Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sandbox linux builds using docker and gVisor #252

Closed
wants to merge 96 commits into from
Closed

Sandbox linux builds using docker and gVisor #252

wants to merge 96 commits into from

Conversation

NobodyXu
Copy link
Member

Related: #251

NobodyXu added 30 commits June 16, 2024 19:35
@NobodyXu
Add new reusable workflow docker-setup
89d5abf
@NobodyXu
Run docker-setup in build-package.yml
65cb8b0
@NobodyXu
Run docker-setup selfbuild.yml
fc4dbe8
@NobodyXu
Install gVisor in docker-setup
1d64a12
@NobodyXu
Fix docker-setup
011601f 
Add missing `shell: bash`
@NobodyXu
Create Dockerfile for build-version.sh on Linux
f915a04
@NobodyXu
Add scripts to Dockerfile
dfc0650
@NobodyXu
Update Dockerfile
752d8c4
@NobodyXu
Create build-version composite action
cee3291 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Check if package is built in build-package.yml
65e2640 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix setup code in build-version
0050ba4 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix env in Dockerfile
f622af4 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Refactor build-version.sh
54592ac 
Move code to github action

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update action.yml
68b0057 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update action.yml
041ba8f 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update build-version.sh
0f9e92e 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update build-version.sh
ed67554 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update build-version.sh
e254490 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update Dockerfile
9e1abd2 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update Dockerfile
d0decd5 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update action.yml
09fcda0 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Refactor build-version.sh
f947dab 
Tempdir is now read from env

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Add skeleton code on how to run docker container
f86d5c8 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Install more dependencies in Dockerfile
49d3f92 
and sepcify `ENTRYPOINT`

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Build docker image for package building
ef0c20f 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Pass environments to package-builder docker container
7891f3d 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Add missing shell: bash
deb1e7f 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Bind moung $TEMPDIR in build-version
6034441 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Tune docker-run flags
e245f02 
Use `--init` to use docker provided initd for reaping zombies.
Use `--security-opt="no-new-privileges=true"` to prevent container from gaining any new privileges

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Update job self-build-with-build-version in selfbuild.yml
660e034 
To use reusable action `build-version`

Signed-off-by: Jiahao XU <[email protected]>
NobodyXu and others added 24 commits June 19, 2024 23:25
@NobodyXu
Convert build-version into a reusable workflow
4153302 
Composite action is way too limited

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix build-version workflow: Build docker in a separate job
af45a5a 
Since it requires permission to save into GHA

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix Dockerfile
3c302f3 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Add debug ls to build-version.sh
3eb2933 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix built docker image name
1343b05 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Move docker-setup into build-version
de75954 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix build-version: Add needs: build-docker
28eac49 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix saving artifacts in build-version on windows
8c4d522 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix use of TEMPDIR in step prepare
c9252eb 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Simplify build-version.sh
5a5e402 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix shellcheck
2f4b042 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
FIx loading of docker image
ad59b0f 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix docker-run step
26ee99f 
Rm `-it` flags as there is no terminal to attach to
and no stdin at all.

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix passing output in build-package.yml
ef20804 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix build-version: Make sure job build-version is always run
6d26525 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Improve output of check-if-already-built
0387fe9 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
FIx setting of env TEMPDIR in build-version
49a8c0a 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Rm CARGO_HOME in Dockerfile
f7bd99e 
`rust:slim` already sets one and adds it to `PATH`

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix uploading of artifacts
9492eb7 
 - Give them unique names `CRATE-VERSION-TARGET`
 - Fixed a missing env

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix docker run: Mount tmpfs to /root/.cache
e3db366 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix zig not found error
0efdf2d 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
FIx tmpfs mounting: Allow exec in /tmp and /root/.cache
4fba175 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Downgrade zig to 0.10.0
134d5ae 
Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu
Fix glibc version setting build-version.sh
d07f211 
Only apply it to glibc

Signed-off-by: Jiahao XU <[email protected]>
@NobodyXu NobodyXu mentioned this pull request Jun 29, 2024
Closed
@NobodyXu
Copy link
Member Author

The failure is because the old version of zig write to its our installation directory, which is immutable.

The blocker for newer zig is that it rejects unknown linker flag --undefined which is used by cargo-auditable.

I think it makes sense to remove cargo-auditable for now, so that we can upgrade to latest release, since the build-process could modify whatever it likes and leave process behind, it is trivial to modify it to something else to prevemt auditing.

@NobodyXu
Copy link
Member Author

NobodyXu commented Jul 13, 2024
edited
Loading

cc @alsuren I just discovered https://github.com/cackle-rs/cackle

A tool with sandboxing and code auditing built-in, which seems better than my homebrew solution.

I will close this PR, and open a new PR to refactor/rework the build-system of quickinstall instead.

@NobodyXu NobodyXu closed this Jul 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alsuren alsuren alsuren left review comments

@Milo123459 Milo123459 Awaiting requested review from Milo123459

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NobodyXu @alsuren