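{ pkgs
, pkgsLinux
, stdenv
}:

let
  # Minimal /etc/passwd for the image. Only root gets a real shell; every
  # service account uses nologin. 'tss' is the account swtpm runs as and
  # 'qemu' is the account guests run as (see runAsRoot below for the
  # directory ownership that matches these entries). The password field is
  # 'x' and the image ships no /etc/shadow, so no account has a usable
  # password.
  passwd = pkgs.writeTextDir "etc/passwd" ''
    root:x:0:0:root:/root:/bin/sh
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
    tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin
    saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
    polkitd:x:996:996:User for polkitd:/:/sbin/nologin
    dnsmasq:x:994:994:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
    rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
    qemu:x:107:107:qemu user:/:/sbin/nologin
  '';

  # Minimal /etc/group. 'kvm' (GID 36) lists qemu so guests can open /dev/kvm
  # when the device carries that GID; start.sh below covers hosts whose kvm
  # group uses a different GID. This file must stay writable at runtime
  # because start.sh calls groupadd/usermod against it.
  group = pkgs.writeTextDir "etc/group" ''
    root:x:0:
    bin:x:1:
    daemon:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mem:x:8:
    kmem:x:9:
    wheel:x:10:
    lock:x:54:
    users:x:100:
    nobody:x:65534:
    tss:x:59:
    utmp:x:22:
    utempter:x:35:
    saslauth:x:76:saslauth
    input:x:104:
    kvm:x:36:qemu
    sgx:x:106:
    polkitd:x:996:
    dnsmasq:x:994:
    rpc:x:32:
    rpcuser:x:29:
    qemu:x:107:
    libvirt:x:990:
  '';

  # libvirtd accepts plain TCP connections without any authentication
  # (listen_tls = 0, auth_tcp = "none"). That is only acceptable because the
  # socket is bound to localhost and the container's network namespace is
  # expected to be reachable solely by the intended clients: anything that
  # can connect to port 16599 gets full control of libvirtd, which runs as
  # root. Do not publish this port or run the image with host networking.
  libvirtdConf = pkgs.writeTextDir "etc/libvirt/libvirtd.conf" ''
    listen_tls = 0
    listen_tcp = 1
    tcp_port = "16599"
    listen_addr = "localhost"
    auth_tcp = "none"
  '';

  # Driver config lives under var/lib/libvirt rather than etc/libvirt; this
  # presumably matches the sysconfdir of the nixpkgs libvirt build (the
  # explicit -f for libvirtd.conf in start.sh points the same way) — confirm
  # against the libvirt package in use. The empty controller list keeps
  # libvirt from trying to place guests into cgroup controllers, which the
  # container is presumably not delegated.
  qemuConf = pkgs.writeTextDir "var/lib/libvirt/qemu.conf" ''
    cgroup_controllers = []
  '';

  # Container entrypoint: grants qemu access to the host's /dev/kvm, then
  # runs libvirtd and virtlogd as daemons and parks the process.
  startScript = pkgsLinux.writeShellApplication {
    name = "start.sh";
    runtimeInputs = with pkgsLinux; [
      shadow
      coreutils
      libvirt
      qemu
      swtpm
    ];
    text = ''
      set -euo pipefail
      shopt -s inherit_errexit

      # /dev/kvm has to be passed into the container; fail with a readable
      # message instead of the opaque stat error the GID lookup would give.
      if [ ! -e /dev/kvm ]; then
        echo "start.sh: /dev/kvm is not available inside the container" >&2
        exit 1
      fi

      # Assign qemu the GID of the host system's 'kvm' group to avoid permission issues for environments defaulting to 660 for /dev/kvm (e.g. Debian-based distros)
      KVM_HOST_GID="$(stat -c '%g' /dev/kvm)"

      # Both steps are best effort (-o allows the GID to duplicate an existing
      # group such as kvm:36), but a failure is reported rather than silently
      # dropped so that a later permission error on /dev/kvm can be traced here.
      groupadd -o -g "''${KVM_HOST_GID}" host-kvm \
        || echo "start.sh: warning: could not create group host-kvm with gid ''${KVM_HOST_GID}" >&2
      usermod -a -G host-kvm qemu \
        || echo "start.sh: warning: could not add user qemu to group host-kvm" >&2

      # Start libvirt daemon
      libvirtd -f /etc/libvirt/libvirtd.conf --daemon --listen
      virtlogd --daemon

      sleep infinity
    '';
  };

  # Exposes the OVMF firmware volumes at /usr/share/OVMF, the path guests are
  # expected to reference. Nothing is built here; the derivation only links
  # the FV directory of the OVMFFull package into its output.
  ovmf = stdenv.mkDerivation {
    name = "OVMF";
    postInstall = ''
      mkdir -p $out/usr/share/
      ln -s ${pkgsLinux.OVMFFull.fd}/FV $out/usr/share/OVMF
    '';
    propagatedBuildInputs = with pkgsLinux; [
      OVMF
    ];
    dontUnpack = true;
  };
in
pkgs.dockerTools.buildImage {
  name = "ghcr.io/edgelesssys/constellation/libvirtd-base";
  # Root filesystem: the config files above, the firmware, the entrypoint,
  # /usr/bin/env and the CA bundle from dockerTools, and busybox for /bin/sh.
  copyToRoot = with pkgsLinux.dockerTools; [
    passwd
    group
    libvirtdConf
    qemuConf
    ovmf
    startScript
    usrBinEnv
    caCertificates
    pkgsLinux.busybox
  ];
  config = {
    Cmd = [ "/bin/start.sh" ];
  };
  # Runtime directories libvirt, swtpm and the TPM CA expect to exist, created
  # at build time with the ownership matching the passwd/group entries above.
  runAsRoot = ''
    #!${pkgs.runtimeShell}
    mkdir -p /tmp
    mkdir -p /run
    mkdir -p /var/lock
    mkdir -p /var/log/libvirt
    mkdir -p /var/lib/swtpm-localca
    mkdir -p /var/lib/libvirt/boot
    mkdir -p /var/lib/libvirt/dnsmasq
    mkdir -p /var/lib/libvirt/filesystems
    mkdir -p /var/lib/libvirt/images
    mkdir -p /var/lib/libvirt/libxl
    mkdir -p /var/lib/libvirt/lxc
    mkdir -p /var/lib/libvirt/network
    mkdir -p /var/lib/libvirt/qemu
    mkdir -p /var/lib/libvirt/swtpm

    chmod 1777 /tmp
    chown -R tss:root /var/lib/swtpm-localca
    chown -R qemu:qemu /var/lib/libvirt/qemu
    chown -R root:libvirt /var/log/libvirt/
  '';
}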