1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
Expand Up @@ -103,6 +103,7 @@ in
grafana = handleTest ./grafana.nix {};
graphite = handleTest ./graphite.nix {};
graylog = handleTest ./graylog.nix {};
gvisor = handleTest ./gvisor.nix {};
hadoop.hdfs = handleTestOn [ "x86_64-linux" ] ./hadoop/hdfs.nix {};
hadoop.yarn = handleTestOn [ "x86_64-linux" ] ./hadoop/yarn.nix {};
handbrake = handleTestOn ["x86_64-linux"] ./handbrake.nix {};
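--- a/nixos/tests/gvisor.nix
+++ b/nixos/tests/gvisor.nix
@@ -0,0 +1,49 @@
+# This test runs a container through gvisor and checks if simple container starts
+
+import ./make-test-python.nix ({ pkgs, ...} : {
+name = "gvisor";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ andrew-d ];
+};
+
+nodes = {
+gvisor =
+{ pkgs, ... }:
+{
+virtualisation.docker = {
+enable = true;
+extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc";
+};
+
+networking = {
+dhcpcd.enable = false;
+defaultGateway = "192.168.1.1";
+interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+{ address = "192.168.1.2"; prefixLength = 24; }
+];
+};
+};
+};
+
+testScript = ''
+start_all()
+
+gvisor.wait_for_unit("network.target")
+gvisor.wait_for_unit("sockets.target")
+
+# Start by verifying that gvisor itself works
+output = gvisor.succeed(
+"${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world"
+)
+assert output.strip() == "hello world"
+
+# Also test the Docker runtime
+gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
+gvisor.succeed(
+"docker run -d --name=sleeping --runtime=runsc -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+)
+gvisor.succeed("docker ps | grep sleeping")
+gvisor.succeed("docker stop sleeping")
+'';
+})
+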
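Review bot: The Docker half of the test never ties the running container to gVisor; `docker ps | grep sleeping` only shows that a container with that name exists, and the `--runtime=runsc` option is verified only to the extent that `docker run` did not fail. I would add `gvisor.succeed("docker inspect -f '{{.HostConfig.Runtime}}' sleeping | grep -x runsc")` before the `docker stop` so the test fails if the runtime registration in `extraOptions` ever stops taking effect. The `docker ps` check is also timing-sensitive, since the container exits on its own after `sleep 10`; a longer sleep (or `docker inspect` on the state) would make that step less fragile. The header comment could be made precise, e.g. `# Runs a command under runsc directly and starts a Docker container with the runsc runtime`, and the file appears to end with an extra blank line, which nixpkgs style checks usually flag.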
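--- a/pkgs/applications/virtualization/gvisor/containerd-shim.nix
+++ b/pkgs/applications/virtualization/gvisor/containerd-shim.nix
@@ -0,0 +1,36 @@
+{ lib, fetchFromGitHub, buildGoModule, go-bindata }:
+
+buildGoModule rec {
+name = "gvisor-containerd-shim-${version}";
+version = "2019-10-09";
+
+src = fetchFromGitHub {
+owner = "google";
+repo = "gvisor-containerd-shim";
+rev = "f299b553afdd8455a0057862004061ea12e660f5";
+sha256 = "077bhrmjrpcxv1z020yxhx2c4asn66j21gxlpa6hz0av3lfck9lm";
+};
+
+modSha256 = "1jdhgbrn59ahnabwnig99i21f6kimmqx9f3dg10ffwfs3dx0gzlg";
+
+buildPhase = ''
+make
+'';
+
+doCheck = true;
+checkPhase = ''
+make test
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = with lib; {
+description = "containerd shim for gVisor";
+homepage = https://github.com/google/gvisor-containerd-shim;
+license = licenses.asl20;
+maintainers = with maintainers; [ andrew-d ];
+platforms = [ "x86_64-linux" ];
+};
+}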
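Review bot: `go-bindata` is taken as an argument on the first line but is never referenced in the derivation (it is not in `nativeBuildInputs` and appears nowhere else in the file), so it should either be dropped or added to the build inputs if the Makefile actually needs it. `name = "gvisor-containerd-shim-${version}"` should be split into `pname = "gvisor-containerd-shim";` plus `version`, and since this pins an arbitrary commit rather than a release the nixpkgs convention is `version = "unstable-2019-10-09";`. The unquoted URL literal in `homepage` should be a quoted string, `homepage = "https://github.com/google/gvisor-containerd-shim";`. The same `name`/`pname` and `homepage` points apply to `pkgs/applications/virtualization/gvisor/default.nix` in this PR.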
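--- a/pkgs/applications/virtualization/gvisor/default.nix
+++ b/pkgs/applications/virtualization/gvisor/default.nix
@@ -0,0 +1,101 @@
+{ stdenv
+, buildBazelPackage
+, fetchFromGitHub
+, cacert
+, git
+, glibcLocales
+, go
+, iproute
+, iptables
+, makeWrapper
+, procps
+, python3
+}:
+
+let
+preBuild = ''
+patchShebangs .
+
+# Tell rules_go to use the Go binary found in the PATH
+sed -E -i \
+-e 's|go_version\s*=\s*"[^"]+",|go_version = "host",|g' \
+WORKSPACE
+
+# The gazelle Go tooling needs CA certs
+export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+
+# If we don't reset our GOPATH, the rules_go stdlib builder tries to
+# install something into it. Ideally that wouldn't happen, but for now we
+# can also get around it by unsetting GOPATH entirely, since rules_go
+# doesn't need it.
+export GOPATH=
+'';
+
+in buildBazelPackage rec {
+name = "gvisor-${version}";
+version = "2019-11-14";
+
+src = fetchFromGitHub {
+owner = "google";
+repo = "gvisor";
+rev = "release-20191114.0";
+sha256 = "0kyixjjlws9iz2r2srgpdd4rrq94vpxkmh2rmmzxd9mcqy2i9bg1";
+};
+
+nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];
+
+bazelTarget = "//runsc:runsc";
+
+# gvisor uses the Starlark implementation of rules_cc, not the built-in one,
+# so we shouldn't delete it from our dependencies.
+removeRulesCC = false;
+
+fetchAttrs = {
+inherit preBuild;
+
+preInstall = ''
+# Remove the go_sdk (it's just a copy of the go derivation) and all
+# references to it from the marker files. Bazel does not need to download
+# this sdk because we have patched the WORKSPACE file to point to the one
+# currently present in PATH. Without removing the go_sdk from the marker
+# file, the hash of it will change anytime the Go derivation changes and
+# that would lead to impurities in the marker files which would result in
+# a different sha256 for the fetch phase.
+rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}
+
+# Remove the gazelle tools, they contain go binaries that are built
+# non-deterministically. As long as the gazelle version matches the tools
+# should be equivalent.
+rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}
+
+# Remove the gazelle repository cache
+chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
+rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}
+
+# Remove log file(s)
+rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
+'';
+
+sha256 = "122qk6iv8hd7g2a84y9aqqhij4r0m47vpxzbqhhh6k5livc73qd6";
+};
+
+buildAttrs = {
+inherit preBuild;
+
+installPhase = ''
+install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc
+
+# Needed for the 'runsc do' subcomand
+wrapProgram $out/bin/runsc \
+--prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
+'';
+};
+
+meta = with stdenv.lib; {
+description = "Container Runtime Sandbox";
+homepage = https://github.com/google/gvisor;
+license = licenses.asl20;
+maintainers = with maintainers; [ andrew-d ];
+platforms = [ "x86_64-linux" ];
+};
+}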
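Review bot: `version = "2019-11-14"` is a date while `rev = "release-20191114.0"` is an upstream release tag, so the package version can follow the tag and derive the rev from it, `version = "20191114.0";` and `rev = "release-${version}";`, which keeps the two from drifting apart on the next bump. The comment above `wrapProgram` has a typo and understates the scope: it should read `# iproute/iptables/procps are needed on PATH by 'runsc do' (and presumably by runsc as a Docker runtime, which sets up sandbox networking itself)`, with the Docker part confirmed rather than assumed. `install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc` relies on the glob matching exactly one directory; if a future Bazel layout yields several, `install` will fail in a confusing way, so a short comment naming the expected directory would help the next maintainer.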
4 changes: 4 additions & 0 deletions pkgs/top-level/all-packages.nix
Expand Up @@ -19221,6 +19221,10 @@ in

gv = callPackage ../applications/misc/gv { };

gvisor = callPackage ../applications/virtualization/gvisor { };

gvisor-containerd-shim = callPackage ../applications/virtualization/gvisor/containerd-shim.nix { };

guvcview = callPackage ../os-specific/linux/guvcview { };

gxmessage = callPackage ../applications/misc/gxmessage { };