author | Justin Bedő <cu@cua0.org> | 2023-02-08 23:47:32 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-08 23:47:32 +0000 |
commit | f2ab8c706d266e3d4e7926445d26335328fca983 (patch) | |
tree | 92d16e0fb53b1690a86905b8f2d8033a3f491d06 /pkgs | |
parent | 806cb7f9e90c04401b7e8b5c331fb05c82f3910d (diff) | |
parent | d35f5c2695ee27e69229b870e74b7fb0c5e976e8 (diff) | |
Merge pull request #158486 from ShamrockLee/singularity-apptainer
singularity: fix defaultPath and reflect upstream changes
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/applications/virtualization/singularity/default.nix | 73 | ||||
-rw-r--r-- | pkgs/applications/virtualization/singularity/generic.nix | 236 | ||||
-rw-r--r-- | pkgs/applications/virtualization/singularity/packages.nix | 94 | ||||
-rw-r--r-- | pkgs/build-support/singularity-tools/default.nix | 80 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 9 |
5 files changed, 383 insertions, 109 deletions
diff --git a/pkgs/applications/virtualization/singularity/default.nix b/pkgs/applications/virtualization/singularity/default.nix deleted file mode 100644 index 5ec5b19ce04..00000000000 --- a/pkgs/applications/virtualization/singularity/default.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ lib -, fetchurl -, util-linux -, gpgme -, openssl -, libuuid -, coreutils -, which -, makeWrapper -, cryptsetup -, squashfsTools -, buildGoPackage}: - -with lib; - -buildGoPackage rec { - pname = "singularity"; - version = "3.8.7"; - - src = fetchurl { - url = "https://github.com/hpcng/singularity/releases/download/v${version}/singularity-${version}.tar.gz"; - sha256 = "sha256-Myny5YP4SoNDyywDgKHWy86vrn0eYztcvK33FD6shZs="; - }; - - goPackagePath = "github.com/sylabs/singularity"; - - buildInputs = [ gpgme openssl libuuid ]; - nativeBuildInputs = [ util-linux which makeWrapper cryptsetup ]; - propagatedBuildInputs = [ coreutils squashfsTools ]; - - postPatch = '' - substituteInPlace internal/pkg/build/files/copy.go \ - --replace /bin/cp ${coreutils}/bin/cp - ''; - - postConfigure = '' - cd go/src/github.com/sylabs/singularity - - patchShebangs . - sed -i 's|defaultPath := "[^"]*"|defaultPath := "${lib.makeBinPath propagatedBuildInputs}"|' cmd/internal/cli/actions.go - - ./mconfig -V ${version} -p $out --localstatedir=/var - - # Don't install SUID binaries - sed -i 's/-m 4755/-m 755/g' builddir/Makefile - ''; - - buildPhase = '' - runHook preBuild - make -C builddir - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - make -C builddir install LOCALSTATEDIR=$out/var - chmod 755 $out/libexec/singularity/bin/starter-suid - - # Explicitly configure paths in the config file - sed -i 's|^# mksquashfs path =.*$|mksquashfs path = ${lib.makeBinPath [squashfsTools]}/mksquashfs|' $out/etc/singularity/singularity.conf - sed -i 's|^# cryptsetup path =.*$|cryptsetup path = ${lib.makeBinPath [cryptsetup]}/cryptsetup|' $out/etc/singularity/singularity.conf - - runHook postInstall - ''; - - meta = with lib; { - homepage = "http://www.sylabs.io/"; - description = "Application containers for linux"; - license = licenses.bsd3; - platforms = platforms.linux; - maintainers = [ maintainers.jbedo ]; - }; -} 
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix new file mode 100644 index 00000000000..562781b09a3 --- /dev/null +++ b/pkgs/applications/virtualization/singularity/generic.nix 
@@ -0,0 +1,236 @@ +# Configurations that should only be overrided by +# overrideAttrs +{ pname +, version +, src +, projectName # "apptainer" or "singularity" +, vendorHash ? null +, deleteVendor ? false +, proxyVendor ? false +, extraConfigureFlags ? [ ] +, extraDescription ? "" +, extraMeta ? { } +}: + +let + # Workaround for vendor-related attributes not overridable (#86349) + # should be removed when the issue is resolved + _defaultGoVendorArgs = { + inherit + vendorHash + deleteVendor + proxyVendor + ; + }; +in +{ lib +, buildGoModule +, runCommandLocal + # Native build inputs +, makeWrapper +, pkg-config +, util-linux +, which + # Build inputs +, bash +, conmon +, coreutils +, cryptsetup +, fakeroot +, go +, gpgme +, libseccomp +, libuuid + # This is for nvidia-container-cli +, nvidia-docker +, openssl +, squashfsTools +, squashfuse + # Overridable configurations +, enableNvidiaContainerCli ? true + # Compile with seccomp support + # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available. +, enableSeccomp ? true + # Whether the configure script treat SUID support as default +, defaultToSuid ? true + # Whether to compile with SUID support +, enableSuid ? false +, starterSuidPath ? null + # newuidmapPath and newgidmapPath are to support --fakeroot + # where those SUID-ed executables are unavailable from the FHS system PATH. + # Path to SUID-ed newuidmap executable +, newuidmapPath ? null + # Path to SUID-ed newgidmap executable +, newgidmapPath ? null + # Remove the symlinks to `singularity*` when projectName != "singularity" +, removeCompat ? false + # Workaround #86349 + # should be removed when the issue is resolved +, vendorHash ? _defaultGoVendorArgs.vendorHash +, deleteVendor ? _defaultGoVendorArgs.deleteVendor +, proxyVendor ? 
_defaultGoVendorArgs.proxyVendor +}: + +let + defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"; + privileged-un-utils = if ((isNull newuidmapPath) && (isNull newgidmapPath)) then null else + (runCommandLocal "privileged-un-utils" { } '' + mkdir -p "$out/bin" + ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" + ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" + ''); +in +buildGoModule { + inherit pname version src; + + # Override vendorHash with the output got from + # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).go-modules" + # or with `null` when using vendored source tarball. + inherit vendorHash deleteVendor proxyVendor; + + # go is used to compile extensions when building container images + allowGoReference = true; + + strictDeps = true; + + passthru = { + inherit + enableSeccomp + enableSuid + projectName + removeCompat + starterSuidPath + ; + }; + + nativeBuildInputs = [ + makeWrapper + pkg-config + util-linux + which + ]; + + buildInputs = [ + bash # To patch /bin/sh shebangs. 
+ conmon + cryptsetup + gpgme + libuuid + openssl + squashfsTools + squashfuse + ] + ++ lib.optional enableNvidiaContainerCli nvidia-docker + ++ lib.optional enableSeccomp libseccomp + ; + + configureScript = "./mconfig"; + + configureFlags = [ + "--localstatedir=/var/lib" + "--runstatedir=/var/run" + ] + ++ lib.optional (!enableSeccomp) "--without-seccomp" + ++ lib.optional (defaultToSuid && !enableSuid) "--without-suid" + ++ lib.optional (!defaultToSuid && enableSuid) "--with-suid" + ++ extraConfigureFlags + ; + + # Packages to prefix to the Apptainer/Singularity container runtime default PATH + # Use overrideAttrs to override + defaultPathInputs = [ + bash + coreutils + cryptsetup # cryptsetup + go + privileged-un-utils + squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image + squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges + ] + ++ lib.optional enableNvidiaContainerCli nvidia-docker + ; + + postPatch = '' + if [[ ! -e .git || ! 
-e VERSION ]]; then + echo "${version}" > VERSION + fi + # Patch shebangs for script run during build + patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts + # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs + substituteInPlace cmd/internal/cli/actions.go \ + --replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\"" + ''; + + postConfigure = '' + # Code borrowed from pkgs/stdenv/generic/setup.sh configurePhase() + + # set to empty if unset + : ''${configureFlags=} + + # shellcheck disable=SC2086 + $configureScript -V ${version} "''${prefixKey:---prefix=}$prefix" $configureFlags "''${configureFlagsArray[@]}" + + # End of the code from pkgs/stdenv/generic/setup.sh configurPhase() + ''; + + buildPhase = '' + runHook preBuild + make -C builddir -j"$NIX_BUILD_CORES" + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + make -C builddir install LOCALSTATEDIR="$out/var/lib" + runHook postInstall + ''; + + postFixup = '' + substituteInPlace "$out/bin/run-singularity" \ + --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}" + wrapProgram "$out/bin/${projectName}" \ + --prefix PATH : "${lib.makeBinPath [ + fakeroot + squashfsTools # Singularity (but not Apptainer) expects unsquashfs from the host PATH + ]}" + # Make changes in the config file + ${lib.optionalString enableNvidiaContainerCli '' + substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \ + --replace "use nvidia-container-cli = no" "use nvidia-container-cli = yes" + ''} + ${lib.optionalString (removeCompat && (projectName != "singularity")) '' + unlink "$out/bin/singularity" + for file in "$out"/share/man/man?/singularity*.gz; do + if [[ -L "$file" ]]; then + unlink "$file" + fi + done + for file in "$out"/share/*-completion/completions/singularity; do + if [[ -e "$file" ]] + rm "$file" + done + ''} + 
${lib.optionalString enableSuid (lib.warnIf (isNull starterSuidPath) "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." '' + chmod +x $out/libexec/${projectName}/bin/starter-suid + '')} + ${lib.optionalString (enableSuid && !isNull starterSuidPath) '' + mv "$out"/libexec/${projectName}/bin/starter-suid{,.orig} + ln -s ${lib.escapeShellArg starterSuidPath} "$out/libexec/${projectName}/bin/starter-suid" + ''} + ''; + + meta = with lib; { + description = "Application containers for linux" + extraDescription; + longDescription = '' + Singularity (the upstream) renamed themselves to Apptainer + to distinguish themselves from a fork made by Sylabs Inc.. See + + https://sylabs.io/2021/05/singularity-community-edition + https://apptainer.org/news/community-announcement-20211130 + ''; + license = licenses.bsd3; + platforms = platforms.linux; + maintainers = with maintainers; [ jbedo ShamrockLee ]; + mainProgram = projectName; + } // extraMeta; +} diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix new file mode 100644 index 00000000000..06c8c4fcc0d --- /dev/null +++ b/pkgs/applications/virtualization/singularity/packages.nix 
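Review bot: The removeCompat cleanup loop in postFixup is not valid bash: `if [[ -e "$file" ]]` is followed directly by `rm "$file"` and `done` with no `then`/`fi`, so any build with removeCompat = true and projectName != "singularity" will fail in the fixup phase; it should read `if [[ -e "$file" ]]; then rm "$file"; fi`. The privileged-un-utils guard only skips the helper when both newuidmapPath and newgidmapPath are null, so supplying just one of them still emits `ln -s` for the other with an escaped empty string, which fails or leaves a dangling link; wrapping each link in `lib.optionalString (newuidmapPath != null) ...` (and using `!= null` rather than the deprecated isNull) avoids that. Relatedly, a null privileged-un-utils still sits inside defaultPathInputs, and if the derivation coerces that element to an empty string the `''${defaultPathInputs// /\/bin:}` expansion will inject a bare `/bin` entry ahead of the original path; filtering it with `lib.optional (privileged-un-utils != null) privileged-un-utils` and checking the resulting defaultPath in cmd/internal/cli/actions.go after the substituteInPlace would confirm the fix does what the commit title claims.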
@@ -0,0 +1,94 @@ +{ callPackage +, fetchFromGitHub +, nixos +, conmon +}: +let + apptainer = callPackage + (import ./generic.nix rec { + pname = "apptainer"; + # TODO: Upgrade to 1.1.4 only after https://github.com/apptainer/apptainer/pull/967 get merge + # and https://github.com/apptainer/apptainer/issues/958 get fixed + version = "1.1.3"; + projectName = "apptainer"; + + src = fetchFromGitHub { + owner = "apptainer"; + repo = "apptainer"; + rev = "v${version}"; + hash = "sha256-QFg6RC77OE/a6Qlzn6Zi5I7Iaq/U3/m0eI9yLArzuNc="; + }; + + # Update by running + # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).go-modules" + # at the root directory of the Nixpkgs repository + vendorHash = "sha256-tAnh7A8Lw5KtY7hq+sqHMEUlgXvgeeCKKIfRZFoRtug="; + + extraDescription = " (previously known as Singularity)"; + extraMeta.homepage = "https://apptainer.org"; + }) + { + # Apptainer doesn't depend on conmon + conmon = null; + + # defaultToSuid becomes false since Apptainer 1.1.0 + # https://github.com/apptainer/apptainer/pull/495 + # https://github.com/apptainer/apptainer/releases/tag/v1.1.0 + defaultToSuid = false; + }; + + singularity = callPackage + (import ./generic.nix rec { + pname = "singularity-ce"; + version = "3.10.4"; + projectName = "singularity"; + + src = fetchFromGitHub { + owner = "sylabs"; + repo = "singularity"; + rev = "v${version}"; + hash = "sha256-bUnQXQVwaVA3Lkw3X9TBWqNBgiPxAVCHnkq0vc+CIsM="; + }; + + # Update by running + # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).go-modules" + # at the root directory of the Nixpkgs repository + vendorHash = "sha256-K8helLcOuz3E4LzBE9y3pnZqwdwhO/iMPTN1o22ipVg="; + + # Do not build conmon from the Git submodule source, + # Use Nixpkgs provided version + extraConfigureFlags = [ + "--without-conmon" + ]; + + extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. 
SingularityCE)"; + extraMeta.homepage = "https://sylabs.io/"; + }) + { + defaultToSuid = true; + }; + + genOverridenNixos = package: packageName: (nixos { + programs.singularity = { + enable = true; + inherit package; + }; + }).config.programs.singularity.packageOverriden.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + description = ""; + longDescription = '' + This package produces identical store derivations to `pkgs.${packageName}` + overriden and installed by the NixOS module `programs.singularity` + with default configuration. + + This is for binary substitutes only. Use pkgs.${packageName} instead. + ''; + }; + }); +in +{ + inherit apptainer singularity; + + apptainer-overriden-nixos = genOverridenNixos apptainer "apptainer"; + singularity-overriden-nixos = genOverridenNixos singularity "singularity"; +} diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix index 46df792bdf6..9689e412459 100644 --- a/pkgs/build-support/singularity-tools/default.nix +++ b/pkgs/build-support/singularity-tools/default.nix @@ -10,8 +10,8 @@ , gawk , util-linux , runtimeShell -, e2fsprogs }: - +, e2fsprogs +}: rec { shellScript = name: text: writeScript name '' 
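Review bot: The exported attribute names `apptainer-overriden-nixos` and `singularity-overriden-nixos` misspell "overridden"; once they are wired into all-packages.nix they become part of the public package set and renaming later needs aliases, so it is worth fixing before merge (the same typo in `packageOverriden` looks like a NixOS module option outside this diff and may have to stay). The update instructions quoted in the comments rely on `.override { vendorHash = ...; }` reaching the outer callPackage-level `vendorHash` argument that generic.nix declares as a #86349 workaround; a one-line comment next to the `vendorHash` attributes saying `# overridable through .override thanks to the workaround in generic.nix` would make that dependency visible to whoever removes the workaround.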
@@ -20,40 +20,51 @@ rec { ${text} ''; - mkLayer = { - name, - contents ? [], - }: - runCommand "singularity-layer-${name}" { - inherit contents; - } '' + mkLayer = + { name + , contents ? [ ] + # May be "apptainer" instead of "singularity" + , projectName ? (singularity.projectName or "singularity") + }: + runCommand "${projectName}-layer-${name}" + { + inherit contents; + } '' mkdir $out for f in $contents ; do cp -ra $f $out/ done ''; - buildImage = { - name, - contents ? [], - diskSize ? 1024, - runScript ? "#!${stdenv.shell}\nexec /bin/sh", - runAsRoot ? null, - memSize ? 512 - }: - let layer = mkLayer { - inherit name; - contents = contents ++ [ bash runScriptFile ]; - }; - runAsRootFile = shellScript "run-as-root.sh" runAsRoot; - runScriptFile = shellScript "run-script.sh" runScript; - result = vmTools.runInLinuxVM ( - runCommand "singularity-image-${name}.img" { + buildImage = + let + defaultSingularity = singularity; + in + { name + , contents ? [ ] + , diskSize ? 1024 + , runScript ? "#!${stdenv.shell}\nexec /bin/sh" + , runAsRoot ? null + , memSize ? 512 + , singularity ? defaultSingularity + }: + let + projectName = singularity.projectName or "singularity"; + layer = mkLayer { + inherit name; + contents = contents ++ [ bash runScriptFile ]; + inherit projectName; + }; + runAsRootFile = shellScript "run-as-root.sh" runAsRoot; + runScriptFile = shellScript "run-script.sh" runScript; + result = vmTools.runInLinuxVM ( + runCommand "${projectName}-image-${name}.img" + { buildInputs = [ singularity e2fsprogs util-linux gawk ]; layerClosure = writeReferencesToFile layer; preVM = vmTools.createEmptyImage { size = diskSize; - fullName = "singularity-run-disk"; + fullName = "${projectName}-run-disk"; }; inherit memSize; } 
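Review bot: The new `singularity ? defaultSingularity` parameter of buildImage is undocumented, and the `singularity.projectName or "singularity"` fallback is now computed twice, once as mkLayer's default and once in buildImage's let. A comment on the parameter such as `# Runtime package used to build the image; expose passthru.projectName ("apptainer" or "singularity") to get matching layer and image names`, plus a shared helper like `projectNameOf = pkg: pkg.projectName or "singularity";` in the rec set, would keep the two in sync. The `defaultSingularity` let-binding correctly prevents the parameter from shadowing the module-level `singularity` argument, which I infer is declared in the function header above this hunk.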
@@ -92,19 +103,20 @@ rec { if [ ! -e bin/sh ]; then ln -s ${runtimeShell} bin/sh fi - mkdir -p .singularity.d - ln -s ${runScriptFile} .singularity.d/runscript + mkdir -p .${projectName}.d + ln -s ${runScriptFile} .${projectName}.d/runscript - # Fill out .singularity.d - mkdir -p .singularity.d/env - touch .singularity.d/env/94-appsbase.sh + # Fill out .${projectName}.d + mkdir -p .${projectName}.d/env + touch .${projectName}.d/env/94-appsbase.sh cd .. - mkdir -p /var/singularity/mnt/{container,final,overlay,session,source} + mkdir -p /var/lib/${projectName}/mnt/{container,final,overlay,session,source} echo "root:x:0:0:System administrator:/root:/bin/sh" > /etc/passwd echo > /etc/resolv.conf - TMPDIR=$(pwd -P) singularity build $out ./img + TMPDIR=$(pwd -P) ${projectName} build $out ./img ''); - in result; + in + result; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d9557e18f8a..b4c8c04d7d1 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -30209,6 +30209,13 @@ with pkgs; shepherd = nodePackages."@nerdwallet/shepherd"; + inherit (callPackage ../applications/virtualization/singularity/packages.nix { }) + apptainer + singularity + apptainer-overriden-nixos + singularity-overriden-nixos + ; + skate = callPackage ../applications/misc/skate { }; slack = callPackage ../applications/networking/instant-messengers/slack { }; @@ -30219,8 +30226,6 @@ with pkgs; slweb = callPackage ../applications/misc/slweb { }; - singularity = callPackage ../applications/virtualization/singularity { }; - sonixd = callPackage ../applications/audio/sonixd { }; sosreport = python3Packages.callPackage ../applications/logging/sosreport { }; |
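Review bot: Templating the image metadata directory as `.${projectName}.d` looks wrong for the Apptainer case: as far as I recall Apptainer 1.x still reads `/.singularity.d` inside images for compatibility rather than `/.apptainer.d`, so the runscript and env files written here would be silently ignored; confirm against the Apptainer version pinned in packages.nix and, if so, keep `.singularity.d` literal while leaving the `${projectName} build` invocation templated. The `/var/lib/${projectName}/mnt` path is also implicitly coupled to the `--localstatedir=/var/lib` flag set in generic.nix; a comment stating that coupling, `# must match --localstatedir in singularity/generic.nix`, would save the next person who overrides the runtime package from a confusing mount failure inside the VM. The enclosing buildImage body starts outside this hunk.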