apptainer, singularity: format Nix expression with nixfmt

Make the Nix expressions generic.nix and packages.nix conform to Nix
RFC 166.

+229 -204
+147 -128
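--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -1,107 +1,111 @@
 # Configurations that should only be overrided by
 # overrideAttrs
-{ pname
-, version
-, src
-, projectName # "apptainer" or "singularity"
-, vendorHash ? null
-, deleteVendor ? false
-, proxyVendor ? false
-, extraConfigureFlags ? [ ]
-, extraDescription ? ""
-, extraMeta ? { }
+{
+pname,
+version,
+src,
+projectName, # "apptainer" or "singularity"
+vendorHash ? null,
+deleteVendor ? false,
+proxyVendor ? false,
+extraConfigureFlags ? [ ],
+extraDescription ? "",
+extraMeta ? { },
 }:
 
 let
 # Workaround for vendor-related attributes not overridable (#86349)
 # should be removed when the issue is resolved
 _defaultGoVendorArgs = {
-inherit
-vendorHash
-deleteVendor
-proxyVendor
-;
+inherit vendorHash deleteVendor proxyVendor;
 };
 in
-{ lib
-, buildGoModule
-, runCommandLocal
-, substituteAll
+{
+lib,
+buildGoModule,
+runCommandLocal,
+substituteAll,
 # Native build inputs
-, addDriverRunpath
-, makeWrapper
-, pkg-config
-, util-linux
-, which
+addDriverRunpath,
+makeWrapper,
+pkg-config,
+util-linux,
+which,
 # Build inputs
-, bash
-, callPackage
-, conmon
-, coreutils
-, cryptsetup
-, e2fsprogs
-, fakeroot
-, fuse2fs ? e2fsprogs.fuse2fs
-, go
-, gpgme
-, libseccomp
-, libuuid
+bash,
+callPackage,
+conmon,
+coreutils,
+cryptsetup,
+e2fsprogs,
+fakeroot,
+fuse2fs ? e2fsprogs.fuse2fs,
+go,
+gpgme,
+libseccomp,
+libuuid,
 # This is for nvidia-container-cli
-, nvidia-docker
-, openssl
-, squashfsTools
-, squashfuse
+nvidia-docker,
+openssl,
+squashfsTools,
+squashfuse,
 # Test dependencies
-, singularity-tools
-, cowsay
-, hello
+singularity-tools,
+cowsay,
+hello,
 # Overridable configurations
-, enableNvidiaContainerCli ? true
+enableNvidiaContainerCli ? true,
 # --nvccli currently requires extra privileges:
 # https://github.com/apptainer/apptainer/issues/1893#issuecomment-1881240800
-, forceNvcCli ? false
+forceNvcCli ? false,
 # Compile with seccomp support
 # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available.
-, enableSeccomp ? true
+enableSeccomp ? true,
 # Whether the configure script treat SUID support as default
 # When equal to enableSuid, it supress the --with-suid / --without-suid build flag
 # It can be set to `null` to always pass either --with-suid or --without-suided
 # Type: null or boolean
-, defaultToSuid ? true
+defaultToSuid ? true,
 # Whether to compile with SUID support
-, enableSuid ? false
-, starterSuidPath ? null
+enableSuid ? false,
+starterSuidPath ? null,
 # newuidmapPath and newgidmapPath are to support --fakeroot
 # where those SUID-ed executables are unavailable from the FHS system PATH.
 # Path to SUID-ed newuidmap executable
-, newuidmapPath ? null
+newuidmapPath ? null,
 # Path to SUID-ed newgidmap executable
-, newgidmapPath ? null
+newgidmapPath ? null,
 # External LOCALSTATEDIR
-, externalLocalStateDir ? null
+externalLocalStateDir ? null,
 # Remove the symlinks to `singularity*` when projectName != "singularity"
-, removeCompat ? false
+removeCompat ? false,
 # Workaround #86349
 # should be removed when the issue is resolved
-, vendorHash ? _defaultGoVendorArgs.vendorHash
-, deleteVendor ? _defaultGoVendorArgs.deleteVendor
-, proxyVendor ? _defaultGoVendorArgs.proxyVendor
+vendorHash ? _defaultGoVendorArgs.vendorHash,
+deleteVendor ? _defaultGoVendorArgs.deleteVendor,
+proxyVendor ? _defaultGoVendorArgs.proxyVendor,
 }:
 
 let
 defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
-privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else
-(runCommandLocal "privileged-un-utils" { } ''
-mkdir -p "$out/bin"
-ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
-ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
-'');
+privileged-un-utils =
+if ((newuidmapPath == null) && (newgidmapPath == null)) then
+null
+else
+(runCommandLocal "privileged-un-utils" { } ''
+mkdir -p "$out/bin"
+ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+'');
 in
 (buildGoModule {
 inherit pname version src;
 
 patches = lib.optionals (projectName == "apptainer") [
-(substituteAll { src = ./apptainer/0001-ldCache-patch-for-driverLink.patch; inherit (addDriverRunpath) driverLink; })
+(substituteAll {
+src = ./apptainer/0001-ldCache-patch-for-driverLink.patch;
+inherit (addDriverRunpath) driverLink;
+})
 ];
 
 # Override vendorHash with the output got from
@@ -146,21 +150,22 @@
 libuuid
 openssl
 squashfsTools # Required at build time by SingularityCE
-]
-++ lib.optional enableNvidiaContainerCli nvidia-docker
-++ lib.optional enableSeccomp libseccomp
-;
+] ++ lib.optional enableNvidiaContainerCli nvidia-docker ++ lib.optional enableSeccomp libseccomp;
 
 configureScript = "./mconfig";
 
-configureFlags = [
-"--localstatedir=${if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"}"
-"--runstatedir=/var/run"
-]
-++ lib.optional (!enableSeccomp) "--without-seccomp"
-++ lib.optional (enableSuid != defaultToSuid) (if enableSuid then "--with-suid" else "--without-suid")
-++ extraConfigureFlags
-;
+configureFlags =
+[
+"--localstatedir=${
+if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"
+}"
+"--runstatedir=/var/run"
+]
+++ lib.optional (!enableSeccomp) "--without-seccomp"
+++ lib.optional (enableSuid != defaultToSuid) (
+if enableSuid then "--with-suid" else "--without-suid"
+)
+++ extraConfigureFlags;
 
 # causes redefinition of _FORTIFY_SOURCE
 hardeningDisable = [ "fortify3" ];
@@ -177,9 +182,7 @@
 privileged-un-utils
 squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
 squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
-]
-++ lib.optional enableNvidiaContainerCli nvidia-docker
-;
+] ++ lib.optional enableNvidiaContainerCli nvidia-docker;
 
 postPatch = ''
 if [[ ! -e .git || ! -e VERSION ]]; then
@@ -249,70 +252,86 @@
 rm "$file"
 done
 ''}
-${lib.optionalString enableSuid (lib.warnIf (starterSuidPath == null) "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." ''
-chmod +x $out/libexec/${projectName}/bin/starter-suid
-'')}
+${lib.optionalString enableSuid (
+lib.warnIf (starterSuidPath == null)
+"${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial."
+''
+chmod +x $out/libexec/${projectName}/bin/starter-suid
+''
+)}
 ${lib.optionalString (enableSuid && (starterSuidPath != null)) ''
 mv "$out"/libexec/${projectName}/bin/starter-suid{,.orig}
 ln -s ${lib.escapeShellArg starterSuidPath} "$out/libexec/${projectName}/bin/starter-suid"
 ''}
 '';
 
-meta = with lib; {
-description = "Application containers for linux" + extraDescription;
-longDescription = ''
-Singularity (the upstream) renamed themselves to Apptainer
-to distinguish themselves from a fork made by Sylabs Inc.. See
+meta =
+with lib;
+{
+description = "Application containers for linux" + extraDescription;
+longDescription = ''
+Singularity (the upstream) renamed themselves to Apptainer
+to distinguish themselves from a fork made by Sylabs Inc.. See
 
-https://sylabs.io/2021/05/singularity-community-edition
-https://apptainer.org/news/community-announcement-20211130
-'';
-license = licenses.bsd3;
-platforms = platforms.linux;
-maintainers = with maintainers; [ jbedo ShamrockLee ];
-mainProgram = projectName;
-} // extraMeta;
-}).overrideAttrs (finalAttrs: prevAttrs: {
-passthru = prevAttrs.passthru or { } // {
-tests = {
-image-hello-cowsay = singularity-tools.buildImage {
-name = "hello-cowsay";
-contents = [ hello cowsay ];
-singularity = finalAttrs.finalPackage;
-};
-};
-gpuChecks = lib.optionalAttrs (projectName == "apptainer") {
-# Should be in tests, but Ofborg would skip image-hello-cowsay because
-# saxpy is unfree.
-image-saxpy = callPackage
-({ singularity-tools, cudaPackages }:
-singularity-tools.buildImage {
-name = "saxpy";
-contents = [ cudaPackages.saxpy ];
-memSize = 2048;
-diskSize = 2048;
+https://sylabs.io/2021/05/singularity-community-edition
+https://apptainer.org/news/community-announcement-20211130
+'';
+license = licenses.bsd3;
+platforms = platforms.linux;
+maintainers = with maintainers; [
+jbedo
+ShamrockLee
+];
+mainProgram = projectName;
+}
+// extraMeta;
+}).overrideAttrs
+(
+finalAttrs: prevAttrs: {
+passthru = prevAttrs.passthru or { } // {
+tests = {
+image-hello-cowsay = singularity-tools.buildImage {
+name = "hello-cowsay";
+contents = [
+hello
+cowsay
+];
 singularity = finalAttrs.finalPackage;
-})
-{ };
-saxpy =
-callPackage
-({ runCommand, writeShellScriptBin }:
+};
+};
+gpuChecks = lib.optionalAttrs (projectName == "apptainer") {
+# Should be in tests, but Ofborg would skip image-hello-cowsay because
+# saxpy is unfree.
+image-saxpy = callPackage (
+{ singularity-tools, cudaPackages }:
+singularity-tools.buildImage {
+name = "saxpy";
+contents = [ cudaPackages.saxpy ];
+memSize = 2048;
+diskSize = 2048;
+singularity = finalAttrs.finalPackage;
+}
+) { };
+saxpy = callPackage (
+{ runCommand, writeShellScriptBin }:
 let
-unwrapped = writeShellScriptBin "apptainer-cuda-saxpy"
-''
-${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy
-'';
+unwrapped = writeShellScriptBin "apptainer-cuda-saxpy" ''
+${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy
+'';
 in
 runCommand "run-apptainer-cuda-saxpy"
 {
 requiredSystemFeatures = [ "cuda" ];
 nativeBuildInputs = [ unwrapped ];
-passthru = { inherit unwrapped; };
+passthru = {
+inherit unwrapped;
+};
 }
 ''
 apptainer-cuda-saxpy
-'')
-{ };
-};
-};
-})
+''
+) { };
+};
+};
+}
+)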
+82 -76
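--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@@ -1,92 +1,98 @@
-{ callPackage
-, fetchFromGitHub
-, nixos
-, conmon
+{
+callPackage,
+fetchFromGitHub,
+nixos,
+conmon,
 }:
 let
-apptainer = callPackage
-(import ./generic.nix rec {
-pname = "apptainer";
-version = "1.3.1";
-projectName = "apptainer";
+apptainer =
+callPackage
+(import ./generic.nix rec {
+pname = "apptainer";
+version = "1.3.1";
+projectName = "apptainer";
 
-src = fetchFromGitHub {
-owner = "apptainer";
-repo = "apptainer";
-rev = "refs/tags/v${version}";
-hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY=";
-};
+src = fetchFromGitHub {
+owner = "apptainer";
+repo = "apptainer";
+rev = "refs/tags/v${version}";
+hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY=";
+};
 
-# Update by running
-# nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules"
-# at the root directory of the Nixpkgs repository
-vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0=";
+# Update by running
+# nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules"
+# at the root directory of the Nixpkgs repository
+vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0=";
 
-extraDescription = " (previously known as Singularity)";
-extraMeta.homepage = "https://apptainer.org";
-})
-{
-# Apptainer doesn't depend on conmon
-conmon = null;
+extraDescription = " (previously known as Singularity)";
+extraMeta.homepage = "https://apptainer.org";
+})
+{
+# Apptainer doesn't depend on conmon
+conmon = null;
 
-# Apptainer builders require explicit --with-suid / --without-suid flag
-# when building on a system with disabled unprivileged namespace.
-# See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
-defaultToSuid = null;
-};
+# Apptainer builders require explicit --with-suid / --without-suid flag
+# when building on a system with disabled unprivileged namespace.
+# See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
+defaultToSuid = null;
+};
 
-singularity = callPackage
-(import ./generic.nix rec {
-pname = "singularity-ce";
-version = "4.1.2";
-projectName = "singularity";
+singularity =
+callPackage
+(import ./generic.nix rec {
+pname = "singularity-ce";
+version = "4.1.2";
+projectName = "singularity";
 
-src = fetchFromGitHub {
-owner = "sylabs";
-repo = "singularity";
-rev = "refs/tags/v${version}";
-hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY=";
-};
+src = fetchFromGitHub {
+owner = "sylabs";
+repo = "singularity";
+rev = "refs/tags/v${version}";
+hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY=";
+};
 
-# Update by running
-# nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
-# at the root directory of the Nixpkgs repository
-vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw=";
+# Update by running
+# nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
+# at the root directory of the Nixpkgs repository
+vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw=";
 
-# Do not build conmon and squashfuse from the Git submodule sources,
-# Use Nixpkgs provided version
-extraConfigureFlags = [
-"--without-conmon"
-"--without-squashfuse"
-];
+# Do not build conmon and squashfuse from the Git submodule sources,
+# Use Nixpkgs provided version
+extraConfigureFlags = [
+"--without-conmon"
+"--without-squashfuse"
+];
 
-extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)";
-extraMeta.homepage = "https://sylabs.io/";
-})
-{
-# Sylabs SingularityCE builders defaults to set the SUID flag
-# on UNIX-like platforms,
-# and only have --without-suid but not --with-suid.
-defaultToSuid = true;
-};
+extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)";
+extraMeta.homepage = "https://sylabs.io/";
+})
+{
+# Sylabs SingularityCE builders defaults to set the SUID flag
+# on UNIX-like platforms,
+# and only have --without-suid but not --with-suid.
+defaultToSuid = true;
+};
 
-genOverridenNixos = package: packageName: (nixos {
-programs.singularity = {
-enable = true;
-inherit package;
-};
-}).config.programs.singularity.packageOverriden.overrideAttrs (oldAttrs: {
-meta = oldAttrs.meta // {
-description = "";
-longDescription = ''
-This package produces identical store derivations to `pkgs.${packageName}`
-overriden and installed by the NixOS module `programs.singularity`
-with default configuration.
+genOverridenNixos =
+package: packageName:
+(nixos {
+programs.singularity = {
+enable = true;
+inherit package;
+};
+}).config.programs.singularity.packageOverriden.overrideAttrs
+(oldAttrs: {
+meta = oldAttrs.meta // {
+description = "";
+longDescription = ''
+This package produces identical store derivations to `pkgs.${packageName}`
+overriden and installed by the NixOS module `programs.singularity`
+with default configuration.
 
-This is for binary substitutes only. Use pkgs.${packageName} instead.
-'';
-};
-});
+This is for binary substitutes only. Use pkgs.${packageName} instead.
+'';
+};
+});
 in
 {
 inherit apptainer singularity;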