containers · giuseppe · May 20, 2020 · May 19, 2020 · saschagrunert · May 20, 2020
diff --git a/.gitignore b/.gitignore
@@ -59,6 +59,7 @@ m4/ltversion.m4
 m4/lt~obsolete.m4
 Makefile
 Makefile.in
+result
 rpm/crun.spec
 stamp-h
 stamp-h.in

diff --git a/build-aux/release.sh b/build-aux/release.sh
@@ -37,8 +37,7 @@ make distclean
 make -C contrib/static-builder-x86_64 build-image RUNTIME=$RUNTIME
 make -C contrib/static-builder-x86_64 build-crun CRUN_SOURCE=$(pwd) RUNTIME=$RUNTIME
 
-strip static-build/crun
-mv static-build/crun $OUTDIR/crun-$VERSION-static-x86_64
+mv crun $OUTDIR/crun-$VERSION-static-x86_64
 
 if test x$SKIP_GPG = x; then
     for i in $OUTDIR/*; do

diff --git a/contrib/static-builder-x86_64/Dockerfile b/contrib/static-builder-x86_64/Dockerfile
@@ -1,21 +1,6 @@
-FROM fedora AS base
-RUN dnf install -y git dnf-utils gcc meson ninja-build libcap-static \
-    make python git gcc automake autoconf libcap-devel systemd-devel yajl-devel libseccomp-devel cmake \
-    go-md2man glibc-static python3-libmount libtool diffutils gperf
-
-FROM base AS systemd
-RUN mkdir /out && yum-builddep -y systemd && git clone --depth 1 https://github.com/systemd/systemd.git \
-    && mkdir systemd/build; cd systemd/build; meson .. -Dselinux=false --buildtype minsize --strip; ninja version.h; ninja libsystemd.a; cp libsystemd.a /out
-
-FROM base AS yajl
-RUN mkdir /out && git clone --depth=1 https://github.com/lloyd/yajl.git; cd yajl; ./configure LDFLAGS=-static; cd build; make -j $(nproc); find . -name '*.a' -exec cp \{\} /out \;
-
-FROM base AS seccomp
-RUN mkdir /out && git clone --depth=1 https://github.com/seccomp/libseccomp.git; cd libseccomp; ./autogen.sh; ./configure --enable-static; make -j $(nproc); find . -name '*.a' -exec cp \{\} /out \;
-
-FROM base
-COPY --from=systemd /out/* /usr/lib64/
-COPY --from=yajl /out/* /usr/lib64/
-COPY --from=seccomp /out/* /usr/lib64/
-COPY build.sh /usr/bin/build.sh
-CMD /usr/bin/build.sh
+FROM nixos/nix
+COPY . /crun
+WORKDIR crun/nix
+RUN nix-build
+WORKDIR /
+RUN rm -rf crun
diff --git a/contrib/static-builder-x86_64/Makefile b/contrib/static-builder-x86_64/Makefile
@@ -6,8 +6,8 @@ all: build-image build-crun
 
 build-crun:
 	@if test "x$(CRUN_SOURCE)" = x; then printf "+--------------------------+\n|Please specify CRUN_SOURCE|\n+--------------------------+\n" >&2; exit 1; fi
-	$(RUNTIME) run --rm -v $(CRUN_SOURCE):/crun $(IMAGE)
-	@printf -- "----------------------------------------------------\ncrun built in $(CRUN_SOURCE)/static-build\n----------------------------------------------------\n"
+	$(RUNTIME) run --rm -v $(CRUN_SOURCE):/crun -w /crun $(IMAGE) sh -c "nix build -f nix && cp result/bin/crun ."
+	@printf -- "----------------------------------------------------\ncrun built in $(CRUN_SOURCE)/crun\n----------------------------------------------------\n"
 
 build-image:
-	$(RUNTIME) $(RUNTIME_OPTS) build $(BUILD_OPTS) -t $(IMAGE) .
+	$(RUNTIME) $(RUNTIME_OPTS) build $(BUILD_OPTS) -f Dockerfile -t $(IMAGE) $(CRUN_SOURCE)
diff --git a/contrib/static-builder-x86_64/build.sh b/contrib/static-builder-x86_64/build.sh
diff --git a/nix/default.nix b/nix/default.nix
@@ -0,0 +1,66 @@
+{ system ? builtins.currentSystem }:
+let
+  pkgs = (import ./nixpkgs.nix {
+    config = {
+      packageOverrides = pkg: {
+        libcap = (static pkg.libcap).overrideAttrs(x: {
+          postInstall = ''
+            mkdir -p "$doc/share/doc/${x.pname}-${x.version}"
+            cp License "$doc/share/doc/${x.pname}-${x.version}/"
+            mkdir -p "$pam/lib/security"
+            mv "$lib"/lib/security "$pam/lib"
+          '';
+        });
+        libseccomp = (static pkg.libseccomp);
+        protobufc = (static pkg.protobufc);
+        systemd = pkg.systemd.overrideAttrs(x: {
+          mesonFlags = x.mesonFlags ++ [ "-Dstatic-libsystemd=true" ];
+          postFixup = ''
+            ${x.postFixup}
+            sed -ri "s;$out/(.*);$nukedRef/\1;g" $lib/lib/libsystemd.a
+          '';
+        });
+      };
+    };
+  });
+
+  static = pkg: pkg.overrideAttrs(x: {
+    configureFlags = (x.configureFlags or []) ++ [ "--disable-shared" ];
+    enableStatic = true;
+  });
+
+  self = with pkgs; {
+    crun-static = (crun.overrideAttrs(x: {
+      name = "crun-static";
+      src = ./..;
+      doCheck = false;
+      nativeBuildInputs = [ autoreconfHook pkgconfig python3 ];
+      buildInputs = x.buildInputs ++ [ criu glibc glibc.static ];
+      configureFlags = [ "--enable-static-nss" ];
+      prePatch = ''
+        export LDFLAGS="-static-libgcc -static"
+        export CRUN_LDFLAGS="-all-static"
+        export LIBS="\
+          ${criu}/lib/libcriu.a \
+          ${glibc.static}/lib/libc.a \
+          ${glibc.static}/lib/libpthread.a \
+          ${glibc.static}/lib/librt.a \
+          ${libcap.lib}/lib/libcap.a \
+          ${libseccomp.lib}/lib/libseccomp.a \
+          ${protobufc}/lib/libprotobuf-c.a \
+          ${protobuf}/lib/libprotobuf.a \
+          ${systemd.lib}/lib/libsystemd.a \
+          ${yajl}/lib/libyajl_s.a \
+        "
+        echo "Using static libs: $LIBS"
+      '';
+    })).override {
+      yajl = yajl.overrideAttrs(x: {
+        buildInputs = [ glibc glibc.static ];
+        preConfigure = ''
+          export CMAKE_STATIC_LINKER_FLAGS="-static"
+        '';
+      });
+    };
+  };
+in self
diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
@@ -0,0 +1,10 @@
+{
+  "url": "https://github.com/nixos/nixpkgs",
+  "rev": "2b51171fb6eadbe0909dc5f3726371a149044f77",
+  "date": "2020-05-13T14:24:04+02:00",
+  "path": "/nix/store/dnv2wqnkssh7ph5r9gbxv6gxp8ykkqn4-nixpkgs",
+  "sha256": "1f76j4m05sbypc1s9lbdbdp62slryvknsi78ilrb3lnmq17biymi",
+  "fetchSubmodules": false,
+  "deepClone": false,
+  "leaveDotGit": false
+}
diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix
@@ -0,0 +1,8 @@
+let
+  json = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
+  nixpkgs = import (builtins.fetchTarball {
+    name = "nixos-unstable";
+    url = "${json.url}/archive/${json.rev}.tar.gz";
+    inherit (json) sha256;
+  });
+in nixpkgs