{ pkgs
, pkgsLinux
, stdenv
}:
let
passwd = pkgs.writeTextDir "etc/passwd" ''
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
polkitd:x:996:996:User for polkitd:/:/sbin/nologin
dnsmasq:x:994:994:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
'';
group = pkgs.writeTextDir "etc/group" ''
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
lock:x:54:
users:x:100:
nobody:x:65534:
tss:x:59:
utmp:x:22:
utempter:x:35:
saslauth:x:76:saslauth
input:x:104:
kvm:x:36:qemu
sgx:x:106:
polkitd:x:996:
dnsmasq:x:994:
rpc:x:32:
rpcuser:x:29:
qemu:x:107:
libvirt:x:990:
'';
libvirtdConf = pkgs.writeTextDir "etc/libvirt/libvirtd.conf" ''
listen_tls = 0
listen_tcp = 1
tcp_port = "16599"
listen_addr = "localhost"
auth_tcp = "none"
'';
qemuConf = pkgs.writeTextDir "var/lib/libvirt/qemu.conf" ''
cgroup_controllers = []
'';
startScript = pkgsLinux.writeShellApplication {
name = "start.sh";
runtimeInputs = with pkgsLinux; [
shadow
coreutils
libvirt
qemu
swtpm
];
text = ''
set -euo pipefail
shopt -s inherit_errexit
# Assign qemu the GID of the host system's 'kvm' group to avoid permission issues for environments defaulting to 660 for /dev/kvm (e.g. Debian-based distros)
KVM_HOST_GID="$(stat -c '%g' /dev/kvm)"
groupadd -o -g "''${KVM_HOST_GID}" host-kvm || true
usermod -a -G host-kvm qemu || true
# Start libvirt daemon
libvirtd -f /etc/libvirt/libvirtd.conf --daemon --listen
virtlogd --daemon
sleep infinity
'';
};
ovmf = stdenv.mkDerivation {
name = "OVMF";
postInstall = ''
mkdir -p $out/usr/share/
ln -s ${pkgsLinux.OVMFFull.fd}/FV $out/usr/share/OVMF
'';
propagatedBuildInputs = with pkgsLinux; [
OVMF
];
dontUnpack = true;
};
in
pkgs.dockerTools.buildImage {
name = "ghcr.io/edgelesssys/constellation/libvirtd-base";
copyToRoot = with pkgsLinux.dockerTools; [
passwd
group
libvirtdConf
qemuConf
ovmf
startScript
usrBinEnv
caCertificates
pkgsLinux.busybox
];
config = {
Cmd = [ "/bin/start.sh" ];
};
runAsRoot = ''
#!${pkgs.runtimeShell}
mkdir -p /tmp
mkdir -p /run
mkdir -p /var/lock
mkdir -p /var/log/libvirt
mkdir -p /var/lib/swtpm-localca
mkdir -p /var/lib/libvirt/boot
mkdir -p /var/lib/libvirt/dnsmasq
mkdir -p /var/lib/libvirt/filesystems
mkdir -p /var/lib/libvirt/images
mkdir -p /var/lib/libvirt/libxl
mkdir -p /var/lib/libvirt/lxc
mkdir -p /var/lib/libvirt/network
mkdir -p /var/lib/libvirt/qemu
mkdir -p /var/lib/libvirt/swtpm
chmod 1777 /tmp
chown -R tss:root /var/lib/swtpm-localca
chown -R qemu:qemu /var/lib/libvirt/qemu
chown -R root:libvirt /var/log/libvirt/
'';
}