author | Florian Klink <flokli@flokli.de> | 2019-12-05 01:28:43 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-12-05 01:28:43 +0100 |
commit | 3140fa89c51233397f496f49014f6b23216667c2 (patch) | |
tree | 03dbb59e94a80fea91df634c1a9ba95241e635ad | |
parent | 39bce3333228db1d3db19598b0efaed1abe854c4 (diff) | |
parent | c37902dfd196bd493fcd8fc1492790ac64be0d58 (diff) |
Merge pull request #73097 from andrew-d/andrew/gvisor-redux
gvisor: init at 2019-11-14
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/gvisor.nix | 49 | ||||
-rw-r--r-- | pkgs/applications/virtualization/gvisor/containerd-shim.nix | 36 | ||||
-rw-r--r-- | pkgs/applications/virtualization/gvisor/default.nix | 101 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 4 |
5 files changed, 191 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index df65ef249e8a7..fbc8b511f3b6a 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -103,6 +103,7 @@ in
 grafana = handleTest ./grafana.nix {};
 graphite = handleTest ./graphite.nix {};
 graylog = handleTest ./graylog.nix {};
+ gvisor = handleTest ./gvisor.nix {};
 hadoop.hdfs = handleTestOn [ "x86_64-linux" ] ./hadoop/hdfs.nix {};
 hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {};
 handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {};
diff --git a/nixos/tests/gvisor.nix b/nixos/tests/gvisor.nix
new file mode 100644
index 0000000000000..4d68a1d8a5f89
--- /dev/null
+++ b/nixos/tests/gvisor.nix
@@ -0,0 +1,49 @@
+# This test runs a container through gvisor and checks if simple container starts
+
+import ./make-test-python.nix ({ pkgs, ...} : {
+ name = "gvisor";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ andrew-d ];
+ };
+
+ nodes = {
+ gvisor =
+ { pkgs, ... }:
+ {
+ virtualisation.docker = {
+ enable = true;
+ extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc";
+ };
+
+ networking = {
+ dhcpcd.enable = false;
+ defaultGateway = "192.168.1.1";
+ interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+ { address = "192.168.1.2"; prefixLength = 24; }
+ ];
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ gvisor.wait_for_unit("network.target")
+ gvisor.wait_for_unit("sockets.target")
+
+ # Start by verifying that gvisor itself works
+ output = gvisor.succeed(
+ "${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world"
+ )
+ assert output.strip() == "hello world"
+
+ # Also test the Docker runtime
+ gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+ gvisor.succeed(
+ "docker run -d --name=sleeping --runtime=runsc -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ gvisor.succeed("docker ps | grep sleeping")
+ gvisor.succeed("docker stop sleeping")
+ '';
+})
+
diff --git a/pkgs/applications/virtualization/gvisor/containerd-shim.nix b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
new file mode 100644
index 0000000000000..0161a117def34
--- /dev/null
+++ b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
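Review bot: The final check `gvisor.succeed("docker ps | grep sleeping")` only shows that a container named `sleeping` is listed; it does not confirm that the container actually came up under the gVisor runtime, which is the property this test exists to cover. Docker should refuse an unknown `--runtime`, so this is presumably belt-and-braces, but pinning it explicitly is one line: `gvisor.succeed("docker inspect --format '{{.HostConfig.Runtime}}' sleeping | grep -x runsc")`. The bare `grep sleeping` is also a loose match, since it matches any column of the `docker ps` output rather than the container name.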
@@ -0,0 +1,36 @@
+{ lib, fetchFromGitHub, buildGoModule, go-bindata }:
+
+buildGoModule rec {
+ name = "gvisor-containerd-shim-${version}";
+ version = "2019-10-09";
+
+ src = fetchFromGitHub {
+ owner = "google";
+ repo = "gvisor-containerd-shim";
+ rev = "f299b553afdd8455a0057862004061ea12e660f5";
+ sha256 = "077bhrmjrpcxv1z020yxhx2c4asn66j21gxlpa6hz0av3lfck9lm";
+ };
+
+ modSha256 = "1jdhgbrn59ahnabwnig99i21f6kimmqx9f3dg10ffwfs3dx0gzlg";
+
+ buildPhase = ''
+ make
+ '';
+
+ doCheck = true;
+ checkPhase = ''
+ make test
+ '';
+
+ installPhase = ''
+ make install DESTDIR="$out"
+ '';
+
+ meta = with lib; {
+ description = "containerd shim for gVisor";
+ homepage = https://github.com/google/gvisor-containerd-shim;
+ license = licenses.asl20;
+ maintainers = with maintainers; [ andrew-d ];
+ platforms = [ "x86_64-linux" ];
+ };
+}
diff --git a/pkgs/applications/virtualization/gvisor/default.nix b/pkgs/applications/virtualization/gvisor/default.nix
new file mode 100644
index 0000000000000..2d99fb3bf5730
--- /dev/null
+++ b/pkgs/applications/virtualization/gvisor/default.nix
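Review bot: `go-bindata` is taken as a function argument on the first line but never referenced anywhere in the derivation, so it is not on PATH during `make` and has no effect on the build. Either drop it from the argument set or, if the Makefile's code-generation step does need it, make the dependency explicit with `nativeBuildInputs = [ go-bindata ];`. The `homepage` attribute also uses the bare URL-literal syntax; quoting it as `homepage = "https://github.com/google/gvisor-containerd-shim";` avoids the deprecated form, and the same applies to `homepage` in default.nix.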
@@ -0,0 +1,101 @@
+{ stdenv
+, buildBazelPackage
+, fetchFromGitHub
+, cacert
+, git
+, glibcLocales
+, go
+, iproute
+, iptables
+, makeWrapper
+, procps
+, python3
+}:
+
+let
+ preBuild = ''
+ patchShebangs .
+
+ # Tell rules_go to use the Go binary found in the PATH
+ sed -E -i \
+ -e 's|go_version\s*=\s*"[^"]+",|go_version = "host",|g' \
+ WORKSPACE
+
+ # The gazelle Go tooling needs CA certs
+ export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+
+ # If we don't reset our GOPATH, the rules_go stdlib builder tries to
+ # install something into it. Ideally that wouldn't happen, but for now we
+ # can also get around it by unsetting GOPATH entirely, since rules_go
+ # doesn't need it.
+ export GOPATH=
+ '';
+
+in buildBazelPackage rec {
+ name = "gvisor-${version}";
+ version = "2019-11-14";
+
+ src = fetchFromGitHub {
+ owner = "google";
+ repo = "gvisor";
+ rev = "release-20191114.0";
+ sha256 = "0kyixjjlws9iz2r2srgpdd4rrq94vpxkmh2rmmzxd9mcqy2i9bg1";
+ };
+
+ nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];
+
+ bazelTarget = "//runsc:runsc";
+
+ # gvisor uses the Starlark implementation of rules_cc, not the built-in one,
+ # so we shouldn't delete it from our dependencies.
+ removeRulesCC = false;
+
+ fetchAttrs = {
+ inherit preBuild;
+
+ preInstall = ''
+ # Remove the go_sdk (it's just a copy of the go derivation) and all
+ # references to it from the marker files. Bazel does not need to download
+ # this sdk because we have patched the WORKSPACE file to point to the one
+ # currently present in PATH. Without removing the go_sdk from the marker
+ # file, the hash of it will change anytime the Go derivation changes and
+ # that would lead to impurities in the marker files which would result in
+ # a different sha256 for the fetch phase.
+ rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}
+
+ # Remove the gazelle tools, they contain go binaries that are built
+ # non-deterministically. As long as the gazelle version matches the tools
+ # should be equivalent.
+ rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}
+
+ # Remove the gazelle repository cache
+ chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
+ rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}
+
+ # Remove log file(s)
+ rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
+ '';
+
+ sha256 = "122qk6iv8hd7g2a84y9aqqhij4r0m47vpxzbqhhh6k5livc73qd6";
+ };
+
+ buildAttrs = {
+ inherit preBuild;
+
+ installPhase = ''
+ install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc
+
+ # Needed for the 'runsc do' subcomand
+ wrapProgram $out/bin/runsc \
+ --prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
+ '';
+ };
+
+ meta = with stdenv.lib; {
+ description = "Container Runtime Sandbox";
+ homepage = https://github.com/google/gvisor;
+ license = licenses.asl20;
+ maintainers = with maintainers; [ andrew-d ];
+ platforms = [ "x86_64-linux" ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c6130718ceb23..ae495eb019ba9 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -19207,6 +19207,10 @@ in gv = callPackage ../applications/misc/gv { }; + gvisor = callPackage ../applications/virtualization/gvisor { }; + + gvisor-containerd-shim = callPackage ../applications/virtualization/gvisor/containerd-shim.nix { }; + guvcview = callPackage ../os-specific/linux/guvcview { }; gxmessage = callPackage ../applications/misc/gxmessage { }; |
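Review bot: The `sed` in `preBuild` that rewrites `go_version` in WORKSPACE fails silently if the upstream declaration stops matching the pattern: sed exits 0 either way, rules_go would presumably fall back to fetching its own Go SDK, and the problem would surface only as an unexplained change in the fixed-output `sha256` under `fetchAttrs`. A post-check directly after the sed makes the intent enforceable, e.g. `grep -q 'go_version = "host"' WORKSPACE || { echo "go_version patch did not apply" >&2; exit 1; }`. Separately, the comment above `wrapProgram` has a typo; it should read `# Needed for the 'runsc do' subcommand`.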