From 61979dedb51ccabf962785c7ea05fd28153e0c2e Mon Sep 17 00:00:00 2001
From: DavHau
Date: Tue, 25 Jan 2022 19:48:12 +0700
Subject: [PATCH 1/2] add support for aarch64
---
.github/workflows/nix-portable.yml | 21 +++++++--
flake.nix | 69 +++++++++++++++++++++++-------
testing/qemu-efi.nix | 20 +++++++++
3 files changed, 90 insertions(+), 20 deletions(-)
create mode 100644 testing/qemu-efi.nix
diff --git a/.github/workflows/nix-portable.yml b/.github/workflows/nix-portable.yml
index 0921570..2ccff7d 100644
--- a/.github/workflows/nix-portable.yml
+++ b/.github/workflows/nix-portable.yml
@@ -1,5 +1,5 @@
-name: "Build"
+name: "build and test"
 on:
 pull_request:
 push:
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ system: [ x86_64-linux, aarch64-linux ]
+
 steps:
 - uses: actions/checkout@v2
@@ -28,7 +32,16 @@ jobs:
 name: nix-portable
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- - run: nix build -L .
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ with:
+ image: tonistiigi/binfmt@sha256:8de6f2decb92e9001d094534bf8a92880c175bd5dfb4a9d8579f26f09821cfa2
+ platforms: all
+
+ - name: Install binfmt support
+ run: sudo apt-get install -y
+
+ - run: 'nix build --option system ${{ matrix.system }} -L .#defaultPackage.${{ matrix.system }}'
 - name: Archive result
 uses: actions/upload-artifact@v2
@@ -47,7 +60,7 @@ jobs:
 matrix:
 # qemu_os: [ arch, centos7, centos8, debian, nixos, ubuntu ]
 # TODO: fix and re-activate tests
- qemu_os: [ centos7, debian, ubuntu ]
+ qemu_os: [ centos7, debian, ubuntu, debian-aarch64 ]
 steps:
 - uses: actions/checkout@v2
@@ -66,7 +79,7 @@ jobs:
 name: nix-portable
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- - run: nix run -L .#job-qemu-${{ matrix.qemu_os }}
+ - run: 'nix run -L .#job-qemu-${{ matrix.qemu_os }}'
diff --git a/flake.nix b/flake.nix
index 72722d6..1fc2ba9 100644
--- a/flake.nix
+++ b/flake.nix
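Review bot: The `Install binfmt support` step in the third hunk runs `sudo apt-get install -y` with no package name, so it installs nothing; either name the package it was meant to pull in or drop the step, since `docker/setup-qemu-action` with `platforms: all` already registers the binfmt handlers. That action is referenced by the floating tag `docker/setup-qemu-action@v1` while its `image:` is pinned by digest; pinning the action to a commit SHA would make both halves of the step equally immutable. The `${{ matrix.system }}` values are literals from this workflow, so their use inside `run:` is not an injection concern here.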
@@ -19,7 +19,7 @@
 lib = inp.nixpkgs.lib;
- supportedSystems = [ "x86_64-linux" ];
+ supportedSystems = [ "x86_64-linux" "aarch64-linux" "armv7l-linux" ];
 forAllSystems = f: genAttrs supportedSystems (system: f system (import inp.nixpkgs { inherit system; }));
@@ -28,6 +28,7 @@
 # After adding a new system, don't forget to add the name also in ./.github/workflows
 testImages = {
 arch = {
+ system = "x86_64-linux";
 url = "https://mirror.pkgbuild.com/images/v20211201.40458/Arch-Linux-x86_64-basic-20211201.40458.qcow2";
 sha256 = "0xxhb92rn2kskq9pvfmbf9h6fy75x4czl58rfq5969kbbb49yn19";
 extraVirtCustomizeCommands = [
@@ -36,22 +37,26 @@
 ];
 };
 centos7 = {
+ system = "x86_64-linux";
 url = "https://cloud.centos.org/altarch/7/images/CentOS-7-x86_64-GenericCloud-2009.qcow2c";
 sha256 = "09wqzlhb858qm548ak4jj4adchxn7rgf5fq778hrc52rjqym393v";
 # user namespaces are disabled on centos 7
 excludeRuntimes = [ "bwrap" ];
 };
 centos8 = {
+ system = "x86_64-linux";
 url = "https://cloud.centos.org/altarch/8/x86_64/images/CentOS-8-GenericCloud-8.3.2011-20201204.2.x86_64.qcow2";
 sha256 = "7ec97062618dc0a7ebf211864abf63629da1f325578868579ee70c495bed3ba0";
 };
 debian = {
+ system = "x86_64-linux";
 url = "https://cdimage.debian.org/cdimage/openstack/archive/10.9.0/debian-10.9.0-openstack-amd64.qcow2";
 sha256 = "0mf9k3pgzighibly1sy3cjq7c761r3akp8mlgd878lwf006vqrky";
 # permissions for user namespaces not enabled by default
 excludeRuntimes = [ "bwrap" ];
 };
 nixos = {
+ system = "x86_64-linux";
 # use iso image for nixos because building a qcow2 would require KVM
 img = (toString (nixosSystem {
 system = "x86_64-linux";
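Review bot: `supportedSystems` in the first hunk now lists `"armv7l-linux"`, but nothing in this patch exercises it — the workflow matrix builds only `x86_64-linux` and `aarch64-linux`, and no armv7l entry is added to `testImages`. If it is meant as a best-effort target, say so above the list (`# armv7l-linux is not built or tested in CI`) so the next reader does not assume it is covered; otherwise add it to the workflow matrix next to the other two. The `system` attributes added to every image entry in the later hunks are consistent, which is what the new `qemu-bin` selection depends on.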
@@ -59,12 +64,30 @@
 }).config.system.build.isoImage) + "/iso/nixos.iso";
 };
 ubuntu = {
+ system = "x86_64-linux";
 url = "https://cloud-images.ubuntu.com/releases/focal/release-20220118/ubuntu-20.04-server-cloudimg-amd64.img";
 sha256 = "05p2qbmp6sbykm1iszb2zvbwbnydqg6pdrplj9z56v3cr964s9p1";
 extraVirtCustomizeCommands = [
 "--copy-in ${./testing/ubuntu}/01-netplan.yaml:/etc/netplan/"
 ];
 };
+
+ # aarch64 tests
+ nixos-aarch64 = {
+ system = "aarch64-linux";
+ # use iso image for nixos because building a qcow2 would require KVM
+ img = (toString (nixosSystem {
+ system = "aarch64-linux";
+ modules = [(import ./testing/nixos-iso.nix)];
+ }).config.system.build.isoImage) + "/iso/nixos.iso";
+ };
+ debian-aarch64 = {
+ system = "aarch64-linux";
+ url = "https://cdimage.debian.org/cdimage/openstack/archive/10.9.0/debian-10.9.0-openstack-arm64.qcow2";
+ sha256 = "0mz868j1k8jwhgg9a21dv7dr4rsy1bhklbqqw3qig06acy0vg8yi";
+ # permissions for user namespaces not enabled by default
+ excludeRuntimes = [ "bwrap" ];
+ };
 };
 commandsToTest = [
@@ -96,7 +119,7 @@
 pkgs = pkgsDefaultChannel;
 lib = inp.nixpkgs.lib;
- compression = "zstd -18 -T0";
+ compression = "zstd -3 -T1";
 nix = inp.nix.packages."${system}".nix;
@@ -139,6 +162,12 @@
 img = if testImages."${os}" ? img then testImages."${os}".img else fetchurl { inherit (testImages."${os}") url sha256 ;};
+ system = testImages."${os}".system;
+ qemu-bin =
+ if pkgs.buildPlatform.system == system then
+ "qemu-kvm"
+ else
+ "qemu-system-${lib.head (lib.splitString "-" system)}";
 in
 nameValuePair "job-qemu-${os}${optionalString debug "-debug"}"
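Review bot: The switch from `zstd -18 -T0` to `zstd -3 -T1` in the second hunk changes how the shipped artifact is compressed, yet neither a comment nor the commit message says why, so a reader cannot tell whether it is a deliberate trade-off or a leftover from getting the emulated aarch64 build to finish. Add a line above it such as `# low level, single thread: -18 -T0 was too slow under aarch64 emulation` (wording to be confirmed by the author), or restore the old level if artifact size matters for releases.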
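Review bot: `"qemu-system-${lib.head (lib.splitString "-" system)}"` in the third hunk derives the emulator name from the Nix system string, which yields `qemu-system-armv7l` for the `armv7l-linux` entry an earlier hunk of this file adds to `supportedSystems`; QEMU's 32-bit ARM binary is `qemu-system-arm`, so that path cannot resolve. An explicit table avoids the silent mismatch: `qemuArch = { x86_64-linux = "x86_64"; aarch64-linux = "aarch64"; armv7l-linux = "arm"; };` followed by `"qemu-system-${qemuArch.${system}}"`, which also fails at evaluation time with a clear attribute error for an unknown system. The `qemu-kvm` branch is taken whenever build and target system coincide, so only the emulated jobs are affected.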
@@ -162,28 +191,31 @@
 nixPortable=${self.packages."${system}".nix-portable}/bin/nix-portable
 ssh="${pkgs.openssh}/bin/ssh -p $port -i $privKey -o StrictHostKeyChecking=no test@localhost"
 sshRoot="${pkgs.openssh}/bin/ssh -p $port -i $privKey -o StrictHostKeyChecking=no root@localhost"
+ scp="${pkgs.openssh}/bin/scp -P $port -i $privKey -o StrictHostKeyChecking=no"
 setup_and_start_vm() {
 cat $img > /tmp/${os}-img
- if [ "${os}" != "nixos" ]; then
+ if [[ "${os}" != nixos* ]]; then
 ${pkgs.libguestfs-with-appliance}/bin/virt-customize -a /tmp/${os}-img \
- --run-command 'useradd test && mkdir -p /home/test && chown test.test /home/test' \
- --run-command 'ssh-keygen -A' \
- --ssh-inject test:file:$pubKey \
+ --firstboot ${pkgs.writeScript "firstboot" "#!/usr/bin/env bash \nuseradd test && mkdir -p /home/test && chown test.test /home/test; ssh-keygen -A"} \
 --ssh-inject root:file:$pubKey \
 ${concatStringsSep " " (testImages."${os}".extraVirtCustomizeCommands or [])} \
 ${optionalString debug "--root-password file:${pkgs.writeText "pw" "root"}"} \
 --selinux-relabel
 fi
- ${pkgs.qemu}/bin/qemu-kvm \
- -hda /tmp/${os}-img \
+ cp ${pkgs.callPackage ./testing/qemu-efi.nix {}} ./QEMU_EFI.img
+
+ ${pkgs.qemu}/bin/${qemu-bin} \
+ -drive file=/tmp/${os}-img \
+ -smp 2 \
 -m 2500 \
- -cpu max \
 -netdev user,hostfwd=tcp::$port-:22,id=n1 \
 -device virtio-net-pci,netdev=n1 \
 ${optionalString (! debug) "-nographic"} \
+ ${optionalString (system == "aarch64-linux")
+ "-cpu cortex-a53 -machine virt -drive if=pflash,format=raw,file=./QEMU_EFI.img"} \
 &
 }
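Review bot: `-drive file=/tmp/${os}-img \` passes no `format=`, so QEMU has to probe the image header to decide between qcow2 (the cloud images) and raw (the NixOS ISO, if I read the table right); QEMU itself warns that probing is unsafe for raw images and restricts writes to block 0 in that case. The pflash drive added a few lines further down already spells out `format=raw`; carrying a `format` attribute per `testImages` entry and emitting `-drive file=/tmp/${os}-img,format=${format}` would make the main disk equally explicit. Separately, the new firstboot script keeps `chown test.test`, the `user.group` spelling coreutils only retains for compatibility; `chown test:test` works on every guest in the table.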
@@ -193,18 +225,23 @@
 ''}
 setup_and_start_vm
- while ! $ssh -o ConnectTimeout=2 true 2>/dev/null ; do
+ while ! $sshRoot -o ConnectTimeout=2 true 2>/dev/null ; do
 echo "waiting for ssh"
 sleep 1
 done
- # upload the nix-portable executable
- ${pkgs.openssh}/bin/scp -P $port -i $privKey -o StrictHostKeyChecking=no ${self.packages."${system}".nix-portable}/bin/nix-portable test@localhost:/home/test/nix-portable
-
- echo -e "\n\ncreating tmpfs"
- $sshRoot mkdir /np_tmp
+ echo -e "\n\nsetting up machine via ssh"
+ $sshRoot mkdir -p /np_tmp
 $sshRoot mount -t tmpfs /bin/true /np_tmp
+ $sshRoot mkdir -p /home/test/.ssh
+ echo "uploading ssh key"
+ $scp ${./testing}/id_ed25519.pub root@localhost:/home/test/.ssh/authorized_keys
+ $sshRoot chown -R test /home/test
+ $sshRoot chmod 600 /home/test/.ssh/authorized_keys
+ echo "finished uploading ssh key"
+
+ echo "upload the nix-portable executable"
+ $scp ${self.packages."${system}".nix-portable}/bin/nix-portable test@localhost:/home/test/nix-portable
 echo -e "\n\nstarting to test nix-portable"
diff --git a/testing/qemu-efi.nix b/testing/qemu-efi.nix
new file mode 100644
index 0000000..a8ece87
--- /dev/null
+++ b/testing/qemu-efi.nix
@@ -0,0 +1,20 @@
+# http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstream/4443/QEMU-ARM/RELEASE_GCC5/QEMU_EFI.img.gz
+
+ {
+ fetchurl,
+ gzip,
+ runCommand,
+}:
+
+ let
+ qemu-efi-gz = fetchurl {
+ url = "http://snapshots.linaro.org/components/kernel/leg-virt-tianocore-edk2-upstream/4443/QEMU-AARCH64/RELEASE_GCC5/QEMU_EFI.img.gz";
+ sha256 = "sha256-bOO6bsiwHaf39TWdkxOYWOw9p+/EzCkZLzi5YQPZTLY=";
+ };
+in
+
+ runCommand "QEMU_EFI.img" {} ''
+ cp ${qemu-efi-gz} QEMU_EFI.img.gz
+ ${gzip}/bin/gunzip QEMU_EFI.img.gz
+ mv QEMU_EFI.img $out
+''
From ceb4c1c0d323db08e934eb2b5ba4ca013c723a63 Mon Sep 17 00:00:00 2001
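Review bot: `$sshRoot chown -R test /home/test` and the `authorized_keys` upload just before it assume user `test` already exists, but that user is now created by the `--firstboot` script from the previous hunk, which the guest runs as a separate first-boot service; the loop above only waits until root can log in, so on a slow emulated guest `useradd` may not have run yet and the `chown` fails or the key lands in a directory the later `useradd` then owns differently. Waiting for the account explicitly before touching its home closes that window: `while ! $sshRoot id test >/dev/null 2>&1; do sleep 1; done`. The surrounding shell script starts and ends outside this hunk.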
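Review bot: The comment on the first line of testing/qemu-efi.nix points at `.../QEMU-ARM/RELEASE_GCC5/QEMU_EFI.img.gz`, while the `fetchurl` below downloads the `QEMU-AARCH64` build, which is the one `-machine virt` on `aarch64-linux` needs; make the comment match the URL it documents, or drop it, so nobody "fixes" the download to the 32-bit firmware. The fixed-output hash means the plain-`http://` fetch is integrity-checked by Nix, so that part is fine as is. A short note above `runCommand` that callers copy the result out of the store because pflash needs a writable image would help the next reader.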
From: DavHau
Date: Wed, 26 Jan 2022 20:31:32 +0700
Subject: [PATCH 2/2] update proot to 5.3.0 & fix race cond by disabling seccomp
---
.github/workflows/nix-portable.yml | 2 +-
default.nix | 17 +++++++++++++----
flake.nix | 10 ++++++++--
proot/github.nix | 6 +++---
4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/nix-portable.yml b/.github/workflows/nix-portable.yml
index 2ccff7d..fa9cbd3 100644
--- a/.github/workflows/nix-portable.yml
+++ b/.github/workflows/nix-portable.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Install binfmt support
 run: sudo apt-get install -y
- - run: 'nix build --option system ${{ matrix.system }} -L .#defaultPackage.${{ matrix.system }}'
+ - run: 'nix build --option extra-platforms ${{ matrix.system }} -L .#defaultPackage.${{ matrix.system }}'
 - name: Archive result
 uses: actions/upload-artifact@v2
diff --git a/default.nix b/default.nix
index 309e348..26733d9 100644
--- a/default.nix
+++ b/default.nix
@@ -16,6 +16,8 @@ with builtins;
 pkgs ? import {},
 xz ? pkgs.pkgsStatic.xz,
 zstd ? pkgs.pkgsStatic.zstd,
+
+ buildSystem ? builtins.currentSystem,
 ...
 }@inp:
 with lib;
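Review bot: The new `buildSystem ? builtins.currentSystem` parameter in the default.nix hunk carries no comment, and its name reads like the Nix build platform although, judging by the later hunk, it only selects which nixpkgs instance runs the `maketar` packaging derivation. A line above it such as `# system on which the packaging helper (maketar) runs; may differ from the target when the target is emulated` would make the intent clear. Note also that `builtins.currentSystem` is unavailable under pure evaluation, so callers in that mode must pass it explicitly, as the flake does. The argument set starts before this hunk.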
@@ -23,19 +25,23 @@ let
 nixpkgsSrc = pkgs.path;
+ pkgsBuild = import pkgs.path { system = buildSystem; };
+
+ # TODO: git could be more minimal via:
+ # perlSupport=false; guiSupport=false; nlsSupport=false;
 gitAttribute = "gitMinimal";
 git = pkgs."${gitAttribute}";
 maketar = targets:
- pkgs.stdenv.mkDerivation {
+ pkgsBuild.stdenv.mkDerivation {
 name = "maketar";
- nativeBuildInputs = [ perl zstd ];
+ nativeBuildInputs = [ pkgsBuild.perl pkgsBuild.zstd ];
 exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
 buildCommand = ''
- storePaths=$(perl ${pkgs.pathsFromGraph} ./closure-*)
+ storePaths=$(perl ${pkgsBuild.pathsFromGraph} ./closure-*)
 mkdir $out
 echo $storePaths > $out/index
- cp -r ${pkgs.closureInfo { rootPaths = targets; }} $out/closureInfo
+ cp -r ${pkgsBuild.closureInfo { rootPaths = targets; }} $out/closureInfo
 tar -cf - \
 --owner=0 --group=0 --mode=u+rw,uga+r \
@@ -76,6 +82,9 @@ let
 runtimeScript = ''
 #!/usr/bin/env bash
+ # there seem to be less issues with proot when disabling seccomp
+ export PROOT_NO_SECCOMP=\''${PROOT_NO_SECCOMP:-1}
+
 set -e
 if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
 set -x
diff --git a/flake.nix b/flake.nix
index 1fc2ba9..3de884a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -129,6 +129,9 @@
 perl = pkgs.pkgsBuildBuild.perl;
 xz = pkgs.pkgsStatic.xz;
 zstd = pkgs.pkgsStatic.zstd;
+
+ # tar crashed on emulated aarch64 system
+ buildSystem = "x86_64-linux";
 };
 in
@@ -206,11 +209,13 @@
 fi
 cp ${pkgs.callPackage ./testing/qemu-efi.nix {}} ./QEMU_EFI.img
+ chmod +w ./QEMU_EFI.img
 ${pkgs.qemu}/bin/${qemu-bin} \
 -drive file=/tmp/${os}-img \
+ -cpu max \
 -smp 2 \
- -m 2500 \
+ -m 4000 \
 -netdev user,hostfwd=tcp::$port-:22,id=n1 \
 -device virtio-net-pci,netdev=n1 \
 ${optionalString (! debug) "-nographic"} \
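Review bot: `pkgsBuild = import pkgs.path { system = buildSystem; };` in the first default.nix hunk re-imports nixpkgs even when `buildSystem` is the system `pkgs` was already instantiated for, which doubles evaluation work and drops any overlays or config the caller put into `pkgs`. Reusing the existing instance in the common case is a one-line change: `pkgsBuild = if buildSystem == pkgs.system then pkgs else import pkgs.path { system = buildSystem; };`. The `let` block continues outside this hunk.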
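Review bot: `export PROOT_NO_SECCOMP=\''${PROOT_NO_SECCOMP:-1}` in the second default.nix hunk is justified only by `# there seem to be less issues with proot when disabling seccomp`, which tells a reader neither what is traded away nor that the commit's "race cond" is the motivation. As far as I know proot uses seccomp as a ptrace fast path, not as a sandbox, so the cost is syscall performance rather than isolation; say that, and that users can opt back in: `# proot's seccomp mode is a ptrace fast path, not a sandbox; it triggered races (see commit), so default it off. Override with PROOT_NO_SECCOMP=0.` (confirm against the proot release pinned in proot/github.nix). The `\''$` escaping matches the `\$NP_DEBUG` lines below, so that part is consistent.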
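Review bot: `buildSystem = "x86_64-linux";` in the first flake.nix hunk is unconditional, so the `maketar` derivation always takes `pkgsBuild.perl` and `pkgsBuild.zstd` from an x86_64 nixpkgs even when the evaluating host is a native aarch64 machine with no x86_64 builder; the comment `# tar crashed on emulated aarch64 system` describes the CI case only. Since evaluation cannot tell an emulated host from a native one, at least record the consequence next to the value: `# CI builds aarch64 under user-mode emulation, where tar crashed; forcing x86_64 here means a native aarch64 host needs an x86_64 builder (remote or emulated)`. The enclosing attribute set starts before this hunk.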
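Review bot: `-cpu max \` in the second flake.nix hunk is re-added unconditionally, but for `aarch64-linux` the conditional arguments appended a few lines below this hunk (added by the earlier patch: `-cpu cortex-a53 -machine virt ...`) supply a second `-cpu`; QEMU keeps the last one on the command line, so — if I read the argument order right — `max` is silently overridden on aarch64 and only the x86_64 jobs see it. Either drop `-cpu cortex-a53` from the aarch64 block so `max` applies everywhere, or move `-cpu max` into a non-aarch64 branch, so the intended CPU model is stated in one place. The new `chmod +w ./QEMU_EFI.img` is what the pflash drive needs, since the store copy is read-only; a short comment saying so would help.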
@@ -232,7 +237,7 @@
 echo -e "\n\nsetting up machine via ssh"
 $sshRoot mkdir -p /np_tmp
- $sshRoot mount -t tmpfs /bin/true /np_tmp
+ $sshRoot "test -e /np_tmp/.nix-portable || mount -t tmpfs -o size=3g /bin/true /np_tmp"
 $sshRoot mkdir -p /home/test/.ssh
 echo "uploading ssh key"
 $scp ${./testing}/id_ed25519.pub root@localhost:/home/test/.ssh/authorized_keys
@@ -242,6 +247,7 @@
 echo "upload the nix-portable executable"
 $scp ${self.packages."${system}".nix-portable}/bin/nix-portable test@localhost:/home/test/nix-portable
+ $ssh chmod +w /home/test/nix-portable
 echo -e "\n\nstarting to test nix-portable"
diff --git a/proot/github.nix b/proot/github.nix
index 93f40c7..4078dce 100644
--- a/proot/github.nix
+++ b/proot/github.nix
@@ -6,16 +6,16 @@ with builtins;
 let
- version = "5.2.0";
+ version = "5.3.0";
 systems = {
 x86_64-linux = {
 url = "https://github.com/proot-me/proot/releases/download/v${version}/proot-v${version}-x86_64-static";
- sha256 = "1w729a5fz9wcxshn7vy4yg96qj59sxmd2by1gcl6nz57qjrl61pb";
+ sha256 = "1nmllvdhlbdlgffq6x351p0zfgv202qfy8vhf26z0v8y435j1syi";
 };
 aarch64-linux = {
 url = "https://github.com/proot-me/proot/releases/download/v${version}/proot-v${version}-aarch64-static";
- sha256 = "17ghp5n2jz38c4qk88yjc9cvdx9pcinmf2v7i7klnmzq5wzbkrzi";
+ sha256 = "0icaag29a6v214am4cbdyvncjs63f02lad2qrcfmnbwch6kv247s";
 };
 armv7l-linux = {
 url = "https://github.com/proot-me/proot/releases/download/v${version}/proot-v${version}-arm-static";
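Review bot: `test -e /np_tmp/.nix-portable || mount -t tmpfs -o size=3g /bin/true /np_tmp` in the first hunk keys the re-mount guard on a marker file rather than on the mount itself, so a rerun where the marker is absent but `/np_tmp` is already a tmpfs stacks a second mount over the first and hides whatever was there. `mountpoint -q /np_tmp || mount ...` checks the actual condition (assuming util-linux on the guests, which the cloud images in the table should have). The `/bin/true` device argument is ignored by tmpfs; a comment noting it is a placeholder would spare the next reader a double take, and `size=3g` against the `-m 4000` guest from the previous hunk leaves little headroom if the tests fill it.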