Diffstat (limited to 'pkgs/applications/virtualization')
64 files changed, 1748 insertions, 1383 deletions
diff --git a/pkgs/applications/virtualization/arion/default.nix b/pkgs/applications/virtualization/arion/default.nix
index 716a94a05d8e4..e5ab20cf1937a 100644
--- a/pkgs/applications/virtualization/arion/default.nix
+++ b/pkgs/applications/virtualization/arion/default.nix
@@ -54,7 +54,7 @@ let
 mv $out/bin/arion $out/libexec
 makeWrapper $out/libexec/arion $out/bin/arion \
 --unset PYTHONPATH \
- --prefix PATH : ${lib.makeBinPath [ pkgs.docker-compose_1 ]} \
+ --prefix PATH : ${lib.makeBinPath [ pkgs.docker-compose ]} \
 ;
 '';
 };
diff --git a/pkgs/applications/virtualization/cloud-hypervisor/default.nix b/pkgs/applications/virtualization/cloud-hypervisor/default.nix
index c208ec8f92d9c..27df7ab819253 100644
--- a/pkgs/applications/virtualization/cloud-hypervisor/default.nix
+++ b/pkgs/applications/virtualization/cloud-hypervisor/default.nix
@@ -26,7 +26,8 @@ rustPlatform.buildRustPackage rec {
 separateDebugInfo = true;
 nativeBuildInputs = [ pkg-config ];
- buildInputs = [ openssl ] ++ lib.optional stdenv.isAarch64 dtc;
+ buildInputs = lib.optional stdenv.isAarch64 dtc;
+ checkInputs = [ openssl ];
 OPENSSL_NO_VENDOR = true;
diff --git a/pkgs/applications/virtualization/colima/default.nix b/pkgs/applications/virtualization/colima/default.nix
index b3b981079d843..4338fccb6c6d6 100644
--- a/pkgs/applications/virtualization/colima/default.nix
+++ b/pkgs/applications/virtualization/colima/default.nix
@@ -17,13 +17,13 @@ buildGoModule rec {
 pname = "colima";
- version = "0.6.9";
+ version = "0.7.0";
 src = fetchFromGitHub {
 owner = "abiosoft";
 repo = pname;
 rev = "v${version}";
- hash = "sha256-7kaZ55Uhvx8V75IgURD03fLoAd/O/+2h/7tv9XiqnX4=";
+ hash = "sha256-fl1QtGbcaUwHDz4Jg+UgK27GPTHyJUyK76LXyaYj4Fo=";
 # We need the git revision
 leaveDotGit = true;
 postFetch = ''
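Review bot: The `makeWrapper` line now puts the Go-based Compose v2 (`pkgs.docker-compose`) on arion's PATH in place of the Python Compose v1 it was explicitly pinned to, and nothing in the hunk records why the pin is safe to drop. If the pin was deliberate (arion driving the v1 command line), this is a user-visible behaviour change and deserves a comment such as `# Compose v1 no longer receives upstream releases; arion is now run against the v2 CLI, which it supports` once that support is confirmed. The `postInstall` body continues outside the hunk.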
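Review bot: `openssl` moves from `buildInputs` to `checkInputs` while `OPENSSL_NO_VENDOR = true` stays as a build-time setting, so the file no longer says why the library is needed only for the test suite and a future reader is likely to move it back; a one-line comment, e.g. `# openssl is linked only by the test suite, not by the hypervisor binary`, would settle that. Presumably `checkInputs` are dropped when `doCheck` is off, which is the point of the move; stating that intent next to the attribute keeps the two in sync.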
@@ -35,7 +35,7 @@ buildGoModule rec {
 nativeBuildInputs = [ installShellFiles makeWrapper ]
 ++ lib.optionals stdenv.isDarwin [ darwin.DarwinTools ];
- vendorHash = "sha256-FPcz109zQBHaS/bIl78rVeiEluR1PhrJhgs21Ex6qEg=";
+ vendorHash = "sha256-OXK6ZHKghKxgETjY3mg1R2yp8pPpy5yV8M4K+Hh9Fjw=";
 # disable flaky Test_extractZones
 # https://hydra.nixos.org/build/212378003/log
diff --git a/pkgs/applications/virtualization/containerd/default.nix b/pkgs/applications/virtualization/containerd/default.nix
index acb652e33cb77..2bfbf5e4a2555 100644
--- a/pkgs/applications/virtualization/containerd/default.nix
+++ b/pkgs/applications/virtualization/containerd/default.nix
@@ -11,13 +11,13 @@ buildGoModule rec {
 pname = "containerd";
- version = "1.7.18";
+ version = "1.7.20";
 src = fetchFromGitHub {
 owner = "containerd";
 repo = "containerd";
 rev = "v${version}";
- hash = "sha256-IlK5IwniaBhqMgxQzV8btQcbdJkNEQeUMoh6aOsBOHQ=";
+ hash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
 };
 vendorHash = null;
diff --git a/pkgs/applications/virtualization/cri-o/default.nix b/pkgs/applications/virtualization/cri-o/default.nix
index 00f17d75d6e59..5f7103886ccca 100644
--- a/pkgs/applications/virtualization/cri-o/default.nix
+++ b/pkgs/applications/virtualization/cri-o/default.nix
@@ -15,13 +15,13 @@ buildGoModule rec {
 pname = "cri-o";
- version = "1.30.2";
+ version = "1.30.4";
 src = fetchFromGitHub {
 owner = "cri-o";
 repo = "cri-o";
 rev = "v${version}";
- hash = "sha256-4v7Pt3WS68h+Un4QNATyQ/o/+8b8nVoNsy6VgwB9Brc=";
+ hash = "sha256-PfG5RlUmMGMduTApdlHoI+4kdRprvWXeXZDkd6brVkM=";
 };
 vendorHash = null;
diff --git a/pkgs/applications/virtualization/crosvm/default.nix b/pkgs/applications/virtualization/crosvm/default.nix
index d2fda361660e7..cc6b7f269c693 100644
--- a/pkgs/applications/virtualization/crosvm/default.nix
+++ b/pkgs/applications/virtualization/crosvm/default.nix
@@ -1,4 +1,4 @@
-{ lib, rustPlatform, fetchgit, fetchpatch
+{ lib, rustPlatform, fetchgit
 , pkg-config, protobuf, python3, wayland-scanner
 , libcap, libdrm, libepoxy, minijail, virglrenderer, wayland, wayland-protocols
 , pkgsCross
@@ -6,27 +6,18 @@ rustPlatform.buildRustPackage rec {
 pname = "crosvm";
- version = "125.0";
+ version = "126.0";
 src = fetchgit {
 url = "https://chromium.googlesource.com/chromiumos/platform/crosvm";
- rev = "6a7ff1ecb7fad6820d3bbfe8b11e65854059aba5";
- hash = "sha256-y/vHU8i9YNbzSHla853z/2w914mVMFOryyaHE1uxlvM=";
+ rev = "5533201f3ff3230d121e06100557d369c055e6dc";
+ hash = "sha256-Ufi8dIhNgXvD53PWLG2uj7CD37UZIegrqAQz3wTKTvE=";
 fetchSubmodules = true;
 };
- patches = [
- (fetchpatch {
- name = "musl.patch";
- url = "https://chromium.googlesource.com/chromiumos/platform/crosvm/+/128e591037c0be0362ed814d0b5583aa65ff09e1%5E%21/?format=TEXT";
- decode = "base64 -d";
- hash = "sha256-p5VzHRb0l0vCJNe48cRl/uBYHwTQMEykMcBOMzL3yaY=";
- })
- ];
-
 separateDebugInfo = true;
- cargoHash = "sha256-1AUfd9dhIZvVVUsVbnGoLKc0lBfccwM4wqWgU4yZWOE=";
+ cargoHash = "sha256-E2lyBgptQs+/5JS2WJc4ietguXdK16DFEVzqylmX+Pk=";
 nativeBuildInputs = [
 pkg-config protobuf python3 rustPlatform.bindgenHook wayland-scanner
diff --git a/pkgs/applications/virtualization/ddev/default.nix b/pkgs/applications/virtualization/ddev/default.nix
index 549022d9908c2..66ed0aa6b2839 100644
--- a/pkgs/applications/virtualization/ddev/default.nix
+++ b/pkgs/applications/virtualization/ddev/default.nix
@@ -2,13 +2,13 @@ buildGoModule rec {
 pname = "ddev";
- version = "1.23.2";
+ version = "1.23.3";
 src = fetchFromGitHub {
 owner = "ddev";
 repo = "ddev";
 rev = "v${version}";
- hash = "sha256-pzBSyCIA2r/4zYIYEmKF6c0gryudSKZebSXSpmJUbsQ=";
+ hash = "sha256-+DQEXJcW0nKBvw+pWZnFJfO/7R9IjbhAl9WZvorO9Io=";
 };
 vendorHash = null;
@@ -38,6 +38,6 @@ buildGoModule rec {
 license = licenses.asl20;
 platforms = platforms.unix;
 mainProgram = "ddev";
- maintainers = with maintainers; [ ];
+ maintainers = [ ];
 };
 }
diff --git a/pkgs/applications/virtualization/docker/buildx.nix b/pkgs/applications/virtualization/docker/buildx.nix
index 609b0e97deb05..2230e31231e74 100644
--- a/pkgs/applications/virtualization/docker/buildx.nix
+++ b/pkgs/applications/virtualization/docker/buildx.nix
@@ -2,13 +2,13 @@ buildGoModule rec {
 pname = "docker-buildx";
- version = "0.14.1";
+ version = "0.16.2";
 src = fetchFromGitHub {
 owner = "docker";
 repo = "buildx";
 rev = "v${version}";
- hash = "sha256-IseiGF+tQWv7Z2jlCINuWH2Gzcdow2qazvYVFBGyQPU=";
+ hash = "sha256-s4VLuOLPNZGThnvr20EBddxKkreWf3B4D0RRx9OwJiw=";
 };
 doCheck = false;
diff --git a/pkgs/applications/virtualization/docker/compose.nix b/pkgs/applications/virtualization/docker/compose.nix
index e5ce653f8b137..20c390d58dc98 100644
--- a/pkgs/applications/virtualization/docker/compose.nix
+++ b/pkgs/applications/virtualization/docker/compose.nix
@@ -2,13 +2,13 @@ buildGoModule rec {
 pname = "docker-compose";
- version = "2.27.2";
+ version = "2.29.1";
 src = fetchFromGitHub {
 owner = "docker";
 repo = "compose";
 rev = "v${version}";
- hash = "sha256-QwTn/oAfB1bJkPcI0oDGC4vp0xUQxjhF8+jZ+hqpr5Q=";
+ hash = "sha256-6GZtKfPBE9Wl6ccwU1OY+9rq+IZr2qpOB4Vlxidhisw=";
 };
 postPatch = ''
@@ -16,7 +16,7 @@ buildGoModule rec {
 rm -rf e2e/
 '';
- vendorHash = "sha256-KczMkSwYP9Ng1dYUU7+ig2VRUEOPkaWTV77c9xGqbw0=";
+ vendorHash = "sha256-CkXCAqHOlSc3jHqVUYovT8YDnlCZewpLv3sC0ADgwL0=";
 ldflags = [ "-X github.com/docker/compose/v2/internal.Version=${version}" "-s" "-w" ];
@@ -35,6 +35,6 @@ buildGoModule rec {
 mainProgram = "docker-compose";
 homepage = "https://github.com/docker/compose";
 license = licenses.asl20;
- maintainers = with maintainers; [ ];
+ maintainers = [ ];
 };
 }
diff --git a/pkgs/applications/virtualization/docker/compose_1.nix b/pkgs/applications/virtualization/docker/compose_1.nix
deleted file mode 100644
index ac5d726439ce1..0000000000000
--- a/pkgs/applications/virtualization/docker/compose_1.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ lib, buildPythonApplication, fetchPypi
-, installShellFiles
-, mock, pytest, nose
-, pyyaml, colorama, docopt
-, dockerpty, docker, jsonschema, requests
-, six, texttable, websocket-client, cached-property
-, paramiko, distro, python-dotenv
-}:
-
-buildPythonApplication rec {
- version = "1.29.2";
- pname = "docker-compose";
-
- src = fetchPypi {
- inherit pname version;
- hash = "sha256-TIzZ0h0jdBJ5PRi9MxEASe6a+Nqz/iwhO70HM5WbCbc=";
- };
-
- # lots of networking and other fails
- doCheck = false;
- nativeBuildInputs = [ installShellFiles ];
- nativeCheckInputs = [ mock pytest nose ];
- propagatedBuildInputs = [
- pyyaml colorama dockerpty docker
- jsonschema requests six texttable websocket-client
- docopt cached-property paramiko distro python-dotenv
- ];
-
- postPatch = ''
- # Remove upper bound on requires, see also
- # https://github.com/docker/compose/issues/4431
- sed -i "s/, < .*',$/',/" setup.py
- '';
-
- postInstall = ''
- installShellCompletion --bash contrib/completion/bash/docker-compose
- installShellCompletion --zsh contrib/completion/zsh/_docker-compose
- '';
-
- meta = with lib; {
- homepage = "https://docs.docker.com/compose/";
- description = "Multi-container orchestration for Docker";
- mainProgram = "docker-compose";
- license = licenses.asl20;
- maintainers = with maintainers; [ Frostman ];
- };
-}
diff --git a/pkgs/applications/virtualization/docker/default.nix b/pkgs/applications/virtualization/docker/default.nix
index 3d096c3389f9d..a8a4863d6bf3b 100644
--- a/pkgs/applications/virtualization/docker/default.nix
+++ b/pkgs/applications/virtualization/docker/default.nix
@@ -21,6 +21,7 @@ rec {
 , withBtrfs ? stdenv.isLinux, btrfs-progs
 , withLvm ? stdenv.isLinux, lvm2
 , withSeccomp ? stdenv.isLinux, libseccomp
+ , knownVulnerabilities ? []
 }:
 let
 docker-runc = runc.overrideAttrs {
@@ -267,6 +268,7 @@ rec {
 license = licenses.asl20;
 maintainers = with maintainers; [ offline vdemeester periklis teutat3s ];
 mainProgram = "docker";
+ inherit knownVulnerabilities;
 };
 });
@@ -284,32 +286,52 @@ rec {
 containerdHash = "sha256-y3CYDZbA2QjIn1vyq/p1F1pAVxQHi/0a6hGWZCRWzyk=";
 tiniRev = "v0.19.0";
 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
+ knownVulnerabilities = [
+ "CVE-2024-23651"
+ "CVE-2024-23652"
+ "CVE-2024-23653"
+ "CVE-2024-41110"
+ ];
 };
 docker_25 = callPackage dockerGen rec {
- version = "25.0.5";
+ version = "25.0.6";
 cliRev = "v${version}";
- cliHash = "sha256-CACMi3bXUN6oGc2f/Z+lNQqMgQ4llRWPRKgijdpiPGg=";
+ cliHash = "sha256-7ZKjlONL5RXEJZrvssrL1PQMNANP0qTw4myGKdtd19U=";
 mobyRev = "v${version}";
- mobyHash = "sha256-4QGz22fXxyAD77pyUWb2lF3VKqxmPIrGqcJGoyrEHew=";
+ mobyHash = "sha256-+zkhUMeVD3HNq8WrWQmLskq+HykvD5kzSACmf67YbJE=";
 runcRev = "v1.1.12";
 runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
- containerdRev = "v1.7.13";
- containerdHash = "sha256-y3CYDZbA2QjIn1vyq/p1F1pAVxQHi/0a6hGWZCRWzyk=";
+ containerdRev = "v1.7.20";
+ containerdHash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
 tiniRev = "v0.19.0";
 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
 };
 docker_26 = callPackage dockerGen rec {
- version = "26.1.4";
+ version = "26.1.5";
 cliRev = "v${version}";
- cliHash = "sha256-7yCR49Un1i1kB+66IKt/8lgwKNkUjtVh52DH9OY8Pw4=";
+ cliHash = "sha256-UlN+Uc0YHhLyu14h5oDBXP4K9y2tYKPOIPTGZCe4PVY=";
 mobyRev = "v${version}";
- mobyHash = "sha256-0WwlpUECvmNq6DBm7U7rjzYfGKF7pxsfs9+x5uVPV0k=";
+ mobyHash = "sha256-6Hx7GnA7P6HqDlnGoc+HpPHSl69XezwAEGbvWYUVQlE=";
 runcRev = "v1.1.12";
 runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
- containerdRev = "v1.7.15";
- containerdHash = "sha256-qLrPLGxsUmgEscrhyl+1rJ0k7c9ibKnpMpsJPD4xDZU=";
+ containerdRev = "v1.7.18";
+ containerdHash = "sha256-IlK5IwniaBhqMgxQzV8btQcbdJkNEQeUMoh6aOsBOHQ=";
+ tiniRev = "v0.19.0";
+ tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
+ };
+
+ docker_27 = callPackage dockerGen rec {
+ version = "27.1.1";
+ cliRev = "v${version}";
+ cliHash = "sha256-r9figEMYHHSbMYVFiw7GUMzjZBhlF+jyZqKixyCpoQ0=";
+ mobyRev = "v${version}";
+ mobyHash = "sha256-LuCEdQQ3eWt8VyzmWkQTxlxTok9h/UlACTVls5LcI7g=";
+ runcRev = "v1.1.13";
+ runcHash = "sha256-RQsM8Q7HogDVGbNpen3wxXNGR9lfqmNhkXTRoC+LBk8=";
+ containerdRev = "v1.7.20";
+ containerdHash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
 tiniRev = "v0.19.0";
 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
 };
diff --git a/pkgs/applications/virtualization/ecs-agent/default.nix b/pkgs/applications/virtualization/ecs-agent/default.nix
index e5fe625cdf9f1..ee2e1aa0a35f1 100644
--- a/pkgs/applications/virtualization/ecs-agent/default.nix
+++ b/pkgs/applications/virtualization/ecs-agent/default.nix
@@ -2,13 +2,13 @@ buildGoModule rec {
 pname = "amazon-ecs-agent";
- version = "1.82.4";
+ version = "1.85.1";
 src = fetchFromGitHub {
 rev = "v${version}";
 owner = "aws";
 repo = pname;
- hash = "sha256-bM/K3fxkeDwsXKsgZaEkurgYdSHnOgIQ2oUKc5atvZk=";
+ hash = "sha256-TrfFJ6N1DreO3NcznXBcNZziESAMxWa4FR+KzDjRDmM=";
 };
 vendorHash = null;
diff --git a/pkgs/applications/virtualization/firecracker/default.nix b/pkgs/applications/virtualization/firecracker/default.nix
deleted file mode 100644
index fca5227177d46..0000000000000
--- a/pkgs/applications/virtualization/firecracker/default.nix
+++ /dev/null
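Review bot: docker_26 is bumped to `containerdRev = "v1.7.18"` while docker_25 and the new docker_27 pin `v1.7.20` (and only docker_27 moves to `runcRev = "v1.1.13"`); if each pin mirrors the component version that upstream release vendors, a comment on those lines saying so would stop a later update from "harmonising" them by accident, and if not, docker_26 looks like it was left behind. The new `knownVulnerabilities` list on docker_24 carries CVE ids only; since nixpkgs refuses to evaluate a package with a non-empty list unless it is allowed via `permittedInsecurePackages`, a one-line comment stating why no fixed 24.x is expected (for instance that the 24 series no longer receives upstream releases, if that is the case) and when the attribute is due for removal would help users deciding whether to allow it. The enclosing `rec { ... }` attribute set starts and ends outside the hunk.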
@@ -1,59 +0,0 @@
-{ fetchurl, lib, stdenv }:
-
-let
- version = "1.7.0";
- # nixpkgs-update: no auto update
-
- suffix = {
- x86_64-linux = "x86_64";
- aarch64-linux = "aarch64";
- }."${stdenv.hostPlatform.system}" or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
-
- baseurl = "https://github.com/firecracker-microvm/firecracker/releases/download";
-
- dlbin = sha256: fetchurl {
- url = "${baseurl}/v${version}/firecracker-v${version}-${suffix}.tgz";
- sha256 = sha256."${stdenv.hostPlatform.system}"or (throw "unsupported system ${stdenv.hostPlatform.system}");
- };
-
-in
-stdenv.mkDerivation {
- pname = "firecracker";
- inherit version;
-
- sourceRoot = ".";
- src = dlbin {
- x86_64-linux = "sha256-Vb0+bVmf3RCONuUvmu4jGfBsGKkPL6SbZOk/3wb1/1M=";
- aarch64-linux = "sha256-PLoQA4a6qulxSns/ZRSgn6EtHr46/hstNhP1pAHt9VA=";
- };
-
- dontConfigure = true;
-
- buildPhase = ''
- mv release-v${version}-${suffix}/firecracker-v${version}-${suffix} firecracker
- mv release-v${version}-${suffix}/jailer-v${version}-${suffix} jailer
- chmod +x firecracker jailer
- '';
-
- doCheck = true;
- checkPhase = ''
- ./firecracker --version
- ./jailer --version
- '';
-
- installPhase = ''
- mkdir -p $out/bin
- install -D firecracker $out/bin/firecracker
- install -D jailer $out/bin/jailer
- '';
-
- meta = with lib; {
- description = "Secure, fast, minimal micro-container virtualization";
- homepage = "http://firecracker-microvm.io";
- changelog = "https://github.com/firecracker-microvm/firecracker/releases/tag/v${version}";
- mainProgram = "firecracker";
- license = licenses.asl20;
- platforms = [ "x86_64-linux" "aarch64-linux" ];
- maintainers = with maintainers; [ thoughtpolice qjoly ];
- };
-}
diff --git a/pkgs/applications/virtualization/kraft/default.nix b/pkgs/applications/virtualization/kraft/default.nix
index 1e066477b721b..a20f44bc9d881 100644
--- a/pkgs/applications/virtualization/kraft/default.nix
+++ b/pkgs/applications/virtualization/kraft/default.nix
@@ -1,7 +1,6 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
-, stdenv
 , nix-update-script
 }:
diff --git a/pkgs/applications/virtualization/libnvidia-container/default.nix b/pkgs/applications/virtualization/libnvidia-container/default.nix
index b462b24711de5..28ea0a675b17b 100644
--- a/pkgs/applications/virtualization/libnvidia-container/default.nix
+++ b/pkgs/applications/virtualization/libnvidia-container/default.nix
@@ -1,6 +1,6 @@
 { stdenv
 , lib
-, addOpenGLRunpath
+, addDriverRunpath
 , fetchFromGitHub
 , pkg-config
 , elfutils
@@ -102,7 +102,7 @@ stdenv.mkDerivation rec {
 postInstall = let
- inherit (addOpenGLRunpath) driverLink;
+ inherit (addDriverRunpath) driverLink;
 libraryPath = lib.makeLibraryPath [ "$out" driverLink "${driverLink}-32" ];
 in ''
diff --git a/pkgs/applications/virtualization/looking-glass-client/default.nix b/pkgs/applications/virtualization/looking-glass-client/default.nix
index a3eaea0cfd787..bfc8d2177ce99 100644
--- a/pkgs/applications/virtualization/looking-glass-client/default.nix
+++ b/pkgs/applications/virtualization/looking-glass-client/default.nix
@@ -47,15 +47,15 @@ let
 icon = "lg-logo";
 };
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
 pname = "looking-glass-client";
 version = "B7-rc1";
 src = fetchFromGitHub {
 owner = "gnif";
 repo = "LookingGlass";
- rev = version;
- sha256 = "sha256-ne1Q+67+P8RHcTsqdiSSwkFf0g3pSNT91WN/lsSzssU=";
+ rev = finalAttrs.version;
+ hash = "sha256-ne1Q+67+P8RHcTsqdiSSwkFf0g3pSNT91WN/lsSzssU=";
 fetchSubmodules = true;
 };
@@ -80,7 +80,7 @@ stdenv.mkDerivation rec {
 ++ lib.optionals (!pipewireSupport) [ "-DENABLE_PIPEWIRE=no" ];
 postUnpack = ''
- echo ${src.rev} > source/VERSION
+ echo ${finalAttrs.src.rev} > source/VERSION
 export sourceRoot="source/client"
 '';
@@ -105,4 +105,4 @@ stdenv.mkDerivation rec {
 maintainers = with maintainers; [ alexbakker babbaj j-brn ];
 platforms = [ "x86_64-linux" ];
 };
-}
+})
diff --git a/pkgs/applications/virtualization/nixpacks/default.nix b/pkgs/applications/virtualization/nixpacks/default.nix
index b32e607032750..a72770d347635 100644
--- a/pkgs/applications/virtualization/nixpacks/default.nix
+++ b/pkgs/applications/virtualization/nixpacks/default.nix
@@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec {
 pname = "nixpacks";
- version = "1.24.1";
+ version = "1.26.0";
 src = fetchFromGitHub {
 owner = "railwayapp";
 repo = pname;
 rev = "v${version}";
- sha256 = "sha256-niKz+F1RJtZrE8+BaJwy5bjGS3miJf5C9LttTnC+iuk=";
+ sha256 = "sha256-w6XOSTMrjUg7q/M3a21sD2U+swmdkIUNvglgTFbufh8=";
 };
- cargoHash = "sha256-fzG53DqZKgW6Gen+0ZO9lxgPXkxw7S6OdZWNNI+y9hU=";
+ cargoHash = "sha256-Kxz7Lw2LEC6YwycR5kj+vRIoT7Jqt2y9rLJq8ACM/0E=";
 # skip test due FHS dependency
 doCheck = false;
diff --git a/pkgs/applications/virtualization/open-vm-tools/default.nix b/pkgs/applications/virtualization/open-vm-tools/default.nix
index e5dde1e021c7f..63abcad60a5d6 100644
--- a/pkgs/applications/virtualization/open-vm-tools/default.nix
+++ b/pkgs/applications/virtualization/open-vm-tools/default.nix
@@ -41,13 +41,13 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "open-vm-tools";
- version = "12.4.0";
+ version = "12.4.5";
 src = fetchFromGitHub {
 owner = "vmware";
 repo = "open-vm-tools";
 rev = "stable-${finalAttrs.version}";
- hash = "sha256-RcjNY02aLOU4X6znfZ37+ICB19WYp+HxHRvvpfW3Ub8=";
+ hash = "sha256-VMnxWKGBgwnkP9eSVm///d6THzzWgUe5kNj/lGVBVlc=";
 };
 sourceRoot = "${finalAttrs.src.name}/open-vm-tools";
diff --git a/pkgs/applications/virtualization/podman-compose/default.nix b/pkgs/applications/virtualization/podman-compose/default.nix
index bdd585e9c8bc4..44d9caf260573 100644
--- a/pkgs/applications/virtualization/podman-compose/default.nix
+++ b/pkgs/applications/virtualization/podman-compose/default.nix
@@ -1,7 +1,7 @@
-{ lib, buildPythonApplication, fetchFromGitHub, python-dotenv, pyyaml, setuptools, pipBuildHook, pypaBuildHook }:
+{ lib, buildPythonApplication, fetchFromGitHub, python-dotenv, pyyaml, setuptools, pypaBuildHook }:
 buildPythonApplication rec {
- version = "1.1.0";
+ version = "1.2.0";
 pname = "podman-compose";
 pyproject = true;
@@ -9,10 +9,9 @@ buildPythonApplication rec {
 repo = "podman-compose";
 owner = "containers";
 rev = "v${version}";
- sha256 = "sha256-uNgzdLrnDIABtt0L2pvsil14esRzl0XcWohgf7Oksr8=";
+ hash = "sha256-40RatexY/6eRfCodaiBeJpyt1sDUj2STSPL0gBECdRs=";
 };
-
 build-system = [ setuptools ];
diff --git a/pkgs/applications/virtualization/podman-tui/default.nix b/pkgs/applications/virtualization/podman-tui/default.nix
deleted file mode 100644
index 0d7947a3f2511..0000000000000
--- a/pkgs/applications/virtualization/podman-tui/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, buildGoModule, testers, podman-tui }:
-
-buildGoModule rec {
- pname = "podman-tui";
- version = "1.1.0";
-
- src = fetchFromGitHub {
- owner = "containers";
- repo = "podman-tui";
- rev = "v${version}";
- hash = "sha256-my/y2cgF7F0wk5VJKfmqotBrV3HPmRQGPjlSdMe7wXk=";
- };
-
- vendorHash = null;
-
- CGO_ENABLED = 0;
-
- tags = [ "containers_image_openpgp" "remote" ]
- ++ lib.optional stdenv.isDarwin "darwin";
-
- ldflags = [ "-s" "-w" ];
-
- preCheck = ''
- export USER=$(whoami)
- export HOME="$(mktemp -d)"
- '';
-
- checkFlags =
- let
- skippedTests = [
- # Disable flaky tests
- "TestDialogs"
- "TestVoldialogs"
- ];
- in
- [ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
-
- passthru.tests.version = testers.testVersion {
- package = podman-tui;
- command = "HOME=$(mktemp -d) podman-tui version";
- version = "v${version}";
- };
-
- meta = with lib; {
- homepage = "https://github.com/containers/podman-tui";
- description = "Podman Terminal UI";
- license = licenses.asl20;
- maintainers = with maintainers; [ aaronjheng ];
- mainProgram = "podman-tui";
- };
-}
diff --git a/pkgs/applications/virtualization/podman/default.nix b/pkgs/applications/virtualization/podman/default.nix
index d9c506ae59c47..707053dc82b92 100644
--- a/pkgs/applications/virtualization/podman/default.nix
+++ b/pkgs/applications/virtualization/podman/default.nix
@@ -49,7 +49,7 @@ let
 helpersBin = symlinkJoin {
 name = "podman-helper-binary-wrapper";
- # this only works for some binaries, others may need to be be added to `binPath` or in the modules
+ # this only works for some binaries, others may need to be added to `binPath` or in the modules
 paths = [
 gvproxy
 ] ++ lib.optionals stdenv.isLinux [
@@ -65,13 +65,13 @@ let
 in
 buildGoModule rec {
 pname = "podman";
- version = "5.1.1";
+ version = "5.2.0";
 src = fetchFromGitHub {
 owner = "containers";
 repo = "podman";
 rev = "v${version}";
- hash = "sha256-3u4QOX7K0bMcbvwkXVoCpq7p5rKkvmOlOIRSUEbjFOY=";
+ hash = "sha256-Rb9rOetMVxf1GhEOzZmaUwRI4nkPdJnpkpjIyJcb6r8=";
 };
 patches = [
diff --git a/pkgs/applications/virtualization/qboot/default.nix b/pkgs/applications/virtualization/qboot/default.nix
index f5a1e13410b98..e0d833d0c2d50 100644
--- a/pkgs/applications/virtualization/qboot/default.nix
+++ b/pkgs/applications/virtualization/qboot/default.nix
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
 description = "Simple x86 firmware for booting Linux";
 homepage = "https://github.com/bonzini/qboot";
 license = lib.licenses.gpl2;
- maintainers = with lib.maintainers; [ ];
+ maintainers = [ ];
 platforms = [ "x86_64-linux" "i686-linux" ];
 };
 }
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 982eee2cbb1fc..6f4241444b623 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -55,11 +55,11 @@ stdenv.mkDerivation (finalAttrs: {
 + lib.optionalString hostCpuOnly "-host-cpu-only"
 + lib.optionalString nixosTestRunner "-for-vm-tests"
 + lib.optionalString toolsOnly "-utils";
- version = "9.0.1";
+ version = "9.0.2";
 src = fetchurl {
 url = "https://download.qemu.org/qemu-${finalAttrs.version}.tar.xz";
- hash = "sha256-0PTbD70VHAzxb4SusqUA9ulQCXMlRvRNr6uNIEm7uAU=";
+ hash = "sha256-qMP1lq7Olto7AMr7dLqvoNFFFer7jtHuP39cLQ6/ArY=";
 };
 depsBuildBuild = [ buildPackages.stdenv.cc ]
diff --git a/pkgs/applications/virtualization/quickgui/default.nix b/pkgs/applications/virtualization/quickgui/default.nix
index 244e438626e0a..cb3c79f36aa9c 100644
--- a/pkgs/applications/virtualization/quickgui/default.nix
+++ b/pkgs/applications/virtualization/quickgui/default.nix
@@ -5,7 +5,7 @@
 , dpkg
 , wrapGAppsHook3
 , quickemu
-, gnome
+, zenity
 }:
 stdenvNoCC.mkDerivation rec {
@@ -25,7 +25,7 @@ stdenvNoCC.mkDerivation rec {
 buildInputs = [
 quickemu
- gnome.zenity
+ zenity
 ];
 strictDeps = true;
@@ -42,7 +42,7 @@ stdenvNoCC.mkDerivation rec {
 preFixup = ''
 gappsWrapperArgs+=(
- --prefix PATH : ${lib.makeBinPath [ quickemu gnome.zenity ]}
+ --prefix PATH : ${lib.makeBinPath [ quickemu zenity ]}
 )
 '';
diff --git a/pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix b/pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix
index 8b408cc96ed4b..193776fa5ec08 100644
--- a/pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix
+++ b/pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix
@@ -37,7 +37,7 @@ rustPlatform.buildRustPackage rec {
 sha256 = "sha256-hKk5pcop8rb5Q+IVchcl+XhMc3DCBBPn5P+AkAb9XxI=";
 };
- cargoSha256 = "sha256-edi6/Md6KebKM3wHArZe1htUCg0/BqMVZKA4xEH25GI=";
+ cargoHash = "sha256-edi6/Md6KebKM3wHArZe1htUCg0/BqMVZKA4xEH25GI=";
 # lld: error: unknown argument '-Wl,--undefined=AUDITABLE_VERSION_INFO'
 # https://github.com/cloud-hypervisor/rust-hypervisor-firmware/issues/249
diff --git a/pkgs/applications/virtualization/rvvm/default.nix b/pkgs/applications/virtualization/rvvm/default.nix
index ce90b686bcb0f..2d6b7d3da0c50 100644
--- a/pkgs/applications/virtualization/rvvm/default.nix
+++ b/pkgs/applications/virtualization/rvvm/default.nix
@@ -38,10 +38,7 @@ stdenv.mkDerivation rec {
 makeFlags = [ "PREFIX=$(out)" ] ++ lib.optional enableSDL "USE_SDL=2" # Use SDL2 instead of SDL1
- ++ lib.optional (!enableSDL && !enableX11) "USE_FB=0"
-
- # work around https://github.com/NixOS/nixpkgs/issues/19098
- ++ lib.optional (stdenv.cc.isClang && stdenv.isDarwin) "CFLAGS=-fno-lto";
+ ++ lib.optional (!enableSDL && !enableX11) "USE_FB=0";
 meta = with lib; {
 homepage = "https://github.com/LekKit/RVVM";
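Review bot: The `makeFlags` hunk in rvvm drops the Darwin/clang `CFLAGS=-fno-lto` workaround together with its pointer to nixpkgs issue 19098, but neither a replacement nor a reason is recorded; if a newer toolchain or an upstream change made it obsolete, a short comment where the flags are built, e.g. `# LTO with clang on Darwin works again; the -fno-lto workaround for nixpkgs#19098 was dropped`, or a sentence in the commit message would make the removal reviewable. Without that, `stdenv.cc.isClang && stdenv.isDarwin` builds may quietly regress to whatever failure the workaround was papering over. The `makeFlags` expression starts outside the hunk.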
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index f27f58fda4876..1cac1d4f16c65 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -70,11 +70,19 @@ in
 # Whether to compile with SUID support
 enableSuid ? false,
 starterSuidPath ? null,
- # newuidmapPath and newgidmapPath are to support --fakeroot
- # where those SUID-ed executables are unavailable from the FHS system PATH.
+ # Extra system-wide /**/bin paths to prefix,
+ # useful to specify directories containing binaries with SUID bit set.
+ # The paths take higher precedence over the FHS system PATH specified
+ # inside the upstream source code.
+ # Include "/run/wrappers/bin" by default for the convenience of NixOS users.
+ systemBinPaths ? [ "/run/wrappers/bin" ],
 # Path to SUID-ed newuidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newuidmapPath ? null,
 # Path to SUID-ed newgidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newgidmapPath ? null,
 # External LOCALSTATEDIR
 externalLocalStateDir ? null,
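Review bot: The new comment on `systemBinPaths` says the paths are "to prefix", but the wrapper change further down appends them with `--suffix PATH`; what they are actually prepended to is the fallback PATH compiled into the runtime (the `originalDefaultPath` substitution), never the caller's PATH, and the comment should say which. Suggest rewording to `# Extra system-wide bin directories prepended to the runtime's built-in fallback PATH (the caller's own PATH always wins), e.g. directories holding SUID helpers such as newuidmap/newgidmap.` The `[ "/run/wrappers/bin" ]` default also makes NixOS's SUID-wrapper directory part of that fallback PATH for every build, which is the intent for `--fakeroot` but is worth stating in the same comment so it is not removed as an oddity. The argument set begins and ends outside this hunk.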
@@ -99,18 +107,30 @@ in
 vendorHash ? _defaultGoVendorArgs.vendorHash,
 deleteVendor ? _defaultGoVendorArgs.deleteVendor,
 proxyVendor ? _defaultGoVendorArgs.proxyVendor,
-}:
+}@args:
 let
+ # Backward compatibility for privileged-un-utils.
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
 privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else
- (runCommandLocal "privileged-un-utils" { } ''
- mkdir -p "$out/bin"
- ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
- ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
- '');
+ lib.warn
+ "${pname}: arguments newuidmapPath and newgidmapPath is deprecated in favour of systemBinPaths."
+ (
+ runCommandLocal "privileged-un-utils" { } ''
+ mkdir -p "$out/bin"
+ ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+ ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+ ''
+ );
+
+ # Backward compatibility for privileged-un-utils.
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
+ systemBinPaths =
+ lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ])
+ ++ args.systemBinPaths or [ "/run/wrappers/bin" ];
 concatMapStringAttrsSep = sep: f: attrs:
@@ -196,8 +216,9 @@ in
 # causes redefinition of _FORTIFY_SOURCE
 hardeningDisable = [ "fortify3" ];
- # Packages to prefix to the Apptainer/Singularity container runtime default PATH
- # Use overrideAttrs to override
+ # Packages to provide fallback bin paths
+ # to the Apptainer/Singularity container runtime default PATHs.
+ # Override with `<pkg>.overrideAttrs`.
 defaultPathInputs = [
 bash
 coreutils
@@ -206,7 +227,6 @@ in
 fuse2fs # Mount ext3 filesystems
 go
 mount # mount
- privileged-un-utils
 squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
 squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
 ] ++ lib.optional enableNvidiaContainerCli nvidia-docker;
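Review bot: The `lib.warn` message in the new `privileged-un-utils` branch reads `arguments newuidmapPath and newgidmapPath is deprecated`; it should be `are deprecated`. The default `[ "/run/wrappers/bin" ]` is now written twice, once in the argument header and again in `args.systemBinPaths or [ ... ]`, because `@args` carries only the arguments the caller actually passed; and since `let` is recursive, the obvious simplification `++ systemBinPaths` would make the binding reference itself. A comment such as `# args.systemBinPaths is read (not the shadowed argument) to avoid self-reference in this let; keep the default in sync with the header` would protect both readers. The function header that declares these arguments starts outside the hunk.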
@@ -228,7 +248,7 @@ in
 lib.concatStringsSep " " [
 "--replace-fail"
 (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
- (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+ (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'')
 ]
 ) originalDefaultPaths
 }
@@ -267,8 +287,11 @@ in
 postFixup = ''
 substituteInPlace "$out/bin/run-singularity" \
 --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
+ # Respect PATH from the environment/the user.
+ # Fallback to bin paths provided by Nixpkgs packages.
 wrapProgram "$out/bin/${projectName}" \
- --prefix PATH : "$inputsDefaultPath"
+ --suffix PATH : "$systemDefaultPath" \
+ --suffix PATH : "$inputsDefaultPath"
 # Make changes in the config file
 ${lib.optionalString forceNvcCli ''
 substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@@ -326,6 +349,7 @@ in
 }).overrideAttrs (
 finalAttrs: prevAttrs: {
+ systemDefaultPath = lib.concatStringsSep ":" systemBinPaths;
 inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
 passthru = prevAttrs.passthru or { } // {
 inherit sourceFilesWithDefaultPaths;
diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix
index f03bdf9631c56..6237db9cd6991 100644
--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@@ -9,14 +9,14 @@ let
 callPackage (import ./generic.nix rec {
 pname = "apptainer";
- version = "1.3.2";
+ version = "1.3.3";
 projectName = "apptainer";
 src = fetchFromGitHub {
 owner = "apptainer";
 repo = "apptainer";
 rev = "refs/tags/v${version}";
- hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8=";
+ hash = "sha256-xQZCQa9z1aJ2tVtxMlwcNhlm0EV/nn8OnbfaVZRm4JI=";
 };
 # Update by running
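Review bot: The new replacement string reverses the precedence of the fallback PATH baked into the runtime: it was `$inputsDefaultPath:<upstream default>` and is now `$systemDefaultPath:<upstream default>:$inputsDefaultPath`, so the Nixpkgs-provided helpers from `defaultPathInputs` (`squashfsTools`, `mount`, `squashfuse`, ...) are consulted last, after whatever the host has in the upstream FHS directories. On NixOS those directories are largely empty, but on a non-NixOS host running Nix a distro `mksquashfs` or `mount` will now shadow the pinned one, which is a behaviour change for the container runtime that the `# Packages to provide fallback bin paths` comment does not mention; if that is intended, say so there, otherwise keep `$inputsDefaultPath` ahead of the upstream default and let only `$systemDefaultPath` lead. The `wrapProgram` hunk below is consistent with the new order (`--suffix` system, then inputs), so both would need changing together. The enclosing `concatMapStringAttrsSep` call starts outside the hunk.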
@@ -47,20 +47,20 @@ let callPackage (import ./generic.nix rec { pname = "singularity-ce"; - version = "4.1.3"; + version = "4.1.4"; projectName = "singularity"; src = fetchFromGitHub { owner = "sylabs"; repo = "singularity"; rev = "refs/tags/v${version}"; - hash = "sha256-pR8zyMr23wcbDCXAysVEgGUDHkrfhLoVF3fjMLgZFYs="; + hash = "sha256-+qwPzgwfF6A1c/rmSM/5T2N9/wVeWhMoAthj3eSQmh8="; }; # Update by running # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules" # at the root directory of the Nixpkgs repository - vendorHash = "sha256-332GFL04aE6B6vxgtJJH4TeI6YJCDBpCClJ3sc5gN3A="; + vendorHash = "sha256-dTqOSk8APLOsqwEiZ/IL8Zu1SR48MyEYPgRe6PC2nd8="; # Do not build conmon and squashfuse from the Git submodule sources, # Use Nixpkgs provided version diff --git a/pkgs/applications/virtualization/stratovirt/default.nix b/pkgs/applications/virtualization/stratovirt/default.nix index d927c8430a1ec..a1f3fb53e0430 100644 --- a/pkgs/applications/virtualization/stratovirt/default.nix +++ b/pkgs/applications/virtualization/stratovirt/default.nix @@ -6,16 +6,15 @@ rustPlatform.buildRustPackage rec { pname = "stratovirt"; - version = "2.3.0"; + version = "2.4.0"; src = fetchgit { url = "https://gitee.com/openeuler/stratovirt.git"; rev = "v${version}"; - sha256 = "sha256-f5710f7Lz7ul1DYrC0CAfDR+7e1NrE9ESPdB8nlVUKw="; + hash = "sha256-1Ex6ahKBoVRikSqrgHGYaBFzWkPFDm8bGVyB7KmO8tI="; }; - patches = [ ./micro_vm-allow-SYS_clock_gettime.patch ]; - cargoSha256 = "sha256-prs7zkPAKQ99gjW7gy+4+CgEgGhaTTCLPTbLk/ZHdts="; + cargoHash = "sha256-uuZCbmt3eIlKurwMOV7LezVSjOVG/90OdT2PC8YLi3I="; nativeBuildInputs = [ pkg-config diff --git a/pkgs/applications/virtualization/stratovirt/micro_vm-allow-SYS_clock_gettime.patch b/pkgs/applications/virtualization/stratovirt/micro_vm-allow-SYS_clock_gettime.patch deleted file mode 100644 index 11d2a0e88e194..0000000000000 
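Review bot: The stratovirt hunk drops `./micro_vm-allow-SYS_clock_gettime.patch` together with the 2.3.0 → 2.4.0 bump, but nothing in the diff shows that 2.4.0's `syscall_whitelist()` in `machine/src/micro_vm/syscall.rs` now admits `SYS_clock_gettime` on glibc; if it does not, that call would presumably be rejected by the micro_vm seccomp filter, which is the situation the deleted patch was working around. A one-line comment next to `cargoHash`, e.g. `# SYS_clock_gettime is whitelisted upstream as of 2.4.0 (upstream commit: <PLACEHOLDER>)`, would make the removal reviewable. The `sha256` → `hash` and `cargoSha256` → `cargoHash` renames are fine.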
--- a/pkgs/applications/virtualization/stratovirt/micro_vm-allow-SYS_clock_gettime.patch +++ /dev/null @@ -1,25 +0,0 @@ -From c5ef87eb831f7f77c0564dd1dce92a579e7c4747 Mon Sep 17 00:00:00 2001 -From: Astro <astro@spaceboyz.net> -Date: Sun, 18 Jun 2023 23:10:23 +0200 -Subject: [PATCH] micro_vm: allow SYS_clock_gettime - ---- - machine/src/micro_vm/syscall.rs | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs -index c37d3f4e..f9e7cce2 100644 ---- a/machine/src/micro_vm/syscall.rs -+++ b/machine/src/micro_vm/syscall.rs -@@ -125,6 +125,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> { - BpfRule::new(libc::SYS_readlink), - BpfRule::new(libc::SYS_getrandom), - BpfRule::new(libc::SYS_fallocate), -+ #[cfg(target_env = "gnu")] -+ BpfRule::new(libc::SYS_clock_gettime), - madvise_rule(), - ] - } --- -2.41.0 - diff --git a/pkgs/applications/virtualization/tart/default.nix b/pkgs/applications/virtualization/tart/default.nix index d0f2f3a0127e1..19ffd92db8189 100644 --- a/pkgs/applications/virtualization/tart/default.nix +++ b/pkgs/applications/virtualization/tart/default.nix @@ -10,11 +10,11 @@ }: stdenvNoCC.mkDerivation (finalAttrs: { pname = "tart"; - version = "2.12.0"; + version = "2.14.0"; src = fetchurl { url = "https://github.com/cirruslabs/tart/releases/download/${finalAttrs.version}/tart-arm64.tar.gz"; - hash = "sha256-+33Z7M9Y8fWFfCBNJrXHljwoAn7p70+yvTmBwx1X68M="; + hash = "sha256-3I4WSdWfPZd//pJiYXKcgpjx8qv4nSeMHHGJE1ja00o="; }; sourceRoot = "."; @@ -39,7 +39,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { description = "macOS VMs on Apple Silicon to use in CI and other automations"; homepage = "https://tart.run"; license = licenses.fairsource09; - maintainers = with maintainers; [ emilytrau Enzime aduh95 ]; + maintainers = with maintainers; [ emilytrau aduh95 ]; mainProgram = finalAttrs.pname; platforms = [ "aarch64-darwin" ]; sourceProvenance = with sourceTypes; [ binaryNativeCode ]; 
diff --git a/pkgs/applications/virtualization/umoci/default.nix b/pkgs/applications/virtualization/umoci/default.nix index 5dc9ae5028e80..acf03a96c747d 100644 --- a/pkgs/applications/virtualization/umoci/default.nix +++ b/pkgs/applications/virtualization/umoci/default.nix @@ -3,7 +3,6 @@ , buildGoModule , go-md2man , installShellFiles -, bash }: buildGoModule rec { diff --git a/pkgs/applications/virtualization/virt-manager/default.nix b/pkgs/applications/virtualization/virt-manager/default.nix index 281f451fddbd2..228c2ed6cb9f8 100644 --- a/pkgs/applications/virtualization/virt-manager/default.nix +++ b/pkgs/applications/virtualization/virt-manager/default.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub, python3, intltool, file, wrapGAppsHook3, gtk-vnc , vte, avahi, dconf, gobject-introspection, libvirt-glib, system-libvirt -, gsettings-desktop-schemas, gst_all_1, libosinfo, gnome, gtksourceview4, docutils, cpio +, gsettings-desktop-schemas, gst_all_1, libosinfo, adwaita-icon-theme, gtksourceview4, docutils, cpio , e2fsprogs, findutils, gzip, cdrtools, xorriso, fetchpatch , desktopToDarwinBundle, stdenv , spiceSupport ? true, spice-gtk ? null @@ -50,7 +50,7 @@ python3.pkgs.buildPythonApplication rec { buildInputs = [ gst_all_1.gst-plugins-base gst_all_1.gst-plugins-good - libvirt-glib vte dconf gtk-vnc gnome.adwaita-icon-theme avahi + libvirt-glib vte dconf gtk-vnc adwaita-icon-theme avahi gsettings-desktop-schemas libosinfo gtksourceview4 ] ++ lib.optional spiceSupport spice-gtk; diff --git a/pkgs/applications/virtualization/virt-what/default.nix b/pkgs/applications/virtualization/virt-what/default.nix index e11b265a9e3c0..3d553acd48ffb 100644 --- a/pkgs/applications/virtualization/virt-what/default.nix +++ b/pkgs/applications/virtualization/virt-what/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "virt-what"; - version = "1.25"; + version = "1.26"; src = fetchurl { url = "https://people.redhat.com/~rjones/virt-what/files/${pname}-${version}.tar.gz"; - sha256 = "sha256-1Py0I2Irr75eK7zYS32SrU1YP0d4siW3LEqBrp/Dxz0="; + sha256 = "sha256-qoap0xO1yQSK+a2aA4fkr/I4uw6kLzuDARTotQzTFTU="; }; meta = with lib; { diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index dd9b99f7f9bc9..9173e94740520 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -22,9 +22,6 @@ , extraConfigureFlags ? "" }: -# See https://github.com/cyberus-technology/virtualbox-kvm/issues/12 -assert enableKvm -> !enableHardening; - # The web services use Java infrastructure. assert enableWebService -> javaBindings; @@ -32,11 +29,11 @@ let buildType = "release"; # Use maintainers/scripts/update.nix to update the version and all related hashes or # change the hashes in extpack.nix and guest-additions/default.nix as well manually. - virtualboxVersion = "7.0.18"; - virtualboxSha256 = "d999513533631674a024762668de999411d8197060c51e68c5faf0a2c0eea1a5"; + virtualboxVersion = "7.0.20"; + virtualboxSha256 = "5cf5979bef66ebab3fcd495796b215a940e8a07c469d4bc56d064de44222dd02"; - kvmPatchVersion = "20240515"; - kvmPatchHash = "sha256-Kh/tlPScdf7CbEEpL54iqMpeUIdmnJL2r/mxnlEzLd0="; + kvmPatchVersion = "20240617"; + kvmPatchHash = "sha256-bOcM9xA1SXB1uTwljpw2vevVeSdHa3omCRon/8DoAUk="; # The KVM build is not compatible to VirtualBox's kernel modules. So don't export # modsrc at all. diff --git a/pkgs/applications/virtualization/virtualbox/extpack.nix b/pkgs/applications/virtualization/virtualbox/extpack.nix index 089ab4856c0d0..c234c079b4c89 100644 --- a/pkgs/applications/virtualization/virtualbox/extpack.nix +++ b/pkgs/applications/virtualization/virtualbox/extpack.nix 
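Review bot: The virtualbox hunk removes `assert enableKvm -> !enableHardening;` and its pointer to cyberus-technology/virtualbox-kvm issue 12 without saying why the combination is now accepted; the only related change visible is `kvmPatchVersion` moving to `20240617`. If the new KVM patch set resolved that issue, keep a trace of it, e.g. `# KVM builds can be hardened since kvmPatchVersion 20240617 (virtualbox-kvm#12).`; otherwise the assert should stay, since `enableHardening` presumably selects VirtualBox's privileged hardening build and a version bump should not silently start accepting a previously rejected configuration. The `let` block continues past the hunk.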
@@ -12,7 +12,7 @@ fetchurl rec { # Manually sha256sum the extensionPack file, must be hex! # Thus do not use `nix-prefetch-url` but instead plain old `sha256sum`. # Checksums can also be found at https://www.virtualbox.org/download/hashes/${version}/SHA256SUMS - let value = "cab1abad478679fc34a0c5cb4a6d3566edc20e3c54cbed39c8e895d8cfad3ee2"; + let value = "d750fb17688d70e0cb2d7b06f1ad3a661303793f4d1ac39cfa9a54806b89da25"; in assert (builtins.stringLength value) == 64; value; meta = { diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions-iso/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions-iso/default.nix index 9529c980475da..f59dcc25f4c20 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions-iso/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions-iso/default.nix @@ -5,7 +5,7 @@ let in fetchurl { url = "http://download.virtualbox.org/virtualbox/${version}/VBoxGuestAdditions_${version}.iso"; - sha256 = "4469bab0f59c62312b0a1b67dcf9c07a8a971afad339fa2c3eb80e209e099ef9"; + sha256 = "4c7523fa6d17436e3b7788f62956674270572cfefa340d03111b85f8517d5981"; meta = { description = "Guest additions ISO for VirtualBox"; longDescription = '' diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/builder.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/builder.nix index 72c0af9626f72..00d0d555c60ad 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/builder.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/builder.nix @@ -1,7 +1,7 @@ -{ config, stdenv, kernel, fetchurl, lib, pam, libxslt -, libX11, libXext, libXcursor, libXmu +{ stdenv, kernel, fetchurl, lib, pam, libxslt +, libXext, libXcursor, libXmu , glib, libXrandr, dbus, xz -, pkg-config, which, zlib, xorg +, pkg-config, which, xorg , yasm, patchelf, makeself , linuxHeaders, openssl}: 
@@ -10,11 +10,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "VirtualBox-GuestAdditions-builder-${kernel.version}"; - version = "7.0.18"; + version = "7.0.20"; src = fetchurl { url = "https://download.virtualbox.org/virtualbox/${finalAttrs.version}/VirtualBox-${finalAttrs.version}.tar.bz2"; - sha256 = "d999513533631674a024762668de999411d8197060c51e68c5faf0a2c0eea1a5"; + sha256 = "5cf5979bef66ebab3fcd495796b215a940e8a07c469d4bc56d064de44222dd02"; }; env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types -Wno-error=implicit-function-declaration"; @@ -37,7 +37,6 @@ in stdenv.mkDerivation (finalAttrs: { ''; patches = [ - #../gcc-13.patch ## https://www.virtualbox.org/changeset/100258/vbox ./no-legacy-xorg.patch ]; diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index ac867ce9ce720..4e0b8728f29b8 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -1,6 +1,5 @@ -{ config, stdenv, kernel, callPackage, lib, dbus -, libX11, libXext, libXcursor, libXmu, xorg -, which, zlib, patchelf, makeWrapper +{ stdenv, kernel, callPackage, lib, dbus +, xorg, zlib, patchelf, makeWrapper }: with lib; diff --git a/pkgs/applications/virtualization/x11docker/default.nix b/pkgs/applications/virtualization/x11docker/default.nix index 840c9d648b941..1e400088693b3 100644 --- a/pkgs/applications/virtualization/x11docker/default.nix +++ b/pkgs/applications/virtualization/x11docker/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { description = "Run graphical applications with Docker"; homepage = "https://github.com/mviereck/x11docker"; license = lib.licenses.mit; - maintainers = with lib.maintainers; [ ]; + maintainers = [ ]; platforms = lib.platforms.linux; mainProgram = "x11docker"; }; 
diff --git a/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch b/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch deleted file mode 100644 index 5fc5a6012ee30..0000000000000 --- a/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch +++ /dev/null @@ -1,16 +0,0 @@ -tools/python/install-wrap script brakes shebangs patching, disable - -diff --git a/tools/Rules.mk b/tools/Rules.mk -index 444e5bacdd..c99ea959ff 100644 ---- a/tools/Rules.mk -+++ b/tools/Rules.mk -@@ -135,8 +135,7 @@ CFLAGS += $(CFLAGS-y) - - CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS) - --INSTALL_PYTHON_PROG = \ -- $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG) -+INSTALL_PYTHON_PROG = $(INSTALL_PROG) - - %.opic: %.c - $(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< $(APPEND_CFLAGS) diff --git a/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch b/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch deleted file mode 100644 index 339972a2cdeb1..0000000000000 --- a/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -uNr a/src/Kconfig b/src/Kconfig ---- a/src/Kconfig 2015-08-31 10:15:13.231134858 +0200 -+++ b/src/Kconfig 2015-08-31 10:14:24.039180178 +0200 -@@ -144,13 +144,13 @@ - config ATA_DMA - depends on ATA - bool "ATA DMA" -- default n -+ default y - help - Detect and try to use ATA bus mastering DMA controllers. - config ATA_PIO32 - depends on ATA - bool "ATA 32bit PIO" -- default n -+ default y - help - Use 32bit PIO accesses on ATA (minor optimization on PCI transfers). - config AHCI diff --git a/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch b/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch deleted file mode 100644 index c64ec52315c92..0000000000000 
--- a/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile -index b6567c4127..83defeee95 100644 ---- a/xen/arch/x86/Makefile -+++ b/xen/arch/x86/Makefile -@@ -124,11 +124,11 @@ ifneq ($(efi-y),) - export XEN_BUILD_EFI := $(shell $(CC) $(XEN_CFLAGS) -c efi/check.c -o efi/check.o 2>/dev/null && echo y) - # Check if the linker supports PE. - EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(XEN_LDFLAGS)) --subsystem=10 --strip-debug --XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y)) -+XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(EFI_LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y)) - CFLAGS-$(XEN_BUILD_EFI) += -DXEN_BUILD_EFI - # Check if the linker produces fixups in PE by default (we need to disable it doing so for now). - XEN_NO_PE_FIXUPS := $(if $(XEN_BUILD_EFI), \ -- $(shell $(LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \ -+ $(shell $(EFI_LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \ - echo --disable-reloc-section)) - endif - -@@ -217,20 +217,20 @@ note_file_option ?= $(note_file) - ifeq ($(XEN_BUILD_PE),y) - $(TARGET).efi: prelink-efi.o $(note_file) efi.lds efi/relocs-dummy.o efi/mkreloc - $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ -- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ -+ $(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ - $(BASEDIR)/common/symbols-dummy.o $(note_file_option) -o $(@D)/.$(@F).$(base).0 &&) : - efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).0) >$(@D)/.$(@F).0r.S - $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).0 \ - | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).0s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o - $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ -- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ -+ 
$(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ - $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(note_file_option) -o $(@D)/.$(@F).$(base).1 &&) : - efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).1) >$(@D)/.$(@F).1r.S - $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).1 \ - | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).1s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o -- $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ -+ $(EFI_LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ - $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(note_file_option) -o $@ - $(NM) -pa --format=sysv $(@D)/$(@F) \ - | $(BASEDIR)/tools/symbols --all-symbols --xensyms --sysv --sort >$(@D)/$(@F).map diff --git a/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch b/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch deleted file mode 100644 index 8f07c1a8e29ff..0000000000000 --- a/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -EFI_MOUNTPOINT is conventionally /boot/efi or /boot/EFI or something -like that, and (on my machine) has directories within that called -{Boot, nixos, gummiboot}. - -This patch does two things: - -1) Xen apparently wants to put files in -$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR) - we remove the duplicate 'efi' name -because I can't see why we have it - -2) Ensures the said directory exists - - -diff --git a/xen/Makefile b/xen/Makefile -index acb2d28891..d0763fbbe7 100644 ---- a/xen/Makefile -+++ b/xen/Makefile -@@ -289,7 +289,9 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) - ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ - ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ - if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ -- $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ -+ [ -d $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ] || \ -+ $(INSTALL_DIR) $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ;\ -+ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ - elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ - echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ - fi; \ -@@ -319,7 +321,7 @@ _uninstall: - rm -f $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION).efi.map - rm -f $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi - rm -f $(D)$(EFI_DIR)/$(T).efi -- rm -f $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi -+ rm -f $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi - - .PHONY: _debug - _debug: diff --git a/pkgs/applications/virtualization/xen/4.15.nix b/pkgs/applications/virtualization/xen/4.15.nix deleted file mode 100644 index d4905088ae1e3..0000000000000 --- a/pkgs/applications/virtualization/xen/4.15.nix +++ /dev/null 
@@ -1,183 +0,0 @@ -{ lib, callPackage, fetchurl, fetchpatch, fetchgit -, ocaml-ng -, withInternalQemu ? true -, withInternalTraditionalQemu ? true -, withInternalSeabios ? true -, withSeabios ? !withInternalSeabios, seabios -, withInternalOVMF ? false # FIXME: tricky to build -, withOVMF ? false, OVMF -, withLibHVM ? false - -# xen -, python3Packages - -# qemu -, udev, pciutils, xorg, SDL, pixman, acl, glusterfs, spice-protocol, usbredir -, alsa-lib, glib, python3 -, ... } @ args: - -assert withInternalSeabios -> !withSeabios; -assert withInternalOVMF -> !withOVMF; -assert !withLibHVM; - -with lib; - -# Patching XEN? Check the XSAs at -# https://xenbits.xen.org/xsa/ -# and try applying all the ones we don't have yet. - -let - xsa = import ./xsa-patches.nix { inherit fetchpatch; }; - - qemuMemfdBuildFix = fetchpatch { - name = "xen-4.8-memfd-build-fix.patch"; - url = "https://github.com/qemu/qemu/commit/75e5b70e6b5dcc4f2219992d7cffa462aa406af0.patch"; - sha256 = "0gaz93kb33qc0jx6iphvny0yrd17i8zhcl3a9ky5ylc2idz0wiwa"; - }; - - qemuDeps = [ - udev pciutils xorg.libX11 SDL pixman acl glusterfs spice-protocol usbredir - alsa-lib glib python3 - ]; -in - -callPackage (import ./generic.nix (rec { - version = "4.15.1"; - - src = fetchurl { - url = "https://downloads.xenproject.org/release/xen/${version}/xen-${version}.tar.gz"; - sha256 = "1rmc7gb72xwhr3h9rc3bkac41s8kjjzz45miwdq6yalyq7j7vss5"; - }; - - # Sources needed to build tools and firmwares. 
- xenfiles = optionalAttrs withInternalQemu { - qemu-xen = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/qemu-xen.git"; - # rev = "refs/tags/qemu-xen-${version}"; - # use revision hash - reproducible but must be updated with each new version - rev = "e2af2d050338c99e8436e251ad67aafb3ebbd501"; - sha256 = "sha256-gVykPtzAA7tmpe6iVvnulaW+b0jD3gwL1JXC5yeIA7M="; - }; - buildInputs = qemuDeps; - postPatch = '' - # needed in build but /usr/bin/env is not available in sandbox - substituteInPlace scripts/tracetool.py \ - --replace "/usr/bin/env python" "${python3}/bin/python" - ''; - meta.description = "Xen's fork of upstream Qemu"; - }; - } // optionalAttrs withInternalTraditionalQemu { - # TODO 4.15: something happened with traditional in this release? - qemu-xen-traditional = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/qemu-xen-traditional.git"; - # rev = "refs/tags/xen-${version}"; - # use revision hash - reproducible but must be updated with each new version - rev = "3d273dd05e51e5a1ffba3d98c7437ee84e8f8764"; - sha256 = "1dc6dhjp4y2irmi9yiyw1kzmm1habyy8j1s2zkf6qyak850krqj7"; - }; - buildInputs = qemuDeps; - patches = [ - ]; - postPatch = '' - substituteInPlace xen-hooks.mak \ - --replace /usr/include/pci ${pciutils}/include/pci - ''; - meta.description = "Xen's fork of upstream Qemu that uses old device model"; - }; - } // optionalAttrs withInternalSeabios { - "firmware/seabios-dir-remote" = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/seabios.git"; - rev = "155821a1990b6de78dde5f98fa5ab90e802021e0"; - sha256 = "sha256-F3lzr00CMAObJtpz0eZFT/rwjFx+bvlI37/JtHXP5Eo="; - }; - patches = [ ./0000-qemu-seabios-enable-ATA_DMA.patch ]; - meta.description = "Xen's fork of Seabios"; - }; - } // optionalAttrs withInternalOVMF { - "firmware/ovmf-dir-remote" = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/ovmf.git"; - rev = "a3741780fe3535e19e02efa869a7cac481891129"; - sha256 = 
"0000000000000000000000000000000000000000000000000000"; - }; - meta.description = "Xen's fork of OVMF"; - }; - } // { - # TODO: patch Xen to make this optional? - "firmware/etherboot/ipxe.git" = { - src = fetchgit { - url = "https://git.ipxe.org/ipxe.git"; - rev = "988d2c13cdf0f0b4140685af35ced70ac5b3283c"; - sha256 = "1pkf1n1c0rdlzfls8fvjvi1sd9xjd9ijqlyz3wigr70ijcv6x8i9"; - }; - meta.description = "Xen's fork of iPXE"; - }; - }; - - configureFlags = [] - ++ optional (!withInternalQemu) "--with-system-qemu" # use qemu from PATH - ++ optional (withInternalTraditionalQemu) "--enable-qemu-traditional" - ++ optional (!withInternalTraditionalQemu) "--disable-qemu-traditional" - - ++ optional (withSeabios) "--with-system-seabios=${seabios}/share/seabios" - ++ optional (!withInternalSeabios && !withSeabios) "--disable-seabios" - - ++ optional (withOVMF) "--with-system-ovmf=${OVMF.firmware}" - ++ optional (withInternalOVMF) "--enable-ovmf"; - - NIX_CFLAGS_COMPILE = toString [ - # TODO 4.15: drop unneeded ones - # Fix build on Glibc 2.24. - "-Wno-error=deprecated-declarations" - # Fix build with GCC 8 - "-Wno-error=maybe-uninitialized" - "-Wno-error=stringop-truncation" - "-Wno-error=format-truncation" - "-Wno-error=array-bounds" - # Fix build with GCC 9 - "-Wno-error=address-of-packed-member" - "-Wno-error=format-overflow" - "-Wno-error=absolute-value" - # Fix build with GCC 10 - "-Wno-error=enum-conversion" - "-Wno-error=zero-length-bounds" - # Fix build with GCC 12 - # xentoollog_stubs.c:57: error: "Some_val" redefined [-Werror] - "-Wno-error" - ]; - - patches = with xsa; flatten [ - ./0000-fix-ipxe-src.4.15.patch - ./0000-fix-install-python.4.15.patch - ./0004-makefile-use-efi-ld.4.15.patch - ./0005-makefile-fix-efi-mountdir-use.4.15.patch - - XSA_386 - ]; - - postPatch = '' - # Avoid a glibc >= 2.25 deprecation warnings that get fatal via -Werror. 
- sed 1i'#include <sys/sysmacros.h>' \ - -i tools/libs/light/libxl_device.c - - # Fix missing pkg-config dir - mkdir -p tools/pkg-config - ''; - - preBuild = '' - # PKG_CONFIG env var collides with variables used in tools Makefiles. - unset PKG_CONFIG - ''; - - passthru = { - qemu-system-i386 = if withInternalQemu - then "lib/xen/bin/qemu-system-i386" - else throw "this xen has no qemu builtin"; - }; - -})) ({ - ocamlPackages = ocaml-ng.ocamlPackages_4_14; -} // args) diff --git a/pkgs/applications/virtualization/xen/0000-fix-ipxe-src.4.15.patch b/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch index 08e9aa5ad2fb9..d96023d1946ae 100644 --- a/pkgs/applications/virtualization/xen/0000-fix-ipxe-src.4.15.patch +++ b/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch @@ -1,21 +1,21 @@ -hack to make etherboot use prefetched ipxe +Hack to make etherboot use pre-fetched iPXE. diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile index ed9e11305f..979a3acea8 100644 --- a/tools/firmware/etherboot/Makefile +++ b/tools/firmware/etherboot/Makefile @@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - + D=ipxe T=ipxe.tar.gz +G=ipxe.git - + ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) ROM = $D/src/bin/ipxe.bin @@ -41,9 +42,9 @@ $T: fi mv _$T $T - + -$D/src/arch/i386/Makefile: $T Config - rm -rf $D - gzip -dc $T | tar xf - diff --git a/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch b/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch new file mode 100644 index 0000000000000..1d814b562a179 --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch 
@@ -0,0 +1,16 @@
+Remove a pipe that was causing SIGPIPE
+issues on overloaded Hydra machines.
+
+diff --git a/docs/figs/Makefile b/docs/figs/Makefile
+index e128a4364f..943f745dda 100644
+--- a/docs/figs/Makefile
++++ b/docs/figs/Makefile
+@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
+ all: $(TARGETS)
+
+ %.png: %.fig
+- $(FIG2DEV) -L png $< >$@.tmp
++ $(FIG2DEV) -L png $< $@.tmp
+ mv -f $@.tmp $@
+
+ clean:
diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix
new file mode 100644
index 0000000000000..980096e4bbfab
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.16/default.nix
@@ -0,0 +1,52 @@
+{
+ lib,
+ fetchpatch,
+ callPackage,
+ ocaml-ng,
+ ...
+}@genericDefinition:
+
+let
+ upstreamPatches = import ../patches.nix {
+ inherit lib;
+ inherit fetchpatch;
+ };
+
+ upstreamPatchList = lib.lists.flatten [ upstreamPatches.XSA_458 ];
+in
+
+callPackage (import ../generic.nix {
+ branch = "4.16";
+ version = "4.16.6";
+ latest = false;
+ pkg = {
+ xen = {
+ rev = "4b33780de790bd438dd7cbb6143b410d94f0f049";
+ hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA=";
+ patches = [
+ ./0000-xen-ipxe-src-4.16.patch
+ ./0001-xen-fig-geneneration-4.16.patch
+ ] ++ upstreamPatchList;
+ };
+ qemu = {
+ rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3";
+ hash = "sha256-LwlPry04az9QQowaDG2la8PYlGOUMbZaQAsCHxj+pwM=";
+ patches = [ ];
+ };
+ seaBIOS = {
+ rev = "d239552ce7220e448ae81f41515138f7b9e3c4db";
+ hash = "sha256-UKMceJhIprN4/4Xe4EG2EvKlanxVcEi5Qcrrk3Ogiik=";
+ patches = [ ];
+ };
+ ovmf = {
+ rev = "7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5";
+ hash = "sha256-Qq2RgktCkJZBsq6Ch+6tyRHhme4lfcN7d2oQfxwhQt8=";
+ patches = [ ];
+ };
+ ipxe = {
+ rev = "3c040ad387099483102708bb1839110bc788cefb";
+ hash = "sha256-y2QdZEoGsGUQjrrvD8YRa8VoqcZSr4tjLM//I/MrsLI=";
+ patches = [ ];
+ };
+ };
+}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
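Review bot: `xen/4.16/default.nix` pins only `upstreamPatches.XSA_458`, while the 4.17 and 4.18 files in this commit also apply `upstreamPatches.QUBES_REPRODUCIBLE_BUILDS`; if that patch does not apply to 4.16, a comment on `upstreamPatchList` saying so would stop a later XSA backport from "fixing" the inconsistency blindly. The two local patches are byte-identical across 4.16, 4.17, 4.18 and 4.19 (the file headers show the same blob ids `d96023d1946ae` and `1d814b562a179`), so they could live once in the parent directory next to `patches.nix` and be referenced as `../0000-xen-ipxe-src.patch` instead of four copies that must be kept in sync, and the filename typo `geneneration` would then be fixed in one place. A short header comment stating that each branch file is expected to differ only in `branch`, `version`, the `rev`/`hash` pairs and the XSA list would also help reviewers of future bumps.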
diff --git a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch new file mode 100644 index 0000000000000..d96023d1946ae --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch @@ -0,0 +1,27 @@ +Hack to make etherboot use pre-fetched iPXE. + +diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile +index ed9e11305f..979a3acea8 100644 +--- a/tools/firmware/etherboot/Makefile ++++ b/tools/firmware/etherboot/Makefile +@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz + + D=ipxe + T=ipxe.tar.gz ++G=ipxe.git + + ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) + ROM = $D/src/bin/ipxe.bin +@@ -41,9 +42,9 @@ $T: + fi + mv _$T $T + +-$D/src/arch/i386/Makefile: $T Config +- rm -rf $D +- gzip -dc $T | tar xf - ++$D/src/arch/i386/Makefile: $G Config ++ mkdir $D ++ cp -a $G/* $D + for i in $$(cat patches/series) ; do \ + patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \ + done diff --git a/pkgs/applications/virtualization/xen/4.17/0001-xen-fig-geneneration-4.17.patch b/pkgs/applications/virtualization/xen/4.17/0001-xen-fig-geneneration-4.17.patch new file mode 100644 index 0000000000000..1d814b562a179 --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.17/0001-xen-fig-geneneration-4.17.patch @@ -0,0 +1,16 @@ +Remove a pipe that was causing SIGPIPE +issues on overloaded Hydra machines. + +diff --git a/docs/figs/Makefile b/docs/figs/Makefile +index e128a4364f..943f745dda 100644 +--- a/docs/figs/Makefile ++++ b/docs/figs/Makefile +@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png + all: $(TARGETS) + + %.png: %.fig +- $(FIG2DEV) -L png $< >$@.tmp ++ $(FIG2DEV) -L png $< $@.tmp + mv -f $@.tmp $@ + + clean: 
diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix
new file mode 100644
index 0000000000000..f20d15c9d59b4
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.17/default.nix
@@ -0,0 +1,55 @@
+{
+ lib,
+ fetchpatch,
+ callPackage,
+ ocaml-ng,
+ ...
+}@genericDefinition:
+
+let
+ upstreamPatches = import ../patches.nix {
+ inherit lib;
+ inherit fetchpatch;
+ };
+
+ upstreamPatchList = lib.lists.flatten [
+ upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
+ upstreamPatches.XSA_458
+ ];
+in
+
+callPackage (import ../generic.nix {
+ branch = "4.17";
+ version = "4.17.4";
+ latest = false;
+ pkg = {
+ xen = {
+ rev = "d530627aaa9b6e03c7f911434bb342fca3d13300";
+ hash = "sha256-4ltQUzo4XPzGT/7fGt1hnNMqBQBVF7VP+WXD9ZaJcGo=";
+ patches = [
+ ./0000-xen-ipxe-src-4.17.patch
+ ./0001-xen-fig-geneneration-4.17.patch
+ ] ++ upstreamPatchList;
+ };
+ qemu = {
+ rev = "ffb451126550b22b43b62fb8731a0d78e3376c03";
+ hash = "sha256-G0hMPid9d3fd1jAY7CiZ33xUZf1hdy96T1VUKFGeHSk=";
+ patches = [ ];
+ };
+ seaBIOS = {
+ rev = "d239552ce7220e448ae81f41515138f7b9e3c4db";
+ hash = "sha256-UKMceJhIprN4/4Xe4EG2EvKlanxVcEi5Qcrrk3Ogiik=";
+ patches = [ ];
+ };
+ ovmf = {
+ rev = "7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5";
+ hash = "sha256-Qq2RgktCkJZBsq6Ch+6tyRHhme4lfcN7d2oQfxwhQt8=";
+ patches = [ ];
+ };
+ ipxe = {
+ rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
+ hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
+ patches = [ ];
+ };
+ };
+}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
diff --git a/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch b/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch
new file mode 100644
index 0000000000000..d96023d1946ae
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch
@@ -0,0 +1,27 @@ +Hack to make etherboot use pre-fetched iPXE. + +diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile +index ed9e11305f..979a3acea8 100644 +--- a/tools/firmware/etherboot/Makefile ++++ b/tools/firmware/etherboot/Makefile +@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz + + D=ipxe + T=ipxe.tar.gz ++G=ipxe.git + + ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) + ROM = $D/src/bin/ipxe.bin +@@ -41,9 +42,9 @@ $T: + fi + mv _$T $T + +-$D/src/arch/i386/Makefile: $T Config +- rm -rf $D +- gzip -dc $T | tar xf - ++$D/src/arch/i386/Makefile: $G Config ++ mkdir $D ++ cp -a $G/* $D + for i in $$(cat patches/series) ; do \ + patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \ + done diff --git a/pkgs/applications/virtualization/xen/4.18/0001-xen-fig-geneneration-4.18.patch b/pkgs/applications/virtualization/xen/4.18/0001-xen-fig-geneneration-4.18.patch new file mode 100644 index 0000000000000..1d814b562a179 --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.18/0001-xen-fig-geneneration-4.18.patch @@ -0,0 +1,16 @@ +Remove a pipe that was causing SIGPIPE +issues on overloaded Hydra machines. + +diff --git a/docs/figs/Makefile b/docs/figs/Makefile +index e128a4364f..943f745dda 100644 +--- a/docs/figs/Makefile ++++ b/docs/figs/Makefile +@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png + all: $(TARGETS) + + %.png: %.fig +- $(FIG2DEV) -L png $< >$@.tmp ++ $(FIG2DEV) -L png $< $@.tmp + mv -f $@.tmp $@ + + clean: diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix new file mode 100644 index 0000000000000..89c3713c6286c --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.18/default.nix 
@@ -0,0 +1,55 @@
+{
+ lib,
+ fetchpatch,
+ callPackage,
+ ocaml-ng,
+ ...
+}@genericDefinition:
+
+let
+ upstreamPatches = import ../patches.nix {
+ inherit lib;
+ inherit fetchpatch;
+ };
+
+ upstreamPatchList = lib.lists.flatten [
+ upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
+ upstreamPatches.XSA_458
+ ];
+in
+
+callPackage (import ../generic.nix {
+ branch = "4.18";
+ version = "4.18.2";
+ latest = false;
+ pkg = {
+ xen = {
+ rev = "d152a0424677d8b78e00ed1270a583c5dafff16f";
+ hash = "sha256-pHCjj+Bcy4xQfB9xHU9fccFwVdP2DXrUhdszwGvrdmY=";
+ patches = [
+ ./0000-xen-ipxe-src-4.18.patch
+ ./0001-xen-fig-geneneration-4.18.patch
+ ] ++ upstreamPatchList;
+ };
+ qemu = {
+ rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";
+ hash = "sha256-BX+LXfNzwdUMALwwI1ZDW12dJ357oynjnrboLHREDGQ=";
+ patches = [ ];
+ };
+ seaBIOS = {
+ rev = "ea1b7a0733906b8425d948ae94fba63c32b1d425";
+ hash = "sha256-J2FuT+FXn9YoFLSfxDOxyKZvKrys59a6bP1eYvEXVNU=";
+ patches = [ ];
+ };
+ ovmf = {
+ rev = "ba91d0292e593df8528b66f99c1b0b14fadc8e16";
+ hash = "sha256-htOvV43Hw5K05g0SF3po69HncLyma3BtgpqYSdzRG4s=";
+ patches = [ ];
+ };
+ ipxe = {
+ rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
+ hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
+ patches = [ ];
+ };
+ };
+}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
diff --git a/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch b/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch
new file mode 100644
index 0000000000000..d96023d1946ae
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch
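Review bot: `upstreamPatchList` is the only record of which XSAs this 4.18.2 build carries on top of the release, and nothing documents the rule that an entry has to go once a point release folds the fix in, so a future bump to 4.18.3 can just as easily keep a now-redundant `XSA_458` (which may then fail to apply) as drop one that is still needed. A short comment above the list, e.g. `# XSAs published after 4.18.2 that are not yet in a point release; drop each one once upstream includes it (see xenbits.xenproject.org/xsa/).`, makes the maintenance rule explicit. `latest = false` is likewise undocumented in this file; what generic.nix does with the flag is not visible here, so a one-line comment on its effect would help whoever next copies this file for a new branch.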
@@ -0,0 +1,27 @@
+Hack to make etherboot use pre-fetched iPXE.
+
+diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
+index ed9e11305f..979a3acea8 100644
+--- a/tools/firmware/etherboot/Makefile
++++ b/tools/firmware/etherboot/Makefile
+@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
+ 
+ D=ipxe
+ T=ipxe.tar.gz
++G=ipxe.git
+ 
+ ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
+ ROM = $D/src/bin/ipxe.bin
+@@ -41,9 +42,9 @@ $T:
+ fi
+ mv _$T $T
+ 
+-$D/src/arch/i386/Makefile: $T Config
+- rm -rf $D
+- gzip -dc $T | tar xf -
++$D/src/arch/i386/Makefile: $G Config
++ mkdir $D
++ cp -a $G/* $D
+ for i in $$(cat patches/series) ; do \
+ patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
+ done
diff --git a/pkgs/applications/virtualization/xen/4.19/0001-xen-fig-geneneration-4.19.patch b/pkgs/applications/virtualization/xen/4.19/0001-xen-fig-geneneration-4.19.patch
new file mode 100644
index 0000000000000..1d814b562a179
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.19/0001-xen-fig-geneneration-4.19.patch
@@ -0,0 +1,16 @@
+Remove a pipe that was causing SIGPIPE
+issues on overloaded Hydra machines.
+
+diff --git a/docs/figs/Makefile b/docs/figs/Makefile
+index e128a4364f..943f745dda 100644
+--- a/docs/figs/Makefile
++++ b/docs/figs/Makefile
+@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
+ all: $(TARGETS)
+ 
+ %.png: %.fig
+- $(FIG2DEV) -L png $< >$@.tmp
++ $(FIG2DEV) -L png $< $@.tmp
+ mv -f $@.tmp $@
+ 
+ clean:
diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix
new file mode 100644
index 0000000000000..ba1475cd7b256
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/4.19/default.nix
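Review bot: This patch is byte-identical to the 4.18 one (both file headers carry the same blob id `d96023d1946ae`, and the two fig patches likewise share `1d814b562a179`), so the same Makefile hack now exists as separate per-branch copies that have to be kept in sync by hand; the 4.17 copy referenced from its `default.nix` is not visible here but is presumably the same. The branch-suffixed naming scheme the README prescribes is what forces the copies; a single shared `../0000-xen-ipxe-src.patch` referenced from each `default.nix`, or a README note allowing shared patches, would remove the drift risk. If the copies are kept, the minimum is a first-line note in each, e.g. `Identical to 4.18/0000-xen-ipxe-src-4.18.patch; keep all copies in sync.`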
@@ -0,0 +1,52 @@
+{
+ lib,
+ fetchpatch,
+ callPackage,
+ ocaml-ng,
+ ...
+}@genericDefinition:
+
+let
+ upstreamPatches = import ../patches.nix {
+ inherit lib;
+ inherit fetchpatch;
+ };
+
+ upstreamPatchList = lib.lists.flatten [ upstreamPatches.QUBES_REPRODUCIBLE_BUILDS ];
+in
+
+callPackage (import ../generic.nix {
+ branch = "4.19";
+ version = "4.19.0";
+ latest = true;
+ pkg = {
+ xen = {
+ rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239";
+ hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q=";
+ patches = [
+ ./0000-xen-ipxe-src-4.19.patch
+ ./0001-xen-fig-geneneration-4.19.patch
+ ] ++ upstreamPatchList;
+ };
+ qemu = {
+ rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";
+ hash = "sha256-BX+LXfNzwdUMALwwI1ZDW12dJ357oynjnrboLHREDGQ=";
+ patches = [ ];
+ };
+ seaBIOS = {
+ rev = "a6ed6b701f0a57db0569ab98b0661c12a6ec3ff8";
+ hash = "sha256-hWemj83cxdY8p+Jhkh5GcPvI0Sy5aKYZJCsKDjHTUUk=";
+ patches = [ ];
+ };
+ ovmf = {
+ rev = "ba91d0292e593df8528b66f99c1b0b14fadc8e16";
+ hash = "sha256-htOvV43Hw5K05g0SF3po69HncLyma3BtgpqYSdzRG4s=";
+ patches = [ ];
+ };
+ ipxe = {
+ rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
+ hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
+ patches = [ ];
+ };
+ };
+}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md
new file mode 100644
index 0000000000000..c059808dcecbf
--- /dev/null
+++ b/pkgs/applications/virtualization/xen/README.md
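Review bot: The 4.19 list carries only `QUBES_REPRODUCIBLE_BUILDS` while the 4.17 and 4.18 files also apply `XSA_458`, and nothing in the file says why; presumably 4.19.0 already contains that fix, but a reader cannot distinguish a deliberately omitted entry from a forgotten one. Record it next to the list, e.g. `# XSA-458 is already part of the 4.19.0 release; add XSAs published after it here.`, so the next XSA triage knows what was checked. Since this is also the branch marked `latest = true`, it is the one users get by default, which makes an explicit statement of its security-patch status more valuable, not less.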
@@ -0,0 +1,205 @@ +<p align="center"> + <a href="https://xenproject.org/"> + <picture> + <source + media="(prefers-color-scheme: light)" + srcset="https://downloads.xenproject.org/Branding/Logos/Green+Black/xen_project_logo_dualcolor_2000x832.png"> + <source + media="(prefers-color-scheme: dark)" + srcset="https://xenproject.org/wp-content/uploads/sites/79/2018/09/logo_xenproject.png"> + <img + src="https://downloads.xenproject.org/Branding/Logos/Green+Black/xen_project_logo_dualcolor_2000x832.png" + width="512px" + alt="Xen Project Logo"> + </picture> + </a> +</p> + +# Xen Hypervisor <a href="https://xenproject.org/"><img src="https://downloads.xenproject.org/Branding/Mascots/Xen-Fu-Panda-2000px.png" width="48px" align="top" alt="Xen Fu Panda"></a> + +This directory includes the build recipes for the [Xen Hypervisor](https://xenproject.org/). + +Some other notable packages that compose the Xen Ecosystem include: + +- `ocamlPackages.xenstore`: Mirage's `oxenstore` implementation. +- `ocamlPackages.vchan`: Mirage's `xen-vchan` implementation. +- `ocamlPackages.xenstore-tool`: XAPI's `oxenstore` utilities. +- `xen-guest-agent`: Guest drivers for UNIX domUs. +- `win-pvdrivers`: Guest drivers for Windows domUs. + +## Updating + +### Automatically + +An automated update script is available in this directory. To produce up-to-date +files for all supported Xen branches, simply run `./update.sh`, and follow the +instructions given to you by the script. Notably, it will request that you verify +the Xen Project code signing PGP key. This README understands that the fingerprint +of that key is [`23E3 222C 145F 4475 FA80 60A7 83FE 14C9 57E8 2BD9`](https://keys.openpgp.org/search?q=pgp%40xen.org), +but you should verify this information by seeking the fingerprint from other trusted +sources, as this document may be compromised. Once the PGP key is verified, it will +use `git verify-tag` to ascertain the validity of the cloned Xen sources. 
+ +After the script is done, follow the steps in +[**For Both Update Methods**](#for-both-update-methods) below. + +#### Downstream Patch Names + +The script expects local patch names to follow a certain specification. +Please name any required patches using the template below: + +```console +0000-project-description-branch.patch +``` + +Where: + +1. The first four numbers define the patch order. + **0001** will be applied after **0000**, and so on. +1. `project` means the name of the source the patch should be applied to. + - If you are applying patches to the main Xen sources, use `xen`. + - For the pre-fetched QEMU, use `qemu`. + - For SeaBIOS, use `seabios`. + - For OVMF, use `ovmf`. + - For iPXE, use `ipxe`. +1. `description` is a string with uppercase and lowercase letters, numbers and + dashes. It describes the patch name and what it does to the upstream code. +1. `branch` is the branch for which this patch is supposed to patch. + It should match the name of the directory it is in. + +For example, a patch fixing `xentop`'s output in the 4.15 branch should have +the following name: `0000-xen-xentop-output-4.15.patch`, and it should be added +to the `4.15/` directory. + +### Manually + +The script is not infallible, and it may break in the future. If that happens, +open a PR fixing the script, and update Xen manually: + +1. Check the support matrix to see which branches are security-supported. +1. Create one directory per branch. +1. [Update](https://xenbits.xenproject.org/gitweb/) the `default.nix` files for + the branches that already exist and copy a new one to any branches that do + not yet exist in Nixpkgs. + - Do not forget to set the `branch`, `version`, and `latest` attributes for + each of the `default.nix` files. + - The revisions are preferably commit hashes, but tag names are acceptable + as well. + +### For Both Update Methods + +1. Update `packages.nix` with the new versions. Don't forget the `slim` packages! +1. Make sure all branches build. 
(Both the `standard` and `slim` versions) +1. Use the NixOS module to test if dom0 boots successfully on all new versions. +1. Make sure the `meta` attributes evaluate to something that makes sense. The + following one-line command is useful for testing this: + + ```console + xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description 2> /dev/null | tail -c +2 | head -c -2)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription 2> /dev/null | tail -c +2 | head -c -2)" + ``` + + Change the value of `xenToEvaluate` to evaluate all relevant Xen packages. +1. Clean up your changes and commit them, making sure to follow the + [Nixpkgs Contribution Guidelines](../../../../CONTRIBUTING.md). +1. Open a PR and await a review from the current maintainers. + +## Features + +### Pre-fetched Sources + +On a typical Xen build, the Xen Makefiles will fetch more required sources with +`git` and `wget`. Due to the Nix Sandbox, build-time fetching will fail, so we +pre-fetch the required sources before building.[^1] To accomplish this, we have +a `prefetchedSources` attribute that contains the required derivations, if they +are requested by the main Xen build. + +### EFI + +Building `xen.efi` requires an `ld` with PE support.[^2] + +We use a `makeFlag` to override the `$LD` environment variable to point to our +patched `efiBinutils`. For more information, see the comment in `./generic.nix`. + +> [!TIP] +> If you are certain you will not be running Xen in an x86 EFI environment, disable +the `withEFI` flag with an [override](https://nixos.org/manual/nixpkgs/stable/#chap-overrides) +to save you the need to compile `efiBinutils`. + +### Default Overrides + +By default, Xen also builds +[QEMU](https://www.qemu.org/), +[SeaBIOS](https://www.seabios.org/SeaBIOS), +[OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF) and +[iPXE](https://ipxe.org/). + +- QEMU is used for stubdomains and handling devices. 
+- SeaBIOS is the default legacy BIOS ROM for HVM domains. +- OVMF is the default UEFI ROM for HVM domains. +- iPXE provides a PXE boot environment for HVMs. + +However, those packages are already available on Nixpkgs, and Xen does not +necessarily need to build them into the main hypervisor build. For this reason, +we also have the `withInternal<Component>` flags, which enables and disables +building those built-in components. The two most popular Xen configurations will +be the default build, with all built-in components, and a `slim` build, with none +of those components. To simplify this process, the `./packages.nix` file includes +the `xen-slim` package overrides that have all `withInternal<Component>` flags +disabled. See the `meta.longDescription` attribute for the `xen-slim` packages +for more information. + +## Security + +We aim to support all **security-supported** versions of Xen at any given time. +See the [Xen Support Matrix](https://xenbits.xen.org/docs/unstable/support-matrix.html) +for a list of versions. As soon as a version is no longer **security-supported**, +it should be removed from Nixpkgs. + +> [!CAUTION] +> Pull requests that introduce XSA patches +should have the `1.severity: security` label. + +### Maintainers + +Xen is a particularly complex piece of software, so we are always looking for new +maintainers. Help out by [making and triaging issues](https://github.com/NixOS/nixpkgs/issues/new/choose), +[sending build fixes and improvements through PRs](https://github.com/NixOS/nixpkgs/compare), +updating the branches, and [patching security flaws](https://xenbits.xenproject.org/xsa/). + +We are also looking for testers, particularly those who can test Xen on AArch64 +machines. Open issues for any build failures or runtime errors you find! + +## Tests + +So far, we only have had one simple automated test that checks for +the correct `pkg-config` output files. 
+ +Due to Xen's nature as a type-1 hypervisor, it is not a trivial matter to design +new tests, as even basic functionality requires a machine booted in a dom0 +kernel. For this reason, most testing done with this package must be done +manually in a NixOS machine with `virtualisation.xen.enable` set to `true`. + +Another unfortunate thing is that none of the Xen commands have a `--version` +flag. This means that `testers.testVersion` cannot ascertain the Xen version. +The only way to verify that you have indeed built the correct version is to +boot into the freshly built Xen kernel and run `xl info`. + +<p align="center"> + <a href="https://xenproject.org/"> + <img + src="https://downloads.xenproject.org/Branding/Mascots/Xen%20Big%20Panda%204242x3129.png" + width="96px" + alt="Xen Fu Panda"> + </a> +</p> + +[^1]: We also produce fake `git`, `wget` and `hostname` binaries that do nothing, + to prevent the build from failing because Xen cannot fetch the sources that + were already fetched by Nix. +[^2]: From the [Xen Documentation](https://xenbits.xenproject.org/docs/unstable/misc/efi.html): + > For x86, building `xen.efi` requires `gcc` 4.5.x or above (4.6.x or newer + recommended, as 4.5.x was probably never really tested for this purpose) + and `binutils` 2.22 or newer. Additionally, the `binutils` build must be + configured to include support for the x86_64-pep emulation (i.e. + `--enable-targets=x86_64-pep` or an option of equivalent effect should be + passed to the configure script). diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 826cd8a3d9d84..b8672770e5bdd 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix 
@@ -1,265 +1,690 @@ -config: -{ lib, stdenv, cmake, pkg-config, which - -# Xen -, bison, bzip2, checkpolicy, dev86, figlet, flex, gettext, glib -, acpica-tools, libaio, libiconv, libuuid, ncurses, openssl, perl -, xz, yajl, zlib -, python3Packages - -# Xen Optional -, ocamlPackages - -# Scripts -, coreutils, gawk, gnused, gnugrep, diffutils, multipath-tools -, iproute2, inetutils, iptables, bridge-utils, openvswitch, nbd, drbd -, util-linux, procps, systemd - -# Documentation -# python3Packages.markdown -, fig2dev, ghostscript, texinfo, pandoc - -, binutils-unwrapped - -, ...} @ args: - -with lib; +versionDefinition: +{ + lib, + stdenv, + autoPatchelfHook, + cmake, + ninja, + pkg-config, + testers, + which, + + fetchgit, + fetchFromGitHub, + + # Xen + acpica-tools, + bison, + bzip2, + dev86, + e2fsprogs, + flex, + libnl, + libuuid, + lzo, + ncurses, + ocamlPackages, + perl, + python311Packages, + systemdMinimal, + xz, + yajl, + zlib, + zstd, + + # Xen Optional + withInternalQEMU ? true, + pixman, + glib, + + withInternalSeaBIOS ? true, + withSeaBIOS ? !withInternalSeaBIOS, + seabios, + + withInternalOVMF ? true, + withOVMF ? !withInternalOVMF, + OVMF, + nasm, + + withInternalIPXE ? true, + withIPXE ? !withInternalIPXE, + ipxe, + + withFlask ? false, + checkpolicy, + + efiVendor ? "nixos", # Allow downstreams with custom branding to quickly override the EFI Vendor string. + withEFI ? true, + binutils-unwrapped, + + # Documentation + fig2dev, + imagemagick, + pandoc, + + # Scripts + bridge-utils, + coreutils, + diffutils, + gawk, + gnugrep, + gnused, + inetutils, + iproute2, + iptables, + multipath-tools, + nbd, + openvswitch, + util-linux, + ... +}@packageDefinition: let - #TODO: fix paths instead - scriptEnvPath = concatMapStringsSep ":" (x: "${x}/bin") [ - which perl - coreutils gawk gnused gnugrep diffutils util-linux multipath-tools - iproute2 inetutils iptables bridge-utils openvswitch nbd drbd + #TODO: fix paths instead. 
+ scriptEnvPath = lib.strings.concatMapStringsSep ":" (x: "${x}/bin") [ + bridge-utils + coreutils + diffutils + gawk + gnugrep + gnused + inetutils + iproute2 + iptables + multipath-tools + nbd + openvswitch + perl + util-linux + which ]; - withXenfiles = f: concatStringsSep "\n" (mapAttrsToList f config.xenfiles); - - withTools = a: f: withXenfiles (name: x: optionalString (hasAttr a x) '' - echo "processing ${name}" - __do() { - cd "tools/${name}" - ${f name x} + inherit (versionDefinition) branch; + inherit (versionDefinition) version; + inherit (versionDefinition) latest; + inherit (versionDefinition) pkg; + pname = "xen"; + + # Sources needed to build tools and firmwares. + prefetchedSources = + lib.attrsets.optionalAttrs withInternalQEMU { + qemu-xen = { + src = fetchgit { + url = "https://xenbits.xen.org/git-http/qemu-xen.git"; + fetchSubmodules = true; + inherit (pkg.qemu) rev; + inherit (pkg.qemu) hash; + }; + patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches; + postPatch = '' + substituteInPlace scripts/tracetool.py \ + --replace-fail "/usr/bin/env python" "${python311Packages.python}/bin/python" + ''; + }; } - ( __do ) - ''); - - # We don't want to use the wrapped version, because this version of ld is - # only used for linking the Xen EFI binary, and the build process really - # needs control over the LDFLAGS used + // lib.attrsets.optionalAttrs withInternalSeaBIOS { + "firmware/seabios-dir-remote" = { + src = fetchgit { + url = "https://xenbits.xen.org/git-http/seabios.git"; + inherit (pkg.seaBIOS) rev; + inherit (pkg.seaBIOS) hash; + }; + patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ + "patches" + ] pkg.seaBIOS) pkg.seaBIOS.patches; + }; + } + // lib.attrsets.optionalAttrs withInternalOVMF { + "firmware/ovmf-dir-remote" = { + src = fetchgit { + url = "https://xenbits.xen.org/git-http/ovmf.git"; + fetchSubmodules = true; + inherit (pkg.ovmf) rev; + inherit (pkg.ovmf) hash; + }; + patches = 
lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches; + postPatch = '' + substituteInPlace \ + OvmfPkg/build.sh BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} \ + --replace-fail "/usr/bin/env bash" ${stdenv.shell} + ''; + }; + } + // lib.attrsets.optionalAttrs withInternalIPXE { + "firmware/etherboot/ipxe.git" = { + src = fetchFromGitHub { + owner = "ipxe"; + repo = "ipxe"; + inherit (pkg.ipxe) rev; + inherit (pkg.ipxe) hash; + }; + patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ipxe) pkg.ipxe.patches; + }; + }; + withPrefetchedSources = + sourcePkg: lib.strings.concatLines (lib.attrsets.mapAttrsToList sourcePkg prefetchedSources); + + # Sometimes patches are sourced through a path, like ./0000-xen.patch. + # This would break the patch attribute parser functions, so we normalise + # all patches sourced through paths by setting them to a { type = "path"; } + # attribute set. + # Patches from fetchpatch are already attribute sets. + normalisedPatchList = builtins.map ( + patch: + if !builtins.isAttrs patch then + if builtins.isPath patch then + { type = "path"; } + else + throw "xen/generic.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set." + else + patch + ) pkg.xen.patches; + + # Simple counter for the number of attrsets (patches) in the patches list after normalisation. + numberOfPatches = lib.lists.count (patch: builtins.isAttrs patch) normalisedPatchList; + + # builtins.elemAt's index begins at 0, so we subtract 1 from the number of patches in order to + # produce the range that will be used in the following builtin.map calls. + availablePatchesToTry = lib.lists.range 0 (numberOfPatches - 1); + + # Takes in an attrByPath input, and outputs the attribute value for each patch in a list. + # If a patch does not have a given attribute, returns `null`. 
Use lib.lists.remove null + # to remove these junk values, if necessary. + retrievePatchAttributes = + attributeName: + builtins.map ( + x: lib.attrsets.attrByPath attributeName null (builtins.elemAt normalisedPatchList x) + ) availablePatchesToTry; + + # Produces a list of newline-separated strings that lists the vulnerabilities this + # Xen is NOT affected by, due to the applied Xen Security Advisory patches. This is + # then used in meta.longDescription, to let users know their Xen is patched against + # known vulnerabilities, as the package version isn't always the best indicator. + # + # Produces something like this: (one string for each XSA) + # * [Xen Security Advisory #1](https://xenbits.xenproject.org/xsa/advisory-1.html): **Title for XSA.** + # >Description of issue in XSA + #Extra lines + #are not indented, + #but markdown should be + #fine with it. + # Fixes: + # * [CVE-1999-00001](https://www.cve.org/CVERecord?id=CVE-1999-00001) + # * [CVE-1999-00002](https://www.cve.org/CVERecord?id=CVE-1999-00002) + # * [CVE-1999-00003](https://www.cve.org/CVERecord?id=CVE-1999-00003) + writeAdvisoryDescription = + if (lib.lists.remove null (retrievePatchAttributes [ "xsa" ]) != [ ]) then + lib.lists.zipListsWith (a: b: a + b) + (lib.lists.zipListsWith (a: b: a + "**" + b + ".**\n >") + (lib.lists.zipListsWith (a: b: "* [Xen Security Advisory #" + a + "](" + b + "): ") + (lib.lists.remove null (retrievePatchAttributes [ "xsa" ])) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "homepage" + ]) + ) + ) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "description" + ]) + ) + ) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "longDescription" + ]) + ) + else + [ ]; + + withTools = + attr: file: + withPrefetchedSources ( + name: source: + lib.strings.optionalString (builtins.hasAttr attr source) '' + echo "processing ${name}" + __do() { + cd "tools/${name}" + ${file name source} + } + ( __do ) + '' + ); + + # 
Originally, there were two versions of binutils being used: the standard one and + # this patched one. Unfortunately, that required patches to the Xen Makefiles, and + # quickly became too complex to maintain. The new solution is to simply build this + # efi-binutils derivation and use it for the whole build process, except if + # enableEFI is disabled; it'll then use `binutils`. efiBinutils = binutils-unwrapped.overrideAttrs (oldAttrs: { name = "efi-binutils"; - configureFlags = oldAttrs.configureFlags ++ [ - "--enable-targets=x86_64-pep" - ]; - doInstallCheck = false; # We get a spurious failure otherwise, due to host/target mis-match + configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ]; + doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch. }); in -stdenv.mkDerivation (rec { - inherit (config) version; - - name = "xen-${version}"; +stdenv.mkDerivation (finalAttrs: { + inherit pname; + inherit version; - dontUseCmakeConfigure = true; - - hardeningDisable = [ "stackprotector" "fortify" "pic" ]; - - nativeBuildInputs = [ pkg-config cmake ]; - buildInputs = [ - which - - # Xen - bison bzip2 checkpolicy dev86 figlet flex gettext glib acpica-tools libaio - libiconv libuuid ncurses openssl perl python3Packages.python xz yajl zlib - - # oxenstored - ocamlPackages.findlib ocamlPackages.ocaml systemd + outputs = [ + "out" # TODO: Split $out in $bin for binaries and $lib for libraries. + "man" # Manual pages for Xen userspace utilities. + "doc" # The full Xen documentation in HTML format. + "dev" # Development headers. + "boot" # xen.gz kernel, policy file if Flask is enabled, xen.efi if EFI is enabled. + ]; - # Python fixes - python3Packages.wrapPython + # Main Xen source. + src = fetchgit { + url = "https://xenbits.xen.org/git-http/xen.git"; + inherit (pkg.xen) rev; + inherit (pkg.xen) hash; + }; + + # Gets the patches from the pkg.xen.patches attribute from the versioned files. 
+ patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; + + nativeBuildInputs = + [ + autoPatchelfHook + bison + cmake + fig2dev + imagemagick # Causes build failures in Hydra related to fig generation if not included. + flex + pandoc + pkg-config + ] + ++ lib.lists.optionals withInternalQEMU [ + ninja + python311Packages.sphinx + ]; + buildInputs = + [ + # Xen + acpica-tools + bzip2 + dev86 + e2fsprogs.dev + libnl + libuuid + lzo + ncurses + perl + python311Packages.python + xz + yajl + zlib + zstd + + # oxenstored + ocamlPackages.findlib + ocamlPackages.ocaml + systemdMinimal + + # Python Fixes + python311Packages.wrapPython + ] + ++ lib.lists.optionals withInternalQEMU [ + glib + pixman + ] + ++ lib.lists.optional withInternalOVMF nasm + ++ lib.lists.optional withFlask checkpolicy; + + configureFlags = + [ "--enable-systemd" ] + ++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu" + + ++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios" + ++ lib.lists.optional (!withInternalSeaBIOS && !withSeaBIOS) "--disable-seabios" + + ++ lib.lists.optional withOVMF "--with-system-ovmf=${OVMF.firmware}" + ++ lib.lists.optional withInternalOVMF "--enable-ovmf" + + ++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}" + ++ lib.lists.optional withInternalIPXE "--enable-ipxe"; + + makeFlags = + [ + "PREFIX=$(out)" + "CONFIG_DIR=/etc" + "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" + "XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts" + "BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions" + ] + ++ lib.lists.optionals withEFI [ + "EFI_VENDOR=${efiVendor}" + "INSTALL_EFI_STRIP=1" + "LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above. + ] + # These flags set the CONFIG_* options in /boot/xen.config + # and define if the default policy file is built. However, + # the Flask binaries always get compiled by default. 
+ ++ lib.lists.optionals withFlask [ + "XSM_ENABLE=y" + "FLASK_ENABLE=y" + ] + ++ (pkg.xen.makeFlags or [ ]); + + buildFlags = [ + "xen" # Build the Xen Hypervisor. + "tools" # Build the userspace tools, such as `xl`. + "docs" # Build the Xen Documentation + # TODO: Enable the Stubdomains target. This requires another pre-fetched source: mini-os. Currently, Xen appears to build a limited version of stubdomains which does not include mini-os. + # "stubdom" + ]; - # Documentation - python3Packages.markdown fig2dev ghostscript texinfo pandoc + enableParallelBuilding = true; - # Others - ] ++ (concatMap (x: x.buildInputs or []) (attrValues config.xenfiles)) - ++ (config.buildInputs or []); + env.NIX_CFLAGS_COMPILE = builtins.toString ( + [ + "-Wno-error=maybe-uninitialized" + "-Wno-error=array-bounds" + ] + ++ lib.lists.optionals withInternalOVMF [ + "-Wno-error=format-security" + "-Wno-error=use-after-free" + "-Wno-error=vla-parameter" + "-Wno-error=dangling-pointer" + "-Wno-error=stringop-overflow" + ] + ); - prePatch = '' - ### Generic fixes + dontUseCmakeConfigure = true; + dontUseNinjaBuild = withInternalQEMU; + prePatch = # Xen's stubdoms, tools and firmwares need various sources that # are usually fetched at build time using wget and git. We can't - # have that, so we prefetch them in nix-expression and setup - # fake wget and git for debugging purposes. 
- - mkdir fake-bin - - # Fake git: just print what it wants and die - cat > fake-bin/wget << EOF - #!${stdenv.shell} -e - echo ===== FAKE WGET: Not fetching \$* - [ -e \$3 ] - EOF - - # Fake git: just print what it wants and die - cat > fake-bin/git << EOF - #!${stdenv.shell} - echo ===== FAKE GIT: Not cloning \$* - [ -e \$3 ] - EOF - - chmod +x fake-bin/* - export PATH=$PATH:$PWD/fake-bin - - # Remove in-tree qemu stuff in case we build from a tar-ball - rm -rf tools/qemu-xen tools/qemu-xen-traditional - - # Fix shebangs, mainly for build-scripts - # We want to do this before getting prefetched stuff to speed things up - # (prefetched stuff has lots of files) - find . -type f | xargs sed -i 's@/usr/bin/\(python\|perl\)@/usr/bin/env \1@g' - find . -type f -not -path "./tools/hotplug/Linux/xendomains.in" \ - | xargs sed -i 's@/bin/bash@${stdenv.shell}@g' - - # Get prefetched stuff - ${withXenfiles (name: x: '' - echo "${x.src} -> tools/${name}" - cp -r ${x.src} tools/${name} - chmod -R +w tools/${name} - '')} - ''; - - patches = [ - ] ++ (config.patches or []); - - postPatch = '' - ### Hacks - - # Work around a bug in our GCC wrapper: `gcc -MF foo -v' doesn't - # print the GCC version number properly. - substituteInPlace xen/Makefile \ - --replace '$(CC) $(CFLAGS) -v' '$(CC) -v' - - # Hack to get `gcc -m32' to work without having 32-bit Glibc headers. 
- mkdir -p tools/include/gnu - touch tools/include/gnu/stubs-32.h - - ### Fixing everything else - - substituteInPlace tools/libfsimage/common/fsimage_plugin.c \ - --replace /usr $out - - substituteInPlace tools/misc/xenpvnetboot \ - --replace /usr/sbin/mount ${util-linux}/bin/mount \ - --replace /usr/sbin/umount ${util-linux}/bin/umount - - substituteInPlace tools/xenmon/xenmon.py \ - --replace /usr/bin/pkill ${procps}/bin/pkill - - ${optionalString (builtins.compareVersions config.version "4.8" >= 0) '' + # have that, so we pre-fetch them in the versioned Nix expressions, + # and produce fake wget and git executables for debugging purposes. + # + # We also produce a fake hostname executable to prevent spurious + # command-not-found errors during compilation. + # + # The snippet below produces executables that simply print in stdout + # what they were supposed to fetch, and exit gracefully. + '' + mkdir fake-bin + + cat > fake-bin/wget << EOF + #!${stdenv.shell} -e + echo ===== FAKE WGET: Not fetching \$* + [ -e \$3 ] + EOF + + cat > fake-bin/git << EOF + #!${stdenv.shell} + echo ===== FAKE GIT: Not cloning \$* + [ -e \$3 ] + EOF + + cat > fake-bin/hostname << EOF + #!${stdenv.shell} + echo ${efiVendor} + [ -e \$3 ] + EOF + + chmod +x fake-bin/* + export PATH=$PATH:$PWD/fake-bin + '' + + # Remove in-tree QEMU sources, as we either pre-fetch them through + # the versioned Nix expressions if withInternalQEMU is true, or we + # don't build QEMU at all if withInternalQEMU is false. + + '' + rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional + '' + + # The following expression moves the sources we fetched in the + # versioned Nix expressions to their correct locations inside + # the Xen source tree. 
+ + '' + ${withPrefetchedSources ( + name: source: '' + echo "Copying pre-fetched source: ${source.src} -> tools/${name}" + cp --recursive ${source.src} tools/${name} + chmod --recursive +w tools/${name} + '' + )} + ''; + + postPatch = + # The following patch forces Xen to install xen.efi on $out/boot + # instead of $out/boot/efi/efi/nixos, as the latter directory + # would otherwise need to be created manually. This also creates + # a more consistent output for downstreams who override the + # efiVendor attribute above. + '' + substituteInPlace xen/Makefile \ + --replace-fail "\$(D)\$(EFI_MOUNTPOINT)/efi/\$(EFI_VENDOR)/\$(T)-\$(XEN_FULLVERSION).efi" \ + "\$(D)\$(BOOT_DIR)/\$(T)-\$(XEN_FULLVERSION).efi" + '' + + # The following patch fixes the call to /bin/mkdir on the + # launch_xenstore.sh helper script. + + '' substituteInPlace tools/hotplug/Linux/launch-xenstore.in \ - --replace /bin/mkdir mkdir - ''} - - ${optionalString (builtins.compareVersions config.version "4.6" < 0) '' - # TODO: use this as a template and support our own if-up scripts instead? - substituteInPlace tools/hotplug/Linux/xen-backend.rules.in \ - --replace "@XEN_SCRIPT_DIR@" $out/etc/xen/scripts - - # blktap is not provided by xen, but by xapi - sed -i '/blktap/d' tools/hotplug/Linux/xen-backend.rules.in - ''} - - ${withTools "patches" (name: x: '' - ${concatMapStringsSep "\n" (p: '' - echo "# Patching with ${p}" - patch -p1 < ${p} - '') x.patches} - '')} - - ${withTools "postPatch" (name: x: x.postPatch)} - - ${config.postPatch or ""} - ''; - - postConfigure = '' - substituteInPlace tools/hotplug/Linux/xendomains \ - --replace /bin/ls ls - ''; - - EFI_LD = "${efiBinutils}/bin/ld"; - EFI_VENDOR = "nixos"; - - # TODO: Flask needs more testing before enabling it by default. 
- #makeFlags = [ "XSM_ENABLE=y" "FLASK_ENABLE=y" "PREFIX=$(out)" "CONFIG_DIR=/etc" "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" ]; - makeFlags = [ "PREFIX=$(out) CONFIG_DIR=/etc" "XEN_SCRIPT_DIR=/etc/xen/scripts" ] - ++ (config.makeFlags or []); - - preBuild = '' - ${config.preBuild or ""} - ''; - - buildFlags = [ "xen" "tools" ]; + --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" + '' + + # The following expression fixes the paths called by Xen's systemd + # units, so we can use them in the NixOS module. + + '' + substituteInPlace \ + tools/hotplug/Linux/systemd/{xen-init-dom0,xen-qemu-dom0-disk-backend,xenconsoled,xendomains,xenstored}.service.in \ + --replace-fail /bin/grep ${gnugrep}/bin/grep + substituteInPlace \ + tools/hotplug/Linux/systemd/{xen-qemu-dom0-disk-backend,xenconsoled}.service.in \ + --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" + '' + + # The following expression applies the patches defined on each + # prefetchedSources attribute. + + '' + ${withTools "patches" ( + name: source: '' + ${lib.strings.concatMapStringsSep "\n" (patch: '' + echo "Patching with ${patch}" + patch --strip 1 < ${patch} + '') source.patches} + '' + )} + + ${withTools "postPatch" (name: source: source.postPatch)} + + ${pkg.xen.postPatch or ""} + ''; + + preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild; postBuild = '' - make -C docs man-pages - - ${withTools "buildPhase" (name: x: x.buildPhase)} - ''; - - installPhase = '' - mkdir -p $out $out/share $out/share/man - cp -prvd dist/install/nix/store/*/* $out/ - cp -prvd dist/install/boot $out/boot - cp -prvd dist/install/etc $out - cp -dR docs/man1 docs/man5 $out/share/man/ - - ${withTools "installPhase" (name: x: x.installPhase)} - - # Hack - substituteInPlace $out/etc/xen/scripts/hotplugpath.sh \ - --replace SBINDIR=\"$out/sbin\" SBINDIR=\"$out/bin\" + ${withTools "buildPhase" (name: source: source.buildPhase)} - wrapPythonPrograms - # We also need to wrap 
pygrub, which lies in lib - wrapPythonProgramsIn "$out/lib" "$out $pythonPath" - - shopt -s extglob - for i in $out/etc/xen/scripts/!(*.sh); do - sed -i "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i - done + ${pkg.xen.postBuild or ""} ''; - enableParallelBuilding = true; + installPhase = + let + cpFlags = builtins.toString [ + "--preserve=mode,ownership,timestamps,link" + "--recursive" + "--verbose" + "--no-dereference" + ]; + in + # Run the preInstall tasks. + '' + runHook preInstall + '' + + # Create $out directories and copy build output. + + '' + mkdir --parents $out $out/share $boot + cp ${cpFlags} dist/install/nix/store/*/* $out/ + cp ${cpFlags} dist/install/etc $out + cp ${cpFlags} dist/install/boot $boot + '' + + # Run the postInstall tasks. + + '' + runHook postInstall + ''; + + postInstall = + # Wrap xencov_split, xenmon and xentrace_format. + '' + wrapPythonPrograms + '' + + # We also need to wrap pygrub, which lies in $out/libexec/xen/bin. + + '' + wrapPythonProgramsIn "$out/libexec/xen/bin" "$out $pythonPath" + '' + + # Fix shebangs in Xen's various scripts. + #TODO: Remove any and all usage of `sed` and replace these complicated magic runes with readable code. + + '' + shopt -s extglob + for i in $out/etc/xen/scripts/!(*.sh); do + sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i + done + '' + + + '' + ${withTools "installPhase" (name: source: source.installPhase)} + + ${pkg.xen.installPhase or ""} + ''; + + postFixup = + # Fix binaries in $out/libexec/xen/bin. + '' + addAutoPatchelfSearchPath $out/lib + autoPatchelf $out/libexec/xen/bin + '' + # Flask is particularly hard to disable. Even after + # setting the make flags to `n`, it still gets compiled. + # If withFlask is disabled, delete the extra binaries. 
+ + lib.strings.optionalString (!withFlask) '' + rm -f $out/bin/flask-* + ''; + + passthru = { + efi = + if withEFI then "boot/xen-${version}.efi" else throw "This Xen was compiled without an EFI binary."; + flaskPolicy = + if withFlask then + "boot/xenpolicy-${version}" + else + throw "This Xen was compiled without FLASK support."; + qemu-system-i386 = + if withInternalQEMU then + "libexec/xen/bin/qemu-system-i386" + else + throw "This Xen was compiled without a built-in QEMU."; + # This test suite is very simple, as Xen's userspace + # utilities require the hypervisor to be booted. + tests = { + pkg-config = testers.hasPkgConfigModules { + package = finalAttrs.finalPackage; + moduleNames = [ + "xencall" + "xencontrol" + "xendevicemodel" + "xenevtchn" + "xenforeignmemory" + "xengnttab" + "xenguest" + "xenhypfs" + "xenlight" + "xenstat" + "xenstore" + "xentoolcore" + "xentoollog" + "xenvchan" + "xlutil" + ]; + }; + }; + }; - # TODO(@oxij): Stop referencing args here meta = { - homepage = "http://www.xen.org/"; - description = "Xen hypervisor and related components" - + optionalString (args ? meta && args.meta ? description) - " (${args.meta.description})"; - longDescription = (args.meta.longDescription or "") - + "\nIncludes:\n" - + withXenfiles (name: x: "* ${name}: ${x.meta.description or "(No description)"}."); - platforms = [ "x86_64-linux" ]; - maintainers = [ ]; - license = lib.licenses.gpl2; - knownVulnerabilities = [ - # https://www.openwall.com/lists/oss-security/2023/03/21/1 - # Affects 3.2 (at *least*) - 4.17 - "CVE-2022-42332" - # https://www.openwall.com/lists/oss-security/2023/03/21/2 - # Affects 4.11 - 4.17 - "CVE-2022-42333" - "CVE-2022-42334" - # https://www.openwall.com/lists/oss-security/2023/03/21/3 - # Affects 4.15 - 4.17 - "CVE-2022-42331" - # https://xenbits.xen.org/docs/unstable/support-matrix.html - ] ++ lib.optionals (lib.versionOlder version "4.15") [ - "This version of Xen has reached its end of life. 
See https://xenbits.xen.org/docs/unstable/support-matrix.html" + inherit branch; + # Short description for Xen. + description = + "Xen Hypervisor" + # The "and related components" addition is automatically hidden if said components aren't being built. + + lib.strings.optionalString (prefetchedSources != { }) " and related components" + # To alter the description inside the paranthesis, edit ./packages.nix. + + lib.strings.optionalString (lib.attrsets.hasAttrByPath [ + "meta" + "description" + ] packageDefinition) " (${packageDefinition.meta.description})"; + # Long description for Xen. + longDescription = + # Starts with the longDescription from ./packages.nix. + (packageDefinition.meta.longDescription or "") + + lib.strings.optionalString (!withInternalQEMU) ( + "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" + + lib.strings.optionalString latest " or `qemu_xen`" + + ".\n" + ) + # Then, if any of the optional with* components are being built, add the "Includes:" string. + + + lib.strings.optionalString + ( + withInternalQEMU + || withInternalSeaBIOS + || withInternalOVMF + || withInternalIPXE + || withEFI + || withFlask + ) + ( + "\nIncludes:" + # Originally, this was a call for the complicated withPrefetchedSources. Since there aren't + # that many optional components, we just use lib.strings.optionalString, because it's simpler. + # Optional components that aren't being built are automatically hidden. + + lib.strings.optionalString withEFI "\n* `xen.efi`: Xen's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package." + + lib.strings.optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package." 
+ + lib.strings.optionalString withInternalQEMU "\n* `qemu-xen`: Xen's mirror of [QEMU](https://www.qemu.org/)." + + lib.strings.optionalString withInternalSeaBIOS "\n* `seabios-xen`: Xen's mirror of [SeaBIOS](https://www.seabios.org/SeaBIOS)." + + lib.strings.optionalString withInternalOVMF "\n* `ovmf-xen`: Xen's mirror of [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF)." + + lib.strings.optionalString withInternalIPXE "\n* `ipxe-xen`: Xen's pinned version of [iPXE](https://ipxe.org/)." + ) + # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to. + # This will hopefully give users the peace of mind that their Xen is secure, without needing + # to search the source code for the XSA patches. + + lib.strings.optionalString (writeAdvisoryDescription != [ ]) ( + "\n\nThis Xen (${version}) has been patched against the following known security vulnerabilities:\n" + + lib.strings.removeSuffix "\n" (lib.strings.concatLines writeAdvisoryDescription) + ); + homepage = "https://xenproject.org/"; + downloadPage = "https://downloads.xenproject.org/release/xen/${version}/"; + changelog = "https://wiki.xenproject.org/wiki/Xen_Project_${branch}_Release_Notes"; + license = with lib.licenses; [ + # Documentation. + cc-by-40 + # Most of Xen is licensed under the GPL v2.0. + gpl2Only + # Xen Libraries and the `xl` command-line utility. + lgpl21Only + # Development headers in $dev/include. + mit + ]; + maintainers = [ lib.maintainers.sigmasquadron ]; + mainProgram = "xl"; + # Evaluates to x86_64-linux. + platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64; + knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [ + "Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html" ]; - } // (config.meta or {}); -} // removeAttrs config [ "xenfiles" "buildInputs" "patches" "postPatch" "meta" ]) + }; +}) 
diff --git a/pkgs/applications/virtualization/xen/packages.nix b/pkgs/applications/virtualization/xen/packages.nix index c55a719995c0b..96bd42e052013 100644 --- a/pkgs/applications/virtualization/xen/packages.nix +++ b/pkgs/applications/virtualization/xen/packages.nix 
@@ -1,58 +1,68 @@ -{ callPackage - -}: - -# TODO(@oxij) on new Xen version: generalize this to generate [vanilla slim -# light] for each ./<version>.nix. - -rec { - xen_4_15-vanilla = callPackage ./4.15.nix { +{ callPackage }: +let + standard = { meta = { - description = "vanilla"; + description = "Standard Xen"; longDescription = '' - Vanilla version of Xen. Uses forks of Qemu and Seabios bundled - with Xen. This gives vanilla experince, but wastes space and - build time: typical NixOS setup that runs lots of VMs will - build three different versions of Qemu when using this (two - forks and upstream). + Standard version of Xen. Uses forks of QEMU, SeaBIOS, OVMF and iPXE provided + by the Xen Project. This provides the vanilla Xen experince, but wastes space + and build time. A typical NixOS setup that runs lots of VMs will usually need + to build two different versions of QEMU when using this Xen derivation (one + fork and upstream). ''; }; }; - - xen_4_15-slim = xen_4_15-vanilla.override { - withInternalQemu = false; - withInternalTraditionalQemu = true; - withInternalSeabios = false; - withSeabios = true; - + slim = { meta = { - description = "slim"; + description = "Without Internal Components"; longDescription = '' - Slimmed-down version of Xen that reuses nixpkgs packages as - much as possible. Different parts may get out of sync, but - this builds faster and uses less space than vanilla. Use with - `qemu_xen` from nixpkgs. + Slimmed-down version of Xen that reuses nixpkgs packages as much as possible. + Instead of using the Xen forks for various internal components, this version uses + `seabios`, `ovmf` and `ipxe` from nixpkgs. These components may ocasionally get + out of sync with the hypervisor itself, but this builds faster and uses less space + than the default derivation. ''; }; }; +in +# TODO: generalise this to automatically generate both Xen variants for each ./<version>/default.nix. 
+rec { + xen_4_19 = callPackage ./4.19/default.nix { inherit (standard) meta; }; + xen_4_19-slim = xen_4_19.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; - xen_4_15-light = xen_4_15-vanilla.override { - withInternalQemu = false; - withInternalTraditionalQemu = false; - withInternalSeabios = false; - withSeabios = true; + xen_4_18 = callPackage ./4.18/default.nix { inherit (standard) meta; }; + xen_4_18-slim = xen_4_18.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; - meta = { - description = "light"; - longDescription = '' - Slimmed-down version of Xen without `qemu-traditional` (you - don't need it if you don't know what it is). Use with - `qemu_xen-light` from nixpkgs. - ''; - }; + xen_4_17 = callPackage ./4.17/default.nix { inherit (standard) meta; }; + xen_4_17-slim = xen_4_17.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; + + xen_4_16 = callPackage ./4.16/default.nix { inherit (standard) meta; }; + xen_4_16-slim = xen_4_16.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; }; - xen-vanilla = xen_4_15-vanilla; - xen-slim = xen_4_15-slim; - xen-light = xen_4_15-light; + xen = xen_4_19; + xen-slim = xen_4_19-slim; } diff --git a/pkgs/applications/virtualization/xen/patches.nix b/pkgs/applications/virtualization/xen/patches.nix new file mode 100644 index 0000000000000..7236fcf28e0f6 --- /dev/null +++ b/pkgs/applications/virtualization/xen/patches.nix 
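Review bot: The four `*-slim` attributes repeat the same five-line override verbatim, so a future flag (say `withInternalOVMF` being renamed, or a new `withInternal*` toggle) has to be edited in four places and can silently drift between branches; a small helper in the `let` block would keep them in lockstep, which is what the `TODO` above `rec` already asks for. Two typos in the new descriptions would also be good to fix while here: `experince` → `experience` in `standard.meta.longDescription` and `ocasionally` → `occasionally` in `slim.meta.longDescription`.
```nix
let
  # … unchanged: standard / slim meta definitions …
  withoutInternalComponents = xen: xen.override {
    withInternalQEMU = false;
    withInternalSeaBIOS = false;
    withInternalOVMF = false;
    withInternalIPXE = false;
    inherit (slim) meta;
  };
in
rec {
  xen_4_19 = callPackage ./4.19/default.nix { inherit (standard) meta; };
  xen_4_19-slim = withoutInternalComponents xen_4_19;
  # … unchanged: 4.18, 4.17 and 4.16 follow the same two-line pattern …
```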
@@ -0,0 +1,117 @@ +# Patching Xen? Check the XSAs at https://xenbits.xen.org/xsa/ +# and try applying all the ones we haven't gotten around to +# yet, if any are necessary. Patches from other downstreams +# are also welcome if they fix important issues with vanilla Xen. + +{ lib, fetchpatch }: + +let + xsaPatch = + { + id, + title, + description, + type ? "xsa", + hash ? "", + cve ? null, + }: + (fetchpatch { + name = + "XSA-" + id + lib.strings.optionalString (cve != null) ("-" + builtins.concatStringsSep "+" cve); + url = "https://xenbits.xen.org/xsa/xsa${id}.patch"; + inherit hash; + passthru = { + xsa = id; + inherit type; + }; + meta = { + description = title; + longDescription = + description + + "\n" + + ( + if (cve == null) then + # Why the two spaces preceding these CVE messages? + # This is parsed by writeAdvisoryDescription in generic.nix, + # and doing this was easier than messing with lib.strings even more. + " _No CVE was assigned to this XSA._" + else + " Fixes:${ + lib.strings.concatMapStrings ( + x: "\n * [" + x + "](https://www.cve.org/CVERecord?id=" + x + ")" + ) cve + }" + ); + homepage = "https://xenbits.xenproject.org/xsa/advisory-${id}.html"; + }; + }); + qubesPatch = + { + name, + tag, + type ? "qubes", + hash ? "", + }: + (fetchpatch { + inherit name; + url = "https://raw.githubusercontent.com/QubesOS/qubes-vmm-xen/v${tag}/${name}.patch"; + inherit hash; + passthru.type = type; + }); +in +{ + # Example patches: + # + # "XSA_100" = xsaPatch { + # id = "100"; + # title = "Verbatim Title of XSA"; + # description = '' + # Verbatim description of XSA. + # ''; + # cve = [ "CVE-1999-0001" "CVE-1999-0002" ]; # Not all XSAs have CVEs. This attribute is optional. 
+ # hash = "sha256-0000000000000000000000000000000000000000000000000000"; + # }; + # + # "QUBES_libxl-fix-all-issues" = qubesPatch { + # name = "1000-libxl-fix-all-issues"; + # tag = "4.20.0-1"; + # hash = "sha256-0000000000000000000000000000000000000000000000000000"; + # }; + + # Build reproducibility patches for Xen. + # Qubes OS has not updated them to later versions of Xen yet, + # but they appear to work on Xen 4.17.4 - 4.19.0. + QUBES_REPRODUCIBLE_BUILDS = [ + (qubesPatch { + name = "1100-Define-build-dates-time-based-on-SOURCE_DATE_EPOCH"; + tag = "4.17.4-5"; + hash = "sha256-OwKA9oPTwhRcSmiOb+PxzifbO/IG8IHWlvddFh/nP6s="; + }) + (qubesPatch { + name = "1101-docs-rename-DATE-to-PANDOC_REL_DATE-and-allow-to-spe"; + tag = "4.17.4-5"; + hash = "sha256-BUtYt0mM3bURVaGv4oDznzxx1Wo4sfOpGV5GB8qc5Ns="; + }) + (qubesPatch { + name = "1102-docs-xen-headers-use-alphabetical-sorting-for-incont"; + tag = "4.17.4-5"; + hash = "sha256-mQUp2w9lUb7KDq5MuPQjs6y7iuMDeXoZjDjlXfa5z44="; + }) + ]; + + # Xen Security Advisory #458: (4.16 - 4.19-rc3) + "XSA_458" = xsaPatch { + id = "458"; + title = "Double unlock in x86 guest IRQ handling"; + description = '' + An optional feature of PCI MSI called "Multiple Message" allows a device + to use multiple consecutive interrupt vectors. Unlike for MSI-X, the + setting up of these consecutive vectors needs to happen all in one go. + In this handling an error path could be taken in different situations, + with or without a particular lock held. This error path wrongly releases + the lock even when it is not currently held. + ''; + cve = [ "CVE-2024-31143" ]; + hash = "sha256-yHI9Sp/7Ed40iIYQ/HOOIULlfzAzL0c0MGqdF+GR+AQ="; + }; +} diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh new file mode 100755 index 0000000000000..0b0c7516fa835 --- /dev/null +++ b/pkgs/applications/virtualization/xen/update.sh 
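Review bot: `xsaPatch` derives the download URL solely from `id` (`https://xenbits.xen.org/xsa/xsa${id}.patch`), but XSAs frequently ship one patch per stable branch; the file being deleted in this same commit relied on that with names like `190-4.5` and `200-4.6`, and `update.sh` feeds the single `XSA_458` attribute to every branch it generates. A mismatched branch patch will at least fail loudly in `patch --strip 1`, but the type cannot express a per-branch file at all; adding an optional `suffix ? ""` and using `url = "https://xenbits.xen.org/xsa/xsa${id}${suffix}.patch";` (with the suffix also folded into `name`) keeps XSA-458 working while leaving room for the next branch-specific advisory. The `hash ? ""` default is worth a comment too: an entry can then evaluate without a pin, and as far as I can tell fetchpatch fails at build time with a hash mismatch rather than accepting an unpinned download, but making `hash` a required argument would state that intent rather than rely on it.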
@@ -0,0 +1,194 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style +# shellcheck disable=SC2206,SC2207 shell=bash +set -e + +# Set a temporary $HOME in /tmp for GPG. +HOME=/tmp/xenUpdateScript + +# This script expects to be called in an interactive terminal somewhere inside Nixpkgs. +echo "Preparing..." +nixpkgs=$(git rev-parse --show-toplevel) +xenPath="$nixpkgs/pkgs/applications/virtualization/xen" +rm -rf /tmp/xenUpdateScript +mkdir /tmp/xenUpdateScript + +# Import and verify PGP key. +curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9 +gpg --quiet --import /tmp/xenUpdateScript/xen.asc +fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" +echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m." +read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint +userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"} + +# Clone xen.git. +echo -e "Cloning \e[1;34mxen.git\e[0m..." +git clone --quiet https://xenbits.xen.org/git-http/xen.git /tmp/xenUpdateScript/xen +cd /tmp/xenUpdateScript/xen + +# Get list of versions and branches. +versionList="$(git tag --list "RELEASE-*" | sed s/RELEASE-//g | sed s/4.1.6.1//g | sort --numeric-sort)" +latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1) +branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++')) + +# Figure out which versions we're actually going to install. 
+minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)" +supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done)) +supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done)) + +# Main loop that installs every supportedVersion. +for version in "${supportedVersions[@]}"; do + echo -e "\n------------------------------------------------" + branch=${version/%.[0-9]/} + if [[ "$version" == "$latestVersion" ]]; then + latest=true + echo -e "\nFound \e[1;34mlatest\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m." + else + latest=false + echo -e "\nFound \e[1;33msecurity-supported\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m." + fi + + # Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted. 
+ cd /tmp/xenUpdateScript/xen + if [[ "$fingerprint" = "$userInputFingerprint" ]]; then + echo "$fingerprint:6:" | gpg --quiet --import-ownertrust + (git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1) + else + echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1 + fi + + git switch --quiet --detach RELEASE-"$version" + + # Originally we told people to go check the Makefile themselves. + echo -e "\nDetermining source versions from Xen Makefiles..." + qemuVersion="$(grep -ie "QEMU_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"QEMU_UPSTREAM_REVISION ?= "//g)" + seaBIOSVersion="$(grep -ie "SEABIOS_UPSTREAM_REVISION ?= rel-" /tmp/xenUpdateScript/xen/Config.mk | sed s/"SEABIOS_UPSTREAM_REVISION ?= "//g)" + ovmfVersion="$(grep -ie "OVMF_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"OVMF_UPSTREAM_REVISION ?= "//g)" + ipxeVersion="$(grep -ie "IPXE_GIT_TAG :=" /tmp/xenUpdateScript/xen/tools/firmware/etherboot/Makefile | sed s/"IPXE_GIT_TAG := "//g)" + + # Use `nix-prefetch-git` to fetch `rev`s and `hash`es. + echo "Pre-fetching sources and determining hashes..." + echo -e -n " \e[1;32mXen\e[0m..." 
+ fetchXen=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/xen.git --rev RELEASE-"$version" --quiet) + finalVersion="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + hash="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mQEMU\e[0m..." + fetchQEMU=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/qemu-xen.git --rev "$qemuVersion" --quiet --fetch-submodules) + finalQEMUVersion="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + qemuHash="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mSeaBIOS\e[0m..." + fetchSeaBIOS=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/seabios.git --rev "$seaBIOSVersion" --quiet) + finalSeaBIOSVersion="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + seaBIOSHash="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mOVMF\e[0m..." + ovmfHash="$(nix-prefetch-git --url https://xenbits.xen.org/git-http/ovmf.git --rev "$ovmfVersion" --quiet --fetch-submodules | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)" + echo "done!" + echo -e -n " \e[1;36miPXE\e[0m..." + ipxeHash="$(nix-prefetch-git --url https://github.com/ipxe/ipxe.git --rev "$ipxeVersion" --quiet | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)" + echo "done!" 
+ + cd "$xenPath" + + echo -e "\nFound the following revisions:\n \e[1;32mXen\e[0m: \e[1;33m$finalVersion\e[0m (\e[1;33m$hash\e[0m)\n \e[1;36mQEMU\e[0m: \e[1;33m$finalQEMUVersion\e[0m (\e[1;33m$qemuHash\e[0m)\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$finalSeaBIOSVersion\e[0m (\e[1;33m$seaBIOSHash\e[0m)\n \e[1;36mOVMF\e[0m: \e[1;33m$ovmfVersion\e[0m (\e[1;33m$ovmfHash\e[0m)\n \e[1;36miPXE\e[0m: \e[1;33m$ipxeVersion\e[0m (\e[1;33m$ipxeHash\e[0m)" + + # Set OCaml Version + read -r -p $'\nEnter the corresponding \e[1;33mOCaml\e[0m version for \e[1;32mXen '"$version"$'\e[0m, or press \e[1;34menter\e[0m for the default value of \e[1;32m4_14\e[0m: ' ocamlVersion + ocamlVersion=${ocamlVersion:-"4_14"} + + mkdir -p "$branch"/ + rm -f "$branch"/default.nix + + # Prepare any .patch files that are called by Nix through a path value. + echo -e "\nPlease add any required patches to version \e[1;32m$branch\e[0m in \e[1;34m$branch/\e[0m, and press \e[1;34menter\e[0m when done." + read -r -p $'Remember to follow the naming specification as defined in \e[1;34m./README.md\e[0m.' + + echo -e "\nDiscovering patches..." 
+ discoveredXenPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-xen-*-$branch.patch" -printf "./%f ")" + discoveredQEMUPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-qemu-*-$branch.patch" -printf "./%f ")" + discoveredSeaBIOSPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-seabios-*-$branch.patch" -printf "./%f ")" + discoveredOVMFPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ovmf-*-$branch.patch" -printf "./%f ")" + discoveredIPXEPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ipxe-*-$branch.patch" -printf "./%f ")" + + discoveredXenPatchesEcho=${discoveredXenPatches:-"\e[1;31mNone found!\e[0m"} + discoveredQEMUPatchesEcho=${discoveredQEMUPatches:-"\e[1;31mNone found!\e[0m"} + discoveredSeaBIOSPatchesEcho=${discoveredSeaBIOSPatches:-"\e[1;31mNone found!\e[0m"} + discoveredOVMFPatchesEcho=${discoveredOVMFPatches:-"\e[1;31mNone found!\e[0m"} + discoveredIPXEPatchesEcho=${discoveredIPXEPatches:-"\e[1;31mNone found!\e[0m"} + + echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m" + + # Prepare patches that are called in ./patches.nix. + defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458") + read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: ' + defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}}) + spaceSeparatedPatchList=${defaultPatchList[*]} + upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}" + + # Write and format default.nix file. 
+ echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..." + cat >"$branch"/default.nix <<EOF +{ + lib, + fetchpatch, + callPackage, + ocaml-ng, + ... +}@genericDefinition: + +let + upstreamPatches = import ../patches.nix { + inherit lib; + inherit fetchpatch; + }; + + upstreamPatchList = lib.lists.flatten [ + $upstreamPatches + ]; +in + +callPackage (import ../generic.nix { + branch = "$branch"; + version = "$version"; + latest = $latest; + pkg = { + xen = { + rev = "$finalVersion"; + hash = "$hash"; + patches = [ $discoveredXenPatches ] ++ upstreamPatchList; + }; + qemu = { + rev = "$finalQEMUVersion"; + hash = "$qemuHash"; + patches = [ $discoveredQEMUPatches ]; + }; + seaBIOS = { + rev = "$finalSeaBIOSVersion"; + hash = "$seaBIOSHash"; + patches = [ $discoveredSeaBIOSPatches ]; + }; + ovmf = { + rev = "$ovmfVersion"; + hash = "$ovmfHash"; + patches = [ $discoveredOVMFPatches ]; + }; + ipxe = { + rev = "$ipxeVersion"; + hash = "$ipxeHash"; + patches = [ $discoveredIPXEPatches ]; + }; + }; +}) ({ ocamlPackages = ocaml-ng.ocamlPackages_$ocamlVersion; } // genericDefinition) +EOF + + echo "Formatting..." + nixfmt "$branch"/default.nix + + echo -e "\n\e[1;32mSuccessfully produced $branch/default.nix.\e[0m" +done + +echo -e -n "\nCleaning up..." +rm -rf /tmp/xenUpdateScript +echo done! diff --git a/pkgs/applications/virtualization/xen/xsa-patches.nix b/pkgs/applications/virtualization/xen/xsa-patches.nix deleted file mode 100644 index d789697a55991..0000000000000 --- a/pkgs/applications/virtualization/xen/xsa-patches.nix +++ /dev/null 
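Review bot: The abort after a failed `git verify-tag RELEASE-"$version"` only happens because the `exit 1` sits in a `( … && exit 1 )` subshell whose non-zero status is then caught by `set -e`; the `exit` itself never leaves the subshell, so the tag-signature check stops being fatal the moment someone runs this with `set +e`, sources it, or copies the line elsewhere. Use a group instead, `git verify-tag RELEASE-"$version" || { echo -e "…Unable to verify tag…"; exit 1; }`, and consider dropping the `2>/dev/null` so gpg's actual reason (expired key, bad signature, missing key) is visible when it does fail. Separately, the fixed `HOME=/tmp/xenUpdateScript` plus `rm -rf`/`mkdir` is a predictable world-writable path that holds the imported keyring and ownertrust for the whole run; `HOME=$(mktemp -d)` with a `trap 'rm -rf "$HOME"' EXIT` avoids another local user pre-creating or swapping that directory while the script runs.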
@@ -1,493 +0,0 @@ -{ fetchpatch }: - -let - xsaPatch = { name , sha256 }: (fetchpatch { - url = "https://xenbits.xen.org/xsa/xsa${name}.patch"; - inherit sha256; - }); -in { - # 4.5 - XSA_190 = (xsaPatch { - name = "190-4.5"; - sha256 = "0f8pw38kkxky89ny3ic5h26v9zsjj9id89lygx896zc3w1klafqm"; - }); - - # 4.5 - XSA_191 = (xsaPatch { - name = "191-4.6"; - sha256 = "1wl1ndli8rflmc44pkp8cw4642gi8z7j7gipac8mmlavmn3wdqhg"; - }); - - # 4.5 - XSA_192 = (xsaPatch { - name = "192-4.5"; - sha256 = "0m8cv0xqvx5pdk7fcmaw2vv43xhl62plyx33xqj48y66x5z9lxpm"; - }); - - # 4.5 - XSA_193 = (xsaPatch { - name = "193-4.5"; - sha256 = "0k9mykhrpm4rbjkhv067f6s05lqmgnldcyb3vi8cl0ndlyh66lvr"; - }); - - # 4.5 - XSA_195 = (xsaPatch { - name = "195"; - sha256 = "0m0g953qnjy2knd9qnkdagpvkkgjbk3ydgajia6kzs499dyqpdl7"; - }); - - # 4.5 - XSA_196 = [ - (xsaPatch { - name = "196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject"; - sha256 = "0z53nzrjvc745y26z1qc8jlg3blxp7brawvji1hx3s74n346ssl6"; - }) - (xsaPatch { - name = "196-0002-x86-svm-Fix-injection-of-software-interrupts"; - sha256 = "11cqvr5jn2s92wsshpilx9qnfczrd9hnyb5aim6qwmz3fq3hrrkz"; - }) - ]; - - # 4.5 - XSA_198 = (xsaPatch { - name = "198"; - sha256 = "0d1nndn4p520c9xa87ixnyks3mrvzcri7c702d6mm22m8ansx6d9"; - }); - - # 4.5 - XSA_200 = (xsaPatch { - name = "200-4.6"; - sha256 = "0k918ja83470iz5k4vqi15293zjvz2dipdhgc9sy9rrhg4mqncl7"; - }); - - # 4.5 - XSA_202_45 = (xsaPatch { - name = "202-4.6"; - sha256 = "0nnznkrvfbbc8z64dr9wvbdijd4qbpc0wz2j5vpmx6b32sm7932f"; - }); - - # 4.5 - XSA_204_45 = (xsaPatch { - name = "204-4.5"; - sha256 = "083z9pbdz3f532fnzg7n2d5wzv6rmqc0f4mvc3mnmkd0rzqw8vcp"; - }); - - # 4.5 - XSA_206_45 = [ - (xsaPatch { - name = "206-4.5/0001-xenstored-apply-a-write-transaction-rate-limit"; - sha256 = "07vsm8mlbxh2s01ny2xywnm1bqhhxas1az31fzwb6f1g14vkzwm4"; - }) - (xsaPatch { - name = "206-4.5/0002-xenstored-Log-when-the-write-transaction-rate-limit-"; - sha256 = "17pnvxjmhny22abwwivacfig4vfsy5bqlki07z236whc2y7yzbsx"; - 
}) - (xsaPatch { - name = "206-4.5/0003-oxenstored-refactor-putting-response-on-wire"; - sha256 = "0xf566yicnisliy82cydb2s9k27l3bxc43qgmv6yr2ir3ixxlw5s"; - }) - (xsaPatch { - name = "206-4.5/0004-oxenstored-remove-some-unused-parameters"; - sha256 = "16cqx9i0w4w3x06qqdk9rbw4z96yhm0kbc32j40spfgxl82d1zlk"; - }) - (xsaPatch { - name = "206-4.5/0005-oxenstored-refactor-request-processing"; - sha256 = "1g2hzlv7w03sqnifbzda85mwlz3bw37rk80l248180sv3k7k6bgv"; - }) - (xsaPatch { - name = "206-4.5/0006-oxenstored-keep-track-of-each-transaction-s-operatio"; - sha256 = "0n65yfxvpfd4cz95dpbwqj3nablyzq5g7a0klvi2y9zybhch9cmg"; - }) - (xsaPatch { - name = "206-4.5/0007-oxenstored-move-functions-that-process-simple-operat"; - sha256 = "0qllvbc9rnj7jhhlslxxs35gvphvih0ywz52jszj4irm23ka5vnz"; - }) - (xsaPatch { - name = "206-4.5/0008-oxenstored-replay-transaction-upon-conflict"; - sha256 = "0lixkxjfzciy9l0f980cmkr8mcsx14c289kg0mn5w1cscg0hb46g"; - }) - (xsaPatch { - name = "206-4.5/0009-oxenstored-log-request-and-response-during-transacti"; - sha256 = "09ph8ddcx0k7rndd6hx6kszxh3fhxnvdjsq13p97n996xrpl1x7b"; - }) - (xsaPatch { - name = "206-4.5/0010-oxenstored-allow-compilation-prior-to-OCaml-3.12.0"; - sha256 = "1y0m7sqdz89z2vs4dfr45cyvxxas323rxar0xdvvvivgkgxawvxj"; - }) - (xsaPatch { - name = "206-4.5/0011-oxenstored-comments-explaining-some-variables"; - sha256 = "1d3n0y9syya4kaavrvqn01d3wsn85gmw7qrbylkclznqgkwdsr2p"; - }) - (xsaPatch { - name = "206-4.5/0012-oxenstored-handling-of-domain-conflict-credit"; - sha256 = "12zgid5y9vrhhpk2syxp0x01lzzr6447fa76n6rjmzi1xgdzpaf8"; - }) - (xsaPatch { - name = "206-4.5/0013-oxenstored-ignore-domains-with-no-conflict-credit"; - sha256 = "0v3g9pm60w6qi360hdqjcw838s0qcyywz9qpl8gzmhrg7a35avxl"; - }) - (xsaPatch { - name = "206-4.5/0014-oxenstored-add-transaction-info-relevant-to-history-"; - sha256 = "0vv3w0h5xh554i9v2vbc8gzm8wabjf2vzya3dyv5yzvly6ygv0sb"; - }) - (xsaPatch { - name = "206-4.5/0015-oxenstored-support-commit-history-tracking"; - sha256 
= "1iv2vy29g437vj73x9p33rdcr5ln2q0kx1b3pgxq202ghbc1x1zj"; - }) - (xsaPatch { - name = "206-4.5/0016-oxenstored-only-record-operations-with-side-effects-"; - sha256 = "1cjkw5ganbg6lq78qsg0igjqvbgph3j349faxgk1p5d6nr492zzy"; - }) - (xsaPatch { - name = "206-4.5/0017-oxenstored-discard-old-commit-history-on-txn-end"; - sha256 = "0lm15lq77403qqwpwcqvxlzgirp6ffh301any9g401hs98f9y4ps"; - }) - (xsaPatch { - name = "206-4.5/0018-oxenstored-track-commit-history"; - sha256 = "1jh92p6vjhkm3bn5vz260npvsjji63g2imsxflxs4f3r69sz1nkd"; - }) - (xsaPatch { - name = "206-4.5/0019-oxenstored-blame-the-connection-that-caused-a-transa"; - sha256 = "17k264pk0fvsamj85578msgpx97mw63nmj0j9v5hbj4bgfazvj4h"; - }) - (xsaPatch { - name = "206-4.5/0020-oxenstored-allow-self-conflicts"; - sha256 = "15z3rd49q0pa72si0s8wjsy2zvbm613d0hjswp4ikc6nzsnsh4qy"; - }) - (xsaPatch { - name = "206-4.5/0021-oxenstored-do-not-commit-read-only-transactions"; - sha256 = "04wpzazhv90lg3228z5i6vnh1z4lzd08z0d0fvc4br6pkd0w4va8"; - }) - (xsaPatch { - name = "206-4.5/0022-oxenstored-don-t-wake-to-issue-no-conflict-credit"; - sha256 = "1shbrn0w68rlywcc633zcgykfccck1a77igmg8ydzwjsbwxsmsjy"; - }) - (xsaPatch { - name = "206-4.5/0023-oxenstored-transaction-conflicts-improve-logging"; - sha256 = "1086y268yh8047k1vxnxs2nhp6izp7lfmq01f1gq5n7jiy1sxcq7"; - }) - (xsaPatch { - name = "206-4.5/0024-oxenstored-trim-history-in-the-frequent_ops-function"; - sha256 = "014zs6i4gzrimn814k5i7gz66vbb0adkzr2qyai7i4fxc9h9r7w8"; - }) - ]; - - # 4.5 - 4.8 - XSA_207 = (xsaPatch { - name = "207"; - sha256 = "0wdlhijmw9mdj6a82pyw1rwwiz605dwzjc392zr3fpb2jklrvibc"; - }); - - # 4.5 - 4.8 - XSA_212 = (xsaPatch { - name = "212"; - sha256 = "1ggjbbym5irq534a3zc86md9jg8imlpc9wx8xsadb9akgjrr1r8d"; - }); - - # 4.5 - XSA_213_45 = (xsaPatch { - name = "213-4.5"; - sha256 = "1vnqf89ydacr5bq3d6z2r33xb2sn5vsd934rncyc28ybc9rvj6wm"; - }); - - # 4.5 - 4.8 - XSA_214 = (xsaPatch { - name = "214"; - sha256 = "0qapzx63z0yl84phnpnglpkxp6b9sy1y7cilhwjhxyigpfnm2rrk"; - 
}); - - # 4.5 - XSA_215 = (xsaPatch { - name = "215"; - sha256 = "0sv8ccc5xp09f1w1gj5a9n3mlsdsh96sdb1n560vh31f4kkd61xs"; - }); - - # 4.5 - XSA_217_45 = (xsaPatch { - name = "217-4.5"; - sha256 = "067pgsfrb9py2dhm1pk9g8f6fs40vyfrcxhj8c12vzamb6svzmn4"; - }); - - # 4.5 - XSA_218_45 = [ - (xsaPatch { - name = "218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures"; - sha256 = "00y6j3yjxw0igpldsavikmhlxw711k2jsj1qx0s05w2k608gadkq"; - }) - (xsaPatch { - name = "218-4.5/0002-gnttab-fix-unmap-pin-accounting-race"; - sha256 = "0qbbfnnjlpdcd29mzmacfmi859k92c213l91q7w1rg2k6pzx928k"; - }) - (xsaPatch { - name = "218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry"; - sha256 = "1cndzvyhf41mk4my6vh3bk9jvh2y4gpmqdhvl9zhxhmppszslqkc"; - }) - (xsaPatch { - name = "218-4.5/0004-gnttab-correct-maptrack-table-accesses"; - sha256 = "02zpb0ffigijacqvyyjylwx3qpgibwslrka7mbxwnclf4s9c03a2"; - }) - ]; - - # 4.5 - XSA_219_45 = (xsaPatch { - name = "219-4.5"; - sha256 = "003msr5vhsc66scmdpgn0lp3p01g4zfw5vj86y5lw9ajkbaywdsm"; - }); - - # 4.5 - XSA_220_45 = (xsaPatch { - name = "220-4.5"; - sha256 = "1dj9nn6lzxlipjb3nb7b9m4337fl6yn2bd7ap1lqrjn8h9zkk1pp"; - }); - - # 4.5 - 4.8 - XSA_221 = (xsaPatch { - name = "221"; - sha256 = "1mcr1nqgxyjrkywdg7qhlfwgz7vj2if1dhic425vgd41p9cdgl26"; - }); - - # 4.5 - XSA_222_45 = [ - (xsaPatch { - name = "222-1-4.6"; - sha256 = "1g4dqm5qx4wqlv1520jpfiscph95vllcp4gqp1rdfailk8xi0mcf"; - }) - (xsaPatch { - name = "222-2-4.5"; - sha256 = "1hw8rhc7q4v309f4w11gxfsn5x1pirvxkg7s4kr711fnmvp9hkzd"; - }) - ]; - - # 4.5 - 4.8 - XSA_223 = (xsaPatch { - name = "223"; - sha256 = "0803gjgcbq9vaz2mq0v5finf1fq8iik1g4hqsjqhjxvspn8l70c5"; - }); - - # 4.5 - XSA_224_45 = [ - (xsaPatch { - name = "224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap"; - sha256 = "1aislj66ss4cb3v2bh12mrqsyrf288d4h54rj94jjq7h1hnycw7h"; - }) - (xsaPatch { - name = "224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to"; - sha256 = 
"1j6fgm1ccb07gg0mi5qmdr0vqwwc3n12z433g1jrija2gbk1x8aq"; - }) - (xsaPatch { - name = "224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m"; - sha256 = "166kmicwx280fjqjvgigbmhabjksa0hhvqx5h4v6kjlcjpmxqy08"; - }) - (xsaPatch { - name = "224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth"; - sha256 = "1skc0yj1zsn8xgyq1y57bdc0scvvlmd0ynrjwwf1zkias1wlilav"; - }) - ]; - - # 4.5 - XSA_226_45 = [ - (xsaPatch { - name = "226-4.5/0001-gnttab-dont-use-possibly-unbounded-tail-calls"; - sha256 = "1hx47ppv5q33cw4dwp82lgvv4fp28gx7rxijw0iaczsv8bvb8vcg"; - }) - (xsaPatch { - name = "226-4.5/0002-gnttab-fix-transitive-grant-handling"; - sha256 = "1gzp8m2zfihwlk71c3lqyd0ajh9h11pvkhzhw0mawckxy0qksvlc"; - }) - ]; - - # 4.5 - XSA_227_45 = (xsaPatch { - name = "227-4.5"; - sha256 = "1qfjfisgqm4x98qw54x2qrvgjnvvzizx9p1pjhcnsps9q6g1y3x8"; - }); - - # 4.5 - 4.9 - XSA_230 = (xsaPatch { - name = "230"; - sha256 = "10x0j7wmzkrwycs1ng89fgjzvzh8vsdd4c5nb68b3j1azdx4ld83"; - }); - - # 4.5 - XSA_231_45 = (xsaPatch { - name = "231-4.5"; - sha256 = "06gwx2f1lg51dfk2b4zxp7wv9c4pxdi87pg2asvmxqc78ir7l5s6"; - }); - - # 4.5 - 4.9 - XSA_232 = (xsaPatch { - name = "232"; - sha256 = "0n6irjpmraa3hbxxm64a1cplc6y6g07x7v2fmlpvn70ql3fs0220"; - }); - - # 4.5 - 4.9 - XSA_233 = (xsaPatch { - name = "233"; - sha256 = "1w3m8349cqav56av63w6jzvlsv4jw5rimwvskr9pq2rcbk2dx8kf"; - }); - - # 4.5 - XSA_234_45 = (xsaPatch { - name = "234-4.5"; - sha256 = "1ji6hbgybb4gbgz5l5fis9midnvjbddzam8d63377rkzdyb3yz9f"; - }); - - # 4.5 - XSA_235_45 = (xsaPatch { - name = "235-4.5"; - sha256 = "0hhgnql2gji111020z4wiyzg23wqs6ymanb67rg11p4qad1fp3ff"; - }); - - # 4.5 - XSA_236_45 = (xsaPatch { - name = "236-4.5"; - sha256 = "0hcla86x81wykssd2967gblp7fzx61290p4ls4v0hcyxdg2bs2yz"; - }); - - # 4.5 - XSA_237_45 = [ - (xsaPatch { - name = "237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device"; - sha256 = "0hjxs20jhls4i0iph45a0qpw4znkm04gv74jmwhw84gy4hrhzq3b"; - }) - (xsaPatch { - name = 
"237-4.5/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s"; - sha256 = "0ki8nmbc2g1l9wnqsph45a2k4c6dk5s7jvdlxg3zznyiyxjcv8yn"; - }) - (xsaPatch { - name = "237-4.5/0003-x86-MSI-disallow-redundant-enabling"; - sha256 = "1hdz83qrjaqnihz8ji186dypxiblbfpgyb01j9m5alhk4whjqvp1"; - }) - (xsaPatch { - name = "237-4.5/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error"; - sha256 = "0csdfn9kzn1k94pg3fcwsgqw14wcd4myi1jkcq5alj1fmkhw4wmk"; - }) - (xsaPatch { - name = "237-4.5/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook"; - sha256 = "14b73rkvbkd1a2gh9kp0zrvv2d3kfwkiv24fg9agh4hrf2w3nx7y"; - }) - ]; - - # 4.5 - XSA_238_45 = (xsaPatch { - name = "238-4.5"; - sha256 = "1x2fg5vfv5jc084h5gjm6fq0nxjpzvi96px3sqzz4pvsvy4y4i1z"; - }); - - # 4.5 - XSA_239_45 = (xsaPatch { - name = "239-4.5"; - sha256 = "06bi8q3973yajxsdj7pcqarvb56q2gisxdiy0cpbyffbmpkfv3h6"; - }); - - # 4.5 - XSA_240_45 = [ - (xsaPatch { - name = "240-4.5/0001-x86-limit-linear-page-table-use-to-a-single-level"; - sha256 = "0pmf10mbnmb88y7mly8s2l0j88cg0ayhkcnmj1zbjrkjmpccv395"; - }) - (xsaPatch { - name = "240-4.5/0002-x86-mm-Disable-PV-linear-pagetables-by-default"; - sha256 = "19f096ra3xndvzkjjasx73p2g25hfkm905px0p3yakwll0qzd029"; - }) - ]; - - # 4.5 - 4.8 - XSA_241 = (xsaPatch { - name = "241-4.8"; - sha256 = "16zb75kzs98f4mdxhbyczk5mbh9dvn6j3yhfafki34x1dfdnq4pj"; - }); - - # 4.5 - 4.9 - XSA_242 = (xsaPatch { - name = "242-4.9"; - sha256 = "0yx3x0i2wybsm7lzdffxa2mm866bjl4ipbb9vipnw77dyg705zpr"; - }); - - # 4.5 - XSA_243_45 = [ - (xsaPatch { - name = "243-4.6-1"; - sha256 = "1cqanpyysa7px0j645z4jw9yqsvv6cbh7yq1b86ap134axfifcan"; - }) - (xsaPatch { - name = "243-4.5-2"; - sha256 = "0wbcgw4m0nzm2902jnda2020l7bd5adkq8j5myi1zmsfzbq03hwn"; - }) - ]; - - # 4.5 - XSA_244_45 = (xsaPatch { - name = "244-4.5"; - sha256 = "05ci3vdl1ywfjpzcvsy1k52whxjk8pxzj7dh3r94yqasr56i5v2l"; - }); - - # 4.5 - 4.9 - XSA_245 = [ - (xsaPatch { - name = "245/0001-xen-page_alloc-Cover-memory-unreserved-after-boot-in"; - sha256 = 
"12brsgbn7xwakalsn10afykgqmx119mqg6vjj3v2b1pnmf4ss0w8"; - }) - (xsaPatch { - name = "245/0002-xen-arm-Correctly-report-the-memory-region-in-the-du"; - sha256 = "1k6z5r7wnrswsczn2j3a1mc4nvxqm4ydj6n6rvgqizk2pszdkqg8"; - }) - ]; - - # 4.5 - 4.7 - XSA_246_45 = [ - (xsaPatch { - name = "246-4.7"; - sha256 = "13rad4k8z3bq15d67dhgy96kdbrjiq9sy8px0jskbpx9ygjdahkn"; - }) - ]; - - # 4.5 - XSA_247_45 = [ - (xsaPatch { - name = "247-4.5/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu"; - sha256 = "0h1mp5s9si8aw2gipds317f27h9pi7bgnhj0bcmw11p0ch98sg1m"; - }) - (xsaPatch { - name = "247-4.5/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas"; - sha256 = "0vjjybxbcm4xl26wbqvcqfiyvvlayswm4f98i1fr5a9abmljn5sb"; - }) - ]; - - # 4.5 - XSA_248_45 = [ - (xsaPatch { - name = "248-4.5"; - sha256 = "0csxg6h492ddsa210b45av28iqf7cn2dfdqk4zx10zwf1pv2shyn"; - }) - ]; - - # 4.5 .. 4.9 - XSA_249 = [ - (xsaPatch { - name = "249"; - sha256 = "0v6ngzqhkz7yv4n83xlpxfbkr2qyg5b1cds7ikkinm86hiqy6agl"; - }) - ]; - - # 4.5 - XSA_250_45 = [ - (xsaPatch { - name = "250-4.5"; - sha256 = "0pqldl6qnl834gvfp90z247q9xcjh3835s2iffnajz7jhjb2145d"; - }) - ]; - - # 4.5 - XSA_251_45 = [ - (xsaPatch { - name = "251-4.5"; - sha256 = "0lc94cx271z09r0mhxaypyd9d4740051p28idf5calx5228dqjgm"; - }) - ]; - - XSA_386 = (xsaPatch { - name = "386"; - sha256 = "sha256-pAuLgt3sDeL73NSDqZCWxRGZk1tWaYlDbh7cUcJ4s+w="; - }); -} diff --git a/pkgs/applications/virtualization/youki/default.nix b/pkgs/applications/virtualization/youki/default.nix index d63fa87238e45..7b7cf4911c90c 100644 --- a/pkgs/applications/virtualization/youki/default.nix +++ b/pkgs/applications/virtualization/youki/default.nix @@ -6,6 +6,7 @@ , dbus , libseccomp , systemd +, stdenv }: rustPlatform.buildRustPackage rec { 
@@ -27,7 +28,7 @@ rustPlatform.buildRustPackage rec { buildInputs = [ dbus libseccomp systemd ]; - postInstall = '' + postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' installShellCompletion --cmd youki \ --bash <($out/bin/youki completion -s bash) \ --fish <($out/bin/youki completion -s fish) \ @@ -44,7 +45,7 @@ rustPlatform.buildRustPackage rec { homepage = "https://containers.github.io/youki/"; changelog = "https://github.com/containers/youki/releases/tag/v${version}"; license = licenses.asl20; - maintainers = []; + maintainers = [ ]; platforms = platforms.linux; mainProgram = "youki"; }; |
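Review bot: The new `lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform)` guard on `postInstall` makes shell completions silently absent from cross-compiled outputs, and nothing in the file records that this is deliberate; a comment above the attribute such as `# Completions are produced by running the freshly built binary, so they are only generated when the build platform can execute the host platform.` would make the omission read as intentional. The `, stdenv` argument added in the earlier hunk exists only to support this guard, and the guard assumes `lib` is already bound in the function's argument list, which lies above the first hunk and outside this view. The `maintainers = [ ]` change in the last hunk is formatting only.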