gvisor: init at 2019-11-14

[andrew-d]

Motivation for this change

This is a revamp of #50218 after enough upstream changes that it's possible to build inside a Nix sandbox. This was requested in #39889, but there were some problems with Bazel at the time. I've managed to get this working with buildBazelPackage. At the end of the whole process, gvisor is runnable:

$ /nix/store/7k1c1jikms1pjimk8561x18xpj51dm5l-gvisor-2019-11-08/bin/runsc --help
Usage: runsc <flags> <subcommand> <subcommand args>

Subcommands:
	checkpoint       checkpoint current state of container (experimental)
	create           create a secure container
	delete           delete resources held by a container
	do               Simplistic way to execute a command inside the sandbox. It's to be used for testing only.
	events           display container events such as OOM notifications, cpu, memory, and IO usage statistics

(I also added the containerd shim as well, since it didn't feel worth another PR)

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc original reviewers @nlewo, @Profpatsch, and commenters @dtzWill, @benpye and @ghuntley

Closes #50218
Closes #39889

[Profpatsch]

Do you have sandboxing enabled in your local nix? The build fails, because it tries to download some repository dependencies. Most of the nix world has sandboxing enabled, which restricts network access to fixed-output derivations.

[andrew-d]

@Profpatsch - I do, yes. I think the problem is that the buildBazelPackage tools remove rules_cc, which is now an external dependency and then can't be downloaded. There's also some issues with rules_go and x/net/nettest that I'm trying to debug as well.

[andrew-d]

@Profpatsch - Okay, between #74013 and this PR, it's building successfully and reproducibly 🎉

[flokli]

Can you add a simple nixos vm test starting a container, so we can verify it works?

[andrew-d]

@flokli - Okay, added a test that exercises both the gvisor do subcommand and gvisor when it's being used as a Docker runtime. I hadn't previously tested the gvisor do subcommand, so I also added a patch to ensure that the path to ip/ipconfig/sysctl is absolute.

[andrew-d]

@Profpatsch / @flokli - Okay, rebased now that #74103 is merged. This should be ready to merge now, and tests pass locally.

[flokli]

For the sake of maintainability:

Could we just do a wrapProgram $out/bin/runsc --prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]} in installPhase, instead of patching the source code?

[andrew-d]

@flokli - Done! And confirmed that it works in the NixOS test as well.

[andrew-d]

I also just bumped to an actual tagged release of gvisor, since they tagged release-20191114.0 after I'd opened this PR.

[flokli]

Thanks!