ISO images: Initialize the Nix database with correct NAR hashes/sizes
The boot test now runs "nix verify" to ensure that all hashes are correct.
parent
5193807750
commit
df117acab7
|
@ -1,4 +1,4 @@
|
||||||
{ stdenv, perl, pathsFromGraph, xorriso, syslinux
|
{ stdenv, perl, closureInfo, xorriso, syslinux
|
||||||
|
|
||||||
, # The file name of the resulting ISO image.
|
, # The file name of the resulting ISO image.
|
||||||
isoName ? "cd.iso"
|
isoName ? "cd.iso"
|
||||||
|
@ -48,9 +48,9 @@ assert usbBootable -> isohybridMbrImage != "";
|
||||||
stdenv.mkDerivation {
|
stdenv.mkDerivation {
|
||||||
name = isoName;
|
name = isoName;
|
||||||
builder = ./make-iso9660-image.sh;
|
builder = ./make-iso9660-image.sh;
|
||||||
buildInputs = [perl xorriso syslinux];
|
buildInputs = [ xorriso syslinux ];
|
||||||
|
|
||||||
inherit isoName bootable bootImage compressImage volumeID pathsFromGraph efiBootImage efiBootable isohybridMbrImage usbBootable;
|
inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable;
|
||||||
|
|
||||||
# !!! should use XML.
|
# !!! should use XML.
|
||||||
sources = map (x: x.source) contents;
|
sources = map (x: x.source) contents;
|
||||||
|
@ -61,6 +61,5 @@ stdenv.mkDerivation {
|
||||||
symlinks = map (x: x.symlink) storeContents;
|
symlinks = map (x: x.symlink) storeContents;
|
||||||
|
|
||||||
# For obtaining the closure of `storeContents'.
|
# For obtaining the closure of `storeContents'.
|
||||||
exportReferencesGraph =
|
closureInfo = closureInfo { rootPaths = map (x: x.object) storeContents; };
|
||||||
map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -72,16 +72,15 @@ done
|
||||||
|
|
||||||
|
|
||||||
# Add the closures of the top-level store objects.
|
# Add the closures of the top-level store objects.
|
||||||
storePaths=$(perl $pathsFromGraph closure-*)
|
for i in $(< $closureInfo/store-paths); do
|
||||||
for i in $storePaths; do
|
|
||||||
addPath "${i:1}" "$i"
|
addPath "${i:1}" "$i"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
# Also include a manifest of the closures in a format suitable for
|
# Also include a manifest of the closures in a format suitable for
|
||||||
# nix-store --load-db.
|
# nix-store --load-db.
|
||||||
if [ -n "$object" ]; then
|
if [[ ${#objects[*]} != 0 ]]; then
|
||||||
printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration
|
cp $closureInfo/registration nix-path-registration
|
||||||
addPath "nix-path-registration" "nix-path-registration"
|
addPath "nix-path-registration" "nix-path-registration"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
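Review bot: The new guard `[[ ${#objects[*]} != 0 ]]` counts array elements, so it only works as intended if `objects` is already a bash array when this line runs; its assignment is outside the hunk. For a plain string variable that is set but empty the count is 1, so the registration file would be added to the image even when there are no store contents. If the script does not convert `objects` to an array earlier, `[[ -n "$objects" ]]` avoids depending on that. Quoting the source path, as in `cp "$closureInfo/registration" nix-path-registration`, would also match the quoting already used in the `addPath` calls.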
@ -1,4 +1,4 @@
|
||||||
{ stdenv, squashfsTools, perl, pathsFromGraph
|
{ stdenv, squashfsTools, closureInfo
|
||||||
|
|
||||||
, # The root directory of the squashfs filesystem is filled with the
|
, # The root directory of the squashfs filesystem is filled with the
|
||||||
# closures of the Nix store paths listed here.
|
# closures of the Nix store paths listed here.
|
||||||
|
@ -8,50 +8,18 @@
|
||||||
stdenv.mkDerivation {
|
stdenv.mkDerivation {
|
||||||
name = "squashfs.img";
|
name = "squashfs.img";
|
||||||
|
|
||||||
nativeBuildInputs = [perl squashfsTools];
|
nativeBuildInputs = [ squashfsTools ];
|
||||||
|
|
||||||
# For obtaining the closure of `storeContents'.
|
|
||||||
exportReferencesGraph =
|
|
||||||
map (x: [("closure-" + baseNameOf x) x]) storeContents;
|
|
||||||
|
|
||||||
buildCommand =
|
buildCommand =
|
||||||
''
|
''
|
||||||
# Add the closures of the top-level store objects.
|
closureInfo=${closureInfo { rootPaths = storeContents; }}
|
||||||
storePaths=$(perl ${pathsFromGraph} closure-*)
|
|
||||||
|
|
||||||
# If a Hydra slave happens to have store paths with bad permissions/mtime,
|
|
||||||
# abort now so that they don't end up in ISO images in the channel.
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/32242
|
|
||||||
hasBadPaths=""
|
|
||||||
for path in $storePaths; do
|
|
||||||
if [ -h "$path" ]; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
mtime=$(stat -c %Y "$path")
|
|
||||||
mode=$(stat -c %a "$path")
|
|
||||||
|
|
||||||
if [ "$mtime" != 1 ]; then
|
|
||||||
echo "Store path '$path' has an invalid mtime."
|
|
||||||
hasBadPaths=1
|
|
||||||
fi
|
|
||||||
if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then
|
|
||||||
echo "Store path '$path' has invalid permissions ($mode)."
|
|
||||||
hasBadPaths=1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$hasBadPaths" ]; then
|
|
||||||
echo "You have bad paths in your store, please fix them."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Also include a manifest of the closures in a format suitable
|
# Also include a manifest of the closures in a format suitable
|
||||||
# for nix-store --load-db.
|
# for nix-store --load-db.
|
||||||
printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration
|
cp $closureInfo/registration nix-path-registration
|
||||||
|
|
||||||
# Generate the squashfs image.
|
# Generate the squashfs image.
|
||||||
mksquashfs nix-path-registration $storePaths $out \
|
mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out \
|
||||||
-keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100%
|
-keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100%
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
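Review bot: The mtime/permission guard on store paths (the loop that cites https://github.com/NixOS/nixpkgs/issues/32242) is dropped from `buildCommand` with nothing replacing it. The `nix verify` step added to the boot test is unlikely to cover the same ground, because NAR hashes record file contents and the executable bit but not mtime or the full mode. A build machine with writable or wrongly dated store paths could therefore again produce an image that verifies cleanly. If the guard is still wanted, it can use the new path source by changing only its loop header to `for path in $(cat $closureInfo/store-paths); do` and keeping the `stat -c %Y` / `stat -c %a` checks as they were. If it is retired on purpose, a sentence in the commit message saying why would help later readers.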
@ -331,8 +331,7 @@ in
|
||||||
config.system.build.toplevel.drvPath;
|
config.system.build.toplevel.drvPath;
|
||||||
|
|
||||||
# Create the squashfs image that contains the Nix store.
|
# Create the squashfs image that contains the Nix store.
|
||||||
system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
|
system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix {
|
||||||
inherit (pkgs) stdenv squashfsTools perl pathsFromGraph;
|
|
||||||
storeContents = config.isoImage.storeContents;
|
storeContents = config.isoImage.storeContents;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -383,11 +382,8 @@ in
|
||||||
boot.loader.timeout = 10;
|
boot.loader.timeout = 10;
|
||||||
|
|
||||||
# Create the ISO image.
|
# Create the ISO image.
|
||||||
system.build.isoImage = import ../../../lib/make-iso9660-image.nix ({
|
system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({
|
||||||
inherit (pkgs) stdenv perl pathsFromGraph xorriso syslinux;
|
|
||||||
|
|
||||||
inherit (config.isoImage) isoName compressImage volumeID contents;
|
inherit (config.isoImage) isoName compressImage volumeID contents;
|
||||||
|
|
||||||
bootable = true;
|
bootable = true;
|
||||||
bootImage = "/isolinux/isolinux.bin";
|
bootImage = "/isolinux/isolinux.bin";
|
||||||
} // optionalAttrs config.isoImage.makeUsbBootable {
|
} // optionalAttrs config.isoImage.makeUsbBootable {
|
||||||
|
|
|
@ -24,6 +24,7 @@ let
|
||||||
my $machine = createMachine({ ${machineConfig}, qemuFlags => '-m 768' });
|
my $machine = createMachine({ ${machineConfig}, qemuFlags => '-m 768' });
|
||||||
$machine->start;
|
$machine->start;
|
||||||
$machine->waitForUnit("multi-user.target");
|
$machine->waitForUnit("multi-user.target");
|
||||||
|
$machine->succeed("nix verify -r --no-trust /run/current-system");
|
||||||
$machine->shutdown;
|
$machine->shutdown;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
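Review bot: `nix verify -r --no-trust /run/current-system` checks only the closure of the booted system, while the registration file copied into the image covers the closure of everything in `isoImage.storeContents`. Any registered path outside the system closure is left unverified, although the commit message states the goal as ensuring that all hashes are correct. `$machine->succeed("nix verify --all --no-trust");` would check every path the image registered in its database. The enclosing test script starts outside this hunk.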