Merge pull request #306716 from ShamrockLee/apptainer-default-path-substitution

apptainer, singularity: refactor defaultPath substitution
Someone 2024-06-02 22:33:55 +00:00 committed by GitHub
commit 9f48aac218
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 53 additions and 5 deletions


@ -44,6 +44,7 @@ in
gpgme, gpgme,
libseccomp, libseccomp,
libuuid, libuuid,
mount,
# This is for nvidia-container-cli # This is for nvidia-container-cli
nvidia-docker, nvidia-docker,
openssl, openssl,
@ -79,6 +80,20 @@ in
externalLocalStateDir ? null, externalLocalStateDir ? null,
# Remove the symlinks to `singularity*` when projectName != "singularity" # Remove the symlinks to `singularity*` when projectName != "singularity"
removeCompat ? false, removeCompat ? false,
# The defaultPath values to substitute in each source files.
#
# `defaultPath` are PATH variables hard-coded inside Apptainer/Singularity
# binaries to search for third-party utilities, as a hardening for
# `$out/bin/starter-suid`.
#
# The upstream provided values are suitable for FHS-conformant environment.
# We substitute them and insert Nixpkgs-specific values.
#
# Example:
# {
# "path/to/source/file1" = [ "<originalDefaultPath11>" "<originalDefaultPath12>" ... ];
# }
sourceFilesWithDefaultPaths ? { },
# Workaround #86349 # Workaround #86349
# should be removed when the issue is resolved # should be removed when the issue is resolved
vendorHash ? _defaultGoVendorArgs.vendorHash, vendorHash ? _defaultGoVendorArgs.vendorHash,
@ -87,7 +102,6 @@ in
}: }:
let let
defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
privileged-un-utils = privileged-un-utils =
if ((newuidmapPath == null) && (newgidmapPath == null)) then if ((newuidmapPath == null) && (newgidmapPath == null)) then
null null
@ -97,6 +111,12 @@ let
ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
''); '');
concatMapStringAttrsSep =
sep: f: attrs:
lib.concatMapStringsSep sep (name: f name attrs.${name}) (lib.attrNames attrs);
addShellDoubleQuotes = s: lib.escapeShellArg ''"'' + s + lib.escapeShellArg ''"'';
in in
(buildGoModule { (buildGoModule {
inherit pname version src; inherit pname version src;
@ -185,6 +205,7 @@ in
fakeroot fakeroot
fuse2fs # Mount ext3 filesystems fuse2fs # Mount ext3 filesystems
go go
mount # mount
privileged-un-utils privileged-un-utils
squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
@ -199,8 +220,19 @@ in
patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts
# Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs
substituteInPlace cmd/internal/cli/actions.go \ ${concatMapStringAttrsSep "\n" (fileName: originalDefaultPaths: ''
--replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\"" substituteInPlace ${lib.escapeShellArg fileName} \
${
lib.concatMapStringsSep " \\\n " (
originalDefaultPath:
lib.concatStringsSep " " [
"--replace-fail"
(addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
(addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
]
) originalDefaultPaths
}
'') sourceFilesWithDefaultPaths}
substituteInPlace internal/pkg/util/gpu/nvidia.go \ substituteInPlace internal/pkg/util/gpu/nvidia.go \
--replace \ --replace \
@ -236,7 +268,7 @@ in
substituteInPlace "$out/bin/run-singularity" \ substituteInPlace "$out/bin/run-singularity" \
--replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}" --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
wrapProgram "$out/bin/${projectName}" \ wrapProgram "$out/bin/${projectName}" \
--prefix PATH : "''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}" --prefix PATH : "$inputsDefaultPath"
# Make changes in the config file # Make changes in the config file
${lib.optionalString forceNvcCli '' ${lib.optionalString forceNvcCli ''
substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \ substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@ -294,7 +326,9 @@ in
}).overrideAttrs }).overrideAttrs
( (
finalAttrs: prevAttrs: { finalAttrs: prevAttrs: {
inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
passthru = prevAttrs.passthru or { } // { passthru = prevAttrs.passthru or { } // {
inherit sourceFilesWithDefaultPaths;
tests = { tests = {
image-hello-cowsay = singularity-tools.buildImage { image-hello-cowsay = singularity-tools.buildImage {
name = "hello-cowsay"; name = "hello-cowsay";
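Review bot: In the `--replace-fail` replacement argument built by the second `addShellDoubleQuotes` call, `$inputsDefaultPath` sits outside any shell quotes (the generated word is `'"'$inputsDefaultPath${inputsDefaultPath:+:}'…''"'`, as far as I can reconstruct it from `addShellDoubleQuotes` and `escapeShellArg`), so it is subject to word splitting and pathname expansion; store paths contain no IFS or glob characters today, so it works, but that is a fragile property for a value that ends up compiled into `starter-suid`. Quoting it, `(addShellDoubleQuotes ''"$inputsDefaultPath''${inputsDefaultPath:+:}"${lib.escapeShellArg originalDefaultPath}'')`, keeps the argument a single word regardless of content. The two new helpers carry no comments; I would add `# Apply f to every name/value pair of an attrset and join the results with sep` above `concatMapStringAttrsSep` and `# Wrap an already shell-escaped fragment in literal double quotes so it matches a Go string literal` above `addShellDoubleQuotes`. Since the original FHS directories are still appended after the store paths on the new side, the setuid starter keeps searching `/usr/local/bin` etc. after the Nix-provided tools; that is unchanged behaviour, but it is worth stating as intended in the `sourceFilesWithDefaultPaths` parameter comment rather than leaving it implicit.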


@ -35,6 +35,12 @@ let
# when building on a system with disabled unprivileged namespace. # when building on a system with disabled unprivileged namespace.
# See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601 # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
defaultToSuid = null; defaultToSuid = null;
sourceFilesWithDefaultPaths = {
"cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
"e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
"internal/pkg/util/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
};
}; };
singularity = singularity =
@ -71,6 +77,14 @@ let
# on UNIX-like platforms, # on UNIX-like platforms,
# and only have --without-suid but not --with-suid. # and only have --without-suid but not --with-suid.
defaultToSuid = true; defaultToSuid = true;
sourceFilesWithDefaultPaths = {
"cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
"e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
"internal/pkg/util/env/clean.go" = [
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
];
};
}; };
genOverridenNixos = genOverridenNixos =
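Review bot: The new `sourceFilesWithDefaultPaths` entries pin upstream file paths together with the exact hard-coded FHS PATH literal, and nothing here records that they were checked against the pinned versions; because the consumer applies them with `--replace-fail` (visible in the generic builder hunk), any upstream drift becomes a build failure rather than a silently unpatched setuid starter, which is the right default but will surprise the next updater. I would add above each attrset: `# Upstream source files holding the hard-coded FHS defaultPath literal; re-verify on every version bump, the build fails (--replace-fail) if they drift.` The two orderings of the literal are repeated five times across both packages; one `let` binding per ordering (e.g. `fhsPathBinFirst` / `fhsPathLocalFirst`) would make a typo in a single copy visible instead of turning into a confusing substitution failure. Both the apptainer and singularity attrsets begin outside the hunks shown.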


@ -45,7 +45,7 @@ rec {
, diskSize ? 1024 , diskSize ? 1024
, runScript ? "#!${stdenv.shell}\nexec /bin/sh" , runScript ? "#!${stdenv.shell}\nexec /bin/sh"
, runAsRoot ? null , runAsRoot ? null
, memSize ? 512 , memSize ? 1024
, singularity ? defaultSingularity , singularity ? defaultSingularity
}: }:
let let
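Review bot: The `memSize` default is doubled from 512 to 1024 with no comment and no mention in the PR title, which is about defaultPath substitution, so a reader bisecting a VM-memory change will not find the reason here. I would add a one-line comment above the parameter stating why 512 no longer suffices (presumably the image build VM now runs out of memory, but that is not visible in this diff), e.g. `# MiB of RAM for the build VM; raised from 512 because <reason>, see #306716`. The enclosing `buildImage` function continues outside the hunk.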