Share /lib64 into the container (#109)

* Share /lib64 into the container

* Don't attempt to mount host directories that don't exist
This commit is contained in:
Graham Christensen 2024-07-22 11:40:01 -04:00 committed by GitHub
parent 0d82cb015a
commit ab6bcb2d5a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 99 additions and 29 deletions

dist/index.js generated vendored

@ -102169,6 +102169,51 @@ ${stderrBuffer}`
} }
{ {
core.debug("Starting the Nix daemon through Docker..."); core.debug("Starting the Nix daemon through Docker...");
const candidateDirectories = [
{
dir: "/bin",
readOnly: true
},
{
dir: "/etc",
readOnly: true
},
{
dir: "/home",
readOnly: true
},
{
dir: "/lib",
readOnly: true
},
{
dir: "/lib64",
readOnly: true
},
{
dir: "/tmp",
readOnly: false
},
{
dir: "/nix",
readOnly: false
}
];
const mountArguments = [];
for (const { dir, readOnly } of candidateDirectories) {
try {
await (0,promises_namespaceObject.access)(dir);
core.debug(`Will mount ${dir} in the docker shim.`);
mountArguments.push("--mount");
mountArguments.push(
`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`
);
} catch {
core.debug(
`Not mounting ${dir} in the docker shim: it doesn't appear to exist.`
);
}
}
this.recordEvent(EVENT_START_DOCKER_SHIM); this.recordEvent(EVENT_START_DOCKER_SHIM);
const exitCode = await exec.exec( const exitCode = await exec.exec(
"docker", "docker",
@ -102180,25 +102225,12 @@ ${stderrBuffer}`
"--network=host", "--network=host",
"--userns=host", "--userns=host",
"--pid=host", "--pid=host",
"--mount",
"type=bind,src=/bin,dst=/bin,readonly",
"--mount",
"type=bind,src=/lib,dst=/lib,readonly",
"--mount",
"type=bind,src=/home,dst=/home,readonly",
"--mount",
"type=bind,src=/tmp,dst=/tmp",
"--mount",
"type=bind,src=/nix,dst=/nix",
"--mount",
"type=bind,src=/etc,dst=/etc,readonly",
"--restart", "--restart",
"always", "always",
"--init", "--init",
"--name", "--name",
`determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`, `determinate-nix-shim-${this.getUniqueId()}-${(0,external_node_crypto_namespaceObject.randomUUID)()}`
"determinate-nix-shim:latest" ].concat(mountArguments).concat(["determinate-nix-shim:latest"]),
],
{ {
silent: true, silent: true,
listeners: { listeners: {


@ -688,6 +688,55 @@ class NixInstallerAction extends DetSysAction {
{ {
actionsCore.debug("Starting the Nix daemon through Docker..."); actionsCore.debug("Starting the Nix daemon through Docker...");
const candidateDirectories = [
{
dir: "/bin",
readOnly: true,
},
{
dir: "/etc",
readOnly: true,
},
{
dir: "/home",
readOnly: true,
},
{
dir: "/lib",
readOnly: true,
},
{
dir: "/lib64",
readOnly: true,
},
{
dir: "/tmp",
readOnly: false,
},
{
dir: "/nix",
readOnly: false,
},
];
const mountArguments = [];
for (const { dir, readOnly } of candidateDirectories) {
try {
await access(dir);
actionsCore.debug(`Will mount ${dir} in the docker shim.`);
mountArguments.push("--mount");
mountArguments.push(
`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
);
} catch {
actionsCore.debug(
`Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
);
}
}
this.recordEvent(EVENT_START_DOCKER_SHIM); this.recordEvent(EVENT_START_DOCKER_SHIM);
const exitCode = await actionsExec.exec( const exitCode = await actionsExec.exec(
"docker", "docker",
@ -699,25 +748,14 @@ class NixInstallerAction extends DetSysAction {
"--network=host", "--network=host",
"--userns=host", "--userns=host",
"--pid=host", "--pid=host",
"--mount",
"type=bind,src=/bin,dst=/bin,readonly",
"--mount",
"type=bind,src=/lib,dst=/lib,readonly",
"--mount",
"type=bind,src=/home,dst=/home,readonly",
"--mount",
"type=bind,src=/tmp,dst=/tmp",
"--mount",
"type=bind,src=/nix,dst=/nix",
"--mount",
"type=bind,src=/etc,dst=/etc,readonly",
"--restart", "--restart",
"always", "always",
"--init", "--init",
"--name", "--name",
`determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`, `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
"determinate-nix-shim:latest", ]
], .concat(mountArguments)
.concat(["determinate-nix-shim:latest"]),
{ {
silent: true, silent: true,
listeners: { listeners: {
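Review bot: The bare `catch` around `await access(dir)` in the first hunk treats every failure as "the directory doesn't exist", so an EACCES or EIO on a directory that is actually present produces the same debug message and the mount is silently dropped; for entries the shim presumably cannot work without (`/nix`, `/tmp`) that means a broken container with only a debug-level trace to explain it. I would narrow it to the error the message claims: `} catch (err) {` / `if ((err as NodeJS.ErrnoException).code !== "ENOENT") throw err;` and keep the debug line for the genuine not-found case, or at least log non-ENOENT failures at warning level. A short comment above `candidateDirectories` explaining why each path is shared and which ones are optional would also help, e.g. `// Host paths bind-mounted into the shim; /lib64 is absent on some distros, so each is probed before mounting.` In the second hunk, `[...].concat(mountArguments).concat(["determinate-nix-shim:latest"])` reads more naturally as a spread (`...mountArguments, "determinate-nix-shim:latest"`) inside the single array literal. The enclosing method starts before the first hunk and ends after the second.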