From 761bf758b73fec189613d48171d2a94908ad9e70 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:17:47 -0500 Subject: [PATCH 01/18] Don't default to -j$(nproc) in Makefile Signed-off-by: Nick Spinale --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b698a21c9..4211251e3 100644 --- a/Makefile +++ b/Makefile @@ -11,7 +11,7 @@ endif ifneq ($(J),) jobs_arg := -j$(J) else - jobs_arg := -j$$(nproc) + jobs_arg := endif ifneq ($(CORES),) From 18eb46a0bdfc6e67562fa9d682b6e9a2bf8f040f Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:19:08 -0500 Subject: [PATCH 02/18] Improve cache maintenance Makefile Signed-off-by: Nick Spinale --- hacking/cache-maintenance/Makefile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hacking/cache-maintenance/Makefile b/hacking/cache-maintenance/Makefile index ab4a5ef36..6c5ae6cc2 100644 --- a/hacking/cache-maintenance/Makefile +++ b/hacking/cache-maintenance/Makefile @@ -4,11 +4,13 @@ # SPDX-License-Identifier: BSD-2-Clause # -expr_path = ../.. +P ?= ../.. +A ?= everythingWithExcess -attr_args := -A everythingWithExcess +path := $(P) +attr := $(A) -nix_build_cmd := nix-build $(expr_path) $(attr_args) -j1 --no-out-link +nix_build_cmd := nix-build $(path) -A $(attr) --no-out-link cache_name := coliasgroup From 92209cf4b2420923cd83f5a4cf20db4c6604c72d Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:19:42 -0500 Subject: [PATCH 03/18] nix: Remove unecessary CMAKE_TOOLCHAIN_FILE assignment Fixes build on aarch64 Signed-off-by: Nick Spinale --- hacking/nix/scope/sel4/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hacking/nix/scope/sel4/default.nix b/hacking/nix/scope/sel4/default.nix index 7d8de97e1..82145c342 100644 --- a/hacking/nix/scope/sel4/default.nix +++ b/hacking/nix/scope/sel4/default.nix 
@@ -53,7 +53,6 @@ stdenv.mkDerivation { cmake \ -DCROSS_COMPILER_PREFIX=${stdenv.cc.targetPrefix} \ - -DCMAKE_TOOLCHAIN_FILE=gcc.cmake \ -DCMAKE_INSTALL_PREFIX=$out \ -C ${settings} \ -G Ninja \ From ad8247397d631d832aaee2c4466958df9182b173 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:20:41 -0500 Subject: [PATCH 04/18] nix: Add more utilities to shell Signed-off-by: Nick Spinale --- hacking/nix/scope/shell.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hacking/nix/scope/shell.nix b/hacking/nix/scope/shell.nix index 99a60bda1..07a0ab32a 100644 --- a/hacking/nix/scope/shell.nix +++ b/hacking/nix/scope/shell.nix @@ -13,6 +13,9 @@ , rustPlatform , reuse , cargo-audit +, strace +, cntr +, cachix }: mkShell { @@ -28,6 +31,9 @@ mkShell { python3Packages.jinja2 reuse cargo-audit + strace + cntr + cachix ]; nativeBuildInputs = [ From 16f4e21902b83381c1831ea19062f2f821b60a7c Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:21:10 -0500 Subject: [PATCH 05/18] nix: Change local source path Signed-off-by: Nick Spinale --- hacking/nix/scope/sources.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hacking/nix/scope/sources.nix b/hacking/nix/scope/sources.nix index 200be5c72..ea4c1ae0a 100644 --- a/hacking/nix/scope/sources.nix +++ b/hacking/nix/scope/sources.nix @@ -35,7 +35,7 @@ let srcRoot = ../../..; # TODO - localRoot = srcRoot + "/../x"; + localRoot = srcRoot + "/tmp/src"; mkKeepRef = rev: "refs/tags/keep/${builtins.substring 0 32 rev}"; From 68e26ba5f7e4a9ceb50afca270f260815719b31d Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Mon, 25 Dec 2023 01:21:33 -0500 Subject: [PATCH 06/18] nix: Enable relaxing KVM requirement Signed-off-by: Nick Spinale --- hacking/nix/default.nix | 14 +++++++------- .../instances/microkit/http-server/default.nix | 7 ++++++- 2 files changed, 13 insertions(+), 8 deletions(-) 
diff --git a/hacking/nix/default.nix b/hacking/nix/default.nix index 209772327..2ef840110 100644 --- a/hacking/nix/default.nix +++ b/hacking/nix/default.nix @@ -6,21 +6,21 @@ let - defaultNixpkgsSource = + defaultNixpkgsPath = let - rev = "185442f0f70497d8a02f26f8bc36688933a7b5eb"; + rev = "1811c4fec88995679397d6fa20f4f3395a0bebe5"; in builtins.fetchTarball { url = "https://github.com/coliasgroup/nixpkgs/archive/refs/tags/keep/${builtins.substring 0 32 rev}.tar.gz"; - sha256 = "sha256:0swvdlw1qb2xxp50in78lqkx3gkjvzmj4zrhlhnzzjf3aqdqn722"; + sha256 = "sha256:0ad2c7vlr9fidzjjg8szigfhmp1gvlf62ckd6cir8ymrxc93pby7"; }; - defaultNixpkgsFn = import defaultNixpkgsSource; - defaultNixpkgsLib = import (defaultNixpkgsSource + "/lib"); - in -{ lib ? defaultNixpkgsLib, nixpkgsFn ? defaultNixpkgsFn }: +{ nixpkgsPath ? defaultNixpkgsPath +, nixpkgsFn ? import nixpkgsPath +, lib ? import (nixpkgsPath + "/lib") +}: let diff --git a/hacking/nix/scope/world/instances/microkit/http-server/default.nix b/hacking/nix/scope/world/instances/microkit/http-server/default.nix index 6c943cf3c..4bbbf4f30 100644 --- a/hacking/nix/scope/world/instances/microkit/http-server/default.nix +++ b/hacking/nix/scope/world/instances/microkit/http-server/default.nix @@ -39,11 +39,16 @@ let diskImage = mkDiskImage {}; smallDiskImage = mkDiskImage { excludePatterns = [ "*.mp4" "*.pdf" ]; }; + vmTools = buildPackages.vmTools.override { + # HACK + requireKVM = false; + }; + mkDiskImage = { maxIndividualFileSize ? null , excludePatterns ? null }: - buildPackages.vmTools.runInLinuxVM (runCommand "disk-image" { + vmTools.runInLinuxVM (runCommand "disk-image" { nativeBuildInputs = [ python3 kmod parted fatresize dosfstools ]; preVM = '' mkdir scratch From 3a4f44ab9c01b27cfd649b6f17a0f7b94f33b9c3 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Wed, 27 Dec 2023 23:35:02 -0500 Subject: [PATCH 07/18] Improve Kani scripts 
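Review bot: The `# HACK` marker above `requireKVM = false;` in the http-server hunk says nothing about what is being traded away, and a reader of mkDiskImage has no way to tell why the VM builder is overridden. Overriding vmTools with requireKVM = false presumably lifts the "kvm" system-feature requirement so the disk-image derivation can be scheduled on builders without /dev/kvm, which would mean the VM runs under software emulation there (much slower, worth confirming against the nixpkgs vmTools definition). Replace the marker with a comment that states this, e.g. `# Don't require the "kvm" system feature so this builds on hosts without /dev/kvm; falls back to emulation, which is much slower.` Given the commit title says "enable relaxing", it is also worth a sentence on whether this should be opt-in via a parameter rather than unconditional. mkDiskImage's body continues past the end of the hunk.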
Signed-off-by: Nick Spinale --- hacking/kani/docker/Dockerfile | 36 +++++++++++++++++++++++----------- hacking/kani/docker/Makefile | 19 +++++++++--------- 2 files changed, 35 insertions(+), 20 deletions(-) diff --git a/hacking/kani/docker/Dockerfile b/hacking/kani/docker/Dockerfile index 0bf721d40..95fd38ea5 100644 --- a/hacking/kani/docker/Dockerfile +++ b/hacking/kani/docker/Dockerfile @@ -6,34 +6,48 @@ FROM debian:bookworm -RUN apt-get update -q && apt-get install -y --no-install-recommends \ - bash-completion \ +RUN apt-get update && apt-get install -y \ build-essential \ - ca-certificates \ curl \ - make \ - man \ - procps \ python3-pip \ sudo \ + man \ + procps \ vim \ + bash-completion \ && rm -rf /var/lib/apt/lists/* +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + ARG UID ARG GID -RUN groupadd -f -g $GID x && useradd -u $UID -g $GID -G sudo -m -p x x -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers # for convenience +RUN set -eux; \ + if ! [ $UID = 0 -a $GID = 0 ]; then \ + ! getent passwd $UID; \ + if ! getent group $GID; then \ + groupadd -g $GID x; \ + fi; \ + useradd -u $UID -g $GID -G sudo -m -p x x; \ + fi + +ENV RUSTUP_HOME=/opt/rustup +ENV CARGO_HOME=/opt/cargo + +RUN set -eux; \ + dirs="$RUSTUP_HOME $CARGO_HOME"; \ + mkdir -p -m 0755 $dirs; \ + chown $UID:$GID $dirs -USER x +USER $UID # Optimize by matching rust-toolchain.toml ENV DEFAULT_TOOLCHAIN=nightly-2023-08-02 -RUN curl -sSf https://sh.rustup.rs | \ +RUN curl -sSf -L https://sh.rustup.rs | \ bash -s -- -y --no-modify-path --default-toolchain $DEFAULT_TOOLCHAIN -ENV PATH=/home/x/.cargo/bin:$PATH +ENV PATH=$CARGO_HOME/bin:$PATH RUN cargo install --locked kani-verifier && cargo kani setup diff --git a/hacking/kani/docker/Makefile b/hacking/kani/docker/Makefile index 57fc414df..60a6a0cc4 100644 --- a/hacking/kani/docker/Makefile +++ b/hacking/kani/docker/Makefile 
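Review bot: The guard `! getent passwd $UID;` in the new user-creation RUN does not abort the build when the UID is already taken, because POSIX `set -e` is ignored for a pipeline that begins with `!`; the negated status is simply discarded and the problem only surfaces later, less clearly, when `useradd` fails. Make the check explicit, e.g. `if getent passwd $UID; then exit 1; fi; \` or `! getent passwd $UID || exit 1; \`. The same construct is repeated in the hacking/docker/Dockerfile hunk of PATCH 08 and survives as context in PATCH 10. Separately, `ca-certificates` was dropped from the apt-get list at the same time as `--no-install-recommends`, so the trust anchors the later `curl -sSf -L https://sh.rustup.rs` relies on now arrive only as a Recommends of curl; listing it explicitly keeps that dependency visible and robust to a future re-addition of `--no-install-recommends`.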
@@ -25,18 +25,19 @@ build: --build-arg UID=$(uid) --build-arg GID=$(gid) \ -t $(image_tag) . +.PHONY: runi +runi: build + docker run --rm -it \ + --mount $(mount_params) \ + $(image_tag) bash + .PHONY: run run: build - docker run -d --name $(container_name) \ + docker run -d \ --mount $(mount_params) \ + --name $(container_name) \ $(image_tag) sleep inf -.PHONY: runi -runi: build - docker run --rm \ - --mount $(mount_params) \ - -it $(image_tag) bash - .PHONY: exec exec: docker exec -it $(container_name) bash @@ -49,7 +50,7 @@ rm-container: .PHONY: check check: build - docker run --rm \ + docker run --rm -it \ --mount $(mount_params),readonly \ - -i $(image_tag) \ + $(image_tag) \ make -C $(here_relative) check BUILD=/tmp/build From b539e7a0596ab4ec9dd14c68f5d838d4c71a8af7 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Wed, 27 Dec 2023 23:35:22 -0500 Subject: [PATCH 08/18] Rework Docker setup Signed-off-by: Nick Spinale --- hacking/docker/Dockerfile | 110 ++++++++++++++++++++++++++++-------- hacking/docker/Makefile | 2 + hacking/docker/bashrc_extra | 20 ------- hacking/docker/nix.conf | 10 ++-- hacking/docker/setup.sh | 15 ----- 5 files changed, 91 insertions(+), 66 deletions(-) delete mode 100644 hacking/docker/bashrc_extra delete mode 100644 hacking/docker/setup.sh diff --git a/hacking/docker/Dockerfile b/hacking/docker/Dockerfile index 80e5d0d67..732885d05 100644 --- a/hacking/docker/Dockerfile +++ b/hacking/docker/Dockerfile 
@@ -7,42 +7,102 @@ FROM debian:bookworm RUN apt-get update && apt-get install -y \ + build-essential \ + curl \ xz-utils \ - curl git make \ - sudo man vim rsync procps \ + make \ + git \ + # general utilities + sudo \ + man \ + procps \ + rsync \ + file \ + less \ + vim \ bash-completion \ && rm -rf /var/lib/apt/lists/* -ARG UID -ARG GID +# # Install bash completion for Nix +# RUN set -eux; \ +# d=/usr/local/share/bash-completion/completions; \ +# mkdir -p $d; \ +# cd $d; \ +# curl -sSf -L -o _nix \ +# https://raw.githubusercontent.com/hedning/nix-bash-completions/v0.6.8/_nix; \ +# commands=$(bash -c ' \ +# function complete() { shift 2; echo "$@"; }; \ +# shopt -s extglob; \ +# source _nix; \ +# '); \ +# for c in $commands; do \ +# ln -s _nix $c; \ +# done -RUN groupadd -f -g $GID x && useradd -u $UID -g $GID -G sudo -m -p x x RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers # for convenience -RUN mkdir -m 0755 /nix && chown x:x /nix - -USER x - -WORKDIR /home/x - -# Convenient shell completion and aliases -RUN mkdir -p .bash_completion.d && \ - curl -sSL -o .bash_completion.d/nix \ - https://raw.githubusercontent.com/hedning/nix-bash-completions/e6db3081fe1f221470a26e345a96855e5f09ddec/_nix - -COPY bashrc_extra .bashrc_extra -RUN echo ". ~/.bashrc_extra" >> .bashrc - -WORKDIR /tmp - -ARG STATEFUL - -COPY setup.sh . +ARG UID +ARG GID -RUN if [ "$STATEFUL" = "1" ]; then bash setup.sh; fi +RUN set -eux; \ + if ! [ $UID = 0 -a $GID = 0 ]; then \ + ! getent passwd $UID; \ + if ! 
getent group $GID; then \ + groupadd -g $GID x; \ + fi; \ + useradd -u $UID -g $GID -G sudo -m -p x x; \ + fi + + # NOTE would prefer this, but "staff" on MacOS is "dialout" on debian + # if getent group $GID; then \ + # group_name="$(getent group $GID | cut -d: -f1)"; \ + # [ "$group_name" = "users" -o "$group_name" = "staff" ]; \ + # else \ + # groupadd -g $GID x; \ + # fi; \ + +# So that they don't depend on $HOME +ENV RUSTUP_HOME=/opt/rustup +ENV CARGO_HOME=/opt/cargo + +RUN set -eux; \ + dirs="/nix $RUSTUP_HOME $CARGO_HOME"; \ + mkdir -p -m 0755 $dirs; \ + chown $UID:$GID $dirs + +USER $UID + +RUN curl -sSf -L https://sh.rustup.rs | \ + bash -s -- -y --no-modify-path --default-toolchain none + +ENV PATH=$CARGO_HOME/bin:$PATH + +RUN curl -sSf -L https://nixos.org/nix/install | \ + bash -s -- --yes --no-modify-profile --no-channel-add + +# # Install bash completion for Nix +RUN set -eux; \ + export USER=$(whoami); \ + . ~/.nix-profile/etc/profile.d/nix.sh; \ + nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs; \ + nix-channel --update; \ + nix-env -i nix-bash-completions; \ + nix-channel --remove nixpkgs; \ + nix-collect-garbage -d; \ + nix-store --optimize COPY nix.conf /etc/nix/ ENV NIX_BUILD_SHELL=bash +RUN ( \ + echo 'export USER=$(whoami)'; \ + echo '. ~/.nix-profile/etc/profile.d/nix.sh'; \ + ) >> ~/.bashrc + +RUN ( \ + echo 'set show-mode-in-prompt on'; \ + echo 'set editing-mode vi'; \ + ) >> ~/.inputrc + WORKDIR /work diff --git a/hacking/docker/Makefile b/hacking/docker/Makefile index 4354d1f07..a5e8e0add 100644 --- a/hacking/docker/Makefile +++ b/hacking/docker/Makefile @@ -45,6 +45,8 @@ run: build $(statefulness_run_prerequisites) docker run --privileged -d --name $(container_name) --label $(label) \ $(statefulness_docker_run_args) \ --mount type=bind,src=$(abspath $(work_root)),dst=/work \ + --publish 8080:8080/tcp \ + --publish 8443:8443/tcp \ $(image_tag) sleep inf .PHONY: exec 
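Review bot: The new bash-completion step installs from a floating channel (`nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs; nix-channel --update; nix-env -i nix-bash-completions`), so what ends up in the image depends on the channel's state at build time rather than on the Dockerfile, and the Nix installer itself is fetched with `curl -sSf -L https://nixos.org/nix/install | bash` with no pinned version. For a reproducible dev image, install from a pinned nixpkgs tarball instead, e.g. `nix-env -f https://github.com/NixOS/nixpkgs/archive/<PINNED_REV>.tar.gz -iA nix-bash-completions` (placeholder revision), which also removes the channel add/remove dance; the installer can be pinned the same way if reproducibility matters to the project. If leaving these unpinned is deliberate, a comment saying so would spare the next reader the question. The RUN that creates the user starts on the previous line of this hunk and ends here.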
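Review bot: `--publish 8080:8080/tcp` and `--publish 8443:8443/tcp` bind the container ports on every host interface, since docker defaults to 0.0.0.0 when no host address is given, so whatever the dev container serves on those ports becomes reachable from the host's network (and this container already runs with `--privileged`). Unless remote access is intended, bind to loopback: `--publish 127.0.0.1:8080:8080/tcp \` and `--publish 127.0.0.1:8443:8443/tcp \`. A short comment naming what the ports are for (the http-server instance, presumably) would also help. The `run` recipe starts before the hunk.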
diff --git a/hacking/docker/bashrc_extra b/hacking/docker/bashrc_extra deleted file mode 100644 index f76bd3a6f..000000000 --- a/hacking/docker/bashrc_extra +++ /dev/null @@ -1,20 +0,0 @@ -# -# Copyright 2023, Colias Group, LLC -# -# SPDX-License-Identifier: BSD-2-Clause -# - -export USER=$(whoami) - -nix_profile_src=$HOME/.nix-profile -nix_profile_dst=/nix/var/nix/the-profile - -if [ ! -L "$nix_profile_src" ]; then - ln -s $nix_profile_dst $nix_profile_src -fi - -. "$nix_profile_src/etc/profile.d/nix.sh" - -for f in ~/.bash_completion.d/*; do - . $f -done diff --git a/hacking/docker/nix.conf b/hacking/docker/nix.conf index b8edeea02..9afe73f35 100644 --- a/hacking/docker/nix.conf +++ b/hacking/docker/nix.conf @@ -4,14 +4,12 @@ # SPDX-License-Identifier: BSD-2-Clause # -max-jobs = auto -cores = 0 - sandbox-fallback = false keep-outputs = true +keep-derivations = true -experimental-features = flakes +experimental-features = nix-command flakes -substituters = https://cache.nixos.org https://coliasgroup.cachix.org -trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= coliasgroup.cachix.org-1:vYRVaHS5FCjsGmVVXlzF5LaIWjeEK17W+MHxK886zIE= +extra-substituters = https://coliasgroup.cachix.org +extra-trusted-public-keys = coliasgroup.cachix.org-1:vYRVaHS5FCjsGmVVXlzF5LaIWjeEK17W+MHxK886zIE= diff --git a/hacking/docker/setup.sh b/hacking/docker/setup.sh deleted file mode 100644 index 06ae8b949..000000000 --- a/hacking/docker/setup.sh +++ /dev/null @@ -1,15 +0,0 @@ -# -# Copyright 2023, Colias Group, LLC -# -# SPDX-License-Identifier: BSD-2-Clause -# - -set -e - -if [ ! -f /nix/.installed ]; then - curl -L https://nixos.org/nix/install | \ - sh -s -- --yes --no-channel-add --no-modify-profile - ln -s $(readlink --canonicalize $HOME/.nix-profile) /nix/var/nix/the-profile - rm -r $HOME/.nix-profile $HOME/.nix-defexpr $HOME/.local/state/nix - touch /nix/.installed -fi From b4c7bdc96930000125d47726e935e4acee46604e Mon Sep 17 00:00:00 2001 
From: Nick Spinale Date: Thu, 28 Dec 2023 00:20:19 -0500 Subject: [PATCH 09/18] Improve Docker setup Signed-off-by: Nick Spinale --- hacking/docker/Dockerfile | 18 ++++++++++++++---- hacking/docker/Makefile | 39 +++++++++++++++------------------------ 2 files changed, 29 insertions(+), 28 deletions(-) diff --git a/hacking/docker/Dockerfile b/hacking/docker/Dockerfile index 732885d05..f0c1496ca 100644 --- a/hacking/docker/Dockerfile +++ b/hacking/docker/Dockerfile @@ -53,7 +53,7 @@ RUN set -eux; \ useradd -u $UID -g $GID -G sudo -m -p x x; \ fi - # NOTE would prefer this, but "staff" on MacOS is "dialout" on debian + # NOTE would prefer this, but GID for "staff" on MacOS is "dialout" on debian # if getent group $GID; then \ # group_name="$(getent group $GID | cut -d: -f1)"; \ # [ "$group_name" = "users" -o "$group_name" = "staff" ]; \ @@ -80,7 +80,7 @@ ENV PATH=$CARGO_HOME/bin:$PATH RUN curl -sSf -L https://nixos.org/nix/install | \ bash -s -- --yes --no-modify-profile --no-channel-add -# # Install bash completion for Nix +# Install bash completion for Nix RUN set -eux; \ export USER=$(whoami); \ . ~/.nix-profile/etc/profile.d/nix.sh; \ @@ -88,8 +88,16 @@ RUN set -eux; \ nix-channel --update; \ nix-env -i nix-bash-completions; \ nix-channel --remove nixpkgs; \ - nix-collect-garbage -d; \ - nix-store --optimize + nix-collect-garbage -d + +# Add gcroot for store paths required by this image so that fresh images can use +# persistent /nix volumes. +RUN set -eux; \ + export USER=$(whoami); \ + . ~/.nix-profile/etc/profile.d/nix.sh; \ + nix-store -r \ + --add-root /nix/var/nix/gcroots-for-image/profile \ + $(readlink --canonicalize-existing ~/.nix-profile) COPY nix.conf /etc/nix/ @@ -105,4 +113,6 @@ RUN ( \ echo 'set editing-mode vi'; \ ) >> ~/.inputrc +VOLUME /nix + WORKDIR /work diff --git a/hacking/docker/Makefile b/hacking/docker/Makefile index a5e8e0add..afeb2c9e3 100644 --- a/hacking/docker/Makefile +++ b/hacking/docker/Makefile 
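Review bot: The gcroot registered with `nix-store -r --add-root /nix/var/nix/gcroots-for-image/profile ...` lives inside /nix, which the later `VOLUME /nix` declaration turns into a mount point; if I read Docker's volume semantics right, a named volume only receives the image's /nix content when it is first created empty, so with PERSIST=1 a rebuilt image's store paths (and this root) stay hidden behind the existing volume rather than being merged into it. If that is the accepted trade-off, the comment above this RUN should say how an existing volume picks up a new image's paths (e.g. that the user runs `make rm-volume` first); if not, the image's store would have to be copied into the volume at container start. As written, "so that fresh images can use persistent /nix volumes" reads as the opposite of what happens, so worth confirming.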
@@ -4,22 +4,20 @@ # SPDX-License-Identifier: BSD-2-Clause # -STATEFUL ?= $(if $(findstring Linux,$(shell uname -s)),0,1) +PERSIST ?= 1 work_root := ../.. id := rust-sel4 -label := $(id) image_tag := $(id) container_name := $(id) -volume_name := $(id)-nix-root +volume_name := $(id) uid := $(shell id -u) gid := $(shell id -g) -ifneq ($(STATEFUL),1) - statefulness_run_prerequisites := initialize-volume - statefulness_docker_run_args := --mount type=volume,src=$(volume_name),dst=/nix +ifeq ($(PERSIST),1) + persist_docker_run_args := --mount type=volume,src=$(volume_name),dst=/nix endif .PHONY: none @@ -28,22 +26,15 @@ none: .PHONY: build build: docker build \ - --build-arg UID=$(uid) --build-arg GID=$(gid) --build-arg STATEFUL=$(STATEFUL) \ - --label $(label) -t $(image_tag) . - -.PHONY: initialize-volume -initialize-volume: build - if [ -z "$$(docker volume ls -q -f "name=^$(volume_name)$$")" ]; then \ - docker volume create --label $(label) $(volume_name) && \ - docker run --privileged --rm --label $(label) -w /tmp \ - $(statefulness_docker_run_args) \ - $(image_tag) flock /nix/.installed.lock bash setup.sh; \ - fi + --build-arg UID=$(uid) \ + --build-arg GID=$(gid) \ + -t $(image_tag) . .PHONY: run -run: build $(statefulness_run_prerequisites) - docker run --privileged -d --name $(container_name) --label $(label) \ - $(statefulness_docker_run_args) \ +run: build + docker run --privileged -d \ + --name $(container_name) \ + $(persist_docker_run_args) \ --mount type=bind,src=$(abspath $(work_root)),dst=/work \ --publish 8080:8080/tcp \ --publish 8443:8443/tcp \ 
@@ -55,16 +46,16 @@ exec: .PHONY: show-nix-root show-nix-root: - docker inspect $(volume_name) --format='{{.Mountpoint}}' + docker volume inspect $(volume_name) --format='{{.Mountpoint}}' .PHONY: rm-container rm-container: for id in $$(docker ps -aq -f "name=^$(container_name)$$"); do \ - docker rm -f $$id; \ + docker rm -f --volumes $$id; \ done .PHONY: rm-volume rm-volume: - for volume in $$(docker volume ls -q -f "name=^$(volume_name)$$"); do \ - docker volume rm $$volume; \ + for id in $$(docker volume ls -q -f "name=^$(volume_name)$$"); do \ + docker volume rm $$id; \ done From f072809d4a778e703b5f7ccb5dea9a8107d626a1 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 00:50:26 -0500 Subject: [PATCH 10/18] Remove verbose note in Dockerfile Signed-off-by: Nick Spinale --- hacking/docker/Dockerfile | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/hacking/docker/Dockerfile b/hacking/docker/Dockerfile index f0c1496ca..55b15c19e 100644 --- a/hacking/docker/Dockerfile +++ b/hacking/docker/Dockerfile @@ -23,22 +23,6 @@ RUN apt-get update && apt-get install -y \ bash-completion \ && rm -rf /var/lib/apt/lists/* -# # Install bash completion for Nix -# RUN set -eux; \ -# d=/usr/local/share/bash-completion/completions; \ -# mkdir -p $d; \ -# cd $d; \ -# curl -sSf -L -o _nix \ -# https://raw.githubusercontent.com/hedning/nix-bash-completions/v0.6.8/_nix; \ -# commands=$(bash -c ' \ -# function complete() { shift 2; echo "$@"; }; \ -# shopt -s extglob; \ -# source _nix; \ -# '); \ -# for c in $commands; do \ -# ln -s _nix $c; \ -# done - RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers # for convenience ARG UID 
@@ -47,20 +31,17 @@ ARG GID RUN set -eux; \ if ! [ $UID = 0 -a $GID = 0 ]; then \ ! getent passwd $UID; \ + # NOTE + # This is a bit of a hack. For example, GID for "staff" on MacOS is + # "dialout" on Debian. In an ideal world, we'd ensure that an + # already-occupied GID corresponds to either "users" or "staff" on + # Debian. if ! getent group $GID; then \ groupadd -g $GID x; \ fi; \ useradd -u $UID -g $GID -G sudo -m -p x x; \ fi - # NOTE would prefer this, but GID for "staff" on MacOS is "dialout" on debian - # if getent group $GID; then \ - # group_name="$(getent group $GID | cut -d: -f1)"; \ - # [ "$group_name" = "users" -o "$group_name" = "staff" ]; \ - # else \ - # groupadd -g $GID x; \ - # fi; \ - # So that they don't depend on $HOME ENV RUSTUP_HOME=/opt/rustup ENV CARGO_HOME=/opt/cargo From 1389b53cbcd3d5242741c13e97fcb5ec781fa9a6 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 00:55:33 -0500 Subject: [PATCH 11/18] Improve Makefiles Signed-off-by: Nick Spinale --- Makefile | 12 ++++++------ hacking/docker/Makefile | 5 ++++- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 4211251e3..0529975fd 100644 --- a/Makefile +++ b/Makefile @@ -5,24 +5,24 @@ # ifeq ($(K),1) - keep_going := -k + keep_going_args := -k endif ifneq ($(J),) - jobs_arg := -j$(J) + jobs_args := -j$(J) else - jobs_arg := + jobs_args := endif ifneq ($(CORES),) - cores_arg := --cores $(CORES) + cores_args := --cores $(CORES) else - cores_arg := + cores_args := endif out := out -nix_build := nix-build $(keep_going) $(jobs_arg) $(cores_arg) +nix_build := nix-build $(keep_going_args) $(jobs_args) $(cores_args) nix_shell := nix-shell -A shell --pure diff --git a/hacking/docker/Makefile b/hacking/docker/Makefile index afeb2c9e3..3bdd07159 100644 --- a/hacking/docker/Makefile +++ b/hacking/docker/Makefile @@ -23,6 +23,9 @@ endif .PHONY: none none: +.PHONY: clean +clean: rm-container rm-volume + .PHONY: build build: docker build \ 
@@ -55,7 +58,7 @@ rm-container: done .PHONY: rm-volume -rm-volume: +rm-volume: rm-container for id in $$(docker volume ls -q -f "name=^$(volume_name)$$"); do \ docker volume rm $$id; \ done From c3be0a5c5850baa70993ed6bd0366e3969004702 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 01:06:59 -0500 Subject: [PATCH 12/18] Improve nix-shells Signed-off-by: Nick Spinale --- Makefile | 27 ++++++++--- hacking/nix/scope/default.nix | 3 +- .../{shell.nix => shell-for-hacking.nix} | 45 ++++++++++--------- hacking/nix/scope/shell-for-makefile.nix | 32 +++++++++++++ hacking/nix/top-level/default.nix | 2 +- 5 files changed, 80 insertions(+), 29 deletions(-) rename hacking/nix/scope/{shell.nix => shell-for-hacking.nix} (58%) create mode 100644 hacking/nix/scope/shell-for-makefile.nix diff --git a/Makefile b/Makefile index 0529975fd..1a557fa2b 100644 --- a/Makefile +++ b/Makefile @@ -22,9 +22,22 @@ endif out := out -nix_build := nix-build $(keep_going_args) $(jobs_args) $(cores_args) +nix_args := $(keep_going_args) $(jobs_args) $(cores_args) -nix_shell := nix-shell -A shell --pure +nix_build := nix-build $(nix_args) + +nix_shell := nix-shell $(nix_args) + +run_in_nix_shell := $(nix_shell) --run + +ifeq ($(IN_NIX_SHELL_FOR_MAKEFILE),) + # TODO + # Should this use --pure? One consideration is that 'make shell' below + # doesn't, and consistency might be more important here. + run_in_nix_shell := $(nix_shell) -A shellForMakefile --pure --run +else + run_in_nix_shell := $(SHELL) -c +endif .PHONY: none none: @@ -36,6 +49,10 @@ clean: $(out): mkdir -p $@ +.PHONY: shell +shell: + $(nix_shell) -A shellForHacking + rustc_target_spec_dir := support/targets .PHONY: generate-target-specs 
@@ -71,19 +88,19 @@ check-fmt: .PHONY: check-generic-formatting check-generic-formatting: - $(nix_shell) --run "sh hacking/scripts/check-generic-formatting.sh" + $(run_in_nix_shell) "sh hacking/scripts/check-generic-formatting.sh" .PHONY: check-source check-source: check-generated-sources check-fmt check-generic-formatting .PHONY: check-licenses check-licenses: - $(nix_shell) --run "reuse lint" + $(run_in_nix_shell) "reuse lint" .PHONY: check-dependencies check-dependencies: lockfile=$$($(nix_build) -A pkgs.build.this.publicCratesCargoLock --no-out-link) && \ - $(nix_shell) --run "cargo-audit audit -f $$lockfile" + $(run_in_nix_shell) "cargo-audit audit -f $$lockfile" try_restore_terminal := tput smam 2> /dev/null || true diff --git a/hacking/nix/scope/default.nix b/hacking/nix/scope/default.nix index e6866268b..b9160e489 100644 --- a/hacking/nix/scope/default.nix +++ b/hacking/nix/scope/default.nix @@ -166,7 +166,8 @@ superCallPackage ../rust-utils {} self // embedDebugInfo = callPackage ./embed-debug-info.nix {}; - shell = callPackage ./shell.nix {}; + shellForMakefile = callPackage ./shell-for-makefile.nix {}; + shellForHacking = callPackage ./shell-for-hacking.nix {}; ### kernel diff --git a/hacking/nix/scope/shell.nix b/hacking/nix/scope/shell-for-hacking.nix similarity index 58% rename from hacking/nix/scope/shell.nix rename to hacking/nix/scope/shell-for-hacking.nix index 07a0ab32a..bc7c91e5a 100644 --- a/hacking/nix/scope/shell.nix +++ b/hacking/nix/scope/shell-for-hacking.nix 
@@ -6,43 +6,44 @@ { lib, stdenv, hostPlatform, buildPackages , mkShell -, cacert, git -, defaultRustToolchain -, pkgconfig, openssl -, cmake, perl, python3Packages -, rustPlatform -, reuse -, cargo-audit + +, pkgconfig +, git +, cacert +, rustup, rustPlatform +, perl +, python3Packages +, cmake + , strace , cntr , cachix + +, openssl + +, shellForMakefile }: -mkShell { - hardeningDisable = [ "all" ]; +mkShell (shellForMakefile.apply { depsBuildBuild = [ buildPackages.stdenv.cc - cacert - git - cmake - perl - python3Packages.jsonschema - python3Packages.jinja2 - reuse - cargo-audit - strace - cntr - cachix ]; nativeBuildInputs = [ pkgconfig + git + cacert + rustup + perl + cmake rustPlatform.bindgenHook - defaultRustToolchain + strace + cntr + cachix ]; buildInputs = [ openssl ]; -} +}) diff --git a/hacking/nix/scope/shell-for-makefile.nix b/hacking/nix/scope/shell-for-makefile.nix new file mode 100644 index 000000000..fa66129d8 --- /dev/null +++ b/hacking/nix/scope/shell-for-makefile.nix @@ -0,0 +1,32 @@ +# +# Copyright 2023, Colias Group, LLC +# +# SPDX-License-Identifier: BSD-2-Clause +# + +{ mkShell +, python3 +, reuse +, cargo-audit +}: + +let + # HACK for composability + apply = attrs: attrs // { + IN_NIX_SHELL_FOR_MAKEFILE = 1; + + hardeningDisable = [ "all" ]; + + nativeBuildInputs = (attrs.nativeBuildInputs or []) ++ [ + python3 + reuse + cargo-audit + ]; + }; + +in +mkShell (apply { + passthru = { + inherit apply; + }; +}) diff --git a/hacking/nix/top-level/default.nix b/hacking/nix/top-level/default.nix index fcdfeec11..57d79c013 100644 --- a/hacking/nix/top-level/default.nix +++ b/hacking/nix/top-level/default.nix @@ -12,7 +12,7 @@ let in { - shell = pkgs.build.this.shell; + inherit (pkgs.build.this) shellForMakefile shellForHacking; worldsForEverythingInstances = [ pkgs.host.aarch64.none.this.worlds.default From 85540938d78db6f5a373aeda5455ba5bc2025c1e Mon Sep 17 00:00:00 2001 
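Review bot: In the new shell-for-makefile.nix, `apply` merges `nativeBuildInputs` with the caller's value but silently replaces any `hardeningDisable` or `IN_NIX_SHELL_FOR_MAKEFILE` the caller passed, because in `attrs // { ... }` the right-hand attributes win; that asymmetry is what the `# HACK for composability` marker hides. Either merge consistently, `hardeningDisable = (attrs.hardeningDisable or []) ++ [ "all" ];`, or document the override in place of the marker, e.g. `# Composition helper: appends this shell's tools to attrs.nativeBuildInputs and forces hardeningDisable and IN_NIX_SHELL_FOR_MAKEFILE (callers' values for those two are overridden).` A sentence on why `hardeningDisable = [ "all" ]` is required for this shell would also help, since it turns off the stdenv's compiler hardening for anything built inside it.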
From: Nick Spinale Date: Thu, 28 Dec 2023 02:20:24 -0500 Subject: [PATCH 13/18] Fix Docker tty issue for CI Signed-off-by: Nick Spinale --- hacking/kani/docker/Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hacking/kani/docker/Makefile b/hacking/kani/docker/Makefile index 60a6a0cc4..80f8e4f70 100644 --- a/hacking/kani/docker/Makefile +++ b/hacking/kani/docker/Makefile @@ -50,7 +50,10 @@ rm-container: .PHONY: check check: build - docker run --rm -it \ + if [ -t 0 ]; then \ + tty_args="-it"; \ + fi && \ + docker run --rm $$tty_args \ --mount $(mount_params),readonly \ $(image_tag) \ make -C $(here_relative) check BUILD=/tmp/build From 0f4f28765d4e7e9f002516f90e3dc63534338380 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 04:40:37 -0500 Subject: [PATCH 14/18] Improve Makefile style Signed-off-by: Nick Spinale --- Makefile | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 1a557fa2b..672f34110 100644 --- a/Makefile +++ b/Makefile @@ -10,24 +10,15 @@ endif ifneq ($(J),) jobs_args := -j$(J) -else - jobs_args := endif ifneq ($(CORES),) cores_args := --cores $(CORES) -else - cores_args := endif -out := out - nix_args := $(keep_going_args) $(jobs_args) $(cores_args) - nix_build := nix-build $(nix_args) - nix_shell := nix-shell $(nix_args) - run_in_nix_shell := $(nix_shell) --run ifeq ($(IN_NIX_SHELL_FOR_MAKEFILE),) @@ -39,6 +30,8 @@ else run_in_nix_shell := $(SHELL) -c endif +out := out + .PHONY: none none: From 187723ff08c8662e2748db7b7cf5f2cfcf76d82e Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 05:23:20 -0500 Subject: [PATCH 15/18] Configure cache in Makefile 
Signed-off-by: Nick Spinale --- Makefile | 8 +++++--- README.md | 17 ++++++++++------- .../Makefile | 0 hacking/binary-cache/fragment.nix.conf | 8 ++++++++ 4 files changed, 23 insertions(+), 10 deletions(-) rename hacking/{cache-maintenance => binary-cache}/Makefile (100%) create mode 100644 hacking/binary-cache/fragment.nix.conf diff --git a/Makefile b/Makefile index 672f34110..2211fdda9 100644 --- a/Makefile +++ b/Makefile @@ -17,9 +17,11 @@ ifneq ($(CORES),) endif nix_args := $(keep_going_args) $(jobs_args) $(cores_args) -nix_build := nix-build $(nix_args) -nix_shell := nix-shell $(nix_args) -run_in_nix_shell := $(nix_shell) --run + +append_to_nix_config := NIX_CONFIG="$$(printf "%s\n" "$$NIX_CONFIG" && cat hacking/binary-cache/fragment.nix.conf)" + +nix_build := $(append_to_nix_config) nix-build $(nix_args) +nix_shell := $(append_to_nix_config) nix-shell $(nix_args) ifeq ($(IN_NIX_SHELL_FOR_MAKEFILE),) # TODO diff --git a/README.md b/README.md index e6cb371fe..038372a0a 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,10 @@ the crates which use them: ### Quick start for running the tests in this repository -The only requirements for running the tests in this repository are Git, Make, and Docker. +The only requirements for building and running the tests in this repository are +Linux, Make, and [Nix](https://nix.dev/). This repository contains scripts for +setting up a Docker container with a suitable development environment in case +you aren't on Linux or don't want to install Nix. First, clone this repository: 
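Review bot: Injecting `extra-substituters` and `extra-trusted-public-keys` through `NIX_CONFIG` only takes effect for users the nix daemon trusts: on a multi-user install, settings that add substituters or signing keys are ignored for users outside `trusted-users` (nix warns and continues), so for those users `make` would silently fall back to building everything from source, and the same cachix key now also lives hard-coded in hacking/docker/nix.conf. A comment on `append_to_nix_config` should state this limitation, e.g. `# Adds the project binary cache via NIX_CONFIG; only honoured when the user is in nix's trusted-users (otherwise nix warns and builds from source).` To keep a single copy of the trust root, hacking/docker/nix.conf could pull in the fragment with nix.conf's `include` directive (if the fragment is copied alongside it) instead of repeating the key.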
@@ -130,22 +133,22 @@ git clone https://github.com/seL4/rust-sel4 cd rust-sel4 ``` -Next, build, run, and enter a Docker container for development: +If you are using Docker, build, run, and enter a Docker container for +development. This container mounts this repository's top-level at `/work`. ``` cd hacking/docker && make run && make exec ``` -Inside the container at the repository's top-level directory, build and simulate a simple seL4-based -system with a [root task](./crates/examples/root-task/example-root-task) written in Rust (this will -take a few minutes): +At this repository's top-level directory, build and simulate a simple seL4-based +system with a [root task](./crates/examples/root-task/example-root-task) written +in Rust (this will take a few minutes): ``` make example ``` -Also inside the container at the repository's top-level directory, build and run all of this -repository's automated tests: +Build and run all of this repository's automated tests: ``` make run-tests diff --git a/hacking/cache-maintenance/Makefile b/hacking/binary-cache/Makefile similarity index 100% rename from hacking/cache-maintenance/Makefile rename to hacking/binary-cache/Makefile diff --git a/hacking/binary-cache/fragment.nix.conf b/hacking/binary-cache/fragment.nix.conf new file mode 100644 index 000000000..91b532b7c --- /dev/null +++ b/hacking/binary-cache/fragment.nix.conf @@ -0,0 +1,8 @@ +# +# Copyright 2023, Colias Group, LLC +# +# SPDX-License-Identifier: BSD-2-Clause +# + +extra-substituters = https://coliasgroup.cachix.org +extra-trusted-public-keys = coliasgroup.cachix.org-1:vYRVaHS5FCjsGmVVXlzF5LaIWjeEK17W+MHxK886zIE= From afc6e88c3dd4db97f2413cdd78208b1a7e8d55f7 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 05:40:05 -0500 Subject: [PATCH 16/18] Organize Makefile Signed-off-by: Nick Spinale --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 2211fdda9..c1b6e6acd 100644 
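Review bot: The public key committed in `extra-trusted-public-keys` becomes a trust anchor for every binary that `make` pulls from the cache, and nothing in the file records where it came from or how to re-verify it. Add a comment above that line such as `# Signing key for https://coliasgroup.cachix.org; cross-check against the key the cache publishes before changing this line.` so that a later edit to the key is recognisable as a trust change rather than housekeeping. A one-line note that the top-level Makefile splices this file into `NIX_CONFIG` would also help readers find the consumer, since the file name alone does not say how it is applied.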
--- a/Makefile +++ b/Makefile @@ -48,13 +48,6 @@ $(out): shell: $(nix_shell) -A shellForHacking -rustc_target_spec_dir := support/targets - -.PHONY: generate-target-specs -generate-target-specs: - rm -f $(rustc_target_spec_dir)/*.json && \ - cargo run -p sel4-generate-target-specs -- write --target-dir $(rustc_target_spec_dir) --all - .PHONY: update-generated-sources update-generated-sources: $(MAKE) -C hacking/cargo-manifest-management update @@ -97,6 +90,13 @@ check-dependencies: lockfile=$$($(nix_build) -A pkgs.build.this.publicCratesCargoLock --no-out-link) && \ $(run_in_nix_shell) "cargo-audit audit -f $$lockfile" +rustc_target_spec_dir := support/targets + +.PHONY: generate-target-specs +generate-target-specs: + rm -f $(rustc_target_spec_dir)/*.json && \ + cargo run -p sel4-generate-target-specs -- write --target-dir $(rustc_target_spec_dir) --all + try_restore_terminal := tput smam 2> /dev/null || true .PHONY: run-tests From 17a483dd7231d863194dce0996074c38c80f8734 Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 05:44:29 -0500 Subject: [PATCH 17/18] Mention rustup in README.md Signed-off-by: Nick Spinale --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 038372a0a..d590251ec 100644 --- a/README.md +++ b/README.md @@ -122,9 +122,10 @@ the crates which use them: ### Quick start for running the tests in this repository The only requirements for building and running the tests in this repository are -Linux, Make, and [Nix](https://nix.dev/). This repository contains scripts for -setting up a Docker container with a suitable development environment in case -you aren't on Linux or don't want to install Nix. +Linux, Make, [rustup](https://rustup.rs/), and [Nix](https://nix.dev/). This +repository contains scripts for setting up a Docker container with a suitable +development environment in case you aren't on Linux or don't want to install +Nix. First, clone this repository: 
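Review bot: In the relocated `generate-target-specs` recipe (second hunk), `rm -f $(rustc_target_spec_dir)/*.json` runs before `cargo run -p sel4-generate-target-specs -- write ...`, so a failed generation leaves `support/targets` empty instead of unchanged. The lines are only moved, not introduced, by this commit, but the move is a good moment to generate into a temporary directory and replace the old specs only after `cargo run` succeeds, or at least to delete stale specs after the write rather than before. The `check-dependencies` recipe shown as context starts above the hunk, so its full shape is not visible here.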
From c79efdf3da272b456a39a6dc39ba88294d3acfea Mon Sep 17 00:00:00 2001 From: Nick Spinale Date: Thu, 28 Dec 2023 05:46:23 -0500 Subject: [PATCH 18/18] Improve comment wrap width consistency Signed-off-by: Nick Spinale --- README.md | 18 ++++++++---------- hacking/docker/Dockerfile | 11 +++++------ 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index d590251ec..067a1030f 100644 --- a/README.md +++ b/README.md @@ -121,11 +121,10 @@ the crates which use them: ### Quick start for running the tests in this repository -The only requirements for building and running the tests in this repository are -Linux, Make, [rustup](https://rustup.rs/), and [Nix](https://nix.dev/). This -repository contains scripts for setting up a Docker container with a suitable -development environment in case you aren't on Linux or don't want to install -Nix. +The only requirements for building and running the tests in this repository are Linux, Make, +[rustup](https://rustup.rs/), and [Nix](https://nix.dev/). This repository contains scripts for +setting up a Docker container with a suitable development environment in case you aren't on Linux or +don't want to install Nix. First, clone this repository: 
@@ -134,16 +133,15 @@ git clone https://github.com/seL4/rust-sel4 cd rust-sel4 ``` -If you are using Docker, build, run, and enter a Docker container for -development. This container mounts this repository's top-level at `/work`. +If you are using Docker, build, run, and enter a Docker container for development. This container +mounts this repository's top-level at `/work`. ``` cd hacking/docker && make run && make exec ``` -At this repository's top-level directory, build and simulate a simple seL4-based -system with a [root task](./crates/examples/root-task/example-root-task) written -in Rust (this will take a few minutes): +At this repository's top-level directory, build and simulate a simple seL4-based system with a [root +task](./crates/examples/root-task/example-root-task) written in Rust (this will take a few minutes): ``` make example diff --git a/hacking/docker/Dockerfile b/hacking/docker/Dockerfile index 55b15c19e..2f90a24f9 100644 --- a/hacking/docker/Dockerfile +++ b/hacking/docker/Dockerfile @@ -32,10 +32,9 @@ RUN set -eux; \ if ! [ $UID = 0 -a $GID = 0 ]; then \ ! getent passwd $UID; \ # NOTE - # This is a bit of a hack. For example, GID for "staff" on MacOS is - # "dialout" on Debian. In an ideal world, we'd ensure that an - # already-occupied GID corresponds to either "users" or "staff" on - # Debian. + # This is a bit of a hack. For example, GID for "staff" on MacOS is "dialout" on Debian. In + # an ideal world, we'd ensure that an already-occupied GID corresponds to either "users" or + # "staff" on Debian. if ! getent group $GID; then \ groupadd -g $GID x; \ fi; \ @@ -71,8 +70,8 @@ RUN set -eux; \ nix-channel --remove nixpkgs; \ nix-collect-garbage -d -# Add gcroot for store paths required by this image so that fresh images can use -# persistent /nix volumes. +# Add gcroot for store paths required by this image so that fresh images can use persistent /nix +# volumes. RUN set -eux; \ export USER=$(whoami); \ . ~/.nix-profile/etc/profile.d/nix.sh; \