Merge pull request #73097 from andrew-d/andrew/gvisor-redux

gvisor: init at 2019-11-14

5 files changed, 191 insertions, 0 deletions

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index df65ef249e8a7..fbc8b511f3b6a 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -103,6 +103,7 @@ in
   grafana = handleTest ./grafana.nix {};
   graphite = handleTest ./graphite.nix {};
   graylog = handleTest ./graylog.nix {};
+  gvisor = handleTest ./gvisor.nix {};
   hadoop.hdfs = handleTestOn [ "x86_64-linux" ] ./hadoop/hdfs.nix {};
   hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {};
   handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {};
diff --git a/nixos/tests/gvisor.nix b/nixos/tests/gvisor.nix
new file mode 100644
index 0000000000000..4d68a1d8a5f89
--- /dev/null
+++ b/nixos/tests/gvisor.nix
@@ -0,0 +1,49 @@
+# This test runs a container through gvisor and checks if simple container starts
+
+import ./make-test-python.nix ({ pkgs, ...} : {
+  name = "gvisor";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ andrew-d ];
+  };
+
+  nodes = {
+    gvisor =
+      { pkgs, ... }:
+        {
+          virtualisation.docker = {
+            enable = true;
+            extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc";
+          };
+
+          networking = {
+            dhcpcd.enable = false;
+            defaultGateway = "192.168.1.1";
+            interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+              { address = "192.168.1.2"; prefixLength = 24; }
+            ];
+          };
+        };
+    };
+
+  testScript = ''
+    start_all()
+
+    gvisor.wait_for_unit("network.target")
+    gvisor.wait_for_unit("sockets.target")
+
+    # Start by verifying that gvisor itself works
+    output = gvisor.succeed(
+        "${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world"
+    )
+    assert output.strip() == "hello world"
+
+    # Also test the Docker runtime
+    gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+    gvisor.succeed(
+        "docker run -d --name=sleeping --runtime=runsc -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+    )
+    gvisor.succeed("docker ps | grep sleeping")
+    gvisor.succeed("docker stop sleeping")
+  '';
+})
+
diff --git a/pkgs/applications/virtualization/gvisor/containerd-shim.nix b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
new file mode 100644
index 0000000000000..0161a117def34
--- /dev/null
+++ b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
@@ -0,0 +1,36 @@
+{ lib, fetchFromGitHub, buildGoModule, go-bindata }:
+
+buildGoModule rec {
+  name = "gvisor-containerd-shim-${version}";
+  version = "2019-10-09";
+
+  src = fetchFromGitHub {
+    owner  = "google";
+    repo   = "gvisor-containerd-shim";
+    rev    = "f299b553afdd8455a0057862004061ea12e660f5";
+    sha256 = "077bhrmjrpcxv1z020yxhx2c4asn66j21gxlpa6hz0av3lfck9lm";
+  };
+
+  modSha256 = "1jdhgbrn59ahnabwnig99i21f6kimmqx9f3dg10ffwfs3dx0gzlg";
+
+  buildPhase = ''
+    make
+  '';
+
+  doCheck = true;
+  checkPhase = ''
+    make test
+  '';
+
+  installPhase = ''
+    make install DESTDIR="$out"
+  '';
+
+  meta = with lib; {
+    description = "containerd shim for gVisor";
+    homepage    = https://github.com/google/gvisor-containerd-shim;
+    license     = licenses.asl20;
+    maintainers = with maintainers; [ andrew-d ];
+    platforms   = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/applications/virtualization/gvisor/default.nix b/pkgs/applications/virtualization/gvisor/default.nix
new file mode 100644
index 0000000000000..2d99fb3bf5730
--- /dev/null
+++ b/pkgs/applications/virtualization/gvisor/default.nix
@@ -0,0 +1,101 @@
+{ stdenv
+, buildBazelPackage
+, fetchFromGitHub
+, cacert
+, git
+, glibcLocales
+, go
+, iproute
+, iptables
+, makeWrapper
+, procps
+, python3
+}:
+
+let
+  preBuild = ''
+    patchShebangs .
+
+    # Tell rules_go to use the Go binary found in the PATH
+    sed -E -i \
+      -e 's|go_version\s*=\s*"[^"]+",|go_version = "host",|g' \
+      WORKSPACE
+
+    # The gazelle Go tooling needs CA certs
+    export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+
+    # If we don't reset our GOPATH, the rules_go stdlib builder tries to
+    # install something into it. Ideally that wouldn't happen, but for now we
+    # can also get around it by unsetting GOPATH entirely, since rules_go
+    # doesn't need it.
+    export GOPATH=
+  '';
+
+in buildBazelPackage rec {
+  name = "gvisor-${version}";
+  version = "2019-11-14";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo  = "gvisor";
+    rev   = "release-20191114.0";
+    sha256 = "0kyixjjlws9iz2r2srgpdd4rrq94vpxkmh2rmmzxd9mcqy2i9bg1";
+  };
+
+  nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];
+
+  bazelTarget = "//runsc:runsc";
+
+  # gvisor uses the Starlark implementation of rules_cc, not the built-in one,
+  # so we shouldn't delete it from our dependencies.
+  removeRulesCC = false;
+
+  fetchAttrs = {
+    inherit preBuild;
+
+    preInstall = ''
+      # Remove the go_sdk (it's just a copy of the go derivation) and all
+      # references to it from the marker files. Bazel does not need to download
+      # this sdk because we have patched the WORKSPACE file to point to the one
+      # currently present in PATH. Without removing the go_sdk from the marker
+      # file, the hash of it will change anytime the Go derivation changes and
+      # that would lead to impurities in the marker files which would result in
+      # a different sha256 for the fetch phase.
+      rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}
+
+      # Remove the gazelle tools, they contain go binaries that are built
+      # non-deterministically. As long as the gazelle version matches the tools
+      # should be equivalent.
+      rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}
+
+      # Remove the gazelle repository cache
+      chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
+      rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}
+
+      # Remove log file(s)
+      rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
+    '';
+
+    sha256 = "122qk6iv8hd7g2a84y9aqqhij4r0m47vpxzbqhhh6k5livc73qd6";
+  };
+
+  buildAttrs = {
+    inherit preBuild;
+
+    installPhase = ''
+      install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc
+
+      # Needed for the 'runsc do' subcomand
+      wrapProgram $out/bin/runsc \
+        --prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
+    '';
+  };
+
+  meta = with stdenv.lib; {
+    description = "Container Runtime Sandbox";
+    homepage = https://github.com/google/gvisor;
+    license = licenses.asl20;
+    maintainers = with maintainers; [ andrew-d ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c6130718ceb23..ae495eb019ba9 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -19207,6 +19207,10 @@ in
 
   gv = callPackage ../applications/misc/gv { };
 
+  gvisor = callPackage ../applications/virtualization/gvisor { };
+
+  gvisor-containerd-shim = callPackage ../applications/virtualization/gvisor/containerd-shim.nix { };
+
   guvcview = callPackage ../os-specific/linux/guvcview { };
 
   gxmessage = callPackage ../applications/misc/gxmessage { };