Diffstat (limited to 'nixpkgs/pkgs/build-support/oci-tools/default.nix')
-rw-r--r-- | nixpkgs/pkgs/build-support/oci-tools/default.nix | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/build-support/oci-tools/default.nix b/nixpkgs/pkgs/build-support/oci-tools/default.nix
new file mode 100644
index 000000000000..1f5507f2eb75
--- /dev/null
+++ b/nixpkgs/pkgs/build-support/oci-tools/default.nix
@@ -0,0 +1,78 @@
+{ lib, writeText, runCommand, writeClosure }:
+
+{
+ buildContainer =
+ { args
+ , mounts ? {}
+ , os ? "linux"
+ , arch ? "x86_64"
+ , readonly ? false
+ }:
+ let
+ sysMounts = {
+ "/proc" = {
+ type = "proc";
+ source = "proc";
+ };
+ "/dev" = {
+ type = "tmpfs";
+ source = "tmpfs";
+ options = [ "nosuid" "strictatime" "mode=755" "size=65536k" ];
+ };
+ "/dev/pts" = {
+ type = "devpts";
+ source = "devpts";
+ options = [ "nosuid" "noexec" "newinstance" "ptmxmode=0666" "mode=755" "gid=5" ];
+ };
+ "/dev/shm" = {
+ type = "tmpfs";
+ source = "shm";
+ options = [ "nosuid" "noexec" "nodev" "mode=1777" "size=65536k" ];
+ };
+ "/dev/mqueue" = {
+ type = "mqueue";
+ source = "mqueue";
+ options = [ "nosuid" "noexec" "nodev" ];
+ };
+ "/sys" = {
+ type = "sysfs";
+ source = "sysfs";
+ options = [ "nosuid" "noexec" "nodev" "ro" ];
+ };
+ "/sys/fs/cgroup" = {
+ type = "cgroup";
+ source = "cgroup";
+ options = [ "nosuid" "noexec" "nodev" "relatime" "ro" ];
+ };
+ };
+ config = writeText "config.json" (builtins.toJSON {
+ ociVersion = "1.0.0";
+ platform = {
+ inherit os arch;
+ };
+
+ linux = {
+ namespaces = map (type: { inherit type; }) [ "pid" "network" "mount" "ipc" "uts" ];
+ };
+
+ root = { path = "rootfs"; inherit readonly; };
+
+ process = {
+ inherit args;
+ user = { uid = 0; gid = 0; };
+ cwd = "/";
+ };
+
+ mounts = lib.mapAttrsToList (destination: { type, source, options ? null }: {
+ inherit destination type source options;
+ }) sysMounts;
+ });
+ in
+ runCommand "join" {} ''
+ set -o pipefail
+ mkdir -p $out/rootfs/{dev,proc,sys}
+ cp ${config} $out/config.json
+ xargs tar c < ${writeClosure args} | tar -xC $out/rootfs/
+ '';
+}
+
|
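Review bot: The `mounts ? {}` argument in buildContainer's signature is never read; the `mounts` list written into config.json is built from `sysMounts` alone, so any mount a caller passes is silently dropped. Merging it in, `}) (sysMounts // mounts);`, would honour the parameter and let a caller override one of the default entries. The `process` and `linux` sections also set no `capabilities`, `noNewPrivileges`, `maskedPaths` or `readonlyPaths`, so the uid 0 process gets whatever the runtime applies for an absent field, which is presumably broader than what runc's generated default spec grants; a comment such as `# NOTE: no capability set or masked paths are declared here; the runtime's defaults apply` would at least make that intent explicit for readers. Separately, `options ? null` emits `"options": null` for the `/proc` entry, which a strict OCI schema validator may reject; `options ? []` avoids it.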