diff --git a/packages/build-support/build-fhs-userenv-bubblewrap/default.nix b/packages/build-support/build-fhs-userenv-bubblewrap/default.nix
deleted file mode 100644
index 41b1ed8..0000000
--- a/packages/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ /dev/null
@@ -1,216 +0,0 @@
-{ lib, callPackage, runCommandLocal, writeShellScriptBin, glibc, pkgsi686Linux, coreutils, bubblewrap }:
-
-let buildFHSEnv = callPackage ./env.nix { }; in
-
-args @ {
- name
-, runScript ? "bash"
-, extraInstallCommands ? ""
-, meta ? {}
-, passthru ? {}
-, unshareUser ? true
-, unshareIpc ? true
-, unsharePid ? true
-, unshareNet ? false
-, unshareUts ? true
-, unshareCgroup ? true
-, dieWithParent ? true
-, specifyHomeDirs ? false
-, mountInHome ? []
-, chdirTo ? "\"$(pwd)\""
-, additionalBlacklist ? []
-, additionalMounts ? []
-, extraEnv ? {}
-, ...
-}:
-
-with builtins;
-let
- buildFHSEnv = callPackage ./env.nix { };
-
- env = buildFHSEnv (removeAttrs args [
- "runScript" "extraInstallCommands" "meta" "passthru" "dieWithParent"
- "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
- ]);
-
- etcBindFlags = let
- files = [
- # NixOS Compatibility
- "static"
- "nix" # mainly for nixUnstable users, but also for access to nix/netrc
- # Shells
- "bashrc"
- "zshenv"
- "zshrc"
- "zinputrc"
- "zprofile"
- # Users, Groups, NSS
- "passwd"
- "group"
- "shadow"
- "hosts"
- "resolv.conf"
- "nsswitch.conf"
- # User profiles
- "profiles"
- # Sudo & Su
- "login.defs"
- "sudoers"
- "sudoers.d"
- # Time
- "localtime"
- "zoneinfo"
- # Other Core Stuff
- "machine-id"
- "os-release"
- # PAM
- "pam.d"
- # Fonts
- "fonts"
- # ALSA
- "alsa"
- "asound.conf"
- # SSL
- "ssl/certs"
- "pki"
- ];
- in concatStringsSep "\n "
- (map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
-
- # Create this on the fly instead of linking from /nix
- # The container might have to modify it and re-run ldconfig if there are
- # issues running some binary with LD_LIBRARY_PATH
- createLdConfCache = ''
- cat > /etc/ld.so.conf < /dev/null
- '';
- init = run: writeShellScriptBin "${name}-init" ''
- source /etc/profile
- ${createLdConfCache}
- exec ${run} "$@"
- '';
-
- extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv);
-
- bwrapCmd = { initArgs ? "" }: ''
- blacklist=(/nix /dev /proc /etc ${lib.optionalString specifyHomeDirs "/home"} ${builtins.toString additionalBlacklist})
- ro_mounts=()
- symlinks=()
- for i in ${env}/*; do
- path="/''${i##*/}"
- if [[ $path == '/etc' ]]; then
- :
- elif [[ -L $i ]]; then
- symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$path")
- blacklist+=("$path")
- else
- ro_mounts+=(--ro-bind "$i" "$path")
- blacklist+=("$path")
- fi
- done
-
- if [[ -d ${env}/etc ]]; then
- for i in ${env}/etc/*; do
- path="/''${i##*/}"
- # NOTE: we're binding /etc/fonts and /etc/ssl/certs from the host so we
- # don't want to override it with a path from the FHS environment.
- if [[ $path == '/fonts' || $path == '/ssl' ]]; then
- continue
- fi
- ro_mounts+=(--ro-bind "$i" "/etc$path")
- done
- fi
-
- declare -a auto_mounts
- # loop through all directories in the root
- for dir in /*; do
- # if it is a directory and it is not in the blacklist
- if [[ -d "$dir" ]] && [[ ! "''${blacklist[@]}" =~ "$dir" ]]; then
- # add it to the mount list
- auto_mounts+=(--bind "$dir" "$dir")
- fi
- done
-
- if [[ "${lib.optionalString specifyHomeDirs "1"}" = "1" ]]; then
- for entry in ${builtins.toString mountInHome}; do
- auto_mounts+=(--bind "/home/$USER/$entry" "/home/$USER/$entry")
- done
- fi
-
- if [[ ! -z "${builtins.toString additionalMounts}" ]]; then
- for entry in ${builtins.toString additionalMounts}; do
- auto_mounts+=(--bind "$entry" "$entry")
- done
- fi
-
- cmd=(
- ${bubblewrap}/bin/bwrap
- --dev-bind /dev /dev
- --proc /proc
- --chdir ${chdirTo}
- ${lib.optionalString unshareUser "--unshare-user"}
- ${lib.optionalString unshareIpc "--unshare-ipc"}
- ${lib.optionalString unsharePid "--unshare-pid"}
- ${lib.optionalString unshareNet "--unshare-net"}
- ${lib.optionalString unshareUts "--unshare-uts"}
- ${lib.optionalString unshareCgroup "--unshare-cgroup"}
- ${lib.optionalString dieWithParent "--die-with-parent"}
- --ro-bind /nix /nix
- # Our glibc will look for the cache in its own path in `/nix/store`.
- # As such, we need a cache to exist there, because pressure-vessel
- # depends on the existence of an ld cache. However, adding one
- # globally proved to be a bad idea (see #100655), the solution we
- # settled on being mounting one via bwrap.
- # Also, the cache needs to go to both 32 and 64 bit glibcs, for games
- # of both architectures to work.
- --tmpfs ${glibc}/etc \
- --symlink /etc/ld.so.conf ${glibc}/etc/ld.so.conf \
- --symlink /etc/ld.so.cache ${glibc}/etc/ld.so.cache \
- --ro-bind ${glibc}/etc/rpc ${glibc}/etc/rpc \
- --remount-ro ${glibc}/etc \
- --tmpfs ${pkgsi686Linux.glibc}/etc \
- --symlink /etc/ld.so.conf ${pkgsi686Linux.glibc}/etc/ld.so.conf \
- --symlink /etc/ld.so.cache ${pkgsi686Linux.glibc}/etc/ld.so.cache \
- --ro-bind ${pkgsi686Linux.glibc}/etc/rpc ${pkgsi686Linux.glibc}/etc/rpc \
- --remount-ro ${pkgsi686Linux.glibc}/etc \
- ${etcBindFlags}
- "''${ro_mounts[@]}"
- "''${symlinks[@]}"
- "''${auto_mounts[@]}"
- ${extraEnvString}
- ${init runScript}/bin/${name}-init ${initArgs}
- )
- exec "''${cmd[@]}"
- '';
-
- bin = writeShellScriptBin name (bwrapCmd { initArgs = ''"$@"''; });
-
-in runCommandLocal name {
- inherit meta;
-
- passthru = passthru // {
- env = runCommandLocal "${name}-shell-env" {
- shellHook = bwrapCmd {};
- } ''
- echo >&2 ""
- echo >&2 "*** User chroot 'env' attributes are intended for interactive nix-shell sessions, not for building! ***"
- echo >&2 ""
- exit 1
- '';
- };
-} ''
- mkdir -p $out/bin
- ln -s ${bin}/bin/${name} $out/bin/${name}
- ${extraInstallCommands}
-''
diff --git a/packages/build-support/build-fhs-userenv-bubblewrap/env.nix b/packages/build-support/build-fhs-userenv-bubblewrap/env.nix
deleted file mode 100644
index 1d02bc0..0000000
--- a/packages/build-support/build-fhs-userenv-bubblewrap/env.nix
+++ /dev/null
@@ -1,185 +0,0 @@
-{ stdenv, lib, buildEnv, writeText, writeShellScriptBin, pkgs, pkgsi686Linux }:
-
-{ name, profile ? ""
-, targetPkgs ? pkgs: [], multiPkgs ? pkgs: []
-, extraBuildCommands ? "", extraBuildCommandsMulti ? ""
-, extraOutputsToInstall ? []
-, ...
-}:
-
-# HOWTO:
-# All packages (most likely programs) returned from targetPkgs will only be
-# installed once--matching the host's architecture (64bit on x86_64 and 32bit on
-# x86).
-#
-# Packages (most likely libraries) returned from multiPkgs are installed
-# once on x86 systems and twice on x86_64 systems.
-# On x86 they are merged with packages from targetPkgs.
-# On x86_64 they are added to targetPkgs and in addition their 32bit
-# versions are also installed. The final directory structure looks as
-# follows:
-# /lib32 will include 32bit libraries from multiPkgs
-# /lib64 will include 64bit libraries from multiPkgs and targetPkgs
-# /lib will link to /lib32
-
-let
- is64Bit = stdenv.hostPlatform.parsed.cpu.bits == 64;
- isMultiBuild = multiPkgs != null && is64Bit;
- isTargetBuild = !isMultiBuild;
-
- # list of packages (usually programs) which are only be installed for the
- # host's architecture
- targetPaths = targetPkgs pkgs ++ (if multiPkgs == null then [] else multiPkgs pkgs);
-
- # list of packages which are installed for both x86 and x86_64 on x86_64
- # systems
- multiPaths = multiPkgs pkgsi686Linux;
-
- # base packages of the chroot
- # these match the host's architecture, glibc_multi is used for multilib
- # builds. glibcLocales must be before glibc or glibc_multi as otherwiese
- # the wrong LOCALE_ARCHIVE will be used where only C.UTF-8 is available.
- basePkgs = with pkgs;
- [ glibcLocales
- (if isMultiBuild then glibc_multi else glibc)
- (toString gcc.cc.lib) bashInteractive coreutils less shadow su
- gawk diffutils findutils gnused gnugrep
- gnutar gzip bzip2 xz
- ];
- baseMultiPkgs = with pkgsi686Linux;
- [ (toString gcc.cc.lib)
- ];
-
- ldconfig = writeShellScriptBin "ldconfig" ''
- exec ${pkgs.glibc.bin}/bin/ldconfig -f /etc/ld.so.conf -C /etc/ld.so.cache "$@"
- '';
- etcProfile = writeText "profile" ''
- export PS1='${name}-chrootenv:\u@\h:\w\$ '
- export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
- export LD_LIBRARY_PATH="/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
- export PATH="/run/wrappers/bin:/usr/bin:/usr/sbin:$PATH"
- export TZDIR='/etc/zoneinfo'
-
- # Force compilers and other tools to look in default search paths
- unset NIX_ENFORCE_PURITY
- export NIX_CC_WRAPPER_TARGET_HOST_${stdenv.cc.suffixSalt}=1
- export NIX_CFLAGS_COMPILE='-idirafter /usr/include'
- export NIX_CFLAGS_LINK='-L/usr/lib -L/usr/lib32'
- export NIX_LDFLAGS='-L/usr/lib -L/usr/lib32'
- export PKG_CONFIG_PATH=/usr/lib/pkgconfig
- export ACLOCAL_PATH=/usr/share/aclocal
-
- ${profile}
- '';
-
- # Compose /etc for the chroot environment
- etcPkg = stdenv.mkDerivation {
- name = "${name}-chrootenv-etc";
- buildCommand = ''
- mkdir -p $out/etc
- cd $out/etc
-
- # environment variables
- ln -s ${etcProfile} profile
-
- # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs)
- ln -s /proc/mounts mtab
- '';
- };
-
- # Composes a /usr-like directory structure
- staticUsrProfileTarget = buildEnv {
- name = "${name}-usr-target";
- # ldconfig wrapper must come first so it overrides the original ldconfig
- paths = [ etcPkg ldconfig ] ++ basePkgs ++ targetPaths;
- extraOutputsToInstall = [ "out" "lib" "bin" ] ++ extraOutputsToInstall;
- ignoreCollisions = true;
- };
-
- staticUsrProfileMulti = buildEnv {
- name = "${name}-usr-multi";
- paths = baseMultiPkgs ++ multiPaths;
- extraOutputsToInstall = [ "out" "lib" ] ++ extraOutputsToInstall;
- ignoreCollisions = true;
- };
-
- # setup library paths only for the targeted architecture
- setupLibDirsTarget = ''
- # link content of targetPaths
- cp -rsHf ${staticUsrProfileTarget}/lib lib
- ln -s lib lib${if is64Bit then "64" else "32"}
- '';
-
- # setup /lib, /lib32 and /lib64
- setupLibDirsMulti = ''
- mkdir -m0755 lib32
- mkdir -m0755 lib64
- ln -s lib64 lib
-
- # copy glibc stuff
- cp -rsHf ${staticUsrProfileTarget}/lib/32/* lib32/ && chmod u+w -R lib32/
-
- # copy content of multiPaths (32bit libs)
- [ -d ${staticUsrProfileMulti}/lib ] && cp -rsHf ${staticUsrProfileMulti}/lib/* lib32/ && chmod u+w -R lib32/
-
- # copy content of targetPaths (64bit libs)
- cp -rsHf ${staticUsrProfileTarget}/lib/* lib64/ && chmod u+w -R lib64/
-
- # symlink 32-bit ld-linux.so
- ln -Ls ${staticUsrProfileTarget}/lib/32/ld-linux.so.2 lib/
- '';
-
- setupLibDirs = if isTargetBuild then setupLibDirsTarget
- else setupLibDirsMulti;
-
- # the target profile is the actual profile that will be used for the chroot
- setupTargetProfile = ''
- mkdir -m0755 usr
- cd usr
- ${setupLibDirs}
- ${lib.optionalString isMultiBuild ''
- if [ -d "${staticUsrProfileMulti}/share" ]; then
- cp -rLf ${staticUsrProfileMulti}/share share
- fi
- ''}
- if [ -d "${staticUsrProfileTarget}/share" ]; then
- if [ -d share ]; then
- chmod -R 755 share
- cp -rLTf ${staticUsrProfileTarget}/share share
- else
- cp -rLf ${staticUsrProfileTarget}/share share
- fi
- fi
- for i in bin sbin include; do
- if [ -d "${staticUsrProfileTarget}/$i" ]; then
- cp -rsHf "${staticUsrProfileTarget}/$i" "$i"
- fi
- done
- cd ..
-
- for i in var etc; do
- if [ -d "${staticUsrProfileTarget}/$i" ]; then
- cp -rsHf "${staticUsrProfileTarget}/$i" "$i"
- fi
- done
- for i in usr/{bin,sbin,lib,lib32,lib64}; do
- if [ -d "$i" ]; then
- ln -s "$i"
- fi
- done
- '';
-
-in stdenv.mkDerivation {
- name = "${name}-fhs";
- buildCommand = ''
- mkdir -p $out
- cd $out
- ${setupTargetProfile}
- cd $out
- ${extraBuildCommands}
- cd $out
- ${if isMultiBuild then extraBuildCommandsMulti else ""}
- '';
- preferLocalBuild = true;
- allowSubstitutes = false;
-}