df716c98d2
On Linux it's possible to run a process in its own network namespace, meaning that it gets its own set of network interfaces, disjunct from the rest of the system. We use this to completely remove network access to chroot builds, except that they get a private loopback interface. This means that: - Builders cannot connect to the outside network or to other processes on the same machine, except processes within the same build. - Vice versa, other processes cannot connect to processes in a chroot build, and open ports/connections do not show up in "netstat". - If two concurrent builders try to listen on the same port (e.g. as part of a test), they no longer conflict with each other. This was inspired by the "PrivateNetwork" flag in systemd. |
||
|---|---|---|
| corepkgs | ||
| doc | ||
| misc | ||
| perl | ||
| scripts | ||
| src | ||
| tests | ||
| .gitignore | ||
| AUTHORS | ||
| COPYING | ||
| INSTALL | ||
| Makefile.am | ||
| README | ||
| bootstrap.sh | ||
| build.nix | ||
| configure.ac | ||
| nix.conf.example | ||
| nix.spec.in | ||
| release.nix | ||
| substitute.mk | ||
| version | ||
README
Nix is a purely functional package manager. For installation and usage instructions, please read the manual, which can be found in `docs/manual/manual.html', and additionally at the Nix website at <http://nixos.org/>. Acknowledgments This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).