# gVisor's `runsc` sandbox runtime, built with Bazel.
#
# buildBazelPackage runs two stages: it first fetches Bazel's external
# repositories into a snapshot whose hash is pinned by `fetchAttrs.sha256`,
# then builds `//runsc:runsc` against that snapshot. Anything in the snapshot
# that is not reproducible would shift that hash, which is why
# `fetchAttrs.preInstall` prunes the impure pieces before it is computed.
#
# `callPackage` and `protobuf` are accepted as arguments but not referenced
# in this file.
{ lib
, buildBazelPackage
, fetchFromGitHub
, callPackage
, bash
, cacert
, git
, glibcLocales
, go
, iproute2
, iptables
, makeWrapper
, procps
, protobuf
, python3
}:

let
  version = "20210518.0";

  # Tools the `runsc do` subcommand expects to find on PATH at run time.
  runtimeTools = [ iproute2 iptables procps ];

  # Workspace patching shared by both stages (each one `inherit`s it), so the
  # fetch and the build see an identically patched Bazel workspace.
  preBuild = ''
    patchShebangs .

    substituteInPlace tools/defs.bzl \
      --replace "#!/bin/bash" "#!${bash}/bin/bash"

    # Tell rules_go to use the Go binary found in the PATH
    sed -E -i \
      -e 's|go_version\s*=\s*"[^"]+"|go_version = "host"|g' \
      WORKSPACE

    # The gazelle Go tooling needs CA certs
    export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"

    # If we don't reset our GOPATH, the rules_go stdlib builder tries to
    # install something into it. Ideally that wouldn't happen, but for now we
    # can also get around it by unsetting GOPATH entirely, since rules_go
    # doesn't need it.
    export GOPATH=
  '';

  # A pinned rules_proto whose `protoc` target is re-pointed at the protobuf
  # repository, so protoc is always built from source inside the Bazel build
  # rather than resolved through upstream's own `protoc` target. The upstream
  # target is kept around under the name `_protoc_original`.
  rulesProto = fetchFromGitHub {
    owner = "bazelbuild";
    repo = "rules_proto";
    rev = "f7a30f6f80006b591fa7c437fe5a951eb10bcbcf";
    sha256 = "10bcw0ir0skk7h33lmqm38n9w4nfs24mwajnngkbs6jb5wsvkqv8";
    extraPostFetch = ''
      sed -i 's|name = "protoc"|name = "_protoc_original"|' $out/proto/private/BUILD.release
      cat <<EOF >>$out/proto/private/BUILD.release
      alias(name = "protoc", actual = "@com_github_protocolbuffers_protobuf//:protoc", visibility = ["//visibility:public"])
      EOF
    '';
  };
in
buildBazelPackage {
  name = "gvisor-${version}";
  inherit version;

  src = fetchFromGitHub {
    owner = "google";
    repo = "gvisor";
    rev = "release-${version}";
    sha256 = "15a6mlclnyfc9mx3bjksnnf4vla0xh0rv9kxdp34la4gw3c4hksn";
  };

  nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];

  bazelTarget = "//runsc:runsc";
  bazelFlags = [ "--override_repository=rules_proto=${rulesProto}" ];

  # gvisor depends on the Starlark rules_cc, not Bazel's built-in one, so it
  # has to stay in the fetched dependency set.
  removeRulesCC = false;

  # Stage 1: fetch external repositories. The output is pinned by `sha256`,
  # so everything below that varies between runs must be removed first.
  fetchAttrs = {
    inherit preBuild;

    preInstall = ''
      # Remove the go_sdk (it's just a copy of the go derivation) and all
      # references to it from the marker files. Bazel does not need to download
      # this sdk because we have patched the WORKSPACE file to point to the one
      # currently present in PATH. Without removing the go_sdk from the marker
      # file, the hash of it will change anytime the Go derivation changes and
      # that would lead to impurities in the marker files which would result in
      # a different sha256 for the fetch phase.
      rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}

      # Remove the gazelle tools, they contain go binaries that are built
      # non-deterministically. As long as the gazelle version matches the tools
      # should be equivalent.
      rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}

      # Remove the gazelle repository cache
      chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
      rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}

      # Remove log file(s)
      rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
    '';

    sha256 = "13pahppm431m198v5bffrzq5iw8m79riplbfqp0afh384ln669hb";
  };

  # Stage 2: build the runsc binary and install it with its runtime PATH.
  buildAttrs = {
    inherit preBuild;

    installPhase = ''
      install -Dm755 bazel-out/*/bin/runsc/runsc_/runsc $out/bin/runsc

      # Needed for the 'runsc do' subcomand
      wrapProgram $out/bin/runsc \
        --prefix PATH : ${lib.makeBinPath runtimeTools}
    '';
  };

  meta = {
    description = "Container Runtime Sandbox";
    homepage = "https://github.com/google/gvisor";
    license = lib.licenses.asl20;
    maintainers = [ lib.maintainers.andrew-d ];
    platforms = [ "x86_64-linux" ];
  };
}