Diffstat (limited to 'pkgs/applications/virtualization/singularity')
-rw-r--r-- | pkgs/applications/virtualization/singularity/generic.nix | 50 | ||||
-rw-r--r-- | pkgs/applications/virtualization/singularity/packages.nix | 10 |
2 files changed, 42 insertions, 18 deletions
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index f27f58fda4876..1cac1d4f16c65 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -70,11 +70,19 @@ in
 # Whether to compile with SUID support
 enableSuid ? false,
 starterSuidPath ? null,
- # newuidmapPath and newgidmapPath are to support --fakeroot
- # where those SUID-ed executables are unavailable from the FHS system PATH.
+ # Extra system-wide /**/bin paths to prefix,
+ # useful to specify directories containing binaries with SUID bit set.
+ # The paths take higher precedence over the FHS system PATH specified
+ # inside the upstream source code.
+ # Include "/run/wrappers/bin" by default for the convenience of NixOS users.
+ systemBinPaths ? [ "/run/wrappers/bin" ],
 # Path to SUID-ed newuidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newuidmapPath ? null,
 # Path to SUID-ed newgidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newgidmapPath ? null,
 # External LOCALSTATEDIR
 externalLocalStateDir ? null,
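Review bot: The new `systemBinPaths` comment says the paths are `to prefix` and `take higher precedence over the FHS system PATH` without saying where they sit relative to the caller's environment, which matters because the wrapProgram hunk at `@@ -267` adds them with `--suffix PATH`, i.e. after whatever PATH the invoking user already has. A reader choosing this option to pin a trusted directory of SUID helpers should not conclude that it wins over the environment. Suggest replacing the first two comment lines with `# Extra system-wide bin paths, searched after the caller's PATH but before the upstream FHS defaults and the Nixpkgs-provided defaultPathInputs;` and keeping the remaining lines. The parameter list continues outside the hunk.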
@@ -99,18 +107,30 @@ in vendorHash ? _defaultGoVendorArgs.vendorHash, deleteVendor ? _defaultGoVendorArgs.deleteVendor, proxyVendor ? _defaultGoVendorArgs.proxyVendor, -}: +}@args: let + # Backward compatibility for privileged-un-utils. + # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off. privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else - (runCommandLocal "privileged-un-utils" { } '' - mkdir -p "$out/bin" - ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" - ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" - ''); + lib.warn + "${pname}: arguments newuidmapPath and newgidmapPath is deprecated in favour of systemBinPaths." + ( + runCommandLocal "privileged-un-utils" { } '' + mkdir -p "$out/bin" + ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" + ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" + '' + ); + + # Backward compatibility for privileged-un-utils. + # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off. + systemBinPaths = + lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ]) + ++ args.systemBinPaths or [ "/run/wrappers/bin" ]; concatMapStringAttrsSep = sep: f: attrs: @@ -196,8 +216,9 @@ in # causes redefinition of _FORTIFY_SOURCE hardeningDisable = [ "fortify3" ]; - # Packages to prefix to the Apptainer/Singularity container runtime default PATH - # Use overrideAttrs to override + # Packages to provide fallback bin paths + # to the Apptainer/Singularity container runtime default PATHs. + # Override with `<pkg>.overrideAttrs`. defaultPathInputs = [ bash coreutils @@ -206,7 +227,6 @@ in fuse2fs # Mount ext3 filesystems go mount # mount - privileged-un-utils squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges ] ++ lib.optional enableNvidiaContainerCli nvidia-docker; 
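Review bot: The new `systemBinPaths` binding accepts whatever list the caller passes and joins it straight into PATH (`systemDefaultPath` in the `@@ -326` hunk), so an empty string or a relative entry silently becomes a current-directory PATH component for a runtime that is commonly installed with a SUID starter. An `assert` on the user-supplied part turns that into an evaluation error with a clear message; the check below assumes the entries are strings, as the default is. The same rewrite gives the default literal one home instead of repeating `[ "/run/wrappers/bin" ]` from the parameter list. Separately, the `lib.warn` text should read `... newuidmapPath and newgidmapPath are deprecated ...`, and the `if` still only guards the both-null case, so passing just one of the two appears to fail later inside `runCommandLocal` rather than with a message naming the argument. The surrounding `let` continues outside the hunk.
```nix
  # Backward compatibility for privileged-un-utils.
  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
  systemBinPaths =
    let
      userBinPaths = args.systemBinPaths or [ "/run/wrappers/bin" ];
    in
    # An empty or relative entry would become a current-directory PATH component.
    assert lib.assertMsg (lib.all (p: lib.hasPrefix "/" p) userBinPaths)
      "${pname}: every systemBinPaths entry must be an absolute path";
    lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ])
    ++ userBinPaths;
```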
@@ -228,7 +248,7 @@ in lib.concatStringsSep " " [ "--replace-fail" (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath)) - (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'') + (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'') ] ) originalDefaultPaths } @@ -267,8 +287,11 @@ in postFixup = '' substituteInPlace "$out/bin/run-singularity" \ --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}" + # Respect PATH from the environment/the user. + # Fallback to bin paths provided by Nixpkgs packages. wrapProgram "$out/bin/${projectName}" \ - --prefix PATH : "$inputsDefaultPath" + --suffix PATH : "$systemDefaultPath" \ + --suffix PATH : "$inputsDefaultPath" # Make changes in the config file ${lib.optionalString forceNvcCli '' substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \ @@ -326,6 +349,7 @@ in }).overrideAttrs ( finalAttrs: prevAttrs: { + systemDefaultPath = lib.concatStringsSep ":" systemBinPaths; inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs; passthru = prevAttrs.passthru or { } // { inherit sourceFilesWithDefaultPaths; diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix index f03bdf9631c56..6237db9cd6991 100644 --- a/pkgs/applications/virtualization/singularity/packages.nix +++ b/pkgs/applications/virtualization/singularity/packages.nix @@ -9,14 +9,14 @@ let callPackage (import ./generic.nix rec { pname = "apptainer"; - version = "1.3.2"; + version = "1.3.3"; projectName = "apptainer"; src = fetchFromGitHub { owner = "apptainer"; repo = "apptainer"; rev = "refs/tags/v${version}"; - hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8="; + hash = "sha256-xQZCQa9z1aJ2tVtxMlwcNhlm0EV/nn8OnbfaVZRm4JI="; }; # Update by running 
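Review bot: The new replacement string orders the compiled-in default as `$systemDefaultPath:<upstream FHS dirs>:$inputsDefaultPath`, whereas the removed line put the Nixpkgs inputs ahead of the upstream FHS dirs; together with the `--suffix PATH` in the `@@ -267` hunk, the helpers listed in `defaultPathInputs` are now resolved from the caller's PATH first, then from the host's FHS directories where they exist, and only then from the pinned Nixpkgs packages. That is presumably the intent behind `fallback bin paths`, but on a non-NixOS host that has those helpers installed the runtime no longer executes the versions Nixpkgs tested against, which is worth stating where the precedence is decided. Suggest expanding the comment in the `@@ -267` hunk to `# PATH precedence: caller's environment > systemBinPaths > upstream FHS defaults > Nixpkgs defaultPathInputs.`. The enclosing substitution expression starts outside the hunk.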
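Review bot: `systemDefaultPath` is computed from the let-bound `systemBinPaths`, while the neighbouring `inputsDefaultPath` reads `finalAttrs.defaultPathInputs`, so the two PATH pieces are overridable through different mechanisms (`.override` for one, `.overrideAttrs` for the other) even though the `@@ -196` comment advertises `overrideAttrs` for this kind of tweak. Making the list an attribute as well keeps them consistent: `inherit systemBinPaths;` followed by `systemDefaultPath = lib.concatStringsSep ":" finalAttrs.systemBinPaths;`. The `overrideAttrs` attrset continues outside the hunk.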
@@ -47,20 +47,20 @@ let callPackage (import ./generic.nix rec { pname = "singularity-ce"; - version = "4.1.3"; + version = "4.1.4"; projectName = "singularity"; src = fetchFromGitHub { owner = "sylabs"; repo = "singularity"; rev = "refs/tags/v${version}"; - hash = "sha256-pR8zyMr23wcbDCXAysVEgGUDHkrfhLoVF3fjMLgZFYs="; + hash = "sha256-+qwPzgwfF6A1c/rmSM/5T2N9/wVeWhMoAthj3eSQmh8="; }; # Update by running # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules" # at the root directory of the Nixpkgs repository - vendorHash = "sha256-332GFL04aE6B6vxgtJJH4TeI6YJCDBpCClJ3sc5gN3A="; + vendorHash = "sha256-dTqOSk8APLOsqwEiZ/IL8Zu1SR48MyEYPgRe6PC2nd8="; # Do not build conmon and squashfuse from the Git submodule sources, # Use Nixpkgs provided version |