From 0d266992ee156302a5911f70fe221cb92e053eda Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Thu, 23 Nov 2023 16:52:39 +0100
Subject: [PATCH] wip
---
 .../org_libvirt_go_libvirt/go_libvirt.need | 2 +-
 WORKSPACE.bazel | 15 +++----
 bazel/patchelf/BUILD.bazel | 0
 bazel/patchelf/patchelf.bzl | 37 +++++++++++++++++++
 bazel/platforms/BUILD.bazel | 35 ++++++++++++++----
 bootstrapper/cmd/bootstrapper/BUILD.bazel | 15 ++++++--
 cli/internal/libvirt/BUILD.bazel | 4 +-
 debugd/cmd/debugd/BUILD.bazel | 11 +++---
 disk-mapper/cmd/BUILD.bazel | 14 +++++--
 flake.nix | 2 +-
 hack/qemu-metadata-api/BUILD.bazel | 17 +++++++--
 image/BUILD.bazel | 9 +++++
 image/base/BUILD.bazel | 1 +
 image/initrd/BUILD.bazel | 1 +
 image/system/mkosi.repart/00-esp.conf | 4 +-
 measurement-reader/cmd/BUILD.bazel | 13 ++++---
 nix/cc/BUILD.bazel | 26 ++++++++++---
 nix/cc/cryptsetup.nix | 13 ++++++-
 nix/cc/libvirt.nix | 17 +++++++++
 nix/cc/nixpkgs_cc_libraries.bzl | 2 +
 upgrade-agent/cmd/BUILD.bazel | 11 +++---
 21 files changed, 191 insertions(+), 58 deletions(-)
 create mode 100644 bazel/patchelf/BUILD.bazel
 create mode 100644 nix/cc/libvirt.nix
diff --git a/3rdparty/bazel/org_libvirt_go_libvirt/go_libvirt.need b/3rdparty/bazel/org_libvirt_go_libvirt/go_libvirt.need
index 7c33852ea..dd57bb7a3 100644
--- a/3rdparty/bazel/org_libvirt_go_libvirt/go_libvirt.need
+++ b/3rdparty/bazel/org_libvirt_go_libvirt/go_libvirt.need
@@ -96,7 +96,7 @@ go_library(
 "typedparams.go",
 ],
 cdeps = [
- "@libvirt//:libvirt",
+ "@//nix/cc:libvirt",
 ],
 cgo = True,
 importpath = "libvirt.org/go/libvirt",
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
index 251b174b0..ac229d4c0 100644
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -66,6 +66,11 @@ nixpkgs_package(
 repository = "@nixpkgs",
 )
+nixpkgs_package(
+ name = "patchelf",
+ repository = "@nixpkgs",
+)
+
 load("//nix/cc:nixpkgs_cc_libraries.bzl", "nixpkgs_cc_library_deps")
 nixpkgs_cc_library_deps()
@@ -178,16 +183,6 @@ nixpkgs_cc_configure(
 repository = "@nixpkgs",
 )
-nixpkgs_cc_configure(
- name = "nixpkgs_cc_toolchain_x86_64",
- cross_cpu = "k8",
- repository = "@nixpkgs",
-)
-
-# register_toolchains(
-# "@nixpkgs_cc_toolchain//:toolchain",
-# )
-
 register_toolchains(
 "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
 "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
diff --git a/bazel/patchelf/BUILD.bazel b/bazel/patchelf/BUILD.bazel
new file mode 100644
index 000000000..e69de29bb
diff --git a/bazel/patchelf/patchelf.bzl b/bazel/patchelf/patchelf.bzl
index e69de29bb..809f68573 100644
--- a/bazel/patchelf/patchelf.bzl
+++ b/bazel/patchelf/patchelf.bzl
@@ -0,0 +1,37 @@
+""" Bazel rule for postprocessing elf files with patchelf """
+
+def _patchelf_impl(ctx):
+ output = ctx.outputs.out
+ ctx.actions.run_shell(
+ inputs = [ctx.file.src, ctx.file.rpath],
+ tools = [ctx.executable._patchelf_binary],
+ outputs = [output],
+ arguments = [
+ ctx.executable._patchelf_binary.path,
+ ctx.file.rpath.path,
+ output.path,
+ ctx.file.src.path,
+ ],
+ command = "\"$1\" --set-rpath \"$(cat \"$2\")\" --output \"$3\" \"$4\"",
+ progress_message = "Patching ELF binary " + ctx.file.src.basename,
+ )
+ return DefaultInfo(
+ files = depset([output]),
+ executable = output,
+ )
+
+patchelf = rule(
+ implementation = _patchelf_impl,
+ attrs = {
+ "out": attr.output(mandatory = True),
+ "rpath": attr.label(mandatory = True, allow_single_file = True),
+ "src": attr.label(mandatory = True, allow_single_file = True),
+ "_patchelf_binary": attr.label(
+ default = Label("@patchelf//:bin/patchelf"),
+ allow_single_file = True,
+ executable = True,
+ cfg = "exec",
+ ),
+ },
+ executable = True,
+)
diff --git a/bazel/platforms/BUILD.bazel b/bazel/platforms/BUILD.bazel
index c5f909b50..eca6072d6 100644
--- a/bazel/platforms/BUILD.bazel
+++ b/bazel/platforms/BUILD.bazel
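Review bot: The docstring on the new `patchelf` rule does not say that `--set-rpath` replaces the binary's entire RPATH with the contents of the `rpath` file, so any shared object not reachable from that list (or from the RUNPATH of the Nix libraries it names) silently falls back to the loader's default search path on the target image. I would expand it to: `"""Rewrite the RPATH of an ELF binary with patchelf: src is the input binary, rpath a file whose (colon-separated) contents become the new RPATH, out the patched copy."""`. patchelf writes DT_RUNPATH rather than DT_RPATH by default, which the dynamic loader applies only to the binary's direct DT_NEEDED entries and which LD_LIBRARY_PATH takes precedence over; a one-line comment above `command` noting that, and a `mnemonic = "PatchElf",` on the `run_shell` call so the action is identifiable in execution logs, would help the next maintainer.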
@@ -1,10 +1,7 @@
-platform(
- name = "constellation_os_x86_64",
- constraint_values = [
- "@platforms//cpu:x86_64",
- "@platforms//os:linux",
- "@rules_nixpkgs_core//constraints:support_nix",
- ],
+alias(
+ name = "constellation_os",
+ actual = ":x86_64-linux_nix",
+ visibility = ["//visibility:public"],
 )
 platform(
@@ -42,3 +39,27 @@ platform(
 "@rules_nixpkgs_core//constraints:support_nix",
 ],
 )
+
+alias(
+ name = "go-pure_aarch64-linux",
+ actual = "@io_bazel_rules_go//go/toolchain:linux_arm64",
+ visibility = ["//visibility:public"],
+)
+
+alias(
+ name = "go-pure_aarch64-darwin",
+ actual = "@io_bazel_rules_go//go/toolchain:darwin_arm64",
+ visibility = ["//visibility:public"],
+)
+
+alias(
+ name = "go-pure_x86_64-linux",
+ actual = "@io_bazel_rules_go//go/toolchain:linux_amd64",
+ visibility = ["//visibility:public"],
+)
+
+alias(
+ name = "go-pure_x86_64-darwin",
+ actual = "@io_bazel_rules_go//go/toolchain:darwin_amd64",
+ visibility = ["//visibility:public"],
+)
diff --git a/bootstrapper/cmd/bootstrapper/BUILD.bazel b/bootstrapper/cmd/bootstrapper/BUILD.bazel
index 221023fc7..6c738f7da 100644
--- a/bootstrapper/cmd/bootstrapper/BUILD.bazel
+++ b/bootstrapper/cmd/bootstrapper/BUILD.bazel
@@ -1,6 +1,7 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/go:platform.bzl", "platform_binary")
+load("//bazel/patchelf:patchelf.bzl", "patchelf")
 go_library(
 name = "bootstrapper_lib",
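Review bot: The new `constellation_os` alias resolves unconditionally to `:x86_64-linux_nix`, so every `platform_binary` switched to it in this commit (bootstrapper, disk-mapper, qemu-metadata-api) is pinned to x86_64 even though the name no longer says so, while the `go-pure_*` aliases in the second hunk cover both architectures. The hunk shows other nix `platform(` targets exist in this file but not their names; if an aarch64 one is among them, `actual = select({...})` keyed on `@platforms//cpu` would keep the alias honest, otherwise a comment such as `# x86_64 only for now; no aarch64 nix toolchain is configured` on the alias would at least document the limitation.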
@@ -61,18 +62,24 @@ go_binary(
 platform_binary(
 name = "bootstrapper_linux_amd64",
- # platform = "@zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23",
- platform = "//bazel/platforms:constellation_os_x86_64",
+ platform = "//bazel/platforms:constellation_os",
 target_file = ":bootstrapper",
 visibility = ["//visibility:public"],
 )
+patchelf(
+ name = "bootstrapper_patched",
+ src = ":bootstrapper_linux_amd64",
+ out = "bootstrapper_with_nix_rpath",
+ rpath = "@cryptsetup_x86_64-linux//:rpath",
+)
+
 pkg_tar(
 name = "bootstrapper-package",
 srcs = [
- ":bootstrapper_linux_amd64",
+ ":bootstrapper_patched",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/usr/bin/bootstrapper"},
+ remap_paths = {"/bootstrapper_with_nix_rpath": "/usr/bin/bootstrapper"},
 visibility = ["//visibility:public"],
 )
diff --git a/cli/internal/libvirt/BUILD.bazel b/cli/internal/libvirt/BUILD.bazel
index 558ccb9f9..ed45a038b 100644
--- a/cli/internal/libvirt/BUILD.bazel
+++ b/cli/internal/libvirt/BUILD.bazel
@@ -67,7 +67,9 @@ oci_image(
 entrypoint = ["/start.sh"],
 os = "linux",
 tars = [
- "//rpm:containerized-libvirt",
+ # TODO(malt3): test if libvirt works
+ "@libvirt_x86_64-linux//:closure.tar",
+ "@libvirt_x86_64-linux//:bin-linktree.tar",
 ":start",
 ],
 visibility = ["//visibility:public"],
diff --git a/debugd/cmd/debugd/BUILD.bazel b/debugd/cmd/debugd/BUILD.bazel
index 40d946f36..2ef12d09a 100644
--- a/debugd/cmd/debugd/BUILD.bazel
+++ b/debugd/cmd/debugd/BUILD.bazel
@@ -1,7 +1,6 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_cross_binary", "go_library")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
-load("//bazel/go:platform.bzl", "platform_binary")
 go_library(
 name = "debugd_lib",
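Review bot: The `patchelf` target takes its RPATH from `@cryptsetup_x86_64-linux//:rpath` directly while the binary it patches is built for `//bazel/platforms:constellation_os`, so the library list and the binary's platform can drift apart if the alias ever changes; this commit adds `//nix/cc:cryptsetup_rpath` (a `select` over the per-architecture repositories) for exactly this case, so I would write `rpath = "//nix/cc:cryptsetup_rpath",` here. The same hard-coded repository appears in the disk-mapper hunk (`@cryptsetup_x86_64-linux//:rpath`) and in the qemu-metadata-api hunk (`@libvirt_x86_64-linux//:rpath`), where `//nix/cc:libvirt_rpath` is the matching alias. The RPATH baked in here is a fixed list of `/nix/store` paths from the build machine, so the image must ship exactly that closure; `image/base` and `image/initrd` add `//image:cryptsetup_closure` for that, and a comment on this target pointing at the coupling would save the next reader a search.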
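Review bot: The two new `tars` entries carry no explanation beyond the TODO, and since they replace the RPM-based libvirt layer a reader cannot tell from this BUILD file that `closure.tar` is the Nix runtime closure of libvirt and `bin-linktree.tar` a `bin/` tree of symlinks into it (both produced by nix/cc/libvirt.nix in this commit). I would replace the TODO with `# libvirt from nixpkgs: runtime closure plus a bin/ symlink tree into it (see nix/cc/libvirt.nix)`; once the image has been exercised, the TODO can go.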
@@ -38,10 +37,10 @@ go_binary(
 visibility = ["//visibility:public"],
 )
-platform_binary(
+go_cross_binary(
 name = "debugd_linux_amd64",
- platform = "@zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23",
- target_file = ":debugd",
+ platform = "//bazel/platforms:go-pure_x86_64-linux",
+ target = "debugd",
 visibility = ["//visibility:public"],
 )
@@ -61,6 +60,6 @@ pkg_tar(
 ":debugd_unit",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/usr/bin/debugd"},
+ remap_paths = {"/debugd_linux_amd64": "/usr/bin/debugd"},
 visibility = ["//visibility:public"],
 )
diff --git a/disk-mapper/cmd/BUILD.bazel b/disk-mapper/cmd/BUILD.bazel
index 93d93222b..e5ff4e654 100644
--- a/disk-mapper/cmd/BUILD.bazel
+++ b/disk-mapper/cmd/BUILD.bazel
@@ -1,6 +1,7 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/go:platform.bzl", "platform_binary")
+load("//bazel/patchelf:patchelf.bzl", "patchelf")
 go_library(
 name = "cmd_lib",
@@ -41,17 +42,24 @@ go_binary(
 platform_binary(
 name = "disk-mapper_linux_amd64",
- platform = "@zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23",
+ platform = "//bazel/platforms:constellation_os",
 target_file = ":cmd",
 visibility = ["//visibility:public"],
 )
+patchelf(
+ name = "disk-mapper_patched",
+ src = ":disk-mapper_linux_amd64",
+ out = "disk-mapper_with_nix_rpath",
+ rpath = "@cryptsetup_x86_64-linux//:rpath",
+)
+
 pkg_tar(
 name = "disk-mapper-package",
 srcs = [
- ":disk-mapper_linux_amd64",
+ ":disk-mapper_patched",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/usr/sbin/disk-mapper"},
+ remap_paths = {"/disk-mapper_with_nix_rpath": "/usr/sbin/disk-mapper"},
 visibility = ["//visibility:public"],
 )
diff --git a/flake.nix b/flake.nix
index 74a9152fb..326b5c4c0 100644
--- a/flake.nix
+++ b/flake.nix
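Review bot: `target = "debugd"` in the new `go_cross_binary` is written without the leading colon, whereas the same attribute in the measurement-reader and upgrade-agent hunks uses `target = ":cmd"`; both forms resolve within the package, but `target = ":debugd",` keeps the label style uniform across the three conversions in this commit. The debugd `go_binary` also does not get the `pure = "on"` that measurement-reader's hunk adds; whether the `go-pure_x86_64-linux` platform alone disables cgo is not visible in this diff, so a short comment stating which of the two is the intended mechanism would prevent the next person from "fixing" one to match the other.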
@@ -46,7 +46,7 @@
 packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; };
- packages.libvirt = pkgsUnstable.libvirt;
+ packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; };
 packages.awscli2 = pkgsUnstable.awscli2;
diff --git a/hack/qemu-metadata-api/BUILD.bazel b/hack/qemu-metadata-api/BUILD.bazel
index 5eeeec91d..5bbb85328 100644
--- a/hack/qemu-metadata-api/BUILD.bazel
+++ b/hack/qemu-metadata-api/BUILD.bazel
@@ -2,6 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 load("@rules_oci//oci:defs.bzl", "oci_image")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/go:platform.bzl", "platform_binary")
+load("//bazel/patchelf:patchelf.bzl", "patchelf")
 go_library(
 name = "qemu-metadata-api_lib",
@@ -29,18 +30,25 @@ go_binary(
 platform_binary(
 name = "qemu_metadata_api_linux_amd64",
- platform = "//bazel/platforms:constellation_os_x86_64",
+ platform = "//bazel/platforms:constellation_os",
 target_file = ":qemu-metadata-api",
 visibility = ["//visibility:public"],
 )
+patchelf(
+ name = "qemu_metadata_api_patched",
+ src = ":qemu_metadata_api_linux_amd64",
+ out = "qemu_metadata_api_with_nix_rpath",
+ rpath = "@libvirt_x86_64-linux//:rpath",
+)
+
 pkg_tar(
 name = "layer",
 srcs = [
- ":qemu_metadata_api_linux_amd64",
+ ":qemu_metadata_api_patched",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/server"},
+ remap_paths = {"/qemu_metadata_api_with_nix_rpath": "/server"},
 )
 oci_image(
@@ -49,7 +57,8 @@ oci_image(
 entrypoint = ["/server"],
 os = "linux",
 tars = [
- "//rpm:libvirt-devel",
+ # TODO(malt3): test if metadata api works with libvirt from nix
+ "@libvirt_x86_64-linux//:closure.tar",
 ":layer",
 ],
 visibility = ["//visibility:public"],
diff --git a/image/BUILD.bazel b/image/BUILD.bazel
index 76acdd212..681c6f385 100644
--- a/image/BUILD.bazel
+++ b/image/BUILD.bazel
@@ -1,3 +1,4 @@
+load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
@@ -18,3 +19,11 @@ pkg_tar(
 srcs = [":sysroot"],
 visibility = ["//visibility:public"],
 )
+
+copy_file(
+ name = "cryptsetup_closure",
+ src = "@cryptsetup_x86_64-linux//:closure.tar",
+ out = "cryptsetup_closure.tar",
+ allow_symlink = True,
+ visibility = ["//visibility:public"],
+)
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index b226f472d..1d02317b2 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -49,6 +49,7 @@ mkosi_image(
 ],
 extra_trees = [
 "//image:sysroot_tar",
+ "//image:cryptsetup_closure",
 ],
 local_mirror = ["@mkosi_rpms//:repo"],
 mkosi_conf = "mkosi.conf",
diff --git a/image/initrd/BUILD.bazel b/image/initrd/BUILD.bazel
index 18372f279..682c9d70e 100644
--- a/image/initrd/BUILD.bazel
+++ b/image/initrd/BUILD.bazel
@@ -14,6 +14,7 @@ mkosi_image(
 ],
 extra_trees = [
 "//image:sysroot_tar",
+ "//image:cryptsetup_closure",
 "//disk-mapper/cmd:disk-mapper-package.tar",
 ],
 local_mirror = ["@mkosi_rpms//:repo"],
diff --git a/image/system/mkosi.repart/00-esp.conf b/image/system/mkosi.repart/00-esp.conf
index 2876e4107..1b5bc6328 100644
--- a/image/system/mkosi.repart/00-esp.conf
+++ b/image/system/mkosi.repart/00-esp.conf
@@ -2,5 +2,5 @@
 Type=esp
 Format=vfat
 CopyFiles=/efi:/
-SizeMinBytes=256M
-SizeMaxBytes=512M
+SizeMinBytes=512M
+SizeMaxBytes=1024M
diff --git a/measurement-reader/cmd/BUILD.bazel b/measurement-reader/cmd/BUILD.bazel
index 9f9d10257..db81ce3d9 100644
--- a/measurement-reader/cmd/BUILD.bazel
+++ b/measurement-reader/cmd/BUILD.bazel
@@ -1,6 +1,5 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_cross_binary", "go_library")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("//bazel/go:platform.bzl", "platform_binary")
 go_library(
 name = "cmd_lib",
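Review bot: `cryptsetup_closure` is consumed as an `extra_trees` entry by both `image/base` and `image/initrd` in this commit, but the target says nothing about what the tarball holds or why it goes through `copy_file` instead of being referenced directly; a comment such as `# Runtime closure of cryptsetup from nixpkgs (built by nix/cc/cryptsetup.nix); unpacked into the image so the /nix/store RPATH written by //bazel/patchelf resolves.` would make the dependency visible. `allow_symlink = True` presumably exists because the external repository exposes the file through a symlink into the Nix store; a note to that effect would spare the next reader the experiment, and the `x86_64-linux` repository is hard-coded here just as in the bootstrapper and disk-mapper hunks.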
@@ -22,13 +21,15 @@ go_library(
 go_binary(
 name = "cmd",
 embed = [":cmd_lib"],
+ # keep
+ pure = "on",
 visibility = ["//visibility:public"],
 )
-platform_binary(
+go_cross_binary(
 name = "measurement-reader_linux_amd64",
- platform = "@zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23",
- target_file = ":cmd",
+ platform = "//bazel/platforms:go-pure_x86_64-linux",
+ target = ":cmd",
 visibility = ["//visibility:public"],
 )
@@ -38,6 +39,6 @@ pkg_tar(
 ":measurement-reader_linux_amd64",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/usr/sbin/measurement-reader"},
+ remap_paths = {"/measurement-reader_linux_amd64": "/usr/sbin/measurement-reader"},
 visibility = ["//visibility:public"],
 )
diff --git a/nix/cc/BUILD.bazel b/nix/cc/BUILD.bazel
index ea5badc5d..3854a6eb1 100644
--- a/nix/cc/BUILD.bazel
+++ b/nix/cc/BUILD.bazel
@@ -3,10 +3,10 @@ load("@bazel_skylib//lib:selects.bzl", "selects")
 alias(
 name = "org_openssl",
 actual = select({
- ":aarch64-linux": "@org_openssl_aarch64-linux//:org_openssl",
 ":aarch64-darwin": "@org_openssl_aarch64-darwin//:org_openssl",
- ":x86_64-linux": "@org_openssl_x86_64-linux//:org_openssl",
+ ":aarch64-linux": "@org_openssl_aarch64-linux//:org_openssl",
 ":x86_64-darwin": "@org_openssl_x86_64-darwin//:org_openssl",
+ ":x86_64-linux": "@org_openssl_x86_64-linux//:org_openssl",
 }),
 visibility = ["//visibility:public"],
 )
@@ -15,9 +15,7 @@ alias(
 name = "cryptsetup",
 actual = select({
 ":aarch64-linux": "@cryptsetup_aarch64-linux//:cryptsetup",
- ":aarch64-darwin": "@cryptsetup_aarch64-darwin//:cryptsetup",
 ":x86_64-linux": "@cryptsetup_x86_64-linux//:cryptsetup",
- ":x86_64-darwin": "@cryptsetup_x86_64-darwin//:cryptsetup",
 }),
 visibility = ["//visibility:public"],
 )
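Review bot: `pure = "on"` with a `# keep` marker is added to measurement-reader's host `go_binary`, but the debugd and upgrade-agent hunks move to the same `go-pure_x86_64-linux` platform without it; if the platform alone yields a cgo-free build the attribute is redundant here, and if it is needed the other two binaries are missing it. Which of the two holds is not visible in this diff, so I would add a comment above `# keep` stating why this binary sets it explicitly, e.g. `# pure is required for the host build as well, not only the cross build`, or drop it for consistency.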
@@ -26,9 +24,25 @@ alias(
 name = "libvirt",
 actual = select({
 ":aarch64-linux": "@libvirt_aarch64-linux//:libvirt",
- ":aarch64-darwin": "@libvirt_aarch64-darwin//:libvirt",
 ":x86_64-linux": "@libvirt_x86_64-linux//:libvirt",
- ":x86_64-darwin": "@libvirt_x86_64-darwin//:libvirt",
+ }),
+ visibility = ["//visibility:public"],
+)
+
+alias(
+ name = "cryptsetup_rpath",
+ actual = select({
+ ":aarch64-linux": "@cryptsetup_aarch64-linux//:rpath",
+ ":x86_64-linux": "@cryptsetup_x86_64-linux//:rpath",
+ }),
+ visibility = ["//visibility:public"],
+)
+
+alias(
+ name = "libvirt_rpath",
+ actual = select({
+ ":aarch64-linux": "@libvirt_aarch64-linux//:libvirt",
+ ":x86_64-linux": "@libvirt_x86_64-linux//:libvirt",
 }),
 visibility = ["//visibility:public"],
 )
diff --git a/nix/cc/cryptsetup.nix b/nix/cc/cryptsetup.nix
index 71c483af8..a275e9097 100644
--- a/nix/cc/cryptsetup.nix
+++ b/nix/cc/cryptsetup.nix
@@ -1,5 +1,16 @@
-{ pkgs }:
+{ pkgs, buildEnv, closureInfo }:
+let
+ lib = pkgs.lib;
+ packages = [ pkgs.cryptsetup.out pkgs.cryptsetup.dev ];
+ closure = builtins.toString (lib.strings.splitString "\n" (builtins.readFile "${closureInfo {rootPaths = packages;}}/store-paths"));
+ rpath = pkgs.lib.makeLibraryPath [ pkgs.cryptsetup pkgs.glibc pkgs.libgcc.lib ];
+in
 pkgs.symlinkJoin {
 name = "cryptsetup";
 paths = [ pkgs.cryptsetup.out pkgs.cryptsetup.dev ];
+ buildInputs = packages;
+ postBuild = ''
+ tar -cf $out/closure.tar ${closure}
+ echo "${rpath}" > $out/rpath
+ '';
 }
diff --git a/nix/cc/libvirt.nix b/nix/cc/libvirt.nix
new file mode 100644
index 000000000..d3fcbcee2
--- /dev/null
+++ b/nix/cc/libvirt.nix
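Review bot: The new `libvirt_rpath` alias points at `@libvirt_aarch64-linux//:libvirt` and `@libvirt_x86_64-linux//:libvirt`, which are the `cc_library` targets, not the `rpath` files that `nixpkgs_cc_libraries.bzl` exports in this same commit; it reads like a copy of the `libvirt` alias above that was not fully edited, and `cryptsetup_rpath` directly above it does use `//:rpath`. Change the two entries to `":aarch64-linux": "@libvirt_aarch64-linux//:rpath",` and `":x86_64-linux": "@libvirt_x86_64-linux//:rpath",`. Nothing in this commit consumes `//nix/cc:libvirt_rpath` yet (the qemu-metadata-api hunk references `@libvirt_x86_64-linux//:rpath` directly), which is why the mistake does not surface as a build error.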
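Review bot: `closure.tar` is written with a bare `tar -cf`, so member order follows directory iteration and the owner/group fields record the sandbox build user; for an archive that is later unpacked into a measured OS image that means store paths may end up owned by a non-root uid and the image bytes may depend on readdir order. `tar --sort=name --owner=0 --group=0 --numeric-owner -cf $out/closure.tar ${closure}` pins those fields, and the same applies to both `tar` calls in the libvirt.nix hunk; whether mkosi already normalizes extra trees is not visible here, so treat this as something to confirm. Smaller points in the same hunk: the `buildEnv` argument added to the signature is never used, `packages` is bound but `paths` repeats the list instead of `paths = packages;`, and `rpath` spells out `pkgs.lib.makeLibraryPath` right after `lib = pkgs.lib;` was introduced for that purpose.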
@@ -0,0 +1,17 @@
+{ pkgs, buildEnv, closureInfo }:
+let
+ lib = pkgs.lib;
+ packages = [ pkgs.libvirt ];
+ closure = builtins.toString (lib.strings.splitString "\n" (builtins.readFile "${closureInfo {rootPaths = packages;}}/store-paths"));
+ rpath = pkgs.lib.makeLibraryPath [ pkgs.libvirt pkgs.glib pkgs.libxml2 pkgs.readline pkgs.glibc pkgs.libgcc.lib ];
+in
+pkgs.symlinkJoin {
+ name = "libvirt";
+ paths = [ pkgs.libvirt ];
+ buildInputs = packages;
+ postBuild = ''
+ tar -cf $out/closure.tar ${closure}
+ tar --transform 's+^./+bin/+' -cf $out/bin-linktree.tar -C $out/bin .
+ echo "${rpath}" > $out/rpath
+ '';
+}
diff --git a/nix/cc/nixpkgs_cc_libraries.bzl b/nix/cc/nixpkgs_cc_libraries.bzl
index 75533d0f4..03d5a1f52 100644
--- a/nix/cc/nixpkgs_cc_libraries.bzl
+++ b/nix/cc/nixpkgs_cc_libraries.bzl
@@ -72,6 +72,7 @@ filegroup(
 srcs = glob(["include/**/*.h"]),
 visibility = ["//visibility:public"],
 )
+exports_files(["closure.tar", "rpath"])
 cc_library(
 name = "cryptsetup",
 srcs = glob(["lib/**/*.so*"]),
@@ -91,6 +92,7 @@ filegroup(
 srcs = glob(["include/**/*.h"]),
 visibility = ["//visibility:public"],
 )
+exports_files(["bin-linktree.tar", "closure.tar", "rpath"])
 cc_library(
 name = "libvirt",
 srcs = glob([
diff --git a/upgrade-agent/cmd/BUILD.bazel b/upgrade-agent/cmd/BUILD.bazel
index 8f1694cfe..ea7b3e2d3 100644
--- a/upgrade-agent/cmd/BUILD.bazel
+++ b/upgrade-agent/cmd/BUILD.bazel
@@ -1,6 +1,5 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_cross_binary", "go_library")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("//bazel/go:platform.bzl", "platform_binary")
 go_library(
 name = "cmd_lib",
@@ -25,10 +24,10 @@ go_binary(
 visibility = ["//visibility:public"],
 )
-platform_binary(
+go_cross_binary(
 name = "upgrade_agent_linux_amd64",
- platform = "@zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23",
- target_file = ":cmd",
+ platform = "//bazel/platforms:go-pure_x86_64-linux",
+ target = ":cmd",
 visibility = ["//visibility:public"],
 )
@@ -38,6 +37,6 @@ pkg_tar(
 ":upgrade_agent_linux_amd64",
 ],
 mode = "0755",
- remap_paths = {"/platform:linux_amd64_gnu.2.23": "/usr/bin/upgrade-agent"},
+ remap_paths = {"/upgrade_agent_linux_amd64": "/usr/bin/upgrade-agent"},
 visibility = ["//visibility:public"],
 )