mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-30 09:00:19 +02:00
2a8d05627b
flat hashes can be substituted through hashed-mirrors, while recursive hashes can’t. This is especially important for Bazel since the bazel fetch dependencies can come from multiple different methods (git, http, ftp, etc.). To do this, we create tar archives from the output/external directory, which is then extracted to build. All of the Bazel hashes are all updated.
102 lines
3.1 KiB
Nix
102 lines
3.1 KiB
Nix
{ stdenv
|
|
, buildBazelPackage
|
|
, fetchFromGitHub
|
|
, cacert
|
|
, git
|
|
, glibcLocales
|
|
, go
|
|
, iproute
|
|
, iptables
|
|
, makeWrapper
|
|
, procps
|
|
, python3
|
|
}:
|
|
|
|
let
|
|
preBuild = ''
|
|
patchShebangs .
|
|
|
|
# Tell rules_go to use the Go binary found in the PATH
|
|
sed -E -i \
|
|
-e 's|go_version\s*=\s*"[^"]+",|go_version = "host",|g' \
|
|
WORKSPACE
|
|
|
|
# The gazelle Go tooling needs CA certs
|
|
export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
|
|
|
|
# If we don't reset our GOPATH, the rules_go stdlib builder tries to
|
|
# install something into it. Ideally that wouldn't happen, but for now we
|
|
# can also get around it by unsetting GOPATH entirely, since rules_go
|
|
# doesn't need it.
|
|
export GOPATH=
|
|
'';
|
|
|
|
in buildBazelPackage rec {
|
|
name = "gvisor-${version}";
|
|
version = "2019-11-14";
|
|
|
|
src = fetchFromGitHub {
|
|
owner = "google";
|
|
repo = "gvisor";
|
|
rev = "release-20191114.0";
|
|
sha256 = "0kyixjjlws9iz2r2srgpdd4rrq94vpxkmh2rmmzxd9mcqy2i9bg1";
|
|
};
|
|
|
|
nativeBuildInputs = [ git glibcLocales go makeWrapper python3 ];
|
|
|
|
bazelTarget = "//runsc:runsc";
|
|
|
|
# gvisor uses the Starlark implementation of rules_cc, not the built-in one,
|
|
# so we shouldn't delete it from our dependencies.
|
|
removeRulesCC = false;
|
|
|
|
fetchAttrs = {
|
|
inherit preBuild;
|
|
|
|
preInstall = ''
|
|
# Remove the go_sdk (it's just a copy of the go derivation) and all
|
|
# references to it from the marker files. Bazel does not need to download
|
|
# this sdk because we have patched the WORKSPACE file to point to the one
|
|
# currently present in PATH. Without removing the go_sdk from the marker
|
|
# file, the hash of it will change anytime the Go derivation changes and
|
|
# that would lead to impurities in the marker files which would result in
|
|
# a different sha256 for the fetch phase.
|
|
rm -rf $bazelOut/external/{go_sdk,\@go_sdk.marker}
|
|
|
|
# Remove the gazelle tools, they contain go binaries that are built
|
|
# non-deterministically. As long as the gazelle version matches the tools
|
|
# should be equivalent.
|
|
rm -rf $bazelOut/external/{bazel_gazelle_go_repository_tools,\@bazel_gazelle_go_repository_tools.marker}
|
|
|
|
# Remove the gazelle repository cache
|
|
chmod -R +w $bazelOut/external/bazel_gazelle_go_repository_cache
|
|
rm -rf $bazelOut/external/{bazel_gazelle_go_repository_cache,\@bazel_gazelle_go_repository_cache.marker}
|
|
|
|
# Remove log file(s)
|
|
rm -f "$bazelOut"/java.log "$bazelOut"/java.log.*
|
|
'';
|
|
|
|
sha256 = "0r11kbyp1ambgcj35gvjjmxrsrdg7b9jb9sq3kih4lik7zyljp25";
|
|
};
|
|
|
|
buildAttrs = {
|
|
inherit preBuild;
|
|
|
|
installPhase = ''
|
|
install -Dm755 bazel-bin/runsc/*_pure_stripped/runsc $out/bin/runsc
|
|
|
|
# Needed for the 'runsc do' subcomand
|
|
wrapProgram $out/bin/runsc \
|
|
--prefix PATH : ${stdenv.lib.makeBinPath [ iproute iptables procps ]}
|
|
'';
|
|
};
|
|
|
|
meta = with stdenv.lib; {
|
|
description = "Container Runtime Sandbox";
|
|
homepage = "https://github.com/google/gvisor";
|
|
license = licenses.asl20;
|
|
maintainers = with maintainers; [ andrew-d ];
|
|
platforms = [ "x86_64-linux" ];
|
|
};
|
|
}
|