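{
  lib,
  writeText,
  runCommand,
  writeClosure,
}:

{
  # Build an OCI runtime bundle: a store directory holding `config.json` and a
  # `rootfs/` populated with the Nix closure of `args`.
  #
  # args     - the container's process arguments; the same list is passed to
  #            `writeClosure`, so every element has to be a store path (or a
  #            derivation) whose runtime closure should end up in the rootfs.
  # mounts   - extra mounts keyed by destination, in the same shape as
  #            `sysMounts` below ({ type, source, options ? null }).  They are
  #            merged over the system mounts, so an entry for a destination that
  #            `sysMounts` already lists replaces the built-in one.
  # os, arch - written verbatim into the spec's `platform` field.
  # arch     - defaults to "x86_64"; not derived from the build platform.
  # readonly - value of `root.readonly` in the spec (default: writable rootfs).
  #
  # Security-relevant defaults visible in the generated config: the process
  # runs as uid 0 / gid 0, no `user` namespace is requested, and no
  # capabilities, seccomp or rlimits fields are emitted, so the runtime's own
  # defaults for those apply.  /sys and /sys/fs/cgroup are mounted read-only.
  buildContainer =
    {
      args,
      mounts ? { },
      os ? "linux",
      arch ? "x86_64",
      readonly ? false,
    }:
    let
      # Mounts every container gets, keyed by destination.  The option lists
      # carry the usual hardening flags (nosuid/noexec/nodev) where they apply.
      sysMounts = {
        "/proc" = {
          type = "proc";
          source = "proc";
        };
        "/dev" = {
          type = "tmpfs";
          source = "tmpfs";
          options = [
            "nosuid"
            "strictatime"
            "mode=755"
            "size=65536k"
          ];
        };
        "/dev/pts" = {
          type = "devpts";
          source = "devpts";
          options = [
            "nosuid"
            "noexec"
            "newinstance"
            "ptmxmode=0666"
            "mode=755"
            "gid=5"
          ];
        };
        "/dev/shm" = {
          type = "tmpfs";
          source = "shm";
          options = [
            "nosuid"
            "noexec"
            "nodev"
            "mode=1777"
            "size=65536k"
          ];
        };
        "/dev/mqueue" = {
          type = "mqueue";
          source = "mqueue";
          options = [
            "nosuid"
            "noexec"
            "nodev"
          ];
        };
        "/sys" = {
          type = "sysfs";
          source = "sysfs";
          options = [
            "nosuid"
            "noexec"
            "nodev"
            "ro"
          ];
        };
        "/sys/fs/cgroup" = {
          type = "cgroup";
          source = "cgroup";
          options = [
            "nosuid"
            "noexec"
            "nodev"
            "relatime"
            "ro"
          ];
        };
      };

      # Fix: the `mounts` argument was accepted but never read, so any mount a
      # caller supplied was silently dropped.  Caller entries win on a
      # duplicate destination.
      allMounts = sysMounts // mounts;

      # The OCI runtime spec, serialised with builtins.toJSON.
      config = writeText "config.json" (
        builtins.toJSON {
          ociVersion = "1.0.0";
          platform = {
            inherit os arch;
          };

          linux = {
            # Note the absence of a "user" namespace: uid 0 inside the
            # container is uid 0 of the host unless the runtime maps it.
            namespaces = map (type: { inherit type; }) [
              "pid"
              "network"
              "mount"
              "ipc"
              "uts"
            ];
          };

          root = {
            path = "rootfs";
            inherit readonly;
          };

          process = {
            inherit args;
            # Runs as root inside the container; no capability set is
            # specified here, so the runtime's default set applies.
            user = {
              uid = 0;
              gid = 0;
            };
            cwd = "/";
          };

          # Flatten the destination-keyed attrset into the spec's mount list.
          # A missing `options` is emitted as JSON null.
          mounts = lib.mapAttrsToList (
            destination:
            {
              type,
              source,
              options ? null,
            }:
            {
              inherit
                destination
                type
                source
                options
                ;
            }
          ) allMounts;
        }
      );
    in
    # Assemble the bundle.  `pipefail` makes a failing `tar c` (for example an
    # unreadable store path in the closure list) fail the build instead of
    # being masked by the extracting tar.  `tar c` strips the leading "/", so
    # the closure's /nix/store/... paths are recreated under $out/rootfs.
    # Only the /dev, /proc and /sys mountpoints are pre-created; mountpoints
    # for any additional `mounts` are presumably created by the runtime —
    # TODO confirm for the runtime in use.
    runCommand "join" { } ''
      set -o pipefail
      mkdir -p $out/rootfs/{dev,proc,sys}
      cp ${config} $out/config.json
      xargs tar c < ${writeClosure args} | tar -xC $out/rootfs/
    '';
}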