ISO images: Initialize the Nix database with correct NAR hashes/sizes

The boot test now runs "nix verify" to ensure that all hashes are
correct.

3 files changed, 12 insertions, 46 deletions

diff --git a/nixos/lib/make-iso9660-image.nix b/nixos/lib/make-iso9660-image.nix
index 75be70dbcb2b..c6bafd48f9db 100644
--- a/nixos/lib/make-iso9660-image.nix
+++ b/nixos/lib/make-iso9660-image.nix
@@ -1,4 +1,4 @@
-{ stdenv, perl, pathsFromGraph, xorriso, syslinux
+{ stdenv, perl, closureInfo, xorriso, syslinux
 
 , # The file name of the resulting ISO image.
   isoName ? "cd.iso"
@@ -48,9 +48,9 @@ assert usbBootable -> isohybridMbrImage != "";
 stdenv.mkDerivation {
   name = isoName;
   builder = ./make-iso9660-image.sh;
-  buildInputs = [perl xorriso syslinux];
+  buildInputs = [ xorriso syslinux ];
 
-  inherit isoName bootable bootImage compressImage volumeID pathsFromGraph efiBootImage efiBootable isohybridMbrImage usbBootable;
+  inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable;
 
   # !!! should use XML.
   sources = map (x: x.source) contents;
@@ -61,6 +61,5 @@ stdenv.mkDerivation {
   symlinks = map (x: x.symlink) storeContents;
 
   # For obtaining the closure of `storeContents'.
-  exportReferencesGraph =
-    map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents;
+  closureInfo = closureInfo { rootPaths = map (x: x.object) storeContents; };
 }
diff --git a/nixos/lib/make-iso9660-image.sh b/nixos/lib/make-iso9660-image.sh
index c623436f6c5b..45cdef1ef4df 100644
--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@@ -72,16 +72,15 @@ done
 
 
 # Add the closures of the top-level store objects.
-storePaths=$(perl $pathsFromGraph closure-*)
-for i in $storePaths; do
+for i in $(< $closureInfo/store-paths); do
     addPath "${i:1}" "$i"
 done
 
 
 # Also include a manifest of the closures in a format suitable for
 # nix-store --load-db.
-if [ -n "$object" ]; then
-    printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration
+if [[ ${#objects[*]} != 0 ]]; then
+    cp $closureInfo/registration nix-path-registration
     addPath "nix-path-registration" "nix-path-registration"
 fi
 
diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix
index 9d47a3222cc2..7ab84e47f53b 100644
--- a/nixos/lib/make-squashfs.nix
+++ b/nixos/lib/make-squashfs.nix
@@ -1,4 +1,4 @@
-{ stdenv, squashfsTools, perl, pathsFromGraph
+{ stdenv, squashfsTools, closureInfo
 
 , # The root directory of the squashfs filesystem is filled with the
   # closures of the Nix store paths listed here.
@@ -8,50 +8,18 @@
 stdenv.mkDerivation {
   name = "squashfs.img";
 
-  nativeBuildInputs = [perl squashfsTools];
-
-  # For obtaining the closure of `storeContents'.
-  exportReferencesGraph =
-    map (x: [("closure-" + baseNameOf x) x]) storeContents;
+  nativeBuildInputs = [ squashfsTools ];
 
   buildCommand =
     ''
-      # Add the closures of the top-level store objects.
-      storePaths=$(perl ${pathsFromGraph} closure-*)
-
-      # If a Hydra slave happens to have store paths with bad permissions/mtime,
-      # abort now so that they don't end up in ISO images in the channel.
-      # https://github.com/NixOS/nixpkgs/issues/32242
-      hasBadPaths=""
-      for path in $storePaths; do
-        if [ -h "$path" ]; then
-          continue
-        fi
-
-        mtime=$(stat -c %Y "$path")
-        mode=$(stat -c %a "$path")
-
-        if [ "$mtime" != 1 ]; then
-          echo "Store path '$path' has an invalid mtime."
-          hasBadPaths=1
-        fi
-        if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then
-          echo "Store path '$path' has invalid permissions ($mode)."
-          hasBadPaths=1
-        fi
-      done
-
-      if [ -n "$hasBadPaths" ]; then
-        echo "You have bad paths in your store, please fix them."
-        exit 1
-      fi
+      closureInfo=${closureInfo { rootPaths = storeContents; }}
 
       # Also include a manifest of the closures in a format suitable
       # for nix-store --load-db.
-      printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration
+      cp $closureInfo/registration nix-path-registration
 
       # Generate the squashfs image.
-      mksquashfs nix-path-registration $storePaths $out \
+      mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out \
         -keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100%
     '';
 }