From ab6bcb2d5af0e904d04aea750e2089e9dc4cbfdd Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Mon, 22 Jul 2024 11:40:01 -0400
Subject: [PATCH] Share /lib64 into the container (#109)

* Share /lib64 into the container
* Don't attempt to mount host directories that don't exist
---
dist/index.js | 62 +++++++++++++++++++++++++++++++++++------------
src/index.ts | 66 ++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 99 insertions(+), 29 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index e14909a..7672c99 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -102169,6 +102169,51 @@ ${stderrBuffer}`
 }
 {
 core.debug("Starting the Nix daemon through Docker...");
+ const candidateDirectories = [
+ {
+ dir: "/bin",
+ readOnly: true
+ },
+ {
+ dir: "/etc",
+ readOnly: true
+ },
+ {
+ dir: "/home",
+ readOnly: true
+ },
+ {
+ dir: "/lib",
+ readOnly: true
+ },
+ {
+ dir: "/lib64",
+ readOnly: true
+ },
+ {
+ dir: "/tmp",
+ readOnly: false
+ },
+ {
+ dir: "/nix",
+ readOnly: false
+ }
+ ];
+ const mountArguments = [];
+ for (const { dir, readOnly } of candidateDirectories) {
+ try {
+ await (0,promises_namespaceObject.access)(dir);
+ core.debug(`Will mount ${dir} in the docker shim.`);
+ mountArguments.push("--mount");
+ mountArguments.push(
+ `type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`
+ );
+ } catch {
+ core.debug(
+ `Not mounting ${dir} in the docker shim: it doesn't appear to exist.`
+ );
+ }
+ }
 this.recordEvent(EVENT_START_DOCKER_SHIM);
 const exitCode = await exec.exec(
 "docker",
@@ -102180,25 +102225,12 @@ ${stderrBuffer}`
 "--network=host",
 "--userns=host",
 "--pid=host",
- "--mount",
- "type=bind,src=/bin,dst=/bin,readonly",
- "--mount",
- "type=bind,src=/lib,dst=/lib,readonly",
- "--mount",
- "type=bind,src=/home,dst=/home,readonly",
- "--mount",
- "type=bind,src=/tmp,dst=/tmp",
- "--mount",
- "type=bind,src=/nix,dst=/nix",
- "--mount",
- "type=bind,src=/etc,dst=/etc,readonly",
 "--restart",
 "always",
 "--init",
 "--name",
- `determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`,
- "determinate-nix-shim:latest"
- ],
+ `determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`
+ ].concat(mountArguments).concat(["determinate-nix-shim:latest"]),
 {
 silent: true,
 listeners: {
diff --git a/src/index.ts b/src/index.ts
index 11c4321..59313bf 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -688,6 +688,55 @@ class NixInstallerAction extends DetSysAction {
 
 {
 actionsCore.debug("Starting the Nix daemon through Docker...");
+
+ const candidateDirectories = [
+ {
+ dir: "/bin",
+ readOnly: true,
+ },
+ {
+ dir: "/etc",
+ readOnly: true,
+ },
+ {
+ dir: "/home",
+ readOnly: true,
+ },
+ {
+ dir: "/lib",
+ readOnly: true,
+ },
+ {
+ dir: "/lib64",
+ readOnly: true,
+ },
+ {
+ dir: "/tmp",
+ readOnly: false,
+ },
+ {
+ dir: "/nix",
+ readOnly: false,
+ },
+ ];
+
+ const mountArguments = [];
+
+ for (const { dir, readOnly } of candidateDirectories) {
+ try {
+ await access(dir);
+ actionsCore.debug(`Will mount ${dir} in the docker shim.`);
+ mountArguments.push("--mount");
+ mountArguments.push(
+ `type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
+ );
+ } catch {
+ actionsCore.debug(
+ `Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
+ );
+ }
+ }
+
 this.recordEvent(EVENT_START_DOCKER_SHIM);
 const exitCode = await actionsExec.exec(
 "docker",
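Review bot: The bare `catch {}` around `await access(dir)` in src/index.ts treats every failure as "does not exist", so an EACCES or EIO on the runner would silently drop a mount — including `/nix`, which the daemon depends on — while the debug line misreports the cause. Narrow it to the case the message describes and let anything else surface, which also keeps the previous unconditional-mount failure mode for non-missing paths: `} catch (err) {` / `if ((err as { code?: string }).code !== "ENOENT") throw err;` before the existing `actionsCore.debug(...)`. `access(dir)` with its default mode also only confirms the path exists, not that it is a directory; if a self-hosted runner could have a regular file or symlink at one of these paths, `stat(dir)` followed by `isDirectory()` would be the stricter guard. Since the bind-mount set now varies per host, emitting `mountArguments` once at debug level after the loop would make a run with a missing mount diagnosable from its log. The enclosing method begins and ends outside this hunk.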
@@ -699,25 +748,14 @@ class NixInstallerAction extends DetSysAction {
 "--network=host",
 "--userns=host",
 "--pid=host",
- "--mount",
- "type=bind,src=/bin,dst=/bin,readonly",
- "--mount",
- "type=bind,src=/lib,dst=/lib,readonly",
- "--mount",
- "type=bind,src=/home,dst=/home,readonly",
- "--mount",
- "type=bind,src=/tmp,dst=/tmp",
- "--mount",
- "type=bind,src=/nix,dst=/nix",
- "--mount",
- "type=bind,src=/etc,dst=/etc,readonly",
 "--restart",
 "always",
 "--init",
 "--name",
 `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
- "determinate-nix-shim:latest",
- ],
+ ]
+ .concat(mountArguments)
+ .concat(["determinate-nix-shim:latest"]),
 {
 silent: true,
 listeners: {
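Review bot: The two chained `.concat()` calls split the `docker` argument list between an array literal and two appends, which obscures the invariant that the image name must remain the final argument after the dynamically built `--mount` pairs. A spread keeps the whole list in one literal and makes that ordering visible: `...mountArguments,` followed by `"determinate-nix-shim:latest",` as the last two entries before the closing `],`. The argument array and the `actionsExec.exec` call it belongs to start outside this hunk.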