Diffstat (limited to 'pkgs/applications/virtualization/singularity')
-rw-r--r--pkgs/applications/virtualization/singularity/generic.nix42
-rw-r--r--pkgs/applications/virtualization/singularity/packages.nix26
2 files changed, 58 insertions, 10 deletions
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index da7c8accf873a..f27f58fda4876 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -44,6 +44,7 @@ in
   gpgme,
   libseccomp,
   libuuid,
+  mount,
   # This is for nvidia-container-cli
   nvidia-docker,
   openssl,
@@ -79,6 +80,20 @@ in
   externalLocalStateDir ? null,
   # Remove the symlinks to `singularity*` when projectName != "singularity"
   removeCompat ? false,
+  # The defaultPath values to substitute in each source files.
+  #
+  # `defaultPath` are PATH variables hard-coded inside Apptainer/Singularity
+  # binaries to search for third-party utilities, as a hardening for
+  # `$out/bin/starter-suid`.
+  #
+  # The upstream provided values are suitable for FHS-conformant environment.
+  # We substitute them and insert Nixpkgs-specific values.
+  #
+  # Example:
+  # {
+  #   "path/to/source/file1" = [ "<originalDefaultPath11>" "<originalDefaultPath12>" ... ];
+  # }
+  sourceFilesWithDefaultPaths ? { },
   # Workaround #86349
   # should be removed when the issue is resolved
   vendorHash ? _defaultGoVendorArgs.vendorHash,
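Review bot: The default `{ }` for `sourceFilesWithDefaultPaths` means a caller of generic.nix that omits the attribute gets no substitution at all, so the upstream FHS `defaultPath` values stay in the built binaries, including the value the comment describes as hardening for `$out/bin/starter-suid`, and nothing in the build reports it; the `--replace-fail` added in postPatch only guards files that are actually listed. That silent path deserves a sentence in the comment, e.g. `# Empty set: nothing is substituted and the upstream FHS paths remain in the binaries.`. Two wording fixes in the same comment: "in each source files" should read "in each source file", and "suitable for FHS-conformant environment" should read "suitable for an FHS-conformant environment". The enclosing argument set starts before this hunk.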
@@ -87,7 +102,6 @@ in
 }:
 
 let
-  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
   privileged-un-utils =
     if ((newuidmapPath == null) && (newgidmapPath == null)) then
       null
@@ -97,6 +111,12 @@ let
         ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
         ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
       '');
+
+  concatMapStringAttrsSep =
+    sep: f: attrs:
+    lib.concatMapStringsSep sep (name: f name attrs.${name}) (lib.attrNames attrs);
+
+  addShellDoubleQuotes = s: lib.escapeShellArg ''"'' + s + lib.escapeShellArg ''"'';
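Review bot: Both new helpers are undocumented, and `addShellDoubleQuotes` only produces a correctly quoted shell word when its argument has already been passed through `lib.escapeShellArg` (as the caller in postPatch does); a comment should state that precondition, e.g. `# Wrap an already shell-escaped word in literal double quotes so the Go string literal matches.`. `concatMapStringAttrsSep` re-implements an existing lib function: `lib.concatStringsSep sep (lib.mapAttrsToList f attrs)` iterates the attribute names in the same sorted order and drops the manual `attrs.${name}` lookup. The `let` block continues on both sides of this hunk.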
 in
 (buildGoModule {
   inherit pname version src;
@@ -185,6 +205,7 @@ in
     fakeroot
     fuse2fs # Mount ext3 filesystems
     go
+    mount # mount
     privileged-un-utils
     squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
     squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
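Review bot: The trailing comment on the added `mount # mount` line only repeats the package name, whereas the neighbouring entries name the binaries provided and what they are used for; since this list becomes part of the PATH baked into the binaries, the comment should say which binary is expected from it and why, in the same style as `fuse2fs # Mount ext3 filesystems`. The list starts before this hunk, so I cannot tell from here whether the comment style is stated anywhere above.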
@@ -199,8 +220,19 @@ in
     patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts
 
     # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs
-    substituteInPlace cmd/internal/cli/actions.go \
-      --replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\""
+    ${concatMapStringAttrsSep "\n" (fileName: originalDefaultPaths: ''
+      substituteInPlace ${lib.escapeShellArg fileName} \
+        ${
+          lib.concatMapStringsSep " \\\n  " (
+            originalDefaultPath:
+            lib.concatStringsSep " " [
+              "--replace-fail"
+              (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
+              (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+            ]
+          ) originalDefaultPaths
+        }
+    '') sourceFilesWithDefaultPaths}
 
     substituteInPlace internal/pkg/util/gpu/nvidia.go \
       --replace \
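Review bot: The `--replace-fail` search string is now the bare path literal rather than the `defaultPath = "…"` assignment the removed lines matched, so every occurrence of that string in the listed file is rewritten, not only the `defaultPath` declaration; that is presumably intended (the same literal is listed for `e2e/env/env.go`), but it is worth stating in the unchanged comment above the block, which still refers to `defaultPathInputs` while the generated code uses `$inputsDefaultPath`. Suggested wording: `# Patch every occurrence of the hard-coded FHS defaultPath literals in the listed files, prefixing them with $inputsDefaultPath (the bin/ directories of defaultPathInputs)`. The move to `--replace-fail` is a good change: a version bump that alters the upstream literal now fails the build instead of silently leaving the FHS path in place. The postPatch script continues after this hunk.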
@@ -236,7 +268,7 @@ in
     substituteInPlace "$out/bin/run-singularity" \
       --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
     wrapProgram "$out/bin/${projectName}" \
-      --prefix PATH : "''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}"
+      --prefix PATH : "$inputsDefaultPath"
     # Make changes in the config file
     ${lib.optionalString forceNvcCli ''
       substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@@ -294,7 +326,9 @@ in
 }).overrideAttrs
   (
     finalAttrs: prevAttrs: {
+      inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
       passthru = prevAttrs.passthru or { } // {
+        inherit sourceFilesWithDefaultPaths;
         tests = {
           image-hello-cowsay = singularity-tools.buildImage {
             name = "hello-cowsay";
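Review bot: `inputsDefaultPath` is added as a plain derivation attribute with no comment, and nothing here says that it is deliberately exported to the build environment so that the `$inputsDefaultPath` references in postPatch and in the `wrapProgram --prefix PATH` line resolve; a reader of the `overrideAttrs` block alone cannot see those consumers. Suggested comment above the line: `# Exported to the build environment: consumed by postPatch and by the PATH prefix in postInstall.`. Also consider stating, for the `inherit sourceFilesWithDefaultPaths;` line, that it is exposed in passthru so that downstream overrides can inspect the substituted files. The `overrideAttrs` function extends beyond this hunk on both sides.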
diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix
index bd7deb298d47b..f03bdf9631c56 100644
--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@@ -9,20 +9,20 @@ let
     callPackage
       (import ./generic.nix rec {
         pname = "apptainer";
-        version = "1.3.1";
+        version = "1.3.2";
         projectName = "apptainer";
 
         src = fetchFromGitHub {
           owner = "apptainer";
           repo = "apptainer";
           rev = "refs/tags/v${version}";
-          hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY=";
+          hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8=";
         };
 
         # Update by running
         # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules"
         # at the root directory of the Nixpkgs repository
-        vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0=";
+        vendorHash = "sha256-W853++SSvkAYYUczbl8vnoBQZnimUdsAEXp4MCkLPBU=";
 
         extraDescription = " (previously known as Singularity)";
         extraMeta.homepage = "https://apptainer.org";
@@ -35,26 +35,32 @@ let
         # when building on a system with disabled unprivileged namespace.
         # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
         defaultToSuid = null;
+
+        sourceFilesWithDefaultPaths = {
+          "cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
+          "e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+          "internal/pkg/util/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+        };
       };
 
   singularity =
     callPackage
       (import ./generic.nix rec {
         pname = "singularity-ce";
-        version = "4.1.2";
+        version = "4.1.3";
         projectName = "singularity";
 
         src = fetchFromGitHub {
           owner = "sylabs";
           repo = "singularity";
           rev = "refs/tags/v${version}";
-          hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY=";
+          hash = "sha256-pR8zyMr23wcbDCXAysVEgGUDHkrfhLoVF3fjMLgZFYs=";
         };
 
         # Update by running
         # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
         # at the root directory of the Nixpkgs repository
-        vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw=";
+        vendorHash = "sha256-332GFL04aE6B6vxgtJJH4TeI6YJCDBpCClJ3sc5gN3A=";
 
         # Do not build conmon and squashfuse from the Git submodule sources,
         # Use Nixpkgs provided version
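Review bot: The two FHS path literals are duplicated verbatim between the apptainer entry here and the singularity entry in the next hunk (ending at `defaultToSuid = true;`'s block), which invites the two copies drifting apart on a future bump; hoisting them into the file's `let` as named constants, e.g. `fhsDefaultPathBin = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";` and `fhsDefaultPathSbin = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";`, keeps one definition per literal. A short comment on each `sourceFilesWithDefaultPaths` block should also say that the entries are tied to the pinned version and must be re-checked on every bump, since `--replace-fail` in generic.nix catches a changed literal but not a new file that starts hard-coding a default PATH. The singularity entry lists `internal/pkg/util/env/clean.go` where apptainer lists `internal/pkg/util/env/env.go`; I cannot verify from this page which file each upstream tree uses, so that difference is presumably intended.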
@@ -71,6 +77,14 @@ let
         # on UNIX-like platforms,
         # and only have --without-suid but not --with-suid.
         defaultToSuid = true;
+
+        sourceFilesWithDefaultPaths = {
+          "cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
+          "e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+          "internal/pkg/util/env/clean.go" = [
+            "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ];
+        };
       };
 
   genOverridenNixos =