Skip to content

Commit

Permalink
Basic store path provenance tracking
Browse files Browse the repository at this point in the history
Nix historically has been bad at being able to answer the question
"where did this store path come from", i.e. to provide traceability
from a store path back to the Nix expression from which is was
built. Nix tracks the "deriver" of a store path (the .drv file that
built it) but that's pretty useless in practice, since it doesn't link
back to the Nix expressions.

So this PR adds a "provenance" field (a JSON object) to the ValidPaths
table and to .narinfo files that describes where the store path came
from and how it can be reproduced.

There are currently 3 types of provenance:

* "copied": Records that the store path was copied or substituted from
  another store (typically a binary cache). Its "from" field is the
  URL of the origin store. Its "provenance" field propagates the
  provenance of the store path on the origin store.

* "derivation": Records that the store path is the output of a .drv
  file. This is equivalent for the "deriver" field, but it has a
  nested "provenance" field that records how the .drv file was
  created.

* "flake": Records that the store path was created during the
  evaluation of a flake output.

Example:

  $ nix path-info --json /nix/store/xcqzb13bd60zmfw6wv0z4242b9mfw042-patchelf-0.18.0
  {
    "/nix/store/xcqzb13bd60zmfw6wv0z4242b9mfw042-patchelf-0.18.0": {
      "provenance": {
        "from": "https://cache.example.org",
        "provenance": {
          "drv": "rlabxgjx88bavjkc694v1bqbwslwivxs-patchelf-0.18.0.drv",
          "output": "out",
          "provenance": {
            "flake": {
              "lastModified": 1729856604,
              "narHash": "sha256-obmE2ZI9sTPXczzGMerwQX4SALF+ABL9J0oB371yvZE=",
              "owner": "NixOS",
              "repo": "patchelf",
              "rev": "689f19e499caee8e5c3d387008bbd4ed7f8dc3a9",
              "type": "github",
            },
            "output": "packages.x86_64-linux.default",
            "type": "flake"
          },
          "type": "derivation"
        },
        "type": "copied"
      },
      ...
    }
  }

This specifies that the store path was copied from the binary cache
https://cache.example.org and it's the "out" output of a store
derivation that was produced by evaluating the flake ouput
`packages.x86_64-linux.default` of some revision of the patchelf
GitHub repository.
  • Loading branch information
edolstra committed Oct 25, 2024
1 parent 27ea437 commit f2b796f
Show file tree
Hide file tree
Showing 31 changed files with 402 additions and 44 deletions.
15 changes: 14 additions & 1 deletion src/libcmd/installable-flake.cc
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
#include "url.hh"
#include "registry.hh"
#include "build-result.hh"
#include "provenance.hh"

#include <regex>
#include <queue>
Expand Down Expand Up @@ -81,6 +82,18 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()

auto attrPath = attr->getAttrPathStr();

auto lockedRef = getLockedFlake()->flake.lockedRef;

state->setRootProvenance(
{
{
Provenance::ProvFlake {
.flake = std::make_shared<nlohmann::json>(fetchers::attrsToJSON(lockedRef.input.attrs)),
.flakeOutput = attrPath,
}
}
});

if (!attr->isDerivation()) {

// FIXME: use eval cache?
Expand Down Expand Up @@ -147,7 +160,7 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
},
ExtraPathInfoFlake::Flake {
.originalRef = flakeRef,
.lockedRef = getLockedFlake()->flake.lockedRef,
.lockedRef = lockedRef,
}),
}};
}
Expand Down
17 changes: 16 additions & 1 deletion src/libexpr/eval.cc
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
#include "fetch-to-store.hh"
#include "tarball.hh"
#include "parser-tab.hh"
#include "provenance.hh"

#include <algorithm>
#include <iostream>
Expand Down Expand Up @@ -2364,7 +2365,8 @@ StorePath EvalState::copyPathToStore(NixStringContext & context, const SourcePat
path.baseName(),
ContentAddressMethod::Raw::NixArchive,
nullptr,
repair);
repair,
getRootProvenance());
allowPath(dstPath);
srcToStore.lock()->try_emplace(path, dstPath);
printMsg(lvlChatty, "copied source '%1%' -> '%2%'", path, store->printStorePath(dstPath));
Expand Down Expand Up @@ -3163,4 +3165,17 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
}


std::optional<std::reference_wrapper<Provenance>> EvalState::getRootProvenance()
{
return rootProvenance
? std::optional<std::reference_wrapper<Provenance>>(*rootProvenance)
: std::nullopt;
}


void EvalState::setRootProvenance(std::optional<Provenance> provenance)
{
rootProvenance = provenance ? std::make_shared<Provenance>(std::move(*provenance)) : nullptr;
}

}
10 changes: 10 additions & 0 deletions src/libexpr/eval.hh
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ class StorePath;
struct SingleDerivedPath;
enum RepairFlag : bool;
struct MemorySourceAccessor;
struct Provenance;
namespace eval_cache {
class EvalCache;
}
Expand Down Expand Up @@ -863,6 +864,15 @@ private:

friend struct Value;
friend class ListBuilder;

// FIXME: how to handle this in the multi-threaded evaluator?
std::shared_ptr<Provenance> rootProvenance;

public:

std::optional<std::reference_wrapper<Provenance>> getRootProvenance();

void setRootProvenance(std::optional<Provenance> provenance);
};

struct DebugTraceStacker {
Expand Down
15 changes: 12 additions & 3 deletions src/libexpr/primops.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1519,7 +1519,7 @@ static void derivationStrictInternal(
}

/* Write the resulting term into the Nix store directory. */
auto drvPath = writeDerivation(*state.store, drv, state.repair);
auto drvPath = writeDerivation(*state.store, drv, state.repair, false, state.getRootProvenance());
auto drvPathS = state.store->printStorePath(drvPath);

printMsg(lvlChatty, "instantiated '%1%' -> '%2%'", drvName, drvPathS);
Expand Down Expand Up @@ -2320,7 +2320,15 @@ static void prim_toFile(EvalState & state, const PosIdx pos, Value * * args, Val
})
: ({
StringSource s { contents };
state.store->addToStoreFromDump(s, name, FileSerialisationMethod::Flat, ContentAddressMethod::Raw::Text, HashAlgorithm::SHA256, refs, state.repair);
state.store->addToStoreFromDump(
s,
name,
FileSerialisationMethod::Flat,
ContentAddressMethod::Raw::Text,
HashAlgorithm::SHA256,
refs,
state.repair,
state.getRootProvenance());
});

/* Note: we don't need to add `context' to the context of the
Expand Down Expand Up @@ -2480,7 +2488,8 @@ static void addPath(
name,
method,
filter.get(),
state.repair);
state.repair,
state.getRootProvenance());
if (expectedHash && expectedStorePath != dstPath)
state.error<EvalError>(
"store path mismatch in (possibly filtered) path added from '%s'",
Expand Down
5 changes: 3 additions & 2 deletions src/libfetchers/fetch-to-store.cc
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@ StorePath fetchToStore(
std::string_view name,
ContentAddressMethod method,
PathFilter * filter,
RepairFlag repair)
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance)
{
// FIXME: add an optimisation for the case where the accessor is
// a `PosixSourceAccessor` pointing to a store path.
Expand Down Expand Up @@ -42,7 +43,7 @@ StorePath fetchToStore(
? store.computeStorePath(
name, path, method, HashAlgorithm::SHA256, {}, filter2).first
: store.addToStore(
name, path, method, HashAlgorithm::SHA256, {}, filter2, repair);
name, path, method, HashAlgorithm::SHA256, {}, filter2, repair, provenance);

if (cacheKey && mode == FetchMode::Copy)
fetchers::getCache()->upsert(*cacheKey, store, {}, storePath);
Expand Down
3 changes: 2 additions & 1 deletion src/libfetchers/fetch-to-store.hh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ StorePath fetchToStore(
std::string_view name = "source",
ContentAddressMethod method = ContentAddressMethod::Raw::NixArchive,
PathFilter * filter = nullptr,
RepairFlag repair = NoRepair);
RepairFlag repair = NoRepair,
std::optional<std::reference_wrapper<Provenance>> provenance = std::nullopt);

}
1 change: 1 addition & 0 deletions src/libstore-tests/data/nar-info/impure.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"downloadSize": 4029176,
"narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
"narSize": 34878,
"provenance": null,
"references": [
"/nix/store/g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
"/nix/store/n5wkd9frr45pa74if5gpz9j7mifg27fh-foo"
Expand Down
1 change: 1 addition & 0 deletions src/libstore-tests/data/path-info/empty_impure.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"deriver": null,
"narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
"narSize": 0,
"provenance": null,
"references": [],
"registrationTime": null,
"signatures": [],
Expand Down
1 change: 1 addition & 0 deletions src/libstore-tests/data/path-info/impure.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"deriver": "/nix/store/g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
"narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
"narSize": 34878,
"provenance": null,
"references": [
"/nix/store/g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
"/nix/store/n5wkd9frr45pa74if5gpz9j7mifg27fh-foo"
Expand Down
12 changes: 10 additions & 2 deletions src/libstore/binary-cache-store.cc
Original file line number Diff line number Diff line change
Expand Up @@ -302,8 +302,12 @@ StorePath BinaryCacheStore::addToStoreFromDump(
ContentAddressMethod hashMethod,
HashAlgorithm hashAlgo,
const StorePathSet & references,
RepairFlag repair)
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance)
{
if (provenance)
throw UnimplementedError("BinaryCacheStore::addToStoreFromDump() with provenance");

std::optional<Hash> caHash;
std::string nar;

Expand Down Expand Up @@ -448,8 +452,12 @@ StorePath BinaryCacheStore::addToStore(
HashAlgorithm hashAlgo,
const StorePathSet & references,
PathFilter & filter,
RepairFlag repair)
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance)
{
if (provenance)
throw UnimplementedError("BinaryCacheStore::addToStore() with provenance");

/* FIXME: Make BinaryCacheStore::addToStoreCommon support
non-recursive+sha256 so we can just use the default
implementation of this method in terms of addToStoreFromDump. */
Expand Down
9 changes: 7 additions & 2 deletions src/libstore/binary-cache-store.hh
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,9 @@ protected:

public:

bool uriIsUsefulProvenance() override
{ return true; }

virtual bool fileExists(const std::string & path) = 0;

virtual void upsertFile(const std::string & path,
Expand Down Expand Up @@ -129,7 +132,8 @@ public:
ContentAddressMethod hashMethod,
HashAlgorithm hashAlgo,
const StorePathSet & references,
RepairFlag repair) override;
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance = std::nullopt) override;

StorePath addToStore(
std::string_view name,
Expand All @@ -138,7 +142,8 @@ public:
HashAlgorithm hashAlgo,
const StorePathSet & references,
PathFilter & filter,
RepairFlag repair) override;
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance) override;

void registerDrvOutput(const Realisation & info) override;

Expand Down
3 changes: 2 additions & 1 deletion src/libstore/build/derivation-goal.cc
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ Goal::Co DerivationGoal::loadDerivation()
things being garbage collected while we're busy. */
worker.evalStore.addTempRoot(drvPath);

/* Get the derivation. It is probably in the eval store, but it might be inthe main store:
/* Get the derivation. It is probably in the eval store, but it might be in the main store:
- Resolved derivation are resolved against main store realisations, and so must be stored there.
Expand All @@ -181,6 +181,7 @@ Goal::Co DerivationGoal::loadDerivation()
for (auto * drvStore : { &worker.evalStore, &worker.store }) {
if (drvStore->isValidPath(drvPath)) {
drv = std::make_unique<Derivation>(drvStore->readDerivation(drvPath));
drvProvenance = drvStore->queryPathInfo(drvPath)->provenance;
break;
}
}
Expand Down
3 changes: 3 additions & 0 deletions src/libstore/build/derivation-goal.hh
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,9 @@ struct DerivationGoal : public Goal
/** The path of the derivation. */
StorePath drvPath;

/** The provenance of the derivation, if any. */
std::shared_ptr<const Provenance> drvProvenance;

/**
* The goal for the corresponding resolved derivation
*/
Expand Down
18 changes: 15 additions & 3 deletions src/libstore/derivations.cc
Original file line number Diff line number Diff line change
Expand Up @@ -135,8 +135,12 @@ bool BasicDerivation::isBuiltin() const
}


StorePath writeDerivation(Store & store,
const Derivation & drv, RepairFlag repair, bool readOnly)
StorePath writeDerivation(
Store & store,
const Derivation & drv,
RepairFlag repair,
bool readOnly,
std::optional<std::reference_wrapper<Provenance>> provenance)
{
auto references = drv.inputSrcs;
for (auto & i : drv.inputDrvs.map)
Expand All @@ -153,7 +157,15 @@ StorePath writeDerivation(Store & store,
})
: ({
StringSource s { contents };
store.addToStoreFromDump(s, suffix, FileSerialisationMethod::Flat, ContentAddressMethod::Raw::Text, HashAlgorithm::SHA256, references, repair);
store.addToStoreFromDump(
s,
suffix,
FileSerialisationMethod::Flat,
ContentAddressMethod::Raw::Text,
HashAlgorithm::SHA256,
references,
repair,
provenance);
});
}

Expand Down
4 changes: 3 additions & 1 deletion src/libstore/derivations.hh
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
namespace nix {

struct StoreDirConfig;
struct Provenance;

/* Abstract syntax of derivations. */

Expand Down Expand Up @@ -395,7 +396,8 @@ class Store;
StorePath writeDerivation(Store & store,
const Derivation & drv,
RepairFlag repair = NoRepair,
bool readOnly = false);
bool readOnly = false,
std::optional<std::reference_wrapper<Provenance>> provenance = std::nullopt);

/**
* Read a derivation from a file.
Expand Down
3 changes: 2 additions & 1 deletion src/libstore/dummy-store.cc
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,8 @@ struct DummyStore : public virtual DummyStoreConfig, public virtual Store
ContentAddressMethod hashMethod = FileIngestionMethod::NixArchive,
HashAlgorithm hashAlgo = HashAlgorithm::SHA256,
const StorePathSet & references = StorePathSet(),
RepairFlag repair = NoRepair) override
RepairFlag repair = NoRepair,
std::optional<std::reference_wrapper<Provenance>> provenance = std::nullopt) override
{ unsupported("addToStore"); }

void narFromPath(const StorePath & path, Sink & sink) override
Expand Down
9 changes: 7 additions & 2 deletions src/libstore/legacy-ssh-store.hh
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ struct LegacySSHStore : public virtual LegacySSHStoreConfig, public virtual Stor

std::string getUri() override;

bool uriIsUsefulProvenance() override
{ return true; }

void queryPathInfoUncached(const StorePath & path,
Callback<std::shared_ptr<const ValidPathInfo>> callback) noexcept override;

Expand All @@ -75,7 +78,8 @@ struct LegacySSHStore : public virtual LegacySSHStoreConfig, public virtual Stor
HashAlgorithm hashAlgo,
const StorePathSet & references,
PathFilter & filter,
RepairFlag repair) override
RepairFlag repair,
std::optional<std::reference_wrapper<Provenance>> provenance) override
{ unsupported("addToStore"); }

virtual StorePath addToStoreFromDump(
Expand All @@ -85,7 +89,8 @@ struct LegacySSHStore : public virtual LegacySSHStoreConfig, public virtual Stor
ContentAddressMethod hashMethod = FileIngestionMethod::NixArchive,
HashAlgorithm hashAlgo = HashAlgorithm::SHA256,
const StorePathSet & references = StorePathSet(),
RepairFlag repair = NoRepair) override
RepairFlag repair = NoRepair,
std::optional<std::reference_wrapper<Provenance>> provenance = std::nullopt) override
{ unsupported("addToStore"); }

public:
Expand Down
Loading

0 comments on commit f2b796f

Please sign in to comment.