Add bubblewrap support for running nix2gpu without a container runtime #12
baileylu121 merged 13 commits into main from
Conversation
nix flake update + switch nimi feature branch
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Bubblewrap environment skips uppercase variable name assertion
- Bubblewrap now forces evaluation of the same validated env mapping used for container env strings via deepSeq so lowercase variable names trigger the uppercase assertion in both paths.
diff --git a/nix2gpu/env.nix b/nix2gpu/env.nix
--- a/nix2gpu/env.nix
+++ b/nix2gpu/env.nix
@@ -84,6 +84,6 @@
totalEnv = config.env // config.extraEnv;
in
lib.mapAttrsToList translateToGoEnvString totalEnv;
- bubblewrap.environment = config.env // config.extraEnv;
+ bubblewrap.environment = builtins.deepSeq (lib.mapAttrsToList translateToGoEnvString totalEnv) totalEnv;
};
}
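Review bot: the added "+ bubblewrap.environment" line references totalEnv, but in the visible context totalEnv is bound only inside the let of the preceding attribute, and the "in" two lines above closes that scope before bubblewrap.environment is defined, so as written this hunk looks like it would fail with an undefined variable rather than validate anything. Suggest hoisting both the merged set and the validated list into a let that encloses both attributes, roughly: "let totalEnv = config.env // config.extraEnv; goEnv = lib.mapAttrsToList translateToGoEnvString totalEnv; in" with the container attribute set to goEnv and "bubblewrap.environment = builtins.deepSeq goEnv totalEnv;". That keeps the uppercase check in one place, avoids building the Go env-string list twice, and still forces every assertion whenever the bubblewrap environment is evaluated, which is the behaviour the autofix is after.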
Bubblewrap environment skips uppercase variable name assertion
Low Severity
The bubblewrap.environment is set to config.env // config.extraEnv directly, bypassing the translateToGoEnvString assertion that validates all environment variable names are uppercase. The container path checks this via lib.assertMsg (lib.toUpper var == var), but the bubblewrap path does not. Due to Nix laziness, building only the bubblewrap target would never trigger the validation, allowing lowercase env vars to slip through undetected.
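The laziness point in the comment above is easy to reproduce in isolation. The following is an added example, not code from the nix2gpu repository or from nimi: a standalone Nix file with a constructed two-variable environment (one lowercase name), a translateToGoEnvString that mirrors the uppercase assertion described in the comment, and three attributes showing the unchecked path, the checked path, and the deepSeq fix. The attribute names containerEnv, bubblewrapUnchecked and bubblewrapChecked are assumptions made for this example; it expects nixpkgs on NIX_PATH.

```nix
# Added example, not part of nix2gpu. Shows that an assertion placed inside
# one attribute is never reached when only a sibling attribute is evaluated,
# and that builtins.deepSeq forces it.
# Run, for each attribute:
#   nix-instantiate --eval --strict -A bubblewrapUnchecked ./lazy-assert.nix
let
  lib = (import <nixpkgs> { }).lib;

  # Constructed sample environment: one valid name, one lowercase name.
  env = {
    PATH = "/bin";
    http_proxy = "http://proxy.invalid:3128";
  };

  # Mirrors the validating translation described in the review comment:
  # the assertion rejects any name that is not already uppercase.
  translateToGoEnvString = name: value:
    assert lib.assertMsg (lib.toUpper name == name)
      "environment variable '${name}' must be uppercase";
    "${name}=${value}";

  # This list (and every assertion inside it) is only built when something
  # actually forces it; binding it here evaluates nothing yet.
  containerEnv = lib.mapAttrsToList translateToGoEnvString env;
in
{
  # Fails, as intended: forcing the list runs translateToGoEnvString for
  # http_proxy and the assertion fires.
  container = containerEnv;

  # Succeeds silently: env is returned without containerEnv ever being
  # touched, so the lowercase name is never checked. This is the bypass.
  bubblewrapUnchecked = env;

  # Fails as it should: deepSeq evaluates every element of containerEnv
  # (and therefore every assertion) before handing back env.
  bubblewrapChecked = builtins.deepSeq containerEnv env;
}
```

Evaluating container or bubblewrapChecked aborts with the "must be uppercase" message, while bubblewrapUnchecked prints the attribute set including http_proxy. Evaluating each attribute separately with -A matters here: a single --strict evaluation of the whole file would force container too and mask the difference.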
Add bubblewrap support for running nix2gpu without a container runtime

This PR updates the flake dependencies and switches from the baileylu/minimize-flake branch to the baileylu/bubblewrap branch of nimi.

Allow creation of the template
Adds a templates module and renames the basic template to default, making it available via nix flake init -t github:weyl-ai/nix2gpu.

Fix typo
Fixes a missing colon in the getting-started.md documentation.

Bind to nimi's bubblewrap with equivalency to the container config
Adds bubblewrap configuration to match container behavior, allowing nix2gpu containers to run in bubblewrap sandboxes. This includes:

Optimize the calling to only evaluate the nimi module once
Refactors the container creation to evaluate the nimi module once and reuse the configuration for both container image and bubblewrap.

Properly bind gpu drivers
Adds comprehensive GPU device bindings for NVIDIA devices and configures the proper procfs access needed for GPU drivers to function in bubblewrap.
Note
Medium Risk
Adds a new execution path (bubblewrap sandbox) and updates startup/SSH/GPU binding logic, which may change runtime behavior and host integration. Dependency bumps (notably nimi) can also shift behavior outside this repo.

Overview
Adds bubblewrap mode by wiring Nimi's mkBwrapWithConfig into container builds and exposing it as a runInBubblewrap passthru output, alongside a refactor to evaluate the Nimi module once and reuse the resulting config.

Updates nix2gpu modules to translate existing container settings into bubblewrap equivalents: copyToRoot is now also turned into read-only bind mounts (excluding tmpfs dirs), env vars/user/working dir are passed through to bubblewrap, and CUDA enables host GPU library/device binds plus host /proc usage for NVIDIA driver visibility.

Extends the startup script to better support bubblewrap (tmpfs-backed /etc, copy-in of /etc from copyToRootEnv, SSH key generation and port rewrite to 2222 in bubblewrap mode, and tightened directory permissions), adds a new NixOS test that boots and validates bubblewrap execution, and updates docs (new bubblewrap.md, nav links, typo fix) plus flake/template and dependency updates (switch nimi input to upstream and refresh flake.lock).

Written by Cursor Bugbot for commit 41bd76d. This will update automatically on new commits.
/etc, copy-in of/etcfromcopyToRootEnv, SSH key generation and port rewrite to2222in bubblewrap mode, and tightened directory permissions), adds a new NixOS test that boots and validates bubblewrap execution, and updates docs (newbubblewrap.md, nav links, typo fix) plus flake/template and dependency updates (switchnimiinput to upstream and refreshflake.lock).Written by Cursor Bugbot for commit 41bd76d. This will update automatically on new commits. Configure here.