Share /lib64 into the container (#109)
* Share /lib64 into the container * Don't attempt to mount host directories that don't exist
This commit is contained in:
parent
0d82cb015a
commit
ab6bcb2d5a
2 changed files with 99 additions and 29 deletions
62
dist/index.js
generated
vendored
62
dist/index.js
generated
vendored
|
@ -102169,6 +102169,51 @@ ${stderrBuffer}`
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
core.debug("Starting the Nix daemon through Docker...");
|
core.debug("Starting the Nix daemon through Docker...");
|
||||||
|
const candidateDirectories = [
|
||||||
|
{
|
||||||
|
dir: "/bin",
|
||||||
|
readOnly: true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/etc",
|
||||||
|
readOnly: true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/home",
|
||||||
|
readOnly: true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/lib",
|
||||||
|
readOnly: true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/lib64",
|
||||||
|
readOnly: true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/tmp",
|
||||||
|
readOnly: false
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/nix",
|
||||||
|
readOnly: false
|
||||||
|
}
|
||||||
|
];
|
||||||
|
const mountArguments = [];
|
||||||
|
for (const { dir, readOnly } of candidateDirectories) {
|
||||||
|
try {
|
||||||
|
await (0,promises_namespaceObject.access)(dir);
|
||||||
|
core.debug(`Will mount ${dir} in the docker shim.`);
|
||||||
|
mountArguments.push("--mount");
|
||||||
|
mountArguments.push(
|
||||||
|
`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`
|
||||||
|
);
|
||||||
|
} catch {
|
||||||
|
core.debug(
|
||||||
|
`Not mounting ${dir} in the docker shim: it doesn't appear to exist.`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
this.recordEvent(EVENT_START_DOCKER_SHIM);
|
this.recordEvent(EVENT_START_DOCKER_SHIM);
|
||||||
const exitCode = await exec.exec(
|
const exitCode = await exec.exec(
|
||||||
"docker",
|
"docker",
|
||||||
|
@ -102180,25 +102225,12 @@ ${stderrBuffer}`
|
||||||
"--network=host",
|
"--network=host",
|
||||||
"--userns=host",
|
"--userns=host",
|
||||||
"--pid=host",
|
"--pid=host",
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/bin,dst=/bin,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/lib,dst=/lib,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/home,dst=/home,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/tmp,dst=/tmp",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/nix,dst=/nix",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/etc,dst=/etc,readonly",
|
|
||||||
"--restart",
|
"--restart",
|
||||||
"always",
|
"always",
|
||||||
"--init",
|
"--init",
|
||||||
"--name",
|
"--name",
|
||||||
`determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`,
|
`determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`
|
||||||
"determinate-nix-shim:latest"
|
].concat(mountArguments).concat(["determinate-nix-shim:latest"]),
|
||||||
],
|
|
||||||
{
|
{
|
||||||
silent: true,
|
silent: true,
|
||||||
listeners: {
|
listeners: {
|
||||||
|
|
66
src/index.ts
66
src/index.ts
|
@ -688,6 +688,55 @@ class NixInstallerAction extends DetSysAction {
|
||||||
|
|
||||||
{
|
{
|
||||||
actionsCore.debug("Starting the Nix daemon through Docker...");
|
actionsCore.debug("Starting the Nix daemon through Docker...");
|
||||||
|
|
||||||
|
const candidateDirectories = [
|
||||||
|
{
|
||||||
|
dir: "/bin",
|
||||||
|
readOnly: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/etc",
|
||||||
|
readOnly: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/home",
|
||||||
|
readOnly: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/lib",
|
||||||
|
readOnly: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/lib64",
|
||||||
|
readOnly: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/tmp",
|
||||||
|
readOnly: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
dir: "/nix",
|
||||||
|
readOnly: false,
|
||||||
|
},
|
||||||
|
];
|
||||||
|
|
||||||
|
const mountArguments = [];
|
||||||
|
|
||||||
|
for (const { dir, readOnly } of candidateDirectories) {
|
||||||
|
try {
|
||||||
|
await access(dir);
|
||||||
|
actionsCore.debug(`Will mount ${dir} in the docker shim.`);
|
||||||
|
mountArguments.push("--mount");
|
||||||
|
mountArguments.push(
|
||||||
|
`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
|
||||||
|
);
|
||||||
|
} catch {
|
||||||
|
actionsCore.debug(
|
||||||
|
`Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
this.recordEvent(EVENT_START_DOCKER_SHIM);
|
this.recordEvent(EVENT_START_DOCKER_SHIM);
|
||||||
const exitCode = await actionsExec.exec(
|
const exitCode = await actionsExec.exec(
|
||||||
"docker",
|
"docker",
|
||||||
|
@ -699,25 +748,14 @@ class NixInstallerAction extends DetSysAction {
|
||||||
"--network=host",
|
"--network=host",
|
||||||
"--userns=host",
|
"--userns=host",
|
||||||
"--pid=host",
|
"--pid=host",
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/bin,dst=/bin,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/lib,dst=/lib,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/home,dst=/home,readonly",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/tmp,dst=/tmp",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/nix,dst=/nix",
|
|
||||||
"--mount",
|
|
||||||
"type=bind,src=/etc,dst=/etc,readonly",
|
|
||||||
"--restart",
|
"--restart",
|
||||||
"always",
|
"always",
|
||||||
"--init",
|
"--init",
|
||||||
"--name",
|
"--name",
|
||||||
`determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
|
`determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
|
||||||
"determinate-nix-shim:latest",
|
]
|
||||||
],
|
.concat(mountArguments)
|
||||||
|
.concat(["determinate-nix-shim:latest"]),
|
||||||
{
|
{
|
||||||
silent: true,
|
silent: true,
|
||||||
listeners: {
|
listeners: {
|
||||||
|
|
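Review bot: The bare `} catch {` in the first hunk of src/index.ts treats every failure of `access(dir)` as "doesn't appear to exist", so an EACCES or EPERM on a host directory that does exist would be logged at debug level and the directory silently left out of the shim, which is a harder-to-diagnose failure than the missing-mount error it replaces. Narrow the catch to the case the message describes, e.g. `} catch (err) {` followed by `if ((err as NodeJS.ErrnoException).code !== "ENOENT") throw err;` before the existing `actionsCore.debug(...)`, or surface non-ENOENT errors with `actionsCore.warning` if best-effort is intended. Since `candidateDirectories` is now the single place that defines which host paths are exposed to a container started with `--pid=host` and `--userns=host`, a short comment above the array stating why each directory is needed and why `/tmp` and `/nix` are the only read-write entries would help later reviewers judge additions like the new `/lib64` entry. `const mountArguments = [];` could be typed as `const mountArguments: string[] = [];` to avoid relying on TypeScript's evolving-array inference. The enclosing method starts before this hunk; the identical block appears in the generated dist/index.js section.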