mkdir -m0755 lib64 + ln -s lib lib32 + + # copy glibc stuff + cp -rsf ${staticUsrProfileTarget}/lib/32/* lib/ + + # copy content of multiPaths (32bit libs) + cp -rsf ${staticUsrProfileMulti}/lib/* lib/ + + # copy content of targetPaths (64bit libs) + cp -rsf ${staticUsrProfileTarget}/lib/* lib64/ + + # most 64bit only libs put their stuff into /lib + # some pkgs (like gcc_multi) put 32bit libs into and /lib 64bit libs into /lib64 + # by overwriting these we will hopefully catch all these cases + # in the end /lib should only contain 32bit and /lib64 only 64bit libs + cp -rsf ${staticUsrProfileTarget}/lib64/* lib64/ + + # copy gcc libs (and may overwrite exitsting wrongly placed libs) + cp -rsf ${chosenGcc.cc}/lib/* lib/ + cp -rsf ${chosenGcc.cc}/lib64/* lib64/ + ''; + +in nixpkgs.stdenv.mkDerivation { + name = "${name}-fhs"; + buildCommand = '' + mkdir -p $out + cd $out + ${setupTargetProfile} + ${setupMultiProfile} + cd $out + ${extraBuildCommands} + cd $out + ${if isMultiBuild then extraBuildCommandsMulti else ""} + ''; + passthru = { + pname = name; + 
}; +} diff --git a/pkgs/build-support/build-fhs-chrootenv/init.sh.in b/pkgs/build-support/build-fhs-chrootenv/init.sh.in index 079ec09d60f7..f3bdad85fa74 100644 --- a/pkgs/build-support/build-fhs-chrootenv/init.sh.in +++ b/pkgs/build-support/build-fhs-chrootenv/init.sh.in @@ -6,9 +6,9 @@ chrootenvDest=/run/chrootenv/@name@ mkdir -p $chrootenvDest/{nix/store,dev,proc,sys,host-etc,home,var,run} # Symlink the software that should be part of the chroot system profile -for i in @chrootEnv@/sw/* +for i in @chrootEnv@/* do - if [ "$i" != "@chrootEnv@/sw/etc" ] && [ "$i" != "@chrootEnv@/sw/var" ] + if [ "$i" != "@chrootEnv@/etc" ] && [ "$i" != "@chrootEnv@/var" ] then ln -s "$i" "$chrootenvDest" fi @@ -18,7 +18,7 @@ done mkdir $chrootenvDest/etc -for i in @chrootEnv@/sw/etc/* +for i in @chrootEnv@/etc/* do ln -s "$i" $chrootenvDest/etc done diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4ac6232575d2..16f2c4af7308 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -260,17 +260,17 @@ let inherit (pkgs) runCommand perl; }; - buildFHSChrootEnv = import ../build-support/build-fhs-chrootenv { - inherit buildEnv system; - inherit stdenv glibc glibc_multi glibcLocales; - inherit bashInteractive coreutils less shadow su; - inherit gawk gcc gcc_multi diffutils findutils gnused gnugrep; - inherit gnutar gzip bzip2 xz; - + buildFHSEnv = callPackage ../build-support/build-fhs-chrootenv/env.nix { nixpkgs = pkgs; nixpkgs_i686 = pkgsi686Linux; }; + chrootFHSEnv = callPackage ../build-support/build-fhs-chrootenv { }; + + buildFHSChrootEnv = args: chrootFHSEnv { + env = buildFHSEnv args; + }; + dotnetenv = import ../build-support/dotnetenv { inherit stdenv; dotnetfx = dotnetfx40; From 4b3bb7b4489bffc35efdf8b972f8393beb2f870b Mon Sep 17 00:00:00 2001 
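Review bot: The HOWTO block copied into env.nix fixes some typos from the old default.nix but keeps others, so the two spellings now sit a few lines apart: `most likeley libraries` (the first `likeley` became `likely`, the second did not), `list of pckages`, `will be choosen`, `based this environment` and `exitsting wrongly placed libs`. Since this is the file users of `buildFHSEnv` will read, correcting them here (`likely`, `packages`, `chosen`, `based on this environment`, `existing`) is cheap. The comment above `basePkgs` could also mention that the base packages now come from `with nixpkgs;` rather than from function arguments, which is the one structural change in the moved code.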
From: Nikolay Amiantov Date: Thu, 5 Feb 2015 18:14:28 +0300 Subject: [PATCH 07/12] userFHSEnv: add build tool --- .../build-fhs-userenv/chroot-user.rb | 175 ++++++++++++++++++ .../build-fhs-userenv/default.nix | 36 ++++ pkgs/top-level/all-packages.nix | 8 + 3 files changed, 219 insertions(+) create mode 100755 pkgs/build-support/build-fhs-userenv/chroot-user.rb create mode 100644 pkgs/build-support/build-fhs-userenv/default.nix diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb new file mode 100755 index 000000000000..857ccd58cd7f --- /dev/null +++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb 
@@ -0,0 +1,175 @@ +#!/usr/bin/env ruby + +# Bind mounts hierarchy: [from, to (relative)] +# If 'to' is nil, path will be the same +mounts = [ ['/nix/store', nil], + ['/dev', nil], + ['/proc', nil], + ['/sys', nil], + ['/etc', 'host-etc'], + ['/home', nil], + ['/var', nil], + ['/run', nil], + ['/root', nil], + ].map! { |x| [ x[0], x[1].nil? ? x[0].sub(/^\/*/, '') : x[1] ] } + +# Create directories +mkdirs = ['tmp', + ] + +# Symlinks: [from, to (dir)] +symlinks = + # /etc symlinks: [file name, prefix in host-etc] + [ ['passwd', ''], + ['group', ''], + ['shadow', ''], + ['hosts', ''], + ['resolv.conf', ''], + ['nsswitch.conf', ''], + ['pam.d', 'static'], + ['fonts/fonts.conf', 'static'], + ['fonts/conf.d/00-nixos.conf', 'static'], + ].map! { |x| [ "host-etc/#{x[1]}/#{x[0]}", "etc/#{File.dirname x[0]}" ] } + +require 'tmpdir' +require 'fileutils' +require 'pathname' +require 'set' +require 'fiddle' + +def write_file(path, str) + File.open(path, 'w') { |file| file.write str } +end + +# Import C standard library and several needed calls +$libc = Fiddle.dlopen nil + +def make_fcall(name, args, output) + c = Fiddle::Function.new $libc[name], args, output + lambda do |*args| + ret = c.call *args + raise SystemCallError.new Fiddle.last_error if ret < 0 + return ret + end +end + +$fork = make_fcall 'fork', [], Fiddle::TYPE_INT + +CLONE_NEWNS = 0x00020000 +CLONE_NEWUSER = 0x10000000 +$unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT + +MS_BIND = 0x1000 +MS_REC = 0x4000 +$mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP, + Fiddle::TYPE_VOIDP, + Fiddle::TYPE_VOIDP, + Fiddle::TYPE_LONG, + Fiddle::TYPE_VOIDP], + Fiddle::TYPE_INT + +# Read command line args +abort "Usage: chrootenv swdir program args..." 
unless ARGV.length >= 2 +swdir = Pathname.new ARGV[0] +execp = ARGV.drop 1 + +# Create temporary directory for root and chdir +root = Dir.mktmpdir 'chrootenv' + +# Fork process; we need this to do a proper cleanup because +# child process will chroot into temporary directory. +# We use imported 'fork' instead of native to overcome +# CRuby's meddling with threads; this should be safe because +# we don't use threads at all. +$cpid = $fork.call +if $cpid == 0 + # Save user UID and GID + uid = Process.uid + gid = Process.gid + + # Create new mount and user namespaces + # CLONE_NEWUSER requires a program to be non-threaded, hence + # native fork above. + $unshare.call CLONE_NEWNS | CLONE_NEWUSER + + # Map users and groups to the parent namespace + write_file '/proc/self/setgroups', 'deny' + write_file '/proc/self/uid_map', "#{uid} #{uid} 1" + write_file '/proc/self/gid_map', "#{gid} #{gid} 1" + + # Do mkdirs + mkdirs.each { |x| FileUtils.mkdir_p x } + + # Do rbind mounts. + mounts.each do |x| + to = "#{root}/#{x[1]}" + FileUtils.mkdir_p to + $mount.call x[0], to, nil, MS_BIND | MS_REC, nil + end + + # Chroot! + Dir.chroot root + Dir.chdir '/' + + # Do symlinks + symlinks.each do |x| + FileUtils.mkdir_p x[1] + FileUtils.ln_s x[0], x[1] + end + + # Symlink swdir hierarchy + mount_dirs = Set.new mounts.map { |x| Pathname.new x[1] } + link_swdir = lambda do |swdir, prefix| + swdir.find do |path| + rel = prefix.join path.relative_path_from(swdir) + # Don't symlink anything in binded or symlinked directories + Find.prune if mount_dirs.include? rel or rel.symlink? + if not rel.directory? + # File does not exist; make a symlink and bail out + rel.make_symlink path + Find.prune + end + # Recursively follow symlinks + link_swdir.call path.readlink, rel if path.symlink? 
+ end + end + link_swdir.call swdir, Pathname.new('') + + # New environment + oldenv = ENV.to_h + ENV.replace({ 'PS1' => oldenv['PS1'], + 'TERM' => oldenv['TERM'], + 'DISPLAY' => oldenv['DISPLAY'], + 'HOME' => oldenv['HOME'], + 'PATH' => '/bin:/sbin', + 'XDG_RUNTIME_DIR' => oldenv['XDG_RUNTIME_DIR'], + }) + + # Finally, exec! + exec *execp +end + +# Wait for a child. If we catch a signal, resend it to child and continue +# waiting. +def wait_child + begin + Process.wait + + # Return child's exit code + if $?.exited? + exit $?.exitstatus + else + exit 1 + end + rescue SignalException => e + Process.kill e.signo, $cpid + wait_child + end +end + +begin + wait_child +ensure + # Cleanup + FileUtils.rm_rf root, secure: true +end diff --git a/pkgs/build-support/build-fhs-userenv/default.nix b/pkgs/build-support/build-fhs-userenv/default.nix new file mode 100644 index 000000000000..b3bbc19dda80 --- /dev/null +++ b/pkgs/build-support/build-fhs-userenv/default.nix @@ -0,0 +1,36 @@ +{ writeTextFile, stdenv, ruby } : { env, runScript } : + +let + name = env.pname; + + # Sandboxing script + chroot-user = writeTextFile { + name = "chroot-user"; + executable = true; + destination = "/bin/chroot-user"; + text = '' + #! ${ruby}/bin/ruby + ${builtins.readFile ./chroot-user.rb} + ''; + }; + +in stdenv.mkDerivation { + name = "${name}-userenv"; + buildInputs = [ ruby ]; + buildCommand = '' + mkdir -p $out/bin + cat > $out/bin/${name} < $out/libexec/run < Date: Thu, 5 Feb 2015 18:16:02 +0300 Subject: [PATCH 08/12] steam-chrootenv: use UserEnv --- pkgs/games/steam/chrootenv.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/steam/chrootenv.nix b/pkgs/games/steam/chrootenv.nix index 404eaf4ce9f2..8220e24147ed 100644 --- a/pkgs/games/steam/chrootenv.nix +++ b/pkgs/games/steam/chrootenv.nix @@ -1,6 +1,6 @@ -{ buildFHSChrootEnv, config }: +{ buildFHSUserEnv, config }: -buildFHSChrootEnv { +buildFHSUserEnv { name = "steam"; targetPkgs = pkgs: 
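Review bot: `mkdirs.each { |x| FileUtils.mkdir_p x }` runs before `Dir.chroot root` with a relative path, so `tmp` is created in whatever directory the user invoked the script from and the new root gets no `/tmp` at all; the earlier comment says "Create temporary directory for root and chdir", but no `Dir.chdir` follows `Dir.mktmpdir`. Creating the directories under the root, `mkdirs.each { |x| FileUtils.mkdir_p "#{root}/#{x}" }`, matches how the bind mounts are placed (`to = "#{root}/#{x[1]}"`). Separately, the header comment should state what this script is and is not: the mounts list rbinds `/home`, `/root`, `/var`, `/run` and `/etc` without `MS_RDONLY`, and the uid/gid maps keep the caller's identity, so the user namespace provides an FHS-shaped view of the host rather than a security boundary, and the "Sandboxing script" label in default.nix invites the wrong expectation.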
@@ -69,4 +69,6 @@ buildFHSChrootEnv { export LD_LIBRARY_PATH=/run/opengl-driver/lib:/run/opengl-driver-32/lib:/lib:/lib32:/lib64 export PATH=$PATH:/usr/bin:/usr/sbin ''; + + runScript = "exec steam"; } From 627f8178b8b779b639a64716dbe13c7a64ad56f0 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 5 Feb 2015 19:43:20 +0300 Subject: [PATCH 09/12] steam: rename, add a warning --- pkgs/games/steam/chrootenv.nix | 2 +- pkgs/top-level/all-packages.nix | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkgs/games/steam/chrootenv.nix b/pkgs/games/steam/chrootenv.nix index 8220e24147ed..7ebd07752920 100644 --- a/pkgs/games/steam/chrootenv.nix +++ b/pkgs/games/steam/chrootenv.nix @@ -4,7 +4,7 @@ buildFHSUserEnv { name = "steam"; targetPkgs = pkgs: - [ pkgs.steam + [ pkgs.steamOriginal pkgs.corefonts pkgs.curl pkgs.dbus diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 123d7164862a..37b5f45412b0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12153,9 +12153,17 @@ let stardust = callPackage ../games/stardust {}; - steam = callPackage ../games/steam {}; + steamOriginal = callPackage ../games/steam { }; - steamChrootEnv = callPackage ../games/steam/chrootenv.nix { }; + steam = callPackage ../games/steam/chrootenv.nix { }; + + steamChrootEnv = steam.overrideDerivation (args: { + buildCommand = '' + ${args.buildCommand} + echo >&2 "'steamChrootEnv' is replaced with 'steam' now" + echo >&2 "You now need just to run 'steam' without root rights" + ''; + }); stuntrally = callPackage ../games/stuntrally { }; From d2bfb5ceb08bed179a996969119a4c72b8eb147a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 5 Feb 2015 18:06:57 +0100 Subject: [PATCH 10/12] Add options for installing additional root certificates --- nixos/modules/security/ca.nix | 45 ++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) 
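Review bot: The deprecation notice for `steamChrootEnv` is written into `buildCommand`, so it appears only in the build log when the derivation is built locally — not when a user runs the result, and not at all if the store path already exists or is fetched from a cache. Printing it at evaluation time reaches everyone who still references the attribute: `steamChrootEnv = builtins.trace "'steamChrootEnv' is replaced with 'steam' now; run 'steam' without root rights" steam;`, which also removes the `overrideDerivation` copy of the build. The enclosing `let` of all-packages.nix is outside the hunk.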
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index f430a5a6339f..e070ffc95e43 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -4,10 +4,53 @@ with lib; { + options = { + + security.pki.certificateFiles = mkOption { + type = types.listOf types.path; + default = []; + example = literalExample "[ \"\${pkgs.cacert}/etc/ca-bundle.crt\" ]"; + description = '' + A list of files containing trusted root certificates in PEM + format. These are concatenated to form + /etc/ssl/certs/ca-bundle.crt, which is + used by many programs that use OpenSSL, such as + curl and git. + ''; + }; + + security.pki.certificates = mkOption { + type = types.listOf types.string; + default = []; + example = singleton '' + NixOS.org + ========= + -----BEGIN CERTIFICATE----- + MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ + TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 + ... + -----END CERTIFICATE----- + ''; + description = '' + A list of trusted root certificates in PEM format. + ''; + }; + + }; + config = { + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ]; + environment.etc = - [ { source = "${pkgs.cacert}/etc/ca-bundle.crt"; + [ { source = pkgs.runCommand "ca-bundle.crt" + { files = + config.security.pki.certificateFiles ++ + [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ]; + } + '' + cat $files > $out + ''; target = "ssl/certs/ca-bundle.crt"; } ]; From 3500978b8fa4410fa98b5213f21ab9912cc7b880 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 5 Feb 2015 20:39:01 +0300 Subject: [PATCH 11/12] build-fhs-*: prefer local build --- pkgs/build-support/build-fhs-chrootenv/default.nix | 3 ++- pkgs/build-support/build-fhs-chrootenv/env.nix | 1 + pkgs/build-support/build-fhs-userenv/default.nix | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) 
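Review bot: `cat $files > $out` joins the bundle parts with no separator, so a file in `security.pki.certificateFiles` whose last line lacks a trailing newline runs its `-----END CERTIFICATE-----` into the first line of the next part, and PEM readers may then skip or reject what follows; the generated `extra.crt` has the same exposure because `concatStringsSep "\n"` adds no final newline. Emitting each part on its own lines avoids it: `for f in $files; do cat "$f"; echo; done > $out`. The `description` of both options would also benefit from one sentence on impact, e.g. `Certificates listed here are trusted system-wide by every program that reads the generated bundle`, since adding a root CA is a trust decision for the whole machine.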
diff --git a/pkgs/build-support/build-fhs-chrootenv/default.nix b/pkgs/build-support/build-fhs-chrootenv/default.nix index 8f24ab5e63c7..461f4762aba6 100644 --- a/pkgs/build-support/build-fhs-chrootenv/default.nix +++ b/pkgs/build-support/build-fhs-chrootenv/default.nix @@ -11,7 +11,8 @@ let name = env.pname; in stdenv.mkDerivation { - name = "${name}-chrootenv"; + name = "${name}-chrootenv"; + preferLocalBuild = true; buildCommand = '' mkdir -p $out/bin cd $out/bin diff --git a/pkgs/build-support/build-fhs-chrootenv/env.nix b/pkgs/build-support/build-fhs-chrootenv/env.nix index 12c0fff7510a..b810adefab16 100644 --- a/pkgs/build-support/build-fhs-chrootenv/env.nix +++ b/pkgs/build-support/build-fhs-chrootenv/env.nix @@ -170,6 +170,7 @@ in nixpkgs.stdenv.mkDerivation { cd $out ${if isMultiBuild then extraBuildCommandsMulti else ""} ''; + preferLocalBuild = true; passthru = { pname = name; }; diff --git a/pkgs/build-support/build-fhs-userenv/default.nix b/pkgs/build-support/build-fhs-userenv/default.nix index b3bbc19dda80..57864b4934bb 100644 --- a/pkgs/build-support/build-fhs-userenv/default.nix +++ b/pkgs/build-support/build-fhs-userenv/default.nix @@ -15,8 +15,9 @@ let }; in stdenv.mkDerivation { - name = "${name}-userenv"; + name = "${name}-userenv"; buildInputs = [ ruby ]; + preferLocalBuild = true; buildCommand = '' mkdir -p $out/bin cat > $out/bin/${name} < Date: Thu, 5 Feb 2015 20:21:09 +0100 Subject: [PATCH 12/12] i2pd: update url --- pkgs/tools/networking/i2pd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/networking/i2pd/default.nix b/pkgs/tools/networking/i2pd/default.nix index da055edc380a..c5cefb7a7cea 100644 --- a/pkgs/tools/networking/i2pd/default.nix +++ b/pkgs/tools/networking/i2pd/default.nix 
@@ -6,7 +6,7 @@ stdenv.mkDerivation rec { version = "0.7.0"; src = fetchurl { - url = "https://github.com/PrivacySolutions/i2pd/archive/${version}.tar.gz"; + url = "https://github.com/PurpleI2P/i2pd/archive/${version}.tar.gz"; sha256 = "1fic1jxdr48b0jfaamwbfkldbfi7awfbrqga2k7gvpncq32v0aj6"; };