Implement Linux sandboxes #72

Open
wants to merge 99 commits into
base: main
@erikreinert erikreinert commented Sep 9, 2024

Changes

  • adds Vagrant support for developing Linux on macOS (currently only supports VMware Fusion)
  • adds bubblewrap support for sandboxing in Linux
  • adds sandbox implementation and bootstrapping in bash

- Move configuration checking logic to a new `config` module.
- Move logging functions to a new `log` module.
- Remove redundant `render_package` function from `main.rs`.
- Update `main.rs` to use new `config` and `log` modules.
- Simplify `load_config_build` function in `nickel.rs`.
- Add new logging functions in `worker.rs` for better output formatting.
- Clean up and refactor `build` function in `worker.rs` for clarity.
… references

- Renamed the `cache-dev` job to `sandbox` in the GitHub Actions workflow file.
- Updated cache keys and paths to use `sandbox` instead of `dev`.
- Replaced references to `dev.sh` with `sandbox.sh` in the workflow file.
- Deleted `dev.sh` script and replaced it with `sandbox.sh` which includes additional dependency checks and installations.
- Removed the `install-vorpal` script as it is no longer needed.
…ke commands

- Updated variable name from SANDBOX_PATH to PREFIX_PATH for clarity and consistency.
- Enhanced make commands to utilize all available processors with -j"$(nproc)" for faster builds.
- Adjusted PATH handling in gcc.sh to be commented out for potential future use.
- Modified nickel.sh to reflect the new variable name and ensure correct binary installation paths.
Added bubblewrap to the list of packages installed by the debian setup script to enhance security and sandboxing capabilities.
- Renamed `SANDBOX_PATH` to `SANDBOX_STORE_PATH` for clarity.
- Renamed `SANDBOX_PATH_PACKAGE` to `SANDBOX_STORE_PATH_PACKAGE` for consistency.
- Updated all references to the new variable names.
- Added a step to compress the sandbox package directory using `zstd`.
- Change SCRIPT_PATH in dev.sh to point to the correct directory.
- Add VORPAL_PATH to directories array in sandbox.sh.
- Ensure directories are created only if they do not exist and set correct ownership.
- Update messages to include specific hashes for sandbox, bash, binutils, coreutils, and zstd to avoid confusion.
- Add execution of sandbox.sh in dev.sh.
- Updated README.md to include detailed requirements for macOS and Linux.
- Added instructions for installing native tools on macOS and Linux.
- Modified setup steps to include new commands for generating keys, starting worker, and checking build.
- Updated makefile to retain the dist directory after creating the tarball.
- Enhanced script/dev.sh to export PATH for environment setup.
- Fixed script/sandbox.sh to correctly exit with status 0 if the sandbox package directory exists.
The log statement "Building package" has been removed from the build function in the darwin package module to clean up the code.
The tracing::info import was not being used in the darwin module and has been removed to clean up the code.
- Removed the `sandbox` job from the workflow.
- Added a new job `package-sandbox` with the same steps as the removed `sandbox` job.
- Updated the `test` job to depend on the new `package-sandbox` job instead of the removed `sandbox` job.
Changed the removal command for the include directory to use `rm -rf` instead of `rm -f` to ensure that the directory and its contents are deleted recursively. This prevents potential issues with non-empty directories.
- Add condition to skip running `debian.sh` script on `macos-latest` runner in both `dev` and `sandbox` jobs.
- Updated the conditional syntax for checking the runner type from `${{ matrix.runner }} != 'macos-latest'` to `matrix.runner != 'macos-latest'` in the vorpal.yaml workflow file.
- Ensured consistency in the conditional checks for both the 'dev' and 'sandbox' steps.
- Added nproc package to the list of packages installed in the debian.sh script.
- Updated both the 'case "$1"' sections to include nproc.
- This change ensures that the nproc utility is available for use.
Updated the CI workflow to include 'sudo' for apt-get update and install commands to ensure proper permissions on 'ubuntu-latest' runner.
This commit removes the ubuntu-latest-arm64 runner from the GitHub Actions workflow configuration file vorpal.yaml. The changes affect both job definitions in the workflow.
- Removed amber.sh script and its reference from dev.sh
- Added zstd to the list of scripts in dev.sh
- Updated zstd.sh to include CPU_COUNT for macOS and removed unnecessary pushd/popd commands
Updated the build directory path in the gcc.ncl configuration file to use a relative path instead of an absolute path. This change ensures that the script navigates to the correct build directory.
Added bubblewrap to the list of packages installed in the vorpal.yaml GitHub Actions workflow to ensure all necessary dependencies are available.
- Add command to set 'kernel.apparmor_restrict_unprivileged_userns' to 0 in /etc/sysctl.d/60-apparmor-namespace.conf
- Ensure the new setting is applied during the workflow execution
- Removed the command to modify AppArmor settings for unprivileged user namespaces.
- Added a command to change ownership permissions for /usr/bin/bubblewrap.
Changed the command from `chown` to `chmod` to set the correct file permissions for `/usr/bin/bubblewrap` in the GitHub Actions workflow configuration.
…ions for bubblewrap

- Added logic to dynamically find the path of bubblewrap using `which -a bwrap | head -n 1`
- Updated the script to set the correct permissions for the dynamically found bubblewrap path
- Added a command to print the bubblewrap version for verification
Modified the binding for lib64 directory to use --ro-bind-try instead of --ro-bind to handle cases where the directory might not exist. Removed redundant binding for /nix/store.
- Added support for x86_64-macos in the cross-platform configuration.
- Changed default shell from /bin/sh to /bin/bash for better compatibility.
- Enhanced script execution by adding 'set -euxo pipefail' for stricter error handling.
Added `ls -alh` and `cat` commands to the sandbox script generation process for debugging purposes. This change allows for listing the contents of the output directory and displaying the contents of the generated sandbox.sh script.
Refactor the bwrap setup by adding a custom AppArmor profile for bwrap in the workflow. This change replaces the previous method of setting the suid bit on the bwrap binary with a more secure AppArmor configuration.
Added a step to restart the apparmor service in the GitHub Actions workflow after updating custom rules to ensure changes take effect.
Add a command to change the user permissions for the bwrap binary in the vorpal GitHub Actions workflow. This ensures that the bwrap command can be executed with the necessary privileges during the workflow execution.
- Removed conditional execution of debian.sh for non-macos runners in vorpal.yaml.
- Added execution of debian.sh in dev.sh for Linux systems.
- Renamed and moved debian.sh to dev/debian.sh.
- Updated package installation in debian.sh with additional dependencies: build-essential, make, rsync, zlib1g-dev.
- Corrected indentation in fusion-13.pkrvars.hcl.
Simplified the Ubuntu setup process by removing redundant package installations and apparmor configuration. Updated the checkout action to v4 and ensured necessary repositories are added before installing apparmor.
- Removed redundant AppArmor installation steps in vorpal.yaml and added commands to disable and remove AppArmor configurations.
- Introduced OS_TYPE variable in makefile to generalize build-packer and validate-packer targets for different operating systems.
- Updated paths in makefile to use OS_TYPE variable, allowing for more flexible Packer builds.
The package system mapping for "aarch64-linux" and "x86_64-linux" targets has been updated to use `packages_system_macos` instead of `packages_system_linux`. This change ensures consistency across different architectures and platforms.
The 'x' option in the 'set' command has been removed from both sandbox and build scripts to prevent unnecessary command tracing output. This change ensures cleaner logs and focuses on essential error handling and pipefail behavior.
…gets

The conditional script for linux targets was removed as it was not being utilized in the current configuration. This change simplifies the code by eliminating unnecessary conditions.
Updated the bind options from --ro-bind to --ro-bind-try for several paths including /bin, /etc, /lib, /libexec, /sbin, /share, and /usr. This change ensures that the binding process is more flexible and can handle cases where the source paths may not exist, improving the robustness of the build process.
Added mxschmitt/action-tmate@v3 to the workflow steps to enable tmate sessions for debugging purposes. The session access is limited to the actor for security reasons.
The tmate action has been moved from the initial steps to execute only when a failure occurs. This change optimizes the workflow by limiting the use of tmate to scenarios where debugging is necessary, ensuring resources are used efficiently.
Added a timeout of 10 minutes to the tmate action in the GitHub workflow to prevent indefinite execution.

fix(config): correct package system mapping for Linux

Updated the package system mapping for "aarch64-linux" and "x86_64-linux" to use `packages_system_linux` instead of `packages_system_macos`. Added conditional script execution for Linux targets.
- Added `serde_json::Value` to handle JSON manipulation.
- Modified package serialization to exclude "packages" and "sandbox" fields from the JSON object before converting it to a string.

fix(sandbox): update script to set locale

- Updated the sandbox script to set `LC_ALL` to "C" before executing the script.

chore(vorpal): update source excludes

- Added "config" to the list of source excludes in `vorpal.ncl`.
The "packages" field is no longer removed from the package JSON serialization, as it was deemed unnecessary.

feat(bash): enable static linking in configuration

Added the --enable-static-link option to the bash package configuration to support static linking.

fix(sandbox): ensure proper command execution

Wrapped the command execution in quotes and set the CC environment variable to "gcc" for consistent behavior.

chore(makefile): clean distribution directory

Added a command to remove the distribution directory during the clean process to ensure a fresh build environment.
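
The bind and AppArmor changes described in the commit messages above, as an added example (not code from this pull request): it builds a bubblewrap argument list that uses `--ro-bind-try` for the listed host paths and checks the `kernel.apparmor_restrict_unprivileged_userns` sysctl before launching. The function names, the build-directory parameter, and the extra `--unshare-all`, `--die-with-parent`, `--clearenv`, `--proc`, `--dev` and `--tmpfs` options are assumptions.

```shell
#!/bin/sh
# Added example, not the project's sandbox script.

# Host paths exposed read-only; the list comes from the commit messages.
RO_PATHS="/bin /etc /lib /lib64 /libexec /sbin /share /usr"

# Print one bwrap argument per line.
# $1 = writable build directory (hypothetical parameter).
bwrap_args() {
    build_dir=$1
    printf '%s\n' --unshare-all --die-with-parent --clearenv
    printf '%s\n' --setenv LC_ALL C
    for p in $RO_PATHS; do
        # --ro-bind-try skips a source that does not exist on this host;
        # plain --ro-bind would make bwrap exit with an error instead.
        printf '%s\n' --ro-bind-try "$p" "$p"
    done
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
    printf '%s\n' --bind "$build_dir" "$build_dir" --chdir "$build_dir"
}

# Return 0 when AppArmor restricts unprivileged user namespaces. bwrap then
# needs an AppArmor profile that allows userns, or the sysctl set to 0.
# $1 overrides the sysctl file so the check can be exercised on any host.
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run a command inside the sandbox: run_sandboxed <build_dir> <cmd> [args...]
run_sandboxed() {
    dir=$1
    shift
    if userns_restricted; then
        echo "warning: unprivileged userns restricted; bwrap needs an AppArmor profile" >&2
    fi
    # Split the generated list on newlines only, with globbing disabled,
    # so each argument reaches bwrap unchanged.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(bwrap_args "$dir") -- "$@"
    set +f
    IFS=$old_ifs
    bwrap "$@"
}
```
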