Merge pull request #73097 from andrew-d/andrew/gvisor-redux
gvisor: init at 2019-11-14
commit
3140fa89c5
@ -103,6 +103,7 @@ in
|
||||
grafana = handleTest ./grafana.nix {};
|
||||
graphite = handleTest ./graphite.nix {};
|
||||
graylog = handleTest ./graylog.nix {};
|
||||
gvisor = handleTest ./gvisor.nix {};
|
||||
hadoop.hdfs = handleTestOn [ "x86_64-linux" ] ./hadoop/hdfs.nix {};
|
||||
hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {};
|
||||
handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {};
|
||||
|
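--- a/nixos/tests/gvisor.nix
+++ b/nixos/tests/gvisor.nix
@@ -0,0 +1,49 @@
+# This test runs a container through gvisor and checks if simple container starts
+
+import ./make-test-python.nix ({ pkgs, ...} : {
+name = "gvisor";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ andrew-d ];
+};
+
+nodes = {
+gvisor =
+{ pkgs, ... }:
+{
+virtualisation.docker = {
+enable = true;
+extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc";
+};
+
+networking = {
+dhcpcd.enable = false;
+defaultGateway = "192.168.1.1";
+interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+{ address = "192.168.1.2"; prefixLength = 24; }
+];
+};
+};
+};
+
+testScript = ''
+start_all()
+
+gvisor.wait_for_unit("network.target")
+gvisor.wait_for_unit("sockets.target")
+
+# Start by verifying that gvisor itself works
+output = gvisor.succeed(
+"${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world"
+)
+assert output.strip() == "hello world"
+
+# Also test the Docker runtime
+gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+gvisor.succeed(
+"docker run -d --name=sleeping --runtime=runsc -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+)
+gvisor.succeed("docker ps | grep sleeping")
+gvisor.succeed("docker stop sleeping")
+'';
+})
+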
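Review bot: The check `gvisor.succeed("docker ps | grep sleeping")` is timing-dependent, because the container started two lines earlier runs `/bin/sleep 10` and exits on its own, so on a slow build host `docker ps` can run after it has already stopped and the test fails for a reason unrelated to gvisor. Starting it with `/bin/sleep infinity` (coreutils accepts it) or a generous value removes the race, and `docker stop sleeping` still cleans up afterwards. The test also never confirms that the container actually ran under the runsc runtime rather than merely started; adding `gvisor.succeed("docker inspect -f '{{.HostConfig.Runtime}}' sleeping | grep -q runsc")` before the stop would pin that. The comment on the first line could say what "simple container starts" means, e.g. `# Checks that runsc can run a command directly and that Docker can start a container with --runtime=runsc`.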
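--- a/pkgs/applications/virtualization/gvisor/containerd-shim.nix
+++ b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
@@ -0,0 +1,36 @@
+{ lib, fetchFromGitHub, buildGoModule, go-bindata }:
+
+buildGoModule rec {
+name = "gvisor-containerd-shim-${version}";
+version = "2019-10-09";
+
+src = fetchFromGitHub {
+owner = "google";
+repo = "gvisor-containerd-shim";
+rev = "f299b553afdd8455a0057862004061ea12e660f5";
+sha256 = "077bhrmjrpcxv1z020yxhx2c4asn66j21gxlpa6hz0av3lfck9lm";
+};
+
+modSha256 = "1jdhgbrn59ahnabwnig99i21f6kimmqx9f3dg10ffwfs3dx0gzlg";
+
+buildPhase = ''
+make
+'';
+
+doCheck = true;
+checkPhase = ''
+make test
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = with lib; {
+description = "containerd shim for gVisor";
+homepage = https://github.com/google/gvisor-containerd-shim;
+license = licenses.asl20;
+maintainers = with maintainers; [ andrew-d ];
+platforms = [ "x86_64-linux" ];
+};
+}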
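Review bot: `go-bindata` is taken as a function argument on the first line of the file but is never referenced in the derivation body, and there is no `nativeBuildInputs`, so the `make` invocations in buildPhase and checkPhase would not find it on PATH. If the upstream Makefile needs it (not visible from this hunk), add `nativeBuildInputs = [ go-bindata ];`; otherwise drop the argument so the unused input does not mislead the next reader. Separately, `version = "2019-10-09"` names a bare commit rather than a tag, and the nixpkgs convention for untagged snapshots is `version = "unstable-2019-10-09";`. The unquoted `homepage = https://github.com/google/gvisor-containerd-shim;` uses the deprecated URL-literal syntax and is better written as a quoted string.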
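--- a/pkgs/applications/virtualization/gvisor/default.nix
+++ b/pkgs/applications/virtualization/gvisor/default.nix
@@ -0,0 +1,101 @@
+{ stdenv
+, buildBazelPackage
+, fetchFromGitHub
+, cacert
+, git
+, glibcLocales
+, go
+, iproute
+, iptables
+, makeWrapper
+, procps
+, python3
+}:
+
+let
+preBuild = ''
+patchShebangs .
+
+# Tell rules_go to use the Go binary found in the PATH
+sed -E -i \
+-e 's|go_version\s*=\s*"[^"]+",|go_version = "host",|g' \
+WORKSPACE
+
+# The gazelle Go tooling needs CA certs
+export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+
+# If we don't reset our GOPATH, the rules_go stdlib builder tries to
+# install something into it. Ideally that wouldn't happen, but for now we
+# can also get around it by unsetting GOPATH entirely, since rules_go
+# doesn't need it.
+export GOPATH=
+'';
+
+in buildBazelPackage rec {
+name = "gvisor-${version}";
+version = "2019-11-14";
+
+src = fetchFromGitHub {
+owner = "google";
+repo = "gvisor";
+rev = "release-20191114.0";
+sha256 = "0kyixjjlws9iz2r2srgpdd4rrq94vpxkmh2rmmzxd9mcqy2i9bg1";
+};
+
+nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];
+
+bazelTarget = "//runsc:runsc";
+
+# gvisor uses the Starlark implementation of rules_cc, not the built-in one,
+# so we shouldn't delete it from our dependencies.
+removeRulesCC = false;
+
+fetchAttrs = {
+inherit preBuild;
+
+preInstall = ''
+# Remove the go_sdk (it's just a copy of the go derivation) and all
+# references to it from the marker files. Bazel does not need to download
+# this sdk because we have patched the WORKSPACE file to point to the one
+# currently present in PATH. Without removing the go_sdk from the marker
+# file, the hash of it will change anytime the Go derivation changes and
+# that would lead to impurities in the marker files which would result in
+# a different sha256 for the fetch phase.
+rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}
+
+# Remove the gazelle tools, they contain go binaries that are built
+# non-deterministically. As long as the gazelle version matches the tools
+# should be equivalent.
+rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}
+
+# Remove the gazelle repository cache
+chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
+rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}
+
+# Remove log file(s)
+rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
+'';
+
+sha256 = "122qk6iv8hd7g2a84y9aqqhij4r0m47vpxzbqhhh6k5livc73qd6";
+};
+
+buildAttrs = {
+inherit preBuild;
+
+installPhase = ''
+install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc
+
+# Needed for the 'runsc do' subcomand
+wrapProgram $out/bin/runsc \
+--prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
+'';
+};
+
+meta = with stdenv.lib; {
+description = "Container Runtime Sandbox";
+homepage = https://github.com/google/gvisor;
+license = licenses.asl20;
+maintainers = with maintainers; [ andrew-d ];
+platforms = [ "x86_64-linux" ];
+};
+}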
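Review bot: `$bazelOut` is expanded unquoted in the `rm -rf` and `chmod -R +w` lines of preInstall but quoted in the `rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*` line right below them; the brace expansions work just as well with quoting, e.g. `rm -rf "$bazelOut"/external/{go_sdk,\@go_sdk.marker}`, so quoting consistently removes a word-splitting surprise should the Bazel output path ever contain whitespace. The file also reaches `lib` through `stdenv.lib` (the `makeBinPath` call in installPhase and the `meta` block) while the sibling containerd-shim.nix in this PR takes `lib` as an argument; taking `lib` directly here keeps the two new files consistent. The comment `# Needed for the 'runsc do' subcomand` should read `subcommand`, and the unquoted `homepage = https://github.com/google/gvisor;` uses the deprecated URL-literal syntax.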
@ -19207,6 +19207,10 @@ in
|
||||
|
||||
gv = callPackage ../applications/misc/gv { };
|
||||
|
||||
gvisor = callPackage ../applications/virtualization/gvisor { };
|
||||
|
||||
gvisor-containerd-shim = callPackage ../applications/virtualization/gvisor/containerd-shim.nix { };
|
||||
|
||||
guvcview = callPackage ../os-specific/linux/guvcview { };
|
||||
|
||||
gxmessage = callPackage ../applications/misc/gxmessage { };
|
||||
|