pythonPackages: add new 'seccomp' library #103952

Merged


thoughtpolice
Member

See #99553. This implementation ensures we don't build a copy of libseccomp for every version of python, but only build the cython extension for every version of python. See the commit message (or patch) for details.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@thoughtpolice
Member Author

@deliciouslytyped If you want to try the Python library, please check out this branch and try it:

$ cd /path/to/nixpkgs

$ nix-shell -p 'python3.withPackages (ps: [ ps.seccomp ])'

[nix-shell:~]$ python
Python 3.8.6 (default, Sep 23 2020, 13:54:27)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccomp
>>> dir(seccomp)
...

As requested in NixOS#99553. Closes NixOS#99553.

Libraries that install python modules as part of the build are
problematic, because they either

  - only support a single python version, because the input for
    pythonPackages gets fixed in all-packages.nix, or

  - need to rebuild the underlying C code for *every* python version
    resulting in libfoo-python37, libfoo-python38, and so on

We would prefer to use the second approach because it works correctly
for all versions of python. However, it creates duplicate copies of
libseccomp.so and that can be expensive. Instead we 'deduplicate' the
copies of libseccomp.so by

  - attaching a new $pythonsrc output to the libseccomp deriv, and
  - exposing a new 'seccomp' package in python-packages.nix using
    libseccomp as input, and
  - having a custom python.nix derivation that builds the cython
    extension using libseccomp to get the python source and the
    package version

This means we build 1 copy of the seccomp python package, one for each
version of python, but all of those packages refer to a single instance
of the libseccomp C library, giving us the best of both worlds.

NOTE: because this requires changing the postInstall of libseccomp, it
requires a mass rebuild.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
thoughtpolice force-pushed the nixpkgs/pythonPackages/add-seccomp branch from 010b0b8 to 381a368 on November 20, 2020 02:46
FRidh merged commit 75e683d into NixOS:staging on Nov 20, 2020