91 lines
2.2 KiB
Nix
91 lines
2.2 KiB
Nix
{ lib, writeText, runCommand, writeClosure }:
|
|
|
|
{
|
|
buildContainer =
|
|
{ args, mounts ? { }, os ? "linux", arch ? "x86_64", readonly ? false }:
|
|
let
|
|
sysMounts = {
|
|
"/proc" = {
|
|
type = "proc";
|
|
source = "proc";
|
|
};
|
|
"/dev" = {
|
|
type = "tmpfs";
|
|
source = "tmpfs";
|
|
options = [ "nosuid" "strictatime" "mode=755" "size=65536k" ];
|
|
};
|
|
"/dev/pts" = {
|
|
type = "devpts";
|
|
source = "devpts";
|
|
options = [
|
|
"nosuid"
|
|
"noexec"
|
|
"newinstance"
|
|
"ptmxmode=0666"
|
|
"mode=755"
|
|
"gid=5"
|
|
];
|
|
};
|
|
"/dev/shm" = {
|
|
type = "tmpfs";
|
|
source = "shm";
|
|
options = [ "nosuid" "noexec" "nodev" "mode=1777" "size=65536k" ];
|
|
};
|
|
"/dev/mqueue" = {
|
|
type = "mqueue";
|
|
source = "mqueue";
|
|
options = [ "nosuid" "noexec" "nodev" ];
|
|
};
|
|
"/sys" = {
|
|
type = "sysfs";
|
|
source = "sysfs";
|
|
options = [ "nosuid" "noexec" "nodev" "ro" ];
|
|
};
|
|
"/sys/fs/cgroup" = {
|
|
type = "cgroup";
|
|
source = "cgroup";
|
|
options = [ "nosuid" "noexec" "nodev" "relatime" "ro" ];
|
|
};
|
|
};
|
|
config = writeText "config.json" (builtins.toJSON {
|
|
ociVersion = "1.0.0";
|
|
platform = { inherit os arch; };
|
|
|
|
linux = {
|
|
namespaces = map (type: { inherit type; }) [
|
|
"pid"
|
|
"network"
|
|
"mount"
|
|
"ipc"
|
|
"uts"
|
|
];
|
|
};
|
|
|
|
root = {
|
|
path = "rootfs";
|
|
inherit readonly;
|
|
};
|
|
|
|
process = {
|
|
inherit args;
|
|
user = {
|
|
uid = 0;
|
|
gid = 0;
|
|
};
|
|
cwd = "/";
|
|
};
|
|
|
|
mounts = lib.mapAttrsToList (destination:
|
|
{ type, source, options ? null }: {
|
|
inherit destination type source options;
|
|
}) sysMounts;
|
|
});
|
|
in runCommand "join" { } ''
|
|
set -o pipefail
|
|
mkdir -p $out/rootfs/{dev,proc,sys}
|
|
cp ${config} $out/config.json
|
|
xargs tar c < ${writeClosure args} | tar -xC $out/rootfs/
|
|
'';
|
|
}
|
|
|