
Merge pull request #306656 from ShamrockLee/apptainer-format

apptainer, singularity: format Nix expression according to Nix RFC 166

authored by

Someone and committed by
GitHub
5e05a5e3 a4abfa29

+263 -225
+20 -16
nixos/modules/programs/singularity.nix
··· 1 - { config, pkgs, lib, ... }: 1 + { 2 + config, 3 + pkgs, 4 + lib, 5 + ... 6 + }: 2 7 3 8 with lib; 4 9 let ··· 12 17 Whether to install Singularity/Apptainer with system-level overriding such as SUID support. 13 18 ''; 14 19 }; 15 - package = mkPackageOption pkgs "singularity" { 16 - example = "apptainer"; 17 - }; 20 + package = mkPackageOption pkgs "singularity" { example = "apptainer"; }; 18 21 packageOverriden = mkOption { 19 22 type = types.nullOr types.package; 20 23 default = null; ··· 75 78 }; 76 79 77 80 config = mkIf cfg.enable { 78 - programs.singularity.packageOverriden = (cfg.package.override ( 79 - optionalAttrs cfg.enableExternalLocalStateDir { 80 - externalLocalStateDir = "/var/lib"; 81 - } // optionalAttrs cfg.enableFakeroot { 82 - newuidmapPath = "/run/wrappers/bin/newuidmap"; 83 - newgidmapPath = "/run/wrappers/bin/newgidmap"; 84 - } // optionalAttrs cfg.enableSuid { 85 - enableSuid = true; 86 - starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; 87 - } 88 - )); 81 + programs.singularity.packageOverriden = ( 82 + cfg.package.override ( 83 + optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } 84 + // optionalAttrs cfg.enableFakeroot { 85 + newuidmapPath = "/run/wrappers/bin/newuidmap"; 86 + newgidmapPath = "/run/wrappers/bin/newgidmap"; 87 + } 88 + // optionalAttrs cfg.enableSuid { 89 + enableSuid = true; 90 + starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; 91 + } 92 + ) 93 + ); 89 94 environment.systemPackages = [ cfg.packageOverriden ]; 90 95 security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid { 91 96 setuid = true; ··· 97 102 "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -" 98 103 ]; 99 104 }; 100 - 101 105 }
+161 -136
pkgs/applications/virtualization/singularity/generic.nix
··· 1 1 # Configurations that should only be overrided by 2 2 # overrideAttrs 3 - { pname 4 - , version 5 - , src 6 - , projectName # "apptainer" or "singularity" 7 - , vendorHash ? null 8 - , deleteVendor ? false 9 - , proxyVendor ? false 10 - , extraConfigureFlags ? [ ] 11 - , extraDescription ? "" 12 - , extraMeta ? { } 3 + { 4 + pname, 5 + version, 6 + src, 7 + projectName, # "apptainer" or "singularity" 8 + vendorHash ? null, 9 + deleteVendor ? false, 10 + proxyVendor ? false, 11 + extraConfigureFlags ? [ ], 12 + extraDescription ? "", 13 + extraMeta ? { }, 13 14 }: 14 15 15 16 let 16 17 # Workaround for vendor-related attributes not overridable (#86349) 17 18 # should be removed when the issue is resolved 18 19 _defaultGoVendorArgs = { 19 - inherit 20 - vendorHash 21 - deleteVendor 22 - proxyVendor 23 - ; 20 + inherit vendorHash deleteVendor proxyVendor; 24 21 }; 25 22 in 26 - { lib 27 - , buildGoModule 28 - , runCommandLocal 23 + { 24 + lib, 25 + buildGoModule, 26 + runCommandLocal, 27 + substituteAll, 29 28 # Native build inputs 30 - , addDriverRunpath 31 - , makeWrapper 32 - , pkg-config 33 - , util-linux 34 - , which 29 + addDriverRunpath, 30 + makeWrapper, 31 + pkg-config, 32 + util-linux, 33 + which, 35 34 # Build inputs 36 - , bash 37 - , callPackage 38 - , conmon 39 - , coreutils 40 - , cryptsetup 41 - , e2fsprogs 42 - , fakeroot 43 - , fuse2fs ? e2fsprogs.fuse2fs 44 - , go 45 - , gpgme 46 - , libseccomp 47 - , libuuid 35 + bash, 36 + callPackage, 37 + conmon, 38 + coreutils, 39 + cryptsetup, 40 + e2fsprogs, 41 + fakeroot, 42 + fuse2fs ? 
e2fsprogs.fuse2fs, 43 + go, 44 + gpgme, 45 + libseccomp, 46 + libuuid, 48 47 # This is for nvidia-container-cli 49 - , nvidia-docker 50 - , openssl 51 - , squashfsTools 52 - , squashfuse 48 + nvidia-docker, 49 + openssl, 50 + squashfsTools, 51 + squashfuse, 53 52 # Test dependencies 54 - , singularity-tools 55 - , cowsay 56 - , hello 53 + singularity-tools, 54 + cowsay, 55 + hello, 57 56 # Overridable configurations 58 - , enableNvidiaContainerCli ? true 57 + enableNvidiaContainerCli ? true, 59 58 # --nvccli currently requires extra privileges: 60 59 # https://github.com/apptainer/apptainer/issues/1893#issuecomment-1881240800 61 - , forceNvcCli ? false 60 + forceNvcCli ? false, 62 61 # Compile with seccomp support 63 62 # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available. 64 - , enableSeccomp ? true 63 + enableSeccomp ? true, 65 64 # Whether the configure script treat SUID support as default 66 65 # When equal to enableSuid, it supress the --with-suid / --without-suid build flag 67 66 # It can be set to `null` to always pass either --with-suid or --without-suided 68 67 # Type: null or boolean 69 - , defaultToSuid ? true 68 + defaultToSuid ? true, 70 69 # Whether to compile with SUID support 71 - , enableSuid ? false 72 - , starterSuidPath ? null 73 - , substituteAll 70 + enableSuid ? false, 71 + starterSuidPath ? null, 74 72 # newuidmapPath and newgidmapPath are to support --fakeroot 75 73 # where those SUID-ed executables are unavailable from the FHS system PATH. 76 74 # Path to SUID-ed newuidmap executable 77 - , newuidmapPath ? null 75 + newuidmapPath ? null, 78 76 # Path to SUID-ed newgidmap executable 79 - , newgidmapPath ? null 77 + newgidmapPath ? null, 80 78 # External LOCALSTATEDIR 81 - , externalLocalStateDir ? null 79 + externalLocalStateDir ? null, 82 80 # Remove the symlinks to `singularity*` when projectName != "singularity" 83 - , removeCompat ? false 81 + removeCompat ? 
false, 84 82 # Workaround #86349 85 83 # should be removed when the issue is resolved 86 - , vendorHash ? _defaultGoVendorArgs.vendorHash 87 - , deleteVendor ? _defaultGoVendorArgs.deleteVendor 88 - , proxyVendor ? _defaultGoVendorArgs.proxyVendor 84 + vendorHash ? _defaultGoVendorArgs.vendorHash, 85 + deleteVendor ? _defaultGoVendorArgs.deleteVendor, 86 + proxyVendor ? _defaultGoVendorArgs.proxyVendor, 89 87 }: 90 88 91 89 let 92 90 defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"; 93 - privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else 94 - (runCommandLocal "privileged-un-utils" { } '' 95 - mkdir -p "$out/bin" 96 - ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" 97 - ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" 98 - ''); 91 + privileged-un-utils = 92 + if ((newuidmapPath == null) && (newgidmapPath == null)) then 93 + null 94 + else 95 + (runCommandLocal "privileged-un-utils" { } '' 96 + mkdir -p "$out/bin" 97 + ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" 98 + ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" 99 + ''); 99 100 in 100 101 (buildGoModule { 101 102 inherit pname version src; 102 103 103 104 patches = lib.optionals (projectName == "apptainer") [ 104 - (substituteAll { src = ./apptainer/0001-ldCache-patch-for-driverLink.patch; inherit (addDriverRunpath) driverLink; }) 105 + (substituteAll { 106 + src = ./apptainer/0001-ldCache-patch-for-driverLink.patch; 107 + inherit (addDriverRunpath) driverLink; 108 + }) 105 109 ]; 106 110 107 111 # Override vendorHash with the output got from ··· 138 142 # apptainer/apptainer: https://github.com/apptainer/apptainer/blob/main/dist/debian/control 139 143 # sylabs/singularity: https://github.com/sylabs/singularity/blob/main/debian/control 140 144 141 - buildInputs = [ 142 - bash # To patch /bin/sh shebangs. 
143 - conmon 144 - cryptsetup 145 - gpgme 146 - libuuid 147 - openssl 148 - squashfsTools # Required at build time by SingularityCE 149 - ] 150 - ++ lib.optional enableNvidiaContainerCli nvidia-docker 151 - ++ lib.optional enableSeccomp libseccomp 152 - ; 145 + buildInputs = 146 + [ 147 + bash # To patch /bin/sh shebangs. 148 + conmon 149 + cryptsetup 150 + gpgme 151 + libuuid 152 + openssl 153 + squashfsTools # Required at build time by SingularityCE 154 + ] 155 + # Optional dependencies. 156 + # Formatting: Optional dependencies are likely to increase. 157 + # Don't squash them into the same line. 158 + ++ lib.optional enableNvidiaContainerCli nvidia-docker 159 + ++ lib.optional enableSeccomp libseccomp; 153 160 154 161 configureScript = "./mconfig"; 155 162 156 - configureFlags = [ 157 - "--localstatedir=${if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"}" 158 - "--runstatedir=/var/run" 159 - ] 160 - ++ lib.optional (!enableSeccomp) "--without-seccomp" 161 - ++ lib.optional (enableSuid != defaultToSuid) (if enableSuid then "--with-suid" else "--without-suid") 162 - ++ extraConfigureFlags 163 - ; 163 + configureFlags = 164 + [ 165 + "--localstatedir=${ 166 + if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib" 167 + }" 168 + "--runstatedir=/var/run" 169 + ] 170 + ++ lib.optional (!enableSeccomp) "--without-seccomp" 171 + ++ lib.optional (enableSuid != defaultToSuid) ( 172 + if enableSuid then "--with-suid" else "--without-suid" 173 + ) 174 + ++ extraConfigureFlags; 164 175 165 176 # causes redefinition of _FORTIFY_SOURCE 166 177 hardeningDisable = [ "fortify3" ]; ··· 177 188 privileged-un-utils 178 189 squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image 179 190 squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges 180 - ] 181 - ++ lib.optional enableNvidiaContainerCli nvidia-docker 182 - ; 191 + ] ++ 
lib.optional enableNvidiaContainerCli nvidia-docker; 183 192 184 193 postPatch = '' 185 194 if [[ ! -e .git || ! -e VERSION ]]; then ··· 249 258 rm "$file" 250 259 done 251 260 ''} 252 - ${lib.optionalString enableSuid (lib.warnIf (starterSuidPath == null) "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." '' 253 - chmod +x $out/libexec/${projectName}/bin/starter-suid 254 - '')} 261 + ${lib.optionalString enableSuid ( 262 + lib.warnIf (starterSuidPath == null) 263 + "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." 264 + '' 265 + chmod +x $out/libexec/${projectName}/bin/starter-suid 266 + '' 267 + )} 255 268 ${lib.optionalString (enableSuid && (starterSuidPath != null)) '' 256 269 mv "$out"/libexec/${projectName}/bin/starter-suid{,.orig} 257 270 ln -s ${lib.escapeShellArg starterSuidPath} "$out/libexec/${projectName}/bin/starter-suid" 258 271 ''} 259 272 ''; 260 273 261 - meta = with lib; { 262 - description = "Application containers for linux" + extraDescription; 263 - longDescription = '' 264 - Singularity (the upstream) renamed themselves to Apptainer 265 - to distinguish themselves from a fork made by Sylabs Inc.. See 274 + meta = 275 + with lib; 276 + { 277 + description = "Application containers for linux" + extraDescription; 278 + longDescription = '' 279 + Singularity (the upstream) renamed themselves to Apptainer 280 + to distinguish themselves from a fork made by Sylabs Inc.. 
See 266 281 267 - https://sylabs.io/2021/05/singularity-community-edition 268 - https://apptainer.org/news/community-announcement-20211130 269 - ''; 270 - license = licenses.bsd3; 271 - platforms = platforms.linux; 272 - maintainers = with maintainers; [ jbedo ShamrockLee ]; 273 - mainProgram = projectName; 274 - } // extraMeta; 275 - }).overrideAttrs (finalAttrs: prevAttrs: { 276 - passthru = prevAttrs.passthru or { } // { 277 - tests = { 278 - image-hello-cowsay = singularity-tools.buildImage { 279 - name = "hello-cowsay"; 280 - contents = [ hello cowsay ]; 281 - singularity = finalAttrs.finalPackage; 282 - }; 283 - }; 284 - gpuChecks = lib.optionalAttrs (projectName == "apptainer") { 285 - # Should be in tests, but Ofborg would skip image-hello-cowsay because 286 - # saxpy is unfree. 287 - image-saxpy = callPackage 288 - ({ singularity-tools, cudaPackages }: 289 - singularity-tools.buildImage { 290 - name = "saxpy"; 291 - contents = [ cudaPackages.saxpy ]; 292 - memSize = 2048; 293 - diskSize = 2048; 282 + https://sylabs.io/2021/05/singularity-community-edition 283 + https://apptainer.org/news/community-announcement-20211130 284 + ''; 285 + license = licenses.bsd3; 286 + platforms = platforms.linux; 287 + maintainers = with maintainers; [ 288 + jbedo 289 + ShamrockLee 290 + ]; 291 + mainProgram = projectName; 292 + } 293 + // extraMeta; 294 + }).overrideAttrs 295 + ( 296 + finalAttrs: prevAttrs: { 297 + passthru = prevAttrs.passthru or { } // { 298 + tests = { 299 + image-hello-cowsay = singularity-tools.buildImage { 300 + name = "hello-cowsay"; 301 + contents = [ 302 + hello 303 + cowsay 304 + ]; 294 305 singularity = finalAttrs.finalPackage; 295 - }) 296 - { }; 297 - saxpy = 298 - callPackage 299 - ({ runCommand, writeShellScriptBin }: 306 + }; 307 + }; 308 + gpuChecks = lib.optionalAttrs (projectName == "apptainer") { 309 + # Should be in tests, but Ofborg would skip image-hello-cowsay because 310 + # saxpy is unfree. 
311 + image-saxpy = callPackage ( 312 + { singularity-tools, cudaPackages }: 313 + singularity-tools.buildImage { 314 + name = "saxpy"; 315 + contents = [ cudaPackages.saxpy ]; 316 + memSize = 2048; 317 + diskSize = 2048; 318 + singularity = finalAttrs.finalPackage; 319 + } 320 + ) { }; 321 + saxpy = callPackage ( 322 + { runCommand, writeShellScriptBin }: 300 323 let 301 - unwrapped = writeShellScriptBin "apptainer-cuda-saxpy" 302 - '' 303 - ${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy 304 - ''; 324 + unwrapped = writeShellScriptBin "apptainer-cuda-saxpy" '' 325 + ${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy 326 + ''; 305 327 in 306 328 runCommand "run-apptainer-cuda-saxpy" 307 329 { 308 330 requiredSystemFeatures = [ "cuda" ]; 309 331 nativeBuildInputs = [ unwrapped ]; 310 - passthru = { inherit unwrapped; }; 332 + passthru = { 333 + inherit unwrapped; 334 + }; 311 335 } 312 336 '' 313 337 apptainer-cuda-saxpy 314 - '') 315 - { }; 316 - }; 317 - }; 318 - }) 338 + '' 339 + ) { }; 340 + }; 341 + }; 342 + } 343 + )
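Review bot: The reformatted `privileged-un-utils` binding (new lines 91–99) still short-circuits only when both `newuidmapPath` and `newgidmapPath` are null, while the `else` branch symlinks both unconditionally, so a caller that overrides just one of them gets `lib.escapeShellArg null` (which appears to stringify to `''`) and a build-time `ln -s '' "$out/bin/..."` failure instead of a clear evaluation error. The NixOS module in this same commit always sets the two paths together under `enableFakeroot`, so only direct `override` callers are exposed, but since these lines are being rewritten anyway the contract should be made explicit. Either guard each link, e.g. `${lib.optionalString (newuidmapPath != null) ''ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"''}` (and likewise for newgidmap), or put `assert (newuidmapPath == null) == (newgidmapPath == null);` ahead of the `let` with a one-line comment stating that the two SUID-ed helpers must be supplied together. The enclosing `buildGoModule` call continues beyond the visible hunk lines.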
+82 -73
pkgs/applications/virtualization/singularity/packages.nix
··· 1 - { callPackage 2 - , fetchFromGitHub 3 - , nixos 4 - , conmon 1 + { 2 + callPackage, 3 + fetchFromGitHub, 4 + nixos, 5 + conmon, 5 6 }: 6 7 let 7 - apptainer = callPackage 8 - (import ./generic.nix rec { 9 - pname = "apptainer"; 10 - version = "1.3.1"; 11 - projectName = "apptainer"; 8 + apptainer = 9 + callPackage 10 + (import ./generic.nix rec { 11 + pname = "apptainer"; 12 + version = "1.3.1"; 13 + projectName = "apptainer"; 12 14 13 - src = fetchFromGitHub { 14 - owner = "apptainer"; 15 - repo = "apptainer"; 16 - rev = "refs/tags/v${version}"; 17 - hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY="; 18 - }; 15 + src = fetchFromGitHub { 16 + owner = "apptainer"; 17 + repo = "apptainer"; 18 + rev = "refs/tags/v${version}"; 19 + hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY="; 20 + }; 19 21 20 - # Update by running 21 - # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules" 22 - # at the root directory of the Nixpkgs repository 23 - vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0="; 22 + # Update by running 23 + # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules" 24 + # at the root directory of the Nixpkgs repository 25 + vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0="; 24 26 25 - extraDescription = " (previously known as Singularity)"; 26 - extraMeta.homepage = "https://apptainer.org"; 27 - }) 28 - { 29 - # Apptainer doesn't depend on conmon 30 - conmon = null; 27 + extraDescription = " (previously known as Singularity)"; 28 + extraMeta.homepage = "https://apptainer.org"; 29 + }) 30 + { 31 + # Apptainer doesn't depend on conmon 32 + conmon = null; 31 33 32 - # Apptainer builders require explicit --with-suid / --without-suid flag 33 - # when building on a system with disabled unprivileged namespace. 
34 - # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601 35 - defaultToSuid = null; 36 - }; 34 + # Apptainer builders require explicit --with-suid / --without-suid flag 35 + # when building on a system with disabled unprivileged namespace. 36 + # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601 37 + defaultToSuid = null; 38 + }; 37 39 38 - singularity = callPackage 39 - (import ./generic.nix rec { 40 - pname = "singularity-ce"; 41 - version = "4.1.2"; 42 - projectName = "singularity"; 40 + singularity = 41 + callPackage 42 + (import ./generic.nix rec { 43 + pname = "singularity-ce"; 44 + version = "4.1.2"; 45 + projectName = "singularity"; 43 46 44 - src = fetchFromGitHub { 45 - owner = "sylabs"; 46 - repo = "singularity"; 47 - rev = "refs/tags/v${version}"; 48 - hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY="; 49 - }; 47 + src = fetchFromGitHub { 48 + owner = "sylabs"; 49 + repo = "singularity"; 50 + rev = "refs/tags/v${version}"; 51 + hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY="; 52 + }; 50 53 51 - # Update by running 52 - # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules" 53 - # at the root directory of the Nixpkgs repository 54 - vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw="; 54 + # Update by running 55 + # nix-prefetch -E "{ sha256 }: ((import ./. 
{ }).singularity.override { vendorHash = sha256; }).goModules" 56 + # at the root directory of the Nixpkgs repository 57 + vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw="; 55 58 56 - # Do not build conmon and squashfuse from the Git submodule sources, 57 - # Use Nixpkgs provided version 58 - extraConfigureFlags = [ 59 - "--without-conmon" 60 - "--without-squashfuse" 61 - ]; 59 + # Do not build conmon and squashfuse from the Git submodule sources, 60 + # Use Nixpkgs provided version 61 + extraConfigureFlags = [ 62 + "--without-conmon" 63 + "--without-squashfuse" 64 + ]; 62 65 63 - extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)"; 64 - extraMeta.homepage = "https://sylabs.io/"; 65 - }) 66 - { 67 - defaultToSuid = true; 68 - }; 66 + extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)"; 67 + extraMeta.homepage = "https://sylabs.io/"; 68 + }) 69 + { 70 + # Sylabs SingularityCE builders defaults to set the SUID flag 71 + # on UNIX-like platforms, 72 + # and only have --without-suid but not --with-suid. 73 + defaultToSuid = true; 74 + }; 69 75 70 - genOverridenNixos = package: packageName: (nixos { 71 - programs.singularity = { 72 - enable = true; 73 - inherit package; 74 - }; 75 - }).config.programs.singularity.packageOverriden.overrideAttrs (oldAttrs: { 76 - meta = oldAttrs.meta // { 77 - description = ""; 78 - longDescription = '' 79 - This package produces identical store derivations to `pkgs.${packageName}` 80 - overriden and installed by the NixOS module `programs.singularity` 81 - with default configuration. 
76 + genOverridenNixos = 77 + package: packageName: 78 + (nixos { 79 + programs.singularity = { 80 + enable = true; 81 + inherit package; 82 + }; 83 + }).config.programs.singularity.packageOverriden.overrideAttrs 84 + (oldAttrs: { 85 + meta = oldAttrs.meta // { 86 + description = ""; 87 + longDescription = '' 88 + This package produces identical store derivations to `pkgs.${packageName}` 89 + overriden and installed by the NixOS module `programs.singularity` 90 + with default configuration. 82 91 83 - This is for binary substitutes only. Use pkgs.${packageName} instead. 84 - ''; 85 - }; 86 - }); 92 + This is for binary substitutes only. Use pkgs.${packageName} instead. 93 + ''; 94 + }; 95 + }); 87 96 in 88 97 { 89 98 inherit apptainer singularity;