75 KiB
The Standard Environment
The standard build environment in the Nix Packages collection provides an environment for building Unix packages that does a lot of common build tasks automatically. In fact, for Unix packages that use the standard ./configure; make; make install
build interface, you don’t need to write a build script at all; the standard environment does everything automatically. If stdenv
doesn’t do what you need automatically, you can easily customise or override the various build phases.
Using stdenv
To build a package with the standard environment, you use the function stdenv.mkDerivation
, instead of the primitive built-in function derivation
, e.g.
stdenv.mkDerivation {
name = "libfoo-1.2.3";
src = fetchurl {
url = "http://example.org/libfoo-1.2.3.tar.bz2";
sha256 = "0x2g1jqygyr5wiwg4ma1nd7w4ydpy82z9gkcv8vh2v8dn3y58v5m";
};
}
(stdenv
needs to be in scope, so if you write this in a separate Nix expression from pkgs/all-packages.nix
, you need to pass it as a function argument.) Specifying a name
and a src
is the absolute minimum Nix requires. For convenience, you can also use pname
and version
attributes and mkDerivation
will automatically set name
to "${pname}-${version}"
by default. Since RFC 0035, this is preferred for packages in Nixpkgs, as it allows us to reuse the version easily:
stdenv.mkDerivation rec {
pname = "libfoo";
version = "1.2.3";
src = fetchurl {
url = "http://example.org/libfoo-source-${version}.tar.bz2";
sha256 = "0x2g1jqygyr5wiwg4ma1nd7w4ydpy82z9gkcv8vh2v8dn3y58v5m";
};
}
Many packages have dependencies that are not provided in the standard environment. It’s usually sufficient to specify those dependencies in the buildInputs
attribute:
stdenv.mkDerivation {
name = "libfoo-1.2.3";
...
buildInputs = [libbar perl ncurses];
}
This attribute ensures that the bin
subdirectories of these packages appear in the PATH
environment variable during the build, that their include
subdirectories are searched by the C compiler, and so on. (See for details.)
Often it is necessary to override or modify some aspect of the build. To make this easier, the standard environment breaks the package build into a number of phases, all of which can be overridden or modified individually: unpacking the sources, applying patches, configuring, building, and installing. (There are some others; see .) For instance, a package that doesn’t supply a makefile but instead has to be compiled "manually" could be handled like this:
stdenv.mkDerivation {
name = "fnord-4.5";
...
buildPhase = ''
gcc foo.c -o foo
'';
installPhase = ''
mkdir -p $out/bin
cp foo $out/bin
'';
}
(Note the use of ''
-style string literals, which are very convenient for large multi-line script fragments because they don’t need escaping of "
and \
, and because indentation is intelligently removed.)
There are many other attributes to customise the build. These are listed in .
While the standard environment provides a generic builder, you can still supply your own build script:
stdenv.mkDerivation {
name = "libfoo-1.2.3";
...
builder = ./builder.sh;
}
where the builder can do anything it wants, but typically starts with
source $stdenv/setup
to let stdenv
set up the environment (e.g. by resetting PATH
and populating it from build inputs). If you want, you can still use stdenv
’s generic builder:
source $stdenv/setup
buildPhase() {
echo "... this is my custom build phase ..."
gcc foo.c -o foo
}
installPhase() {
mkdir -p $out/bin
cp foo $out/bin
}
genericBuild
Tools provided by stdenv
The standard environment provides the following packages:
- The GNU C Compiler, configured with C and C++ support.
- GNU coreutils (contains a few dozen standard Unix commands).
- GNU findutils (contains
find
). - GNU diffutils (contains
diff
,cmp
). - GNU
sed
. - GNU
grep
. - GNU
awk
. - GNU
tar
. gzip
,bzip2
andxz
.- GNU Make.
- Bash. This is the shell used for all builders in the Nix Packages collection. Not using
/bin/sh
removes a large source of portability problems. - The
patch
command.
On Linux, stdenv
also includes the patchelf
utility.
Specifying dependencies
As described in the Nix manual, almost any *.drv
store path in a derivation’s attribute set will induce a dependency on that derivation. mkDerivation
, however, takes a few attributes intended to include all the dependencies of a package. This is done both for structure and consistency, but also so that certain other setup can take place. For example, certain dependencies need their bin directories added to the PATH
. That is built-in, but other setup is done via a pluggable mechanism that works in conjunction with these dependency attributes. See for details.
Dependencies can be broken down along three axes: their host and target platforms relative to the new derivation’s, and whether they are propagated. The platform distinctions are motivated by cross compilation; see for exactly what each platform means. 1 But even if one is not cross compiling, the platforms imply whether or not the dependency is needed at run-time or build-time, a concept that makes perfect sense outside of cross compilation. By default, the run-time/build-time distinction is just a hint for mental clarity, but with strictDeps
set it is mostly enforced even in the native case.
The extension of PATH
with dependencies, alluded to above, proceeds according to the relative platforms alone. The process is carried out only for dependencies whose host platform matches the new derivation’s build platform i.e. dependencies which run on the platform where the new derivation will be built. 2 For each dependency <dep> of those dependencies, dep/bin
, if present, is added to the PATH
environment variable.
A dependency is said to be propagated when some of its other-transitive (non-immediate) downstream dependencies also need it as an immediate dependency. 3
It is important to note that dependencies are not necessarily propagated as the same sort of dependency that they were before, but rather as the corresponding sort so that the platform rules still line up. To determine the exact rules for dependency propagation, we start by assigning to each dependency a couple of ternary numbers (-1
for build
, 0
for host
, and 1
for target
) representing its dependency type, which captures how its host and target platforms are each "offset" from the depending derivation’s host and target platforms. The following table summarize the different combinations that can be obtained:
host → target |
attribute name | offset |
---|---|---|
build --> build |
depsBuildBuild |
-1, -1 |
build --> host |
nativeBuildInputs |
-1, 0 |
build --> target |
depsBuildTarget |
-1, 1 |
host --> host |
depsHostHost |
0, 0 |
host --> target |
buildInputs |
0, 1 |
target --> target |
depsTargetTarget |
1, 1 |
Algorithmically, we traverse propagated inputs, accumulating every propagated dependency’s propagated dependencies and adjusting them to account for the “shift in perspective” described by the current dependency’s platform offsets. This results is sort of a transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined. We also prune transitive dependencies whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd.
We can define the process precisely with Natural Deduction using the inference rules. This probably seems a bit obtuse, but so is the bash code that actually implements it! 4 They’re confusing in very different ways so… hopefully if something doesn’t make sense in one presentation, it will in the other!
let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)
propagated-dep(h0, t0, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, 1}
-------------------------------------- Transitive property
propagated-dep(mapOffset(h0, t0, h1),
mapOffset(h0, t0, t1),
A, C)
let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)
dep(h0, _, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, -1}
----------------------------- Take immediate dependencies' propagated dependencies
propagated-dep(mapOffset(h0, t0, h1),
mapOffset(h0, t0, t1),
A, C)
propagated-dep(h, t, A, B)
----------------------------- Propagated dependencies count as dependencies
dep(h, t, A, B)
Some explanation of this monstrosity is in order. In the common case, the target offset of a dependency is the successor to the target offset: t = h + 1
. That means that:
let f(h, t, i) = i + (if i <= 0 then h else t - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else (h + 1) - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else h)
let f(h, h + 1, i) = i + h
This is where “sum-like” comes in from above: We can just sum all of the host offsets to get the host offset of the transitive dependency. The target offset is the transitive dependency is simply the host offset + 1, just as it was with the dependencies composed to make this transitive one; it can be ignored as it doesn’t add any new information.
Because of the bounds checks, the uncommon cases are h = t
and h + 2 = t
. In the former case, the motivation for mapOffset
is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. mapOffset
effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original h = t
package. In the other case, h + 1
is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one.
Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. [One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.] The offset bounds checking and definition of mapOffset
together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
Variables specifying dependencies
depsBuildBuild
A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in nativeBuildInputs
instead. The most common use of this buildPackages.stdenv.cc
, the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.
Since these packages are able to be run at build-time, they are always added to the PATH
, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.
nativeBuildInputs
A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild
or depsBuildTarget
. This could be called depsBuildHost
but nativeBuildInputs
is used for historical continuity.
Since these packages are able to be run at build-time, they are added to the PATH
, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.
depsBuildTarget
A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s target platform. These are programs used at build time that produce code to run with code produced by the depending package. Most commonly, these are tools used to build the runtime or standard library that the currently-being-built compiler will inject into any code it compiles. In many cases, the currently-being-built-compiler is itself employed for that task, but when that compiler won’t run (i.e. its build and host platform differ) this is not possible. Other times, the compiler relies on some other tool, like binutils, that is always built separately so that the dependency is unconditional.
This is a somewhat confusing concept to wrap one’s head around, and for good reason. As the only dependency type where the platform offsets, -1
and 1
, are not adjacent integers, it requires thinking of a bootstrapping stage two away from the current one. It and its use-case go hand in hand and are both considered poor form: try to not need this sort of dependency, and try to avoid building standard libraries and runtimes in the same derivation as the compiler produces code using them. Instead strive to build those like a normal library, using the newly-built compiler just as a normal library would. In short, do not use this attribute unless you are packaging a compiler and are sure it is needed.
Since these packages are able to run at build time, they are added to the PATH
, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.
depsHostHost
A list of dependencies whose host and target platforms match the new derivation’s host platform. In practice, this would usually be tools used by compilers for macros or a metaprogramming system, or libraries used by the macros or metaprogramming code itself. It’s always preferable to use a depsBuildBuild
dependency in the derivation being built over a depsHostHost
on the tool doing the building for this purpose.
buildInputs
A list of dependencies whose host platform and target platform match the new derivation’s. This would be called depsHostTarget
but for historical continuity. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild
.
These are often programs and libraries used by the new derivation at run-time, but that isn’t always the case. For example, the machine code in a statically-linked library is only used at run-time, but the derivation containing the library is only needed at build-time. Even in the dynamic case, the library may also be needed at build-time to appease the linker.
depsTargetTarget
A list of dependencies whose host platform matches the new derivation’s target platform. These are packages that run on the target platform, e.g. the standard library or run-time deps of standard library that a compiler insists on knowing about. It’s poor form in almost all cases for a package to depend on another from a future stage [future stage corresponding to positive offset]. Do not use this attribute unless you are packaging a compiler and are sure it is needed.
depsBuildBuildPropagated
The propagated equivalent of depsBuildBuild
. This perhaps never ought to be used, but it is included for consistency [see below for the others].
propagatedNativeBuildInputs
The propagated equivalent of nativeBuildInputs
. This would be called depsBuildHostPropagated
but for historical continuity. For example, if package Y
has propagatedNativeBuildInputs = [X]
, and package Z
has buildInputs = [Y]
, then package Z
will be built as if it included package X
in its nativeBuildInputs
. If instead, package Z
has nativeBuildInputs = [Y]
, then Z
will be built as if it included X
in the depsBuildBuild
of package Z
, because of the sum of the two -1
host offsets.
depsBuildTargetPropagated
The propagated equivalent of depsBuildTarget
. This is prefixed for the same reason of alerting potential users.
depsHostHostPropagated
The propagated equivalent of depsHostHost
.
propagatedBuildInputs
The propagated equivalent of buildInputs
. This would be called depsHostTargetPropagated
but for historical continuity.
depsTargetTargetPropagated
The propagated equivalent of depsTargetTarget
. This is prefixed for the same reason of alerting potential users.
Attributes
Variables affecting stdenv
initialisation
NIX_DEBUG
A natural number indicating how much information to log. If set to 1 or higher, stdenv
will print moderate debugging information during the build. In particular, the gcc
and ld
wrapper scripts will print out the complete command line passed to the wrapped tools. If set to 6 or higher, the stdenv
setup script will be run with set -x
tracing. If set to 7 or higher, the gcc
and ld
wrapper scripts will also be run with set -x
tracing.
Attributes affecting build properties
enableParallelBuilding
If set to true
, stdenv
will pass specific flags to make
and other build tools to enable parallel building with up to build-cores
workers.
Unless set to false
, some build systems with good support for parallel building including cmake
, meson
, and qmake
will set it to true
.
Special variables
passthru
This is an attribute set which can be filled with arbitrary values. For example:
passthru = {
foo = "bar";
baz = {
value1 = 4;
value2 = 5;
};
}
Values inside it are not passed to the builder, so you can change them without triggering a rebuild. However, they can be accessed outside of a derivation directly, as if they were set inside a derivation itself, e.g. hello.baz.value1
. We don’t specify any usage or schema of passthru
- it is meant for values that would be useful outside the derivation in other parts of a Nix expression (e.g. in other derivations). An example would be to convey some specific dependency of your derivation which contains a program with plugins support. Later, others who make derivations with plugins can use passed-through dependency to ensure that their plugin would be binary-compatible with built program.
passthru.updateScript
A script to be run by maintainers/scripts/update.nix
when the package is matched. It needs to be an executable file, either on the file system:
passthru.updateScript = ./update.sh;
or inside the expression itself:
passthru.updateScript = writeScript "update-zoom-us" ''
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl pcre common-updater-scripts
set -eu -o pipefail
version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcregrep -o1 '/(([0-9]\.?)+)/')"
update-source-version zoom-us "$version"
'';
The attribute can also contain a list, a script followed by arguments to be passed to it:
passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ];
The script will be run with the UPDATE_NIX_NAME
, UPDATE_NIX_PNAME
, UPDATE_NIX_OLD_VERSION
and UPDATE_NIX_ATTR_PATH
environment variables set respectively to the name, pname, old version and attribute path of the package it is supposed to update.
::: {.note}
The script will be usually run from the root of the Nixpkgs repository but you should not rely on that. Also note that the update scripts will be run in parallel by default; you should avoid running git commit
or any other commands that cannot handle that.
:::
For information about how to run the updates, execute nix-shell maintainers/scripts/update.nix
.
Recursive attributes in mkDerivation
If you pass a function to mkDerivation
, it will receive as its argument the final arguments, including the overrides when reinvoked via overrideAttrs
. For example:
mkDerivation (finalAttrs: {
pname = "hello";
withFeature = true;
configureFlags =
lib.optionals finalAttrs.withFeature ["--with-feature"];
})
Note that this does not use the rec
keyword to reuse withFeature
in configureFlags
.
The rec
keyword works at the syntax level and is unaware of overriding.
Instead, the definition references finalAttrs
, allowing users to change withFeature
consistently with overrideAttrs
.
finalAttrs
also contains the attribute finalPackage
, which includes the output paths, etc.
Let's look at a more elaborate example to understand the differences between various bindings:
# `pkg` is the _original_ definition (for illustration purposes)
let pkg =
mkDerivation (finalAttrs: {
# ...
# An example attribute
packages = [];
# `passthru.tests` is a commonly defined attribute.
passthru.tests.simple = f finalAttrs.finalPackage;
# An example of an attribute containing a function
passthru.appendPackages = packages':
finalAttrs.finalPackage.overrideAttrs (newSelf: super: {
packages = super.packages ++ packages';
});
# For illustration purposes; referenced as
# `(pkg.overrideAttrs(x)).finalAttrs` etc in the text below.
passthru.finalAttrs = finalAttrs;
passthru.original = pkg;
});
in pkg
Unlike the pkg
binding in the above example, the finalAttrs
parameter always references the final attributes. For instance (pkg.overrideAttrs(x)).finalAttrs.finalPackage
is identical to pkg.overrideAttrs(x)
, whereas (pkg.overrideAttrs(x)).original
is the same as the original pkg
.
See also the section about passthru.tests
.
Phases
stdenv.mkDerivation
sets the Nix derivation's builder to a script that loads the stdenv setup.sh
bash library and calls genericBuild
. Most packaging functions rely on this default builder.
This generic command invokes a number of phases. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries).
Each phase can be overridden in its entirety either by setting the environment variable namePhase
to a string containing some shell commands to be executed, or by redefining the shell function namePhase
. The former is convenient to override a phase from the derivation, while the latter is convenient from a build script. However, typically one only wants to add some commands to a phase, e.g. by defining postInstall
or preFixup
, as skipping some of the default actions may have unexpected consequences. The default script for each phase is defined in the file pkgs/stdenv/generic/setup.sh
.
When overriding a phase, for example installPhase
, it is important to start with runHook preInstall
and end it with runHook postInstall
, otherwise preInstall
and postInstall
will not be run. Even if you don't use them directly, it is good practice to do so anyways for downstream users who would want to add a postInstall
by overriding your derivation.
While inside an interactive nix-shell
, if you wanted to run all phases in the order they would be run in an actual build, you can invoke genericBuild
yourself.
Controlling phases
There are a number of variables that control what phases are executed and in what order:
Variables affecting phase control
phases
Specifies the phases. You can change the order in which phases are executed, or add new phases, by setting this variable. If it’s not set, the default value is used, which is $prePhases unpackPhase patchPhase $preConfigurePhases configurePhase $preBuildPhases buildPhase checkPhase $preInstallPhases installPhase fixupPhase installCheckPhase $preDistPhases distPhase $postPhases
.
It is discouraged to set this variable, as it is easy to miss some important functionality hidden in some of the less obviously needed phases (like fixupPhase
which patches the shebang of scripts).
Usually, if you just want to add a few phases, it’s more convenient to set one of the variables below (such as preInstallPhases
).
prePhases
Additional phases executed before any of the default phases.
preConfigurePhases
Additional phases executed just before the configure phase.
preBuildPhases
Additional phases executed just before the build phase.
preInstallPhases
Additional phases executed just before the install phase.
preFixupPhases
Additional phases executed just before the fixup phase.
preDistPhases
Additional phases executed just before the distribution phase.
postPhases
Additional phases executed after any of the default phases.
The unpack phase
The unpack phase is responsible for unpacking the source code of the package. The default implementation of unpackPhase
unpacks the source files listed in the src
environment variable to the current directory. It supports the following files by default:
Tar files
These can optionally be compressed using gzip
(.tar.gz
, .tgz
or .tar.Z
), bzip2
(.tar.bz2
, .tbz2
or .tbz
) or xz
(.tar.xz
, .tar.lzma
or .txz
).
Zip files
Zip files are unpacked using unzip
. However, unzip
is not in the standard environment, so you should add it to nativeBuildInputs
yourself.
Directories in the Nix store
These are simply copied to the current directory. The hash part of the file name is stripped, e.g. /nix/store/1wydxgby13cz...-my-sources
would be copied to my-sources
.
Additional file types can be supported by setting the unpackCmd
variable (see below).
Variables controlling the unpack phase
srcs
/ src
The list of source files or directories to be unpacked or copied. One of these must be set. Note that if you use srcs
, you should also set sourceRoot
or setSourceRoot
.
sourceRoot
After running unpackPhase
, the generic builder changes the current directory to the directory created by unpacking the sources. If there are multiple source directories, you should set sourceRoot
to the name of the intended directory. Set sourceRoot = ".";
if you use srcs
and control the unpack phase yourself.
By default the sourceRoot
is set to "source"
. If you want to point to a sub-directory inside your project, you therefore need to set sourceRoot = "source/my-sub-directory"
.
setSourceRoot
Alternatively to setting sourceRoot
, you can set setSourceRoot
to a shell command to be evaluated by the unpack phase after the sources have been unpacked. This command must set sourceRoot
.
preUnpack
Hook executed at the start of the unpack phase.
postUnpack
Hook executed at the end of the unpack phase.
dontUnpack
Set to true to skip the unpack phase.
dontMakeSourcesWritable
If set to 1
, the unpacked sources are not made writable. By default, they are made writable to prevent problems with read-only sources. For example, copied store directories would be read-only without this.
unpackCmd
The unpack phase evaluates the string $unpackCmd
for any unrecognised file. The path to the current source file is contained in the curSrc
variable.
The patch phase
The patch phase applies the list of patches defined in the patches
variable.
Variables controlling the patch phase
dontPatch
Set to true to skip the patch phase.
patches
The list of patches. They must be in the format accepted by the patch
command, and may optionally be compressed using gzip
(.gz
), bzip2
(.bz2
) or xz
(.xz
).
patchFlags
Flags to be passed to patch
. If not set, the argument -p1
is used, which causes the leading directory component to be stripped from the file names in each patch.
prePatch
Hook executed at the start of the patch phase.
postPatch
Hook executed at the end of the patch phase.
The configure phase
The configure phase prepares the source tree for building. The default configurePhase
runs ./configure
(typically an Autoconf-generated script) if it exists.
Variables controlling the configure phase
configureScript
The name of the configure script. It defaults to ./configure
if it exists; otherwise, the configure phase is skipped. This can actually be a command (like perl ./Configure.pl
).
configureFlags
A list of strings passed as additional arguments to the configure script.
dontConfigure
Set to true to skip the configure phase.
configureFlagsArray
A shell array containing additional arguments passed to the configure script. You must use this instead of configureFlags
if the arguments contain spaces.
dontAddPrefix
By default, the flag --prefix=$prefix
is added to the configure flags. If this is undesirable, set this variable to true.
prefix
The prefix under which the package must be installed, passed via the --prefix
option to the configure script. It defaults to $out
.
prefixKey
The key to use when specifying the prefix. By default, this is set to --prefix=
as that is used by the majority of packages.
dontAddStaticConfigureFlags
By default, when building statically, stdenv will try to add build system appropriate configure flags to try to enable static builds.
If this is undesirable, set this variable to true.
dontAddDisableDepTrack
By default, the flag --disable-dependency-tracking
is added to the configure flags to speed up Automake-based builds. If this is undesirable, set this variable to true.
dontFixLibtool
By default, the configure phase applies some special hackery to all files called ltmain.sh
before running the configure script in order to improve the purity of Libtool-based packages 5 . If this is undesirable, set this variable to true.
dontDisableStatic
By default, when the configure script has --enable-static
, the option --disable-static
is added to the configure flags.
If this is undesirable, set this variable to true. It is automatically set to true when building statically, for example through pkgsStatic
.
configurePlatforms
By default, when cross compiling, the configure script has --build=...
and --host=...
passed. Packages can instead pass [ "build" "host" "target" ]
or a subset to control exactly which platform flags are passed. Compilers and other tools can use this to also pass the target platform. 6
preConfigure
Hook executed at the start of the configure phase.
postConfigure
Hook executed at the end of the configure phase.
The build phase
The build phase is responsible for actually building the package (e.g. compiling it). The default buildPhase
simply calls make
if a file named Makefile
, makefile
or GNUmakefile
exists in the current directory (or the makefile
is explicitly set); otherwise it does nothing.
Variables controlling the build phase
dontBuild
Set to true to skip the build phase.
makefile
The file name of the Makefile.
makeFlags
A list of strings passed as additional flags to make
. These flags are also used by the default install and check phase. For setting make flags specific to the build phase, use buildFlags
(see below).
makeFlags = [ "PREFIX=$(out)" ];
::: {.note} The flags are quoted in bash, but environment variables can be specified by using the make syntax. :::
makeFlagsArray
A shell array containing additional arguments passed to make
. You must use this instead of makeFlags
if the arguments contain spaces, e.g.
preBuild = ''
makeFlagsArray+=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
'';
Note that shell arrays cannot be passed through environment variables, so you cannot set makeFlagsArray
in a derivation attribute (because those are passed through environment variables): you have to define them in shell code.
buildFlags
/ buildFlagsArray
A list of strings passed as additional flags to make
. Like makeFlags
and makeFlagsArray
, but only used by the build phase.
preBuild
Hook executed at the start of the build phase.
postBuild
Hook executed at the end of the build phase.
You can set flags for make
through the makeFlags
variable.
Before and after running make
, the hooks preBuild
and postBuild
are called, respectively.
The check phase
The check phase checks whether the package was built correctly by running its test suite. The default checkPhase
calls make check
, but only if the doCheck
variable is enabled.
Variables controlling the check phase
doCheck
Controls whether the check phase is executed. By default it is skipped, but if doCheck
is set to true, the check phase is usually executed. Thus you should set
doCheck = true;
in the derivation to enable checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doCheck
is set, as the newly-built program won’t run on the platform used to build it.
makeFlags
/ makeFlagsArray
/ makefile
See the build phase for details.
checkTarget
The make target that runs the tests. Defaults to check
.
checkFlags
/ checkFlagsArray
A list of strings passed as additional flags to make
. Like makeFlags
and makeFlagsArray
, but only used by the check phase.
checkInputs
A list of dependencies used by the phase. This gets included in nativeBuildInputs
when doCheck
is set.
preCheck
Hook executed at the start of the check phase.
postCheck
Hook executed at the end of the check phase.
The install phase
The install phase is responsible for installing the package in the Nix store under out
. The default installPhase
creates the directory $out
and calls make install
.
Variables controlling the install phase
dontInstall
Set to true to skip the install phase.
makeFlags
/ makeFlagsArray
/ makefile
See the build phase for details.
installTargets
The make targets that perform the installation. Defaults to install
. Example:
installTargets = "install-bin install-doc";
installFlags
/ installFlagsArray
A list of strings passed as additional flags to make
. Like makeFlags
and makeFlagsArray
, but only used by the install phase.
preInstall
Hook executed at the start of the install phase.
postInstall
Hook executed at the end of the install phase.
The fixup phase
The fixup phase performs (Nix-specific) post-processing actions on the files installed under $out
by the install phase. The default fixupPhase
does the following:
- It moves the
man/
,doc/
andinfo/
subdirectories of$out
toshare/
. - It strips libraries and executables of debug information.
- On Linux, it applies the
patchelf
command to ELF executables and libraries to remove unused directories from theRPATH
in order to prevent unnecessary runtime dependencies. - It rewrites the interpreter paths of shell scripts to paths found in
PATH
. E.g.,/usr/bin/perl
will be rewritten to/nix/store/some-perl/bin/perl
found inPATH
. See for details.
Variables controlling the fixup phase
dontFixup
Set to true to skip the fixup phase.
dontStrip
If set, libraries and executables are not stripped. By default, they are.
dontStripHost
Like dontStrip
, but only affects the strip
command targetting the package’s host platform. Useful when supporting cross compilation, but otherwise feel free to ignore.
dontStripTarget
Like dontStrip
, but only affects the strip
command targetting the packages’ target platform. Useful when supporting cross compilation, but otherwise feel free to ignore.
dontMoveSbin
If set, files in $out/sbin
are not moved to $out/bin
. By default, they are.
stripAllList
List of directories to search for libraries and executables from which all symbols should be stripped. By default, it’s empty. Stripping all symbols is risky, since it may remove not just debug symbols but also ELF information necessary for normal execution.
stripAllListTarget
Like stripAllList
, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.
stripAllFlags
Flags passed to the strip
command applied to the files in the directories listed in stripAllList
. Defaults to -s
(i.e. --strip-all
).
stripDebugList
List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to lib lib32 lib64 libexec bin sbin
.
stripDebugListTarget
Like stripDebugList
, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.
stripDebugFlags
Flags passed to the strip
command applied to the files in the directories listed in stripDebugList
. Defaults to -S
(i.e. --strip-debug
).
dontPatchELF
If set, the patchelf
command is not used to remove unnecessary RPATH
entries. Only applies to Linux.
dontPatchShebangs
If set, scripts starting with #!
do not have their interpreter paths rewritten to paths in the Nix store. See on how patching shebangs works.
dontPruneLibtoolFiles
If set, libtool .la
files associated with shared libraries won’t have their dependency_libs
field cleared.
forceShare
The list of directories that must be moved from $out
to $out/share
. Defaults to man doc info
.
setupHook
A package can export a setup hook by setting this variable. The setup hook, if defined, is copied to $out/nix-support/setup-hook
. Environment variables are then substituted in it using substituteAll
.
preFixup
Hook executed at the start of the fixup phase.
postFixup
Hook executed at the end of the fixup phase.
separateDebugInfo
If set to true
, the standard environment will enable debug information in C/C++ builds. After installation, the debug information will be separated from the executables and stored in the output named debug
. (This output is enabled automatically; you don’t need to set the outputs
attribute explicitly.) To be precise, the debug information is stored in debug/lib/debug/.build-id/XX/YYYY…
, where <XXYYYY…> is the <build ID> of the binary — a SHA-1 hash of the contents of the binary. Debuggers like GDB use the build ID to look up the separated debug information.
For example, with GDB, you can add
set debug-file-directory ~/.nix-profile/lib/debug
to ~/.gdbinit
. GDB will then be able to find debug information installed via nix-env -i
.
The installCheck phase
The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default installCheck
calls make installcheck
.
It is often better to add tests that are not part of the source distribution to passthru.tests
(see ). This avoids adding overhead to every build and enables us to run them independently.
Variables controlling the installCheck phase
doInstallCheck
Controls whether the installCheck phase is executed. By default it is skipped, but if doInstallCheck
is set to true, the installCheck phase is usually executed. Thus you should set
doInstallCheck = true;
in the derivation to enable install checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doInstallCheck
is set, as the newly-built program won’t run on the platform used to build it.
installCheckTarget
The make target that runs the install tests. Defaults to installcheck
.
installCheckFlags
/ installCheckFlagsArray
A list of strings passed as additional flags to make
. Like makeFlags
and makeFlagsArray
, but only used by the installCheck phase.
installCheckInputs
A list of dependencies used by the phase. This gets included in nativeBuildInputs
when doInstallCheck
is set.
preInstallCheck
Hook executed at the start of the installCheck phase.
postInstallCheck
Hook executed at the end of the installCheck phase.
The distribution phase
The distribution phase is intended to produce a source distribution of the package. The default distPhase
first calls make dist
, then it copies the resulting source tarballs to $out/tarballs/
. This phase is only executed if the attribute doDist
is set.
Variables controlling the distribution phase
distTarget
The make target that produces the distribution. Defaults to dist
.
distFlags
/ distFlagsArray
Additional flags passed to make
.
tarballs
The names of the source distribution files to be copied to $out/tarballs/
. It can contain shell wildcards. The default is *.tar.gz
.
dontCopyDist
If set, no files are copied to $out/tarballs/
.
preDist
Hook executed at the start of the distribution phase.
postDist
Hook executed at the end of the distribution phase.
Shell functions and utilities
The standard environment provides a number of useful functions.
makeWrapper
<executable> <wrapperfile> <args>
Constructs a wrapper for a program with various possible arguments. It is defined as part of 2 setup-hooks named makeWrapper
and makeBinaryWrapper
that implement the same bash functions. Hence, to use it you have to add makeWrapper
to your nativeBuildInputs
. Here's an example usage:
# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
# Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile \
--prefix PATH : ${lib.makeBinPath [ hello git ]} \
--suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
Packages may expect or require other utilities to be available at runtime.
makeWrapper
can be used to add packages to a PATH
environment variable local to a wrapper.
Use --prefix
to explicitly set dependencies in PATH
.
:::{note}
--prefix
essentially hard-codes dependencies into the wrapper.
They cannot be overridden without rebuilding the package.
:::
If dependencies should be resolved at runtime, use --suffix
to append fallback values to PATH
.
There’s many more kinds of arguments, they are documented in nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh
for the makeWrapper
implementation and in nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh
for the makeBinaryWrapper
implementation.
wrapProgram
is a convenience function you probably want to use most of the time, implemented by both makeWrapper
and makeBinaryWrapper
.
Using the makeBinaryWrapper
implementation is usually preferred, as it creates a tiny compiled wrapper executable, that can be used as a shebang interpreter. This is needed mostly on Darwin, where shebangs cannot point to scripts, due to a limitation with the execve
-syscall. Compiled wrappers generated by makeBinaryWrapper
can be inspected with less <path-to-wrapper>
- by scrolling past the binary data you should be able to see the shell command that generated the executable and there see the environment variables that were injected into the wrapper.
remove-references-to -t
<storepath> [ -t
<storepath> ... ] <file> ...
Removes the references of the specified files to the specified store files. This is done without changing the size of the file by replacing the hash by eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
, and should work on compiled executables. This is meant to be used to remove the dependency of the output on inputs that are known to be unnecessary at runtime. Of course, reckless usage will break the patched programs.
To use this, add removeReferencesTo
to nativeBuildInputs
.
As remove-references-to
is an actual executable and not a shell function, it can be used with find
.
Example removing all references to the compiler in the output:
postInstall = ''
find "$out" -type f -exec remove-references-to -t ${stdenv.cc} '{}' +
'';
substitute
<infile> <outfile> <subs>
Performs string substitution on the contents of <infile>, writing the result to <outfile>. The substitutions in <subs> are of the following form:
--replace
<s1> <s2>
Replace every occurrence of the string <s1> by <s2>.
--subst-var
<varName>
Replace every occurrence of @varName@
by the contents of the environment variable <varName>. This is useful for generating files from templates, using @...@
in the template as placeholders.
--subst-var-by
<varName> <s>
Replace every occurrence of @varName@
by the string <s>.
Example:
substitute ./foo.in ./foo.out \
--replace /usr/bin/bar $bar/bin/bar \
--replace "a string containing spaces" "some other text" \
--subst-var someVar
substituteInPlace
<multiple files> <subs>
Like substitute
, but performs the substitutions in place on the files passed.
substituteAll
<infile> <outfile>
Replaces every occurrence of @varName@
, where <varName> is any environment variable, in <infile>, writing the result to <outfile>. For instance, if <infile> has the contents
#! @bash@/bin/sh
PATH=@coreutils@/bin
echo @foo@
and the environment contains bash=/nix/store/bmwp0q28cf21...-bash-3.2-p39
and coreutils=/nix/store/68afga4khv0w...-coreutils-6.12
, but does not contain the variable foo
, then the output will be
#! /nix/store/bmwp0q28cf21...-bash-3.2-p39/bin/sh
PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin
echo @foo@
That is, no substitution is performed for undefined variables.
Environment variables that start with an uppercase letter or an underscore are filtered out, to prevent global variables (like HOME
) or private variables (like __ETC_PROFILE_DONE
) from accidentally getting substituted. The variables also have to be valid bash "names", as defined in the bash manpage (alphanumeric or _
, must not start with a number).
substituteAllInPlace
<file>
Like substituteAll
, but performs the substitutions in place on the file <file>.
stripHash
<path>
Strips the directory and hash part of a store path, outputting the name part to stdout
. For example:
# prints coreutils-8.24
stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
If you wish to store the result in another variable, then the following idiom may be useful:
name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
someVar=$(stripHash $name)
wrapProgram
<executable> <makeWrapperArgs>
Convenience function for makeWrapper
that replaces <\executable\>
with a wrapper that executes the original program. It takes all the same arguments as makeWrapper
, except for --inherit-argv0
(used by the makeBinaryWrapper
implementation) and --argv0
(used by both makeWrapper
and makeBinaryWrapper
wrapper implementations).
If you will apply it multiple times, it will overwrite the wrapper file and you will end up with double wrapping, which should be avoided.
Package setup hooks
Nix itself considers a build-time dependency as merely something that should previously be built and accessible at build time—packages themselves are on their own to perform any additional setup. In most cases, that is fine, and the downstream derivation can deal with its own dependencies. But for a few common tasks, that would result in almost every package doing the same sort of setup work—depending not on the package itself, but entirely on which dependencies were used.
In order to alleviate this burden, the setup hook mechanism was written, where any package can include a shell script that [by convention rather than enforcement by Nix], any downstream reverse-dependency will source as part of its build process. That allows the downstream dependency to merely specify its dependencies, and lets those dependencies effectively initialize themselves. No boilerplate mirroring the list of dependencies is needed.
The setup hook mechanism is a bit of a sledgehammer though: a powerful feature with a broad and indiscriminate area of effect. The combination of its power and implicit use may be expedient, but isn’t without costs. Nix itself is unchanged, but the spirit of added dependencies being effect-free is violated even if the letter isn’t. For example, if a derivation path is mentioned more than once, Nix itself doesn’t care and simply makes sure the dependency derivation is already built just the same—depending is just needing something to exist, and needing is idempotent. However, a dependency specified twice will have its setup hook run twice, and that could easily change the build environment (though a well-written setup hook will therefore strive to be idempotent so this is in fact not observable). More broadly, setup hooks are anti-modular in that multiple dependencies, whether the same or different, should not interfere and yet their setup hooks may well do so.
The most typical use of the setup hook is actually to add other hooks which are then run (i.e. after all the setup hooks) on each dependency. For example, the C compiler wrapper’s setup hook feeds itself flags for each dependency that contains relevant libraries and headers. This is done by defining a bash function, and appending its name to one of envBuildBuildHooks
, envBuildHostHooks
, envBuildTargetHooks
, envHostHostHooks
, envHostTargetHooks
, or envTargetTargetHooks
. These 6 bash variables correspond to the 6 sorts of dependencies by platform (there’s 12 total but we ignore the propagated/non-propagated axis).
Packages adding a hook should not hard code a specific hook, but rather choose a variable relative to how they are included. Returning to the C compiler wrapper example, if the wrapper itself is an n
dependency, then it only wants to accumulate flags from n + 1
dependencies, as only those ones match the compiler’s target platform. The hostOffset
variable is defined with the current dependency’s host offset targetOffset
with its target offset, before its setup hook is sourced. Additionally, since most environment hooks don’t care about the target platform, that means the setup hook can append to the right bash array by doing something like
addEnvHooks "$hostOffset" myBashFunction
The existence of setups hooks has long been documented and packages inside Nixpkgs are free to use this mechanism. Other packages, however, should not rely on these mechanisms not changing between Nixpkgs versions. Because of the existing issues with this system, there’s little benefit from mandating it be stable for any period of time.
First, let’s cover some setup hooks that are part of Nixpkgs default stdenv
. This means that they are run for every package built using stdenv.mkDerivation
or when using a custom builder that has source $stdenv/setup
. Some of these are platform specific, so they may run on Linux but not Darwin or vice-versa.
move-docs.sh
This setup hook moves any installed documentation to the /share
subdirectory directory. This includes the man, doc and info directories. This is needed for legacy programs that do not know how to use the share
subdirectory.
compress-man-pages.sh
This setup hook compresses any man pages that have been installed. The compression is done using the gzip program. This helps to reduce the installed size of packages.
strip.sh
This runs the strip command on installed binaries and libraries. This removes unnecessary information like debug symbols when they are not needed. This also helps to reduce the installed size of packages.
patch-shebangs.sh
This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The shebang line tells a Unix-like operating system which interpreter to use to execute the script's contents.
::: note
The generic builder populates PATH
from inputs of the derivation.
:::
Invocation
Multiple paths can be specified.
patchShebangs [--build | --host] PATH...
Flags
--build
- Look up commands available at build time
--host
- Look up commands available at run time
Examples
patchShebangs --host /nix/store/<hash>-hello-1.0/bin
patchShebangs --build configure
#!/bin/sh
will be rewritten to #!/nix/store/<hash>-some-bash/bin/sh
.
#!/usr/bin/env
gets special treatment: #!/usr/bin/env python
is rewritten to /nix/store/<hash>/bin/python
.
Interpreter paths that point to a valid Nix store location are not changed.
::: note A script file must be marked as executable, otherwise it will not be considered. :::
This mechanism ensures that the interpreter for a given script is always found and is exactly the one specified by the build.
It can be disabled by setting dontPatchShebangs
:
stdenv.mkDerivation {
# ...
dontPatchShebangs = true;
# ...
}
The file patch-shebangs.sh
defines the patchShebangs
function. It is used to implement patchShebangsAuto
, the setup hook that is registered to run during the fixup phase by default.
If you need to run patchShebangs
at build time, it must be called explicitly within one of the build phases.
audit-tmpdir.sh
This verifies that no references are left from the install binaries to the directory used to build those binaries. This ensures that the binaries do not need things outside the Nix store. This is currently supported in Linux only.
multiple-outputs.sh
This setup hook adds configure flags that tell packages to install files into any one of the proper outputs listed in outputs
. This behavior can be turned off by setting setOutputFlags
to false in the derivation environment. See for more information.
move-sbin.sh
This setup hook moves any binaries installed in the sbin/
subdirectory into bin/
. In addition, a link is provided from sbin/
to bin/
for compatibility.
move-lib64.sh
This setup hook moves any libraries installed in the lib64/
subdirectory into lib/
. In addition, a link is provided from lib64/
to lib/
for compatibility.
move-systemd-user-units.sh
This setup hook moves any systemd user units installed in the lib/
subdirectory into share/
. In addition, a link is provided from share/
to lib/
for compatibility. This is needed for systemd to find user services when installed into the user profile.
This hook only runs when compiling for Linux.
set-source-date-epoch-to-latest.sh
This sets SOURCE_DATE_EPOCH
to the modification time of the most recent file.
Bintools Wrapper and hook
The Bintools Wrapper wraps the binary utilities for a bunch of miscellaneous purposes. These are GNU Binutils when targeting Linux, and a mix of cctools and GNU binutils for Darwin. [The “Bintools” name is supposed to be a compromise between “Binutils” and “cctools” not denoting any specific implementation.] Specifically, the underlying bintools package, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the Bintools Wrapper. Packages typically depend on CC Wrapper, which in turn (at run time) depends on the Bintools Wrapper.
The Bintools Wrapper was only just recently split off from CC Wrapper, so the division of labor is still being worked out. For example, it shouldn’t care about the C standard library, but just take a derivation with the dynamic loader (which happens to be the glibc on linux). Dependency finding however is a task both wrappers will continue to need to share, and probably the most important to understand. It is currently accomplished by collecting directories of host-platform dependencies (i.e. buildInputs
and nativeBuildInputs
) in environment variables. The Bintools Wrapper’s setup hook causes any lib
and lib64
subdirectories to be added to NIX_LDFLAGS
. Since the CC Wrapper and the Bintools Wrapper use the same strategy, most of the Bintools Wrapper code is sparsely commented and refers to the CC Wrapper. But the CC Wrapper’s code, by contrast, has quite lengthy comments. The Bintools Wrapper merely cites those, rather than repeating them, to avoid falling out of sync.
A final task of the setup hook is defining a number of standard environment variables to tell build systems which executables fulfill which purpose. They are defined to just be the base name of the tools, under the assumption that the Bintools Wrapper’s binaries will be on the path. Firstly, this helps poorly-written packages, e.g. ones that look for just gcc
when CC
isn’t defined yet clang
is to be used. Secondly, this helps packages not get confused when cross-compiling, in which case multiple Bintools Wrappers may simultaneously be in use. 7 BUILD_
- and TARGET_
-prefixed versions of the normal environment variable are defined for additional Bintools Wrappers, properly disambiguating them.
A problem with this final task is that the Bintools Wrapper is honest and defines LD
as ld
. Most packages, however, firstly use the C compiler for linking, secondly use LD
anyways, defining it as the C compiler, and thirdly, only so define LD
when it is undefined as a fallback. This triple-threat means Bintools Wrapper will break those packages, as LD is already defined as the actual linker which the package won’t override yet doesn’t want to use. The workaround is to define, just for the problematic package, LD
as the C compiler. A good way to do this would be preConfigure = "LD=$CC"
.
CC Wrapper and hook
The CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes. Specifically, a C compiler (GCC or Clang), wrapped binary tools, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the CC Wrapper. Packages typically depend on the CC Wrapper, which in turn (at run-time) depends on the Bintools Wrapper.
Dependency finding is undoubtedly the main task of the CC Wrapper. This works just like the Bintools Wrapper, except that any include
subdirectory of any relevant dependency is added to NIX_CFLAGS_COMPILE
. The setup hook itself contains elaborate comments describing the exact mechanism by which this is accomplished.
Similarly, the CC Wrapper follows the Bintools Wrapper in defining standard environment variables with the names of the tools it wraps, for the same reasons described above. Importantly, while it includes a cc
symlink to the c compiler for portability, the CC
will be defined using the compiler’s “real name” (i.e. gcc
or clang
). This helps lousy build systems that inspect on the name of the compiler rather than run it.
Here are some more packages that provide a setup hook. Since the list of hooks is extensible, this is not an exhaustive list. The mechanism is only to be used as a last resort, so it might cover most uses.
Other hooks
Many other packages provide hooks, that are not part of stdenv
. You can find
these in the Hooks Reference.
Purity in Nixpkgs
Measures taken to prevent dependencies on packages outside the store, and what you can do to prevent them.
GCC doesn’t search in locations such as /usr/include
. In fact, attempts to add such directories through the -I
flag are filtered out. Likewise, the linker (from GNU binutils) doesn’t search in standard locations such as /usr/lib
. Programs built on Linux are linked against a GNU C Library that likewise doesn’t search in the default system locations.
Hardening in Nixpkgs
There are flags available to harden packages at compile or link-time. These can be toggled using the stdenv.mkDerivation
parameters hardeningDisable
and hardeningEnable
.
Both parameters take a list of flags as strings. The special "all"
flag can be passed to hardeningDisable
to turn off all hardening. These flags can also be used as environment variables for testing or development purposes.
For more in-depth information on these hardening flags and hardening in general, refer to the Debian Wiki, Ubuntu Wiki, Gentoo Wiki, and the Arch Wiki.
Hardening flags enabled by default
The following flags are enabled by default and might require disabling with hardeningDisable
if the program to package is incompatible.
format
Adds the -Wformat -Wformat-security -Werror=format-security
compiler options. At present, this warns about calls to printf
and scanf
functions where the format string is not a string literal and there are no format arguments, as in printf(foo);
. This may be a security hole if the format string came from untrusted input and contains %n
.
This needs to be turned off or fixed for errors similar to:
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
printf(help_message);
^
cc1plus: some warnings being treated as errors
stackprotector
Adds the -fstack-protector-strong --param ssp-buffer-size=4
compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).
This needs to be turned off or fixed for errors similar to:
bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
fortify
Adds the -O2 -D_FORTIFY_SOURCE=2
compiler options. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain %n
are blocked. If an application depends on such a format string, it will need to be worked around.
Additionally, some warnings are enabled which might trigger build failures if compiler warnings are treated as errors in the package build. In this case, set NIX_CFLAGS_COMPILE
to -Wno-error=warning-type
.
This needs to be turned off or fixed for errors similar to:
malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known
strdup.h:22:1: error: expected identifier or '(' before '__extension__'
strsep.c:65:23: error: register name not specified for 'delim'
installwatch.c:3751:5: error: conflicting types for '__open_2'
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
pic
Adds the -fPIC
compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.
Most notably, the Linux kernel, kernel modules and other code not running in an operating system environment like boot loaders won’t build with PIC enabled. The compiler will is most cases complain that PIC is not supported for a specific build.
This needs to be turned off or fixed for assembler errors similar to:
ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
strictoverflow
Signed integer overflow is undefined behaviour according to the C standard. If it happens, it is an error in the program as it should check for overflow before it can happen, not afterwards. GCC provides built-in functions to perform arithmetic with overflow checking, which are correct and faster than any custom implementation. As a workaround, the option -fno-strict-overflow
makes gcc behave as if signed integer overflows were defined.
This flag should not trigger any build or runtime errors.
relro
Adds the -z relro
linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the bindnow
flag must also be disabled and incompatible programs typically fail with similar errors at runtime.
bindnow
Adds the -z bindnow
linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to relro
). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn’t be an issue for daemons.
This flag can break dynamic shared object loading. For instance, the module systems of Xorg and PHP are incompatible with this flag. Programs incompatible with this flag often fail at runtime due to missing symbols, like:
intel_drv.so: undefined symbol: vgaHWFreeHWRec
Hardening flags disabled by default
The following flags are disabled by default and should be enabled with hardeningEnable
for packages that take untrusted input like network services.
pie
This flag is disabled by default for normal glibc
based NixOS package builds, but enabled by default for musl
based package builds.
Adds the -fPIE
compiler and -pie
linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the pic
flag, so they gain ASLR automatically, but binary .text regions need to be build with pie
to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.
Static libraries need to be compiled with -fPIE
so that executables can link them in with the -pie
linker option.
If the libraries lack -fPIE
, you will get the error recompile with -fPIE
.
-
The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always specified as interfaces, not concrete implementation. ↩︎
-
Currently, this means for native builds all dependencies are put on the
PATH
. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only thedepsBuild*
andnativeBuildInputs
would be added to thePATH
. ↩︎ -
Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like setup hooks also are run as if it were a propagated dependency. ↩︎
-
The
findInputs
function, currently residing inpkgs/stdenv/generic/setup.sh
, implements the propagation logic. ↩︎ -
It clears the
sys_lib_*search_path
variables in the Libtool script to prevent Libtool from using libraries in/usr/lib
and such. ↩︎ -
Eventually these will be passed building natively as well, to improve determinism: build-time guessing, as is done today, is a risk of impurity. ↩︎
-
Each wrapper targets a single platform, so if binaries for multiple platforms are needed, the underlying binaries must be wrapped multiple times. As this is a property of the wrapper itself, the multiple wrappings are needed whether or not the same underlying binaries can target multiple platforms. ↩︎