From c1b4a3b8e1bb930a71bd63f8faf965d441fbfcc9 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Thu, 30 Jan 2025 17:03:55 +0000 Subject: [PATCH 1/3] fix(dogfood/contents): fix shebang in resource metadata scripts --- dogfood/contents/main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dogfood/contents/main.tf b/dogfood/contents/main.tf index 62329c7b1c616..34adf3dcc6fde 100644 --- a/dogfood/contents/main.tf +++ b/dogfood/contents/main.tf @@ -249,7 +249,7 @@ resource "coder_agent" "dev" { key = "swap_usage_host" order = 4 script = <&1 | awk ' $0 ~ "Word of the Day: [A-z]+" { print $5; exit }' EOT interval = 86400 @@ -291,6 +291,7 @@ resource "coder_agent" "dev" { } startup_script = <<-EOT + #!/usr/bin/env bash set -eux -o pipefail # Allow synchronization between scripts. From 11cccb35c5fed40351f5f97a7b927a00bcfc961c Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Thu, 30 Jan 2025 19:09:09 +0100 Subject: [PATCH 2/3] fix(nix/docker.nix): add sudo and jq.bin Change-Id: Ie978c62ce4164386e55cedd6d7ceae71b07e217e Signed-off-by: Thomas Kosiewski --- flake.nix | 1 + nix/docker.nix | 48 +++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 087be72b855fe..97090d3663407 100644 --- a/flake.nix +++ b/flake.nix @@ -257,6 +257,7 @@ nix curl.bin # Ensure the actual curl binary is included in the PATH glibc.bin # Ensure the glibc binaries are included in the PATH + jq.bin binutils # ld and strings filebrowser # Ensure that we're not redownloading filebrowser on each launch ]) diff --git a/nix/docker.nix b/nix/docker.nix index 64724c79d2f35..ab58e0d45950c 100644 --- a/nix/docker.nix +++ b/nix/docker.nix @@ -19,6 +19,7 @@ zstd, stdenv, glibc, + sudo, }: let inherit (lib) @@ -88,10 +89,11 @@ let staticPath = "${dirOf shell}:${ lib.makeBinPath ( - lib.flatten [ + (lib.flatten [ builder drv.buildInputs - ] + ]) + ++ [ "/usr" ] ) }"; 
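Review bot: In the `staticPath` hunk of nix/docker.nix, the added `++ [ "/usr" ]` goes through `lib.makeBinPath`, which appends `/bin`, so the entry that actually lands on PATH is `/usr/bin`, the location a later hunk in this patch copies the setuid `sudo` into; nothing at the call site says so. I'd add `# makeBinPath appends /bin: this puts /usr/bin (where fakeRootCommands installs sudo) on PATH` above the added line. The `let` binding this expression belongs to starts and ends outside the hunk.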
@@ -123,11 +125,38 @@ let experimental-features = nix-command flakes ''; - etcNixConf = runCommand "etcd-nix-conf" { } '' + etcNixConf = runCommand "etc-nix-conf" { } '' mkdir -p $out/etc/nix/ ln -s ${nixConfFile} $out/etc/nix/nix.conf ''; + sudoersFile = writeText "sudoers" '' + root ALL=(ALL) ALL + ${toString uname} ALL=(ALL) NOPASSWD:ALL + ''; + + etcSudoers = runCommand "etc-sudoers" { } '' + mkdir -p $out/etc/ + cp ${sudoersFile} $out/etc/sudoers + chmod 440 $out/etc/sudoers + ''; + + pamSudoFile = writeText "pam-sudo" '' + auth sufficient pam_rootok.so + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + session optional pam_xauth.so + ''; + + etcPamSudo = runCommand "etc-pam-sudo" { } '' + mkdir -p $out/etc/pam.d/ + cp ${pamSudoFile} $out/etc/pam.d/sudo + + # We can’t chown in a sandbox, but that’s okay for Nix store. + chmod 644 $out/etc/pam.d/sudo + ''; + # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465 sandboxBuildDir = "/build"; @@ -194,6 +223,8 @@ let binSh usrBinEnv etcNixConf + etcSudoers + etcPamSudo (fakeNss.override { # Allows programs to look up the build user's home directory # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910 @@ -241,6 +272,17 @@ let mkdir -p ./lib64 ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2 fi + + # Copy sudo from the Nix store to a "normal" path in the container + mkdir -p ./usr/bin + cp ${sudo}/bin/sudo ./usr/bin/sudo + + # Ensure root owns it & set setuid bit + chown 0:0 ./usr/bin/sudo + chmod 4755 ./usr/bin/sudo + + chown root:root ./etc/pam.d/sudo + chown root:root ./etc/sudoers ''; # Run this image as the given uid/gid From b1277e9df0c4cbc02b6b767a4c20d2582548955a Mon Sep 17 00:00:00 2001 
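Review bot: The `chmod 440` inside the `etc-sudoers` derivation is unlikely to reach the image, because Nix normalizes file modes when a store output is registered, and the `fakeRootCommands` hunk later in this patch (`@@ -241`) only does `chown root:root ./etc/sudoers` without restoring the mode; as far as I recall sudo treats a sudoers file whose mode differs from the expected 0440 as an error, so `sudo` could fail at runtime in the built image. I'd add `chmod 0440 ./etc/sudoers` beside that chown, and make `chmod 0644 ./etc/pam.d/sudo` explicit there as well for the same reason. Separately, `${toString uname} ALL=(ALL) NOPASSWD:ALL` combined with a `pam.d/sudo` stack built from `pam_permit.so` makes sudo an unconditional, unauthenticated root escalation for the agent user; that is presumably intended for a dogfood dev image, but a comment above `sudoersFile` saying that this image treats the user as root-equivalent and that sudo is not an authentication boundary would stop a later reader from mistaking it for hardening. The `let` block these bindings live in starts and ends outside the hunk.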
From: Thomas Kosiewski Date: Thu, 30 Jan 2025 21:10:32 +0100 Subject: [PATCH 3/3] fix(nix/docker.nix): add init.d and docker cli Change-Id: I530de9066ea94ab54488de6e83ed64e7d44a1d72 Signed-off-by: Thomas Kosiewski --- .github/workflows/dogfood.yaml | 3 - flake.nix | 175 ++++++++++++++++++--------------- nix/docker.nix | 70 +++++++++++-- 3 files changed, 158 insertions(+), 90 deletions(-) diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index d0f912454211f..12ba5c1fc0fa8 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -37,9 +37,6 @@ jobs: - name: Setup Nix uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 - - name: Setup GHA Nix cache - uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4 # v9 - - name: Get branch name id: branch-name uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1 diff --git a/flake.nix b/flake.nix index 97090d3663407..0677349ef5a97 100644 --- a/flake.nix +++ b/flake.nix 
@@ -71,70 +71,91 @@ vendorHash = null; }; + # Packages required to build the frontend + frontendPackages = + with pkgs; + [ + cairo + pango + pixman + libpng + libjpeg + giflib + librsvg + python312Packages.setuptools # Needed for node-gyp + ] + ++ (lib.optionals stdenv.targetPlatform.isDarwin [ + darwin.apple_sdk.frameworks.Foundation + xcbuild + ]); + # The minimal set of packages to build Coder. - devShellPackages = with pkgs; [ - # google-chrome is not available on aarch64 linux - (lib.optionalDrvAttr (!stdenv.isLinux || !stdenv.isAarch64) google-chrome) - # strace is not available on OSX - (lib.optionalDrvAttr (!pkgs.stdenv.isDarwin) strace) - bat - cairo - curl - delve - dive - drpc.defaultPackage.${system} - formatter - fzf - gcc13 - gdk - getopt - gh - git - (lib.optionalDrvAttr stdenv.isLinux glibcLocales) - gnumake - gnused - go_1_22 - go-migrate - (pinnedPkgs.golangci-lint) - gopls - gotestsum - jq - kubectl - kubectx - kubernetes-helm - lazygit - less - mockgen - moreutils - neovim - nfpm - nix-prefetch-git - nodejs - openssh - openssl - pango - pixman - pkg-config - playwright-driver.browsers - pnpm - postgresql_16 - proto_gen_go_1_30 - protobuf_23 - ripgrep - shellcheck - (pinnedPkgs.shfmt) - sqlc - terraform - typos - # Needed for many LD system libs! 
- (lib.optional stdenv.isLinux util-linux) - vim - wget - yq-go - zip - zsh - zstd - ]; + devShellPackages = + with pkgs; + [ + # google-chrome is not available on aarch64 linux + (lib.optionalDrvAttr (!stdenv.isLinux || !stdenv.isAarch64) google-chrome) + # strace is not available on OSX + (lib.optionalDrvAttr (!pkgs.stdenv.isDarwin) strace) + bat + cairo + curl + delve + dive + drpc.defaultPackage.${system} + formatter + fzf + gcc13 + gdk + getopt + gh + git + (lib.optionalDrvAttr stdenv.isLinux glibcLocales) + gnumake + gnused + go_1_22 + go-migrate + (pinnedPkgs.golangci-lint) + gopls + gotestsum + jq + kubectl + kubectx + kubernetes-helm + lazygit + less + mockgen + moreutils + neovim + nfpm + nix-prefetch-git + nodejs + openssh + openssl + pango + pixman + pkg-config + playwright-driver.browsers + pnpm + postgresql_16 + proto_gen_go_1_30 + protobuf_23 + ripgrep + shellcheck + (pinnedPkgs.shfmt) + sqlc + terraform + typos + # Needed for many LD system libs! + (lib.optional stdenv.isLinux util-linux) + vim + wget + yq-go + zip + zsh + zstd + ] + ++ frontendPackages; docker = pkgs.callPackage ./nix/docker.nix { }; @@ -144,22 +165,7 @@ src = ./site/.; # Required for the `canvas` package! - extraBuildInputs = - with pkgs; - [ - cairo - pango - pixman - libpng - libjpeg - giflib - librsvg - python312Packages.setuptools - ] - ++ (lib.optionals stdenv.targetPlatform.isDarwin [ - darwin.apple_sdk.frameworks.Foundation - xcbuild - ]); + extraBuildInputs = frontendPackages; installInPlace = true; distDir = "out"; }; @@ -219,6 +225,9 @@ LOCALE_ARCHIVE = with pkgs; lib.optionalDrvAttr stdenv.isLinux "${glibcLocales}/lib/locale/locale-archive"; + + NODE_OPTIONS = "--max-old-space-size=8192"; + GOPRIVATE = "coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"; }; }; @@ -252,7 +261,6 @@ drv = devShells.default.overrideAttrs (oldAttrs: { buildInputs = (with pkgs; [ - busybox coreutils nix curl.bin # Ensure the actual curl binary is included in the PATH 
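Review bot: The added `GOPRIVATE = "coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"` turns off module-proxy and checksum-database (sum.golang.org) lookups for every module path under those prefixes for everyone who enters the dev shell, and the hunk gives no reason; since `github.com/coder` also covers Coder's public modules, a maintainer could reasonably expect those to still be cross-checked against the sumdb (go.sum continues to pin versions already recorded, so the exposure is limited to newly added modules). I'd add `# Private Coder module paths: skip GOPROXY/GOSUMDB for these; go.sum still pins known versions` above it, and if only the sumdb exemption is wanted, GONOSUMDB is the narrower knob. The same applies to `NODE_OPTIONS = "--max-old-space-size=8192"`, which deserves a one-line note on which build step needs the 8 GiB heap. The enclosing `devShells` attribute set continues outside the hunk.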
@@ -260,6 +268,13 @@ jq.bin binutils # ld and strings filebrowser # Ensure that we're not redownloading filebrowser on each launch + systemd.out + service-wrapper + docker_26 + shadow.out + su + ncurses # clear + unzip ]) ++ oldAttrs.buildInputs; }); diff --git a/nix/docker.nix b/nix/docker.nix index ab58e0d45950c..fe5b45c75e9d3 100644 --- a/nix/docker.nix +++ b/nix/docker.nix @@ -13,6 +13,7 @@ runCommand, writeShellScriptBin, writeText, + writeTextFile, cacert, storeDir ? builtins.storeDir, pigz, @@ -32,10 +33,18 @@ let inherit (dockerTools) streamLayeredImage - binSh usrBinEnv + caCertificates ; + # This provides /bin/sh, pointing to bashInteractive. + # The use of bashInteractive here is intentional to support cases like `docker run -it `, so keep these use cases in mind if making any changes to how this works. + binSh = runCommand "bin-sh" { } '' + mkdir -p $out/bin + ln -s ${bashInteractive}/bin/bash $out/bin/sh + ln -s ${bashInteractive}/bin/bash $out/bin/bash + ''; + compressors = { none = { ext = ""; 
@@ -157,6 +166,46 @@ let chmod 644 $out/etc/pam.d/sudo ''; + # Add our Docker init script + dockerInit = writeTextFile { + name = "initd-docker"; + destination = "/etc/init.d/docker"; + executable = true; + + text = '' + #!/usr/bin/env sh + ### BEGIN INIT INFO + # Provides: docker + # Required-Start: $remote_fs $syslog + # Required-Stop: $remote_fs $syslog + # Default-Start: 2 3 4 5 + # Default-Stop: 0 1 6 + # Short-Description: Start and stop Docker daemon + # Description: This script starts and stops the Docker daemon. + ### END INIT INFO + + case "$1" in + start) + echo "Starting dockerd" + SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" dockerd --group=${toString gid} & + ;; + stop) + echo "Stopping dockerd" + killall dockerd + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; + esac + exit 0 + ''; + }; + # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465 sandboxBuildDir = "/build"; @@ -194,16 +243,15 @@ let LD_LIBRARY_PATH = lib.makeLibraryPath [ stdenv.cc.cc ]; } // drvEnv - // { - + // rec { # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1008-L1010 NIX_BUILD_TOP = sandboxBuildDir; # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1012-L1013 - TMPDIR = sandboxBuildDir; - TEMPDIR = sandboxBuildDir; - TMP = sandboxBuildDir; - TEMP = "/tmp"; + TMPDIR = TMP; + TEMPDIR = TMP; + TMP = "/tmp"; + TEMP = TMP; # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019 PWD = homeDirectory; @@ -222,6 +270,7 @@ let contents = [ binSh usrBinEnv + caCertificates etcNixConf etcSudoers etcPamSudo @@ -235,8 +284,10 @@ let ]; extraGroupLines = [ "${toString uname}:!:${toString gid}:" + "docker:!:${toString (builtins.sub gid 1)}:${toString uname}" ]; }) + dockerInit ]; fakeRootCommands = '' 
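Review bot: `dockerd --group=${toString gid}` in the init script hands the Docker socket to the user's primary group, while the `extraGroupLines` hunk later in this file (`@@ -235`) creates a separate `docker` group with gid `gid - 1` and adds the user to it; the two never line up, so the new group is unused, and `builtins.sub gid 1` can collide with a gid that already exists in the generated passwd/group files. Either point dockerd at that group (`--group=docker`) or drop the extra group line. `stop) killall dockerd` also depends on `killall` from psmisc, which none of the packages added in this series appear to provide; dockerd writes `/var/run/docker.pid` by default, so `kill "$(cat /var/run/docker.pid)"` removes that dependency and avoids signalling unrelated processes that happen to share the name. The `let` binding that holds `dockerInit` starts and ends outside the hunk.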
@@ -283,6 +334,11 @@ let chown root:root ./etc/pam.d/sudo chown root:root ./etc/sudoers + + # Create /var/run and chown it so docker command + # doesnt encounter permission issues. + mkdir -p ./var/run/ + chown -R ${toString uid}:${toString gid} ./var/run/ ''; # Run this image as the given uid/gid pFad - Phonifier reborn
