mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 03:52:49 +01:00
Merge pull request #5449 from kittywhiskers/alpine_guix
build: add ability to interactively run guix builds, use container that has unprivileged user
This commit is contained in:
commit
e1e07c3b7c
34
.github/workflows/guix-build.yml
vendored
34
.github/workflows/guix-build.yml
vendored
@ -17,10 +17,12 @@ jobs:
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
- name: Hash Dockerfile
|
||||
- name: Commit variables
|
||||
id: dockerfile
|
||||
run: |
|
||||
echo "::set-output name=hash::$(sha256sum ./contrib/guix/Dockerfile | cut -d ' ' -f1)"
|
||||
echo "::set-output name=hash::$(sha256sum ./contrib/containers/guix/Dockerfile | cut -d ' ' -f1)"
|
||||
echo "::set-output name=host_user_id::$(id -u)"
|
||||
echo "::set-output name=host_group_id::$(id -g)"
|
||||
|
||||
- name: Cache Docker layers
|
||||
uses: actions/cache@v2
|
||||
@ -33,25 +35,27 @@ jobs:
|
||||
- name: Build Docker image
|
||||
uses: docker/build-push-action@v2
|
||||
with:
|
||||
context: .
|
||||
file: ./contrib/guix/Dockerfile
|
||||
context: ${{ github.workspace }}
|
||||
build-args: |
|
||||
USER_ID=${{ steps.dockerfile.outputs.host_user_id }}
|
||||
GROUP_ID=${{ steps.dockerfile.outputs.host_group_id }}
|
||||
build-contexts: |
|
||||
docker_root=${{ github.workspace }}/contrib/containers/guix
|
||||
file: ./contrib/containers/guix/Dockerfile
|
||||
load: true
|
||||
tags: alpine-guix:latest
|
||||
tags: guix_ubuntu:latest
|
||||
cache-from: type=local,src=/tmp/.buildx-cache
|
||||
cache-to: type=local,dest=/tmp/.buildx-cache
|
||||
|
||||
- name: Run Guix build
|
||||
run: |
|
||||
export ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=32' && \
|
||||
mkdir -p depends/SDKs && \
|
||||
mkdir -p /tmp/guix-store && \
|
||||
curl -L https://bitcoincore.org/depends-sources/sdks/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz | tar -xz -C depends/SDKs && \
|
||||
docker run --privileged -d --name guix-daemon --rm -v ${{ github.workspace }}:/dash -w /dash alpine-guix:latest && \
|
||||
docker exec guix-daemon bash -c "\
|
||||
chmod 777 /dash/depends && \
|
||||
git config --global --add safe.directory /dash && \
|
||||
cd /dash && \
|
||||
contrib/guix/guix-build"
|
||||
docker run --privileged -d --rm -t \
|
||||
--name guix-daemon \
|
||||
-e ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=32' \
|
||||
-v ${{ github.workspace }}:/src/dash \
|
||||
-w /src/dash \
|
||||
guix_ubuntu:latest && \
|
||||
docker exec guix-daemon bash -c "/usr/local/bin/guix-start"
|
||||
|
||||
- name: Ensure build passes
|
||||
run: |
|
||||
|
91
contrib/containers/guix/Dockerfile
Normal file
91
contrib/containers/guix/Dockerfile
Normal file
@ -0,0 +1,91 @@
|
||||
# Note: Using 'docker compose up' will leave you hanging, you need
|
||||
# to use 'docker compose run guix_ubuntu' to drop into an
|
||||
# interactive shell
|
||||
|
||||
FROM ubuntu:focal
|
||||
|
||||
SHELL ["/bin/bash", "-c"]
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends --no-upgrade \
|
||||
build-essential \
|
||||
bzip2 \
|
||||
ca-certificates \
|
||||
curl \
|
||||
git \
|
||||
locales \
|
||||
netbase \
|
||||
sudo \
|
||||
wget \
|
||||
xz-utils && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
ARG guix_download_path=ftp://ftp.gnu.org/gnu/guix
|
||||
ARG guix_version=1.4.0
|
||||
ARG guix_checksum_aarch64=72d807392889919940b7ec9632c45a259555e6b0942ea7bfd131101e08ebfcf4
|
||||
ARG guix_checksum_x86_64=236ca7c9c5958b1f396c2924fcc5bc9d6fdebcb1b4cf3c7c6d46d4bf660ed9c9
|
||||
ARG builder_count=32
|
||||
|
||||
ENV PATH /usr/local/bin:/usr/local/guix/current/bin:$PATH
|
||||
|
||||
# Application Setup
|
||||
# https://guix.gnu.org/manual/en/html_node/Application-Setup.html
|
||||
ENV GUIX_LOCPATH="/usr/local/guix/profile" \
|
||||
LC_ALL="C"
|
||||
|
||||
RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz && \
|
||||
eval "guix_checksum=\${guix_checksum_$(uname -m)}" && \
|
||||
cd /tmp && \
|
||||
wget -q -O "$guix_file_name" "${guix_download_path}/${guix_file_name}" && \
|
||||
echo "${guix_checksum} ${guix_file_name}" | sha256sum -c && \
|
||||
tar xJf "$guix_file_name" && \
|
||||
mv var/guix /var/ && \
|
||||
mv gnu / && \
|
||||
mkdir -p /usr/local/guix && \
|
||||
ln -sf /var/guix/profiles/per-user/root/current-guix /usr/local/guix/current && \
|
||||
ln -sf /var/guix/profiles/per-user/root/guix-profile /usr/local/guix/profile && \
|
||||
chmod 1777 /tmp /var/tmp && \
|
||||
source /usr/local/guix/current/etc/profile
|
||||
|
||||
RUN touch /etc/nsswitch.conf
|
||||
|
||||
RUN guix archive --authorize < /usr/local/guix/current/share/guix/ci.guix.gnu.org.pub && \
|
||||
guix archive --authorize < /usr/local/guix/current/share/guix/bordeaux.guix.gnu.org.pub
|
||||
|
||||
# Build Environment Setup
|
||||
# https://guix.gnu.org/manual/en/html_node/Build-Environment-Setup.html
|
||||
RUN groupadd --system guixbuild && \
|
||||
for i in $(seq -w 1 ${builder_count}); do \
|
||||
useradd -g guixbuild -G guixbuild \
|
||||
-d /var/empty -s $(which nologin) \
|
||||
-c "Guix build user ${i}" --system \
|
||||
"guixbuilder${i}" ; \
|
||||
done
|
||||
|
||||
# Create unprivileged user
|
||||
ARG USER_ID=1000 \
|
||||
GROUP_ID=1000 \
|
||||
USERNAME=ubuntu
|
||||
RUN groupadd -g ${GROUP_ID} ${USERNAME} && \
|
||||
useradd -u ${USER_ID} -g ${USERNAME} -s /bin/bash -m -d /home/${USERNAME} ${USERNAME}
|
||||
|
||||
# Grant it passwordless admin permissions
|
||||
RUN usermod -aG sudo ${USERNAME} && \
|
||||
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
|
||||
|
||||
# Copy required files to container
|
||||
COPY --from=docker_root ./motd.txt /etc/motd
|
||||
COPY --from=docker_root ./scripts/entrypoint /usr/local/bin/entrypoint
|
||||
COPY --from=docker_root ./scripts/guix-check /usr/local/bin/guix-check
|
||||
COPY --from=docker_root ./scripts/guix-start /usr/local/bin/guix-start
|
||||
|
||||
# Create directory for mounting and grant necessary permissions
|
||||
RUN mkdir -p /src/dash && \
|
||||
chown -R ${USER_ID}:${GROUP_ID} /src
|
||||
WORKDIR "/src/dash"
|
||||
|
||||
# Switch to unprivileged context
|
||||
USER ${USERNAME}
|
||||
|
||||
# Set entrypoint to copied file
|
||||
ENTRYPOINT ["/usr/local/bin/entrypoint"]
|
18
contrib/containers/guix/docker-compose.yml
Normal file
18
contrib/containers/guix/docker-compose.yml
Normal file
@ -0,0 +1,18 @@
|
||||
version: "3.9"
|
||||
services:
|
||||
guix_ubuntu:
|
||||
build:
|
||||
context: '../../..'
|
||||
additional_contexts:
|
||||
- docker_root=.
|
||||
dockerfile: './contrib/containers/guix/Dockerfile'
|
||||
args:
|
||||
USER_ID: 1000 # set this to $(id -u) of the host
|
||||
GROUP_ID: 1000 # set this to $(id -g) of the host
|
||||
container_name: guix_ubuntu
|
||||
tty: true
|
||||
stdin_open: true
|
||||
privileged: true
|
||||
network_mode: host
|
||||
volumes:
|
||||
- "../../..:/src/dash:rw"
|
4
contrib/containers/guix/motd.txt
Normal file
4
contrib/containers/guix/motd.txt
Normal file
@ -0,0 +1,4 @@
|
||||
#####################################################
|
||||
To get started, run 'guix-start' and then calculate
|
||||
hashes using 'guix-check'
|
||||
#####################################################
|
15
contrib/containers/guix/scripts/entrypoint
Executable file
15
contrib/containers/guix/scripts/entrypoint
Executable file
@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
# Read instructions
|
||||
cat /etc/motd
|
||||
|
||||
# Start the Guix daemon
|
||||
sudo env PATH=${PATH} guix-daemon \
|
||||
--build-users-group='guixbuild' \
|
||||
--substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org' < /dev/null 2>&1 |
|
||||
sudo tee /var/log/guix.log > /dev/null &
|
||||
|
||||
# Hand over control
|
||||
exec bash
|
17
contrib/containers/guix/scripts/guix-check
Executable file
17
contrib/containers/guix/scripts/guix-check
Executable file
@ -0,0 +1,17 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
cd /src/dash
|
||||
COMMIT_ID=$(git rev-parse --short=12 HEAD)
|
||||
|
||||
printf "Binaries:\n"
|
||||
( \
|
||||
SRC_PATH_PREFIX=guix-build-${COMMIT_ID}/distsrc- && \
|
||||
sha256sum ${SRC_PATH_PREFIX}*/src/dash{d,-cli,-tx,-wallet}{,.exe} && \
|
||||
sha256sum ${SRC_PATH_PREFIX}*/src/qt/dash-qt{,.exe} && \
|
||||
sha256sum ${SRC_PATH_PREFIX}*/src/test/test_dash{,.exe} \
|
||||
) | sort -k 2
|
||||
|
||||
printf "Archives:\n"
|
||||
find guix-build-"${COMMIT_ID}"/output -type f | grep -v SHA256 | xargs sha256sum | sort -k 2
|
20
contrib/containers/guix/scripts/guix-start
Executable file
20
contrib/containers/guix/scripts/guix-start
Executable file
@ -0,0 +1,20 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
XCODE_VERSION="12.1"
|
||||
XCODE_RELEASE="12A7403"
|
||||
XCODE_ARCHIVE="Xcode-${XCODE_VERSION}-${XCODE_RELEASE}-extracted-SDK-with-libcxx-headers"
|
||||
|
||||
# Check if macOS SDK is present, if not, download it
|
||||
if [ ! -d "/src/dash/depends/SDKs/${XCODE_ARCHIVE}" ]
|
||||
then
|
||||
mkdir -p /src/dash/depends/SDKs
|
||||
curl -L https://bitcoincore.org/depends-sources/sdks/${XCODE_ARCHIVE}.tar.gz | tar -xz -C /src/dash/depends/SDKs
|
||||
fi
|
||||
|
||||
cd /src/dash
|
||||
git status >> /dev/null
|
||||
git config --global --add safe.directory /src/dash
|
||||
|
||||
./contrib/guix/guix-build
|
Loading…
Reference in New Issue
Block a user