gvisor: init at 2019-11-14 #73097

Merged: 3 commits merged into NixOS:master on Dec 5, 2019

Conversation

andrew-d (Contributor) commented Nov 9, 2019

Motivation for this change

This is a revamp of #50218 after enough upstream changes that it's possible to build inside a Nix sandbox. This was requested in #39889, but there were some problems with Bazel at the time. I've managed to get this working with buildBazelPackage. At the end of the whole process, gvisor is runnable:

$ /nix/store/7k1c1jikms1pjimk8561x18xpj51dm5l-gvisor-2019-11-08/bin/runsc --help
Usage: runsc <flags> <subcommand> <subcommand args>

Subcommands:
	checkpoint       checkpoint current state of container (experimental)
	create           create a secure container
	delete           delete resources held by a container
	do               Simplistic way to execute a command inside the sandbox. It's to be used for testing only.
	events           display container events such as OOM notifications, cpu, memory, and IO usage statistics

(I also added the containerd shim as well, since it didn't feel worth another PR)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc original reviewers @nlewo, @Profpatsch, and commenters @dtzWill, @benpye and @ghuntley

Closes #50218
Closes #39889

@ofborg ofborg bot requested a review from kalbasit Nov 9, 2019
@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from 39b32fd to fc15db2 Nov 9, 2019
Profpatsch (Member) commented Nov 21, 2019

Do you have sandboxing enabled in your local nix? The build fails because it tries to download some repository dependencies. Most of the nix world has sandboxing enabled, which restricts network access to fixed-output derivations.

@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from fc15db2 to 6448357 Nov 22, 2019
andrew-d (Contributor, Author) commented Nov 22, 2019

@Profpatsch - I do, yes. I think the problem is that the buildBazelPackage tools remove rules_cc, which is now an external dependency and then can't be downloaded. There are also some issues with rules_go and x/net/nettest that I'm trying to debug as well.

@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch 2 times, most recently from e79b2a1 to 593b61d Nov 24, 2019
andrew-d (Contributor, Author) commented Nov 25, 2019

@Profpatsch - Okay, between #74013 and this PR, it's building successfully and reproducibly 🎉

flokli (Contributor) commented Nov 26, 2019

Can you add a simple nixos vm test starting a container, so we can verify it works?

@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from 593b61d to 726559a Nov 27, 2019
andrew-d (Contributor, Author) commented Nov 27, 2019

@flokli - Okay, added a test that exercises both the gvisor do subcommand and gvisor when it's being used as a Docker runtime. I hadn't previously tested the gvisor do subcommand, so I also added a patch to ensure that the path to ip/ipconfig/sysctl is absolute.
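
The following is an added sketch, not the test file from this PR, of a NixOS VM test shaped like the one the comment above describes: a single node runs Docker with runsc registered as an extra runtime, the script first exercises `runsc do` directly (which is where a missing ip/iptables/sysctl on PATH would surface), then starts a container through Docker with `--runtime=runsc` and verifies that Docker really dispatched it to runsc. It uses the Python test driver (make-test-python.nix); the network layout, the empty-image trick, the `-alsologtostderr` flag and the exact commands are assumptions of this example, not taken from the page.

```nix
# Boots a NixOS VM with gVisor registered as a Docker runtime and checks that
# runsc works both directly ("runsc do") and as the runtime behind Docker.
# Added illustration; not the test shipped with the PR.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "gvisor";

  nodes = {
    gvisor = { pkgs, ... }: {
      virtualisation.docker = {
        enable = true;
        # Register runsc alongside the default runtime; containers opt in
        # with --runtime=runsc, so nothing else on the host changes.
        extraOptions = "--add-runtime runsc=${pkgs.gvisor}/bin/runsc";
      };
      # Static addressing so runsc's network setup sees a deterministic
      # interface (assumed layout for this sketch).
      networking = {
        dhcpcd.enable = false;
        defaultGateway = "192.168.1.1";
        interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
          { address = "192.168.1.2"; prefixLength = 24; }
        ];
      };
    };
  };

  testScript = ''
    start_all()
    gvisor.wait_for_unit("network.target")
    gvisor.wait_for_unit("docker.service")

    # 1. runsc on its own: "do" runs one command inside a fresh sandbox.
    #    This is the path that needs ip/iptables/sysctl reachable via PATH.
    output = gvisor.succeed(
        "${pkgs.gvisor}/bin/runsc -alsologtostderr do ${pkgs.coreutils}/bin/echo hello world"
    )
    assert output.strip() == "hello world", output

    # 2. runsc as a Docker runtime: import an empty image and bind-mount the
    #    store so the container has a binary to execute.
    gvisor.succeed("tar cv --files-from /dev/null | docker import - scratchimg")
    gvisor.succeed(
        "docker run -d --name=sleeping --runtime=runsc "
        + "-v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin "
        + "scratchimg /bin/sleep 10"
    )
    # The container must be running, and Docker must report runsc (not the
    # default runtime) as what it was started under.
    gvisor.succeed("docker ps | grep sleeping")
    gvisor.succeed(
        "docker inspect --format '{{.HostConfig.Runtime}}' sleeping | grep -x runsc"
    )
    gvisor.succeed("docker stop sleeping")
  '';
})
```

The `docker inspect` check is the part worth keeping in any such test: without it, a misconfigured `--add-runtime` falls back to runc and the container still "works", so the test would pass without ever having exercised gVisor.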

@ofborg ofborg bot added the 6.topic: nixos label Nov 27, 2019
@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from 726559a to 34344de Nov 28, 2019
andrew-d (Contributor, Author) commented Nov 28, 2019

@Profpatsch / @flokli - Okay, rebased now that #74103 is merged. This should be ready to merge now, and tests pass locally.

@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from 34344de to ba2e010 Nov 28, 2019
@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch 2 times, most recently from a852a36 to eddf8c2 Nov 28, 2019
Review comment on this excerpt of the package expression:

    # available in the $PATH; patch these now.
    patches = [ ./gvisor-do-paths.patch ];
    postPatch = ''
    substituteInPlace runsc/cmd/do.go \

flokli (Contributor) commented Dec 2, 2019

For the sake of maintainability:

Could we just do a wrapProgram $out/bin/runsc --prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]} in installPhase, instead of patching the source code?

andrew-d (Contributor, Author) commented Dec 4, 2019

@flokli - Done! And confirmed that it works in the NixOS test as well.
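
As an added illustration, not the PR's own expression, here is the shape a buildBazelPackage derivation takes once both points raised in this thread are applied: the Bazel dependency download is isolated in a fixed-output derivation (`fetchAttrs.sha256`), which is the one place a sandboxed build may reach the network, rules_cc is left in place rather than stripped by the helper, and runsc gets its ip/iptables/sysctl via `wrapProgram` at install time instead of a source patch. Both hashes are placeholders (`lib.fakeSha256`); the `removeRulesCC` attribute name, the bazel-bin output path, the package inputs and the meta block are assumptions of this example, not taken from the page.

```nix
# Added sketch of a buildBazelPackage expression for gVisor; not the
# expression merged in this PR. Placeholders and assumptions are marked.
{ stdenv, buildBazelPackage, fetchFromGitHub, makeWrapper
, git, python3, iproute, iptables, procps }:

buildBazelPackage rec {
  pname = "gvisor";
  version = "2019-11-14";

  # Pinned to the tagged release mentioned in the thread. The source hash is
  # a placeholder: the build fails on mismatch instead of accepting new code.
  src = fetchFromGitHub {
    owner = "google";
    repo = "gvisor";
    rev = "release-20191114.0";
    sha256 = stdenv.lib.fakeSha256; # placeholder, replace with the real hash
  };

  nativeBuildInputs = [ git makeWrapper python3 ];

  bazelTarget = "//runsc:runsc";

  # Assumed attribute name: keep rules_cc, which gVisor pulls in as an
  # external dependency, instead of letting the helper remove it.
  removeRulesCC = false;

  # The dependency fetch is a fixed-output derivation. Declaring its output
  # hash up front is what lets it reach the network under sandboxing; every
  # later build is then offline and reproducible, and any change in an
  # upstream dependency shows up as a hash mismatch rather than silently.
  fetchAttrs = {
    sha256 = stdenv.lib.fakeSha256; # placeholder, replace with the real hash
  };

  buildAttrs = {
    installPhase = ''
      # The bazel-bin output path is an assumption for this sketch.
      install -Dm755 bazel-bin/runsc/linux_amd64_pure_stripped/runsc $out/bin/runsc

      # Provide ip/iptables/sysctl through PATH at run time instead of
      # hard-coding store paths into runsc/cmd/do.go with a patch. The
      # tools are pinned to specific store paths either way; this keeps
      # the source untouched and the pin visible in one place.
      wrapProgram $out/bin/runsc \
        --prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
    '';
  };

  meta = with stdenv.lib; {
    description = "Application kernel for containers (runsc)";
    homepage = "https://gvisor.dev/";
    license = licenses.asl20;
    platforms = [ "x86_64-linux" ];
  };
}
```

With `--prefix` rather than `--set`, the wrapped runsc still honours the caller's PATH for anything else it invokes; only the three tools it needs are guaranteed to resolve to the pinned store paths ahead of whatever the host happens to have installed.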

@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from eddf8c2 to 903eba6 Dec 4, 2019
@andrew-d andrew-d force-pushed the andrew-d:andrew/gvisor-redux branch from 903eba6 to c37902d Dec 4, 2019
@andrew-d andrew-d changed the title gvisor: init at 2019-11-08 gvisor: init at 2019-11-14 Dec 4, 2019
andrew-d (Contributor, Author) commented Dec 4, 2019

I also just bumped to an actual tagged release of gvisor, since they tagged release-20191114.0 after I'd opened this PR.

@flokli flokli merged commit 3140fa8 into NixOS:master Dec 5, 2019
15 checks passed:
  gvisor, gvisor-containerd-shim on aarch64-linux: No attempt
  Evaluation Performance Report: Evaluator Performance Report
  grahamcofborg-eval: ^.^!
  grahamcofborg-eval-check-maintainers: matching changed paths to changed attrs...
  grahamcofborg-eval-check-meta: config.nix: checkMeta = true
  grahamcofborg-eval-darwin: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
  grahamcofborg-eval-nixos: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
  grahamcofborg-eval-nixos-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
  grahamcofborg-eval-nixos-options: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
  grahamcofborg-eval-nixpkgs-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
  grahamcofborg-eval-nixpkgs-tarball: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
  grahamcofborg-eval-nixpkgs-unstable-jobset: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
  grahamcofborg-eval-package-list: nix-env -qa --json --file .
  grahamcofborg-eval-package-list-no-aliases: nix-env -qa --json --file . --arg config { allowAliases = false; }
  gvisor, gvisor-containerd-shim on x86_64-linux: Success
flokli (Contributor) commented Dec 5, 2019

Thanks!

dtzWill added a commit to dtzWill/nixpkgs that referenced this pull request Dec 5, 2019
gvisor: init at 2019-11-14
(cherry picked from commit 3140fa8)