ISO images: Initialize the Nix database with correct NAR hashes/sizes

The boot test now runs "nix verify" to ensure that all hashes are correct.
NixOS · Feb 7, 2018 · df117ac · df117ac
1 parent 5193807
commit df117ac
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 52 deletions.
diff --git a/nixos/lib/make-iso9660-image.nix b/nixos/lib/make-iso9660-image.nix
@@ -1,4 +1,4 @@
-{ stdenv, perl, pathsFromGraph, xorriso, syslinux
+{ stdenv, perl, closureInfo, xorriso, syslinux
 
 , # The file name of the resulting ISO image.
   isoName ? "cd.iso"
@@ -48,9 +48,9 @@ assert usbBootable -> isohybridMbrImage != "";
 stdenv.mkDerivation {
   name = isoName;
   builder = ./make-iso9660-image.sh;
-  buildInputs = [perl xorriso syslinux];
+  buildInputs = [ xorriso syslinux ];
 
-  inherit isoName bootable bootImage compressImage volumeID pathsFromGraph efiBootImage efiBootable isohybridMbrImage usbBootable;
+  inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable;
 
   # !!! should use XML.
   sources = map (x: x.source) contents;
@@ -61,6 +61,5 @@ stdenv.mkDerivation {
   symlinks = map (x: x.symlink) storeContents;
 
   # For obtaining the closure of `storeContents'.
-  exportReferencesGraph =
-    map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents;
+  closureInfo = closureInfo { rootPaths = map (x: x.object) storeContents; };
 }
diff --git a/nixos/lib/make-iso9660-image.sh b/nixos/lib/make-iso9660-image.sh
@@ -72,16 +72,15 @@ done
 
 
 # Add the closures of the top-level store objects.
-storePaths=$(perl $pathsFromGraph closure-*)
-for i in $storePaths; do
+for i in $(< $closureInfo/store-paths); do
     addPath "${i:1}" "$i"
 done
 
 
 # Also include a manifest of the closures in a format suitable for
 # nix-store --load-db.
-if [ -n "$object" ]; then
-    printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration
+if [[ ${#objects[*]} != 0 ]]; then
+    cp $closureInfo/registration nix-path-registration
     addPath "nix-path-registration" "nix-path-registration"
 fi
 

diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix
@@ -1,4 +1,4 @@
-{ stdenv, squashfsTools, perl, pathsFromGraph
+{ stdenv, squashfsTools, closureInfo
 
 , # The root directory of the squashfs filesystem is filled with the
   # closures of the Nix store paths listed here.
@@ -8,50 +8,18 @@
 stdenv.mkDerivation {
   name = "squashfs.img";
 
-  nativeBuildInputs = [perl squashfsTools];
-
-  # For obtaining the closure of `storeContents'.
-  exportReferencesGraph =
-    map (x: [("closure-" + baseNameOf x) x]) storeContents;
+  nativeBuildInputs = [ squashfsTools ];
 
   buildCommand =
     ''
-      # Add the closures of the top-level store objects.
-      storePaths=$(perl ${pathsFromGraph} closure-*)
-
-      # If a Hydra slave happens to have store paths with bad permissions/mtime,
-      # abort now so that they don't end up in ISO images in the channel.
-      # https://github.com/NixOS/nixpkgs/issues/32242
-      hasBadPaths=""
-      for path in $storePaths; do
-        if [ -h "$path" ]; then
-          continue
-        fi
-
-        mtime=$(stat -c %Y "$path")
-        mode=$(stat -c %a "$path")
-
-        if [ "$mtime" != 1 ]; then
-          echo "Store path '$path' has an invalid mtime."
-          hasBadPaths=1
-        fi
-        if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then
-          echo "Store path '$path' has invalid permissions ($mode)."
-          hasBadPaths=1
-        fi
-      done
-
-      if [ -n "$hasBadPaths" ]; then
-        echo "You have bad paths in your store, please fix them."
-        exit 1
-      fi
+      closureInfo=${closureInfo { rootPaths = storeContents; }}
 
       # Also include a manifest of the closures in a format suitable
       # for nix-store --load-db.
-      printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration
+      cp $closureInfo/registration nix-path-registration
 
       # Generate the squashfs image.
-      mksquashfs nix-path-registration $storePaths $out \
+      mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out \
         -keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100%
     '';
 }
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -331,8 +331,7 @@ in
         config.system.build.toplevel.drvPath;
 
     # Create the squashfs image that contains the Nix store.
-    system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
-      inherit (pkgs) stdenv squashfsTools perl pathsFromGraph;
+    system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix {
       storeContents = config.isoImage.storeContents;
     };
 
@@ -383,11 +382,8 @@ in
     boot.loader.timeout = 10;
 
     # Create the ISO image.
-    system.build.isoImage = import ../../../lib/make-iso9660-image.nix ({
-      inherit (pkgs) stdenv perl pathsFromGraph xorriso syslinux;
-
+    system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({
       inherit (config.isoImage) isoName compressImage volumeID contents;
-
       bootable = true;
       bootImage = "/isolinux/isolinux.bin";
     } // optionalAttrs config.isoImage.makeUsbBootable {

diff --git a/nixos/tests/boot.nix b/nixos/tests/boot.nix
@@ -24,6 +24,7 @@ let
           my $machine = createMachine({ ${machineConfig}, qemuFlags => '-m 768' });
           $machine->start;
           $machine->waitForUnit("multi-user.target");
+          $machine->succeed("nix verify -r --no-trust /run/current-system");
           $machine->shutdown;
         '';
     };