pkgs/development/misc/resholve/README.md at devShellTools-shell · tjh.dev/nixpkgs

tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
nixpkgs / pkgs / development / misc / resholve / README.md
at devShellTools-shell 12 kB view raw view rendered
  1# Using resholve's Nix API
  2resholve replaces bare references (subject to a PATH search at runtime) to external commands and scripts with absolute paths.
  3
  4This small super-power helps ensure script dependencies are declared, present, and don't unexpectedly shift when the PATH changes.
  5
  6resholve is developed to enable the Nix package manager to package and integrate Shell projects, but its features are not Nix-specific and inevitably have other applications.
  7
  8<!-- generated from resholve's repo; best to suggest edits there (or at least notify me) -->
  9
 10This will hopefully make its way into the Nixpkgs manual soon, but
 11until then I'll outline how to use the functions:
 12- `resholve.mkDerivation` (formerly `resholvePackage`)
 13- `resholve.writeScript` (formerly `resholveScript`)
 14- `resholve.writeScriptBin` (formerly `resholveScriptBin`)
 15- `resholve.phraseSolution` (new in resholve 0.8.0)
 16
 17> Fair warning: resholve does *not* aspire to resolving all valid Shell
 18> scripts. It depends on the OSH/Oil parser, which aims to support most (but
 19> not all) Bash. resholve aims to be a ~90% sort of solution.
 20
 21## API Concepts
 22
 23The main difference between `resholve.mkDerivation` and other builder functions
 24is the `solutions` attrset, which describes which scripts to resolve and how.
 25Each "solution" (k=v pair) in this attrset describes one resholve invocation.
 26
 27> NOTE: For most shell packages, one invocation will probably be enough:
 28> - Packages with a single script will only need one solution.
 29> - Packages with multiple scripts can still use one solution if the scripts
 30>   don't require conflicting directives.
 31> - Packages with scripts that require conflicting directives can use multiple
 32>   solutions to resolve the scripts separately, but produce a single package.
 33
 34`resholve.writeScript` and `resholve.writeScriptBin` support a _single_
 35`solution` attrset. This is basically the same as any single solution in `resholve.mkDerivation`, except that it doesn't need a `scripts` attr (it is automatically added). `resholve.phraseSolution` also only accepts a single solution--but it _does_ still require the `scripts` attr.
 36
 37## Basic `resholve.mkDerivation` Example
 38
 39Here's a simple example of how `resholve.mkDerivation` is already used in nixpkgs:
 40
 41<!-- TODO: figure out how to pull this externally? -->
 42
 43```nix
 44{
 45  bash,
 46  coreutils,
 47  gnused,
 48  goss,
 49  lib,
 50  resholve,
 51  which,
 52}:
 53
 54resholve.mkDerivation rec {
 55  pname = "dgoss";
 56  version = goss.version;
 57  src = goss.src;
 58
 59  dontConfigure = true;
 60  dontBuild = true;
 61
 62  installPhase = ''
 63    sed -i '2i GOSS_PATH=${goss}/bin/goss' extras/dgoss/dgoss
 64    install -D extras/dgoss/dgoss $out/bin/dgoss
 65  '';
 66
 67  solutions = {
 68    default = {
 69      scripts = [ "bin/dgoss" ];
 70      interpreter = "${bash}/bin/bash";
 71      inputs = [
 72        coreutils
 73        gnused
 74        which
 75      ];
 76      keep = {
 77        "$CONTAINER_RUNTIME" = true;
 78      };
 79    };
 80  };
 81
 82  meta = {
 83    homepage = "https://github.com/goss-org/goss/blob/v${version}/extras/dgoss/README.md";
 84    changelog = "https://github.com/goss-org/goss/releases/tag/v${version}";
 85    description = "Convenience wrapper around goss that aims to bring the simplicity of goss to docker containers";
 86    license = lib.licenses.asl20;
 87    platforms = lib.platforms.linux;
 88    maintainers = with lib.maintainers; [
 89      hyzual
 90      anthonyroussel
 91    ];
 92    mainProgram = "dgoss";
 93  };
 94}
 95```
 96
 97
 98## Basic `resholve.writeScript` and `resholve.writeScriptBin` examples
 99
100Both of these functions have the same basic API. The examples are a little
101trivial, so I'll also link to some real-world examples:
102- [shell.nix from abathur/tdverpy](https://github.com/abathur/tdverpy/blob/e1f956df3ed1c7097a5164e0c85b178772e277f5/shell.nix#L6-L13)
103
104```nix
105{
106  resholvedScript =
107    resholve.writeScript "name"
108      {
109        inputs = [ file ];
110        interpreter = "${bash}/bin/bash";
111      }
112      ''
113        echo "Hello"
114        file .
115      '';
116  resholvedScriptBin =
117    resholve.writeScriptBin "name"
118      {
119        inputs = [ file ];
120        interpreter = "${bash}/bin/bash";
121      }
122      ''
123        echo "Hello"
124        file .
125      '';
126}
127```
128
129
130## Basic `resholve.phraseSolution` example
131
132This function has a similar API to `writeScript` and `writeScriptBin`, except it does require a `scripts` attr. It is intended to make resholve a little easier to mix into more types of build. This example is a little
133trivial for now. If you have a real usage that you find helpful, please PR it.
134
135```nix
136{
137  stdenv,
138  resholve,
139  module1,
140}:
141
142stdenv.mkDerivation {
143  # pname = "testmod3";
144  # version = "unreleased";
145  # src = ...;
146
147  installPhase = ''
148    mkdir -p $out/bin
149    install conjure.sh $out/bin/conjure.sh
150    ${resholve.phraseSolution "conjure" {
151      scripts = [ "bin/conjure.sh" ];
152      interpreter = "${bash}/bin/bash";
153      inputs = [ module1 ];
154      fake = {
155        external = [
156          "jq"
157          "openssl"
158        ];
159      };
160    }}
161  '';
162}
163```
164
165
166## Options
167
168`resholve.mkDerivation` maps Nix types/idioms into the flags and environment variables
169that the `resholve` CLI expects. Here's an overview:
170
171| Option | Type | Containing |
172|--------|------|------------|
173| scripts | `<list>` | scripts to resolve (`$out`-relative paths) |
174| interpreter | `"none"` `<path>` | The absolute interpreter `<path>` for the script's shebang. The special value `none` ensures there is no shebang. |
175| inputs | `<packages>` `<paths>` | A list of packages and string paths to directories/files to resolve external dependencies from. |
176| fake | `<directives>` | pretend some commands exist |
177| fix | `<directives>` | fix things we can't auto-fix/ignore |
178| keep | `<directives>` | keep things we can't auto-fix/ignore |
179| lore | `<directory>` | control nested resolution |
180| execer | `<statements>` | modify nested resolution |
181| wrapper | `<statements>` | modify nested resolution |
182| prologue | `<file>` | insert file before resolved script |
183| epilogue | `<file>` | insert file after resolved script |
184
185<!-- TODO: section below is largely custom for nixpkgs, but I would LIKE to wurst it. -->
186
187## Controlling resolution with directives
188
189In order to resolve a script, resholve will make you disambiguate how it should
190handle any potential problems it encounters with directives. There are currently
1913 types:
1921. `fake` directives tell resholve to pretend it knows about an identifier
193   such as a function, builtin, external command, etc. if there's a good reason
194   it doesn't already know about it. Common examples:
195   - builtins for a non-bash shell
196   - loadable builtins
197   - platform-specific external commands in cross-platform conditionals
1982. `fix` directives give resholve permission to fix something that it can't
199   safely fix automatically. Common examples:
200   - resolving commands in aliases (this is appropriate for standalone scripts
201     that use aliases non-interactively--but it would prevent profile/rc
202     scripts from using the latest current-system symlinks.)
203   - resolve commands in a variable definition
204   - resolve an absolute command path from inputs as if it were a bare reference
205   - force resholve to resolve known security wrappers
2063. `keep` directives tell resholve not to raise an error (i.e., ignore)
207   something it would usually object to. Common examples:
208   - variables used as/within the first word of a command
209   - pre-existing absolute or user-relative (~) command paths
210   - dynamic (variable) arguments to commands known to accept/run other commands
211
212> NOTE: resholve has a (growing) number of directives detailed in `man resholve`
213> via `nixpkgs.resholve` (though protections against run-time use of python2 in nixpkgs mean you'll have to set `NIXPKGS_ALLOW_INSECURE=1` to pull resholve into nix-shell).
214
215Each of these 3 types is represented by its own attrset, where you can think
216of the key as a scope. The value should be:
217- `true` for any directives that the resholve CLI accepts as a single word
218- a list of strings for all other options
219<!--
220TODO: these should be fully-documented here, but I'm already maintaining
221more copies of their specification/behavior than I like, and continuing to
222add more at this early date will only ensure that I spend more time updating
223docs and less time filling in feature gaps.
224
225Full documentation may be greatly accelerated if someone can help me sort out
226single-sourcing. See: https://github.com/abathur/resholve/issues/19
227-->
228
229This will hopefully make more sense when you see it. Here are CLI examples
230from the manpage, and the Nix equivalents:
231
232```nix
233{
234  # --fake 'f:setUp;tearDown builtin:setopt source:/etc/bashrc'
235  fake = {
236    # fake accepts the initial of valid identifier types as a CLI convenience.
237    # Use full names in the Nix API.
238    function = [
239      "setUp"
240      "tearDown"
241    ];
242    builtin = [ "setopt" ];
243    source = [ "/etc/bashrc" ];
244  };
245
246  # --fix 'aliases $GIT:gix /bin/bash'
247  fix = {
248    # all single-word directives use `true` as value
249    aliases = true;
250    "$GIT" = [ "gix" ];
251    "/bin/bash" = true;
252  };
253
254  # --keep 'source:$HOME /etc/bashrc ~/.bashrc'
255  keep = {
256    source = [ "$HOME" ];
257    "/etc/bashrc" = true;
258    "~/.bashrc" = true;
259  };
260}
261```
262
263
264> **Note:** For now, at least, you'll need to reference the manpage to completely understand these examples.
265
266## Controlling nested resolution with lore
267
268Initially, resolution of commands in the arguments to command-executing
269commands was limited to one level for a hard-coded list of builtins and
270external commands. resholve can now resolve these recursively.
271
272This feature combines information (_lore_) that the resholve Nix API
273obtains via binlore ([nixpkgs](../../tools/analysis/binlore), [repo](https://github.com/abathur/resholve)),
274with some rules (internal to resholve) for locating sub-executions in
275some of the more common commands.
276
277- "execer" lore identifies whether an executable can, cannot,
278  or might execute its arguments. Every "can" or "might" verdict requires:
279  - an update to the matching rules in [binlore](https://github.com/abathur/binlore)
280    if there's absolutely no exec in the executable and binlore just lacks
281    rules for understanding this
282  - an override in [binlore](https://github.com/abathur/binlore) if there is
283    exec but it isn't actually under user control
284  - a parser in [resholve](https://github.com/abathur/resholve) capable of
285    isolating the exec'd words if the command does have exec under user
286    control
287  - overriding the execer lore for the executable if manual triage indicates
288    that all of the invocations in the current package don't include any
289    commands that the executable would exec
290  - if manual triage turns up any commands that would be exec'd, use some
291    non-resholve tool to patch/substitute/replace them before or after you
292    run resholve on them (if before, you may need to also add keep directives
293    for these absolute paths)
294
295- "wrapper" lore maps shell exec wrappers to the programs they exec so
296  that resholve can substitute an executable's verdict for its wrapper's.
297
298> **Caution:** At least when it comes to common utilities, it's best to treat
299> overrides as a stopgap until they can be properly handled in resholve and/or
300> binlore. Please report things you have to override and, if possible, help
301> get them sorted.
302
303There will be more mechanisms for controlling this process in the future
304(and your reports/experiences will play a role in shaping them...) For now,
305the main lever is the ability to substitute your own lore. This is how you'd
306do it piecemeal:
307
308```nix
309{
310  # --execer 'cannot:${openssl.bin}/bin/openssl can:${openssl.bin}/bin/c_rehash'
311  execer = [
312    /*
313      This is the same verdict binlore will
314      come up with. It's a no-op just to demo
315      how to fiddle lore via the Nix API.
316    */
317    "cannot:${openssl.bin}/bin/openssl"
318    # different verdict, but not used
319    "can:${openssl.bin}/bin/c_rehash"
320  ];
321
322  # --wrapper '${gnugrep}/bin/egrep:${gnugrep}/bin/grep'
323  wrapper = [
324    /*
325      This is the same verdict binlore will
326      come up with. It's a no-op just to demo
327      how to fiddle lore via the Nix API.
328    */
329    "${gnugrep}/bin/egrep:${gnugrep}/bin/grep"
330  ];
331}
332```
333
334
335The format is fairly simple to generate--you can script your own generator if
336you need to modify the lore.