├── .gitignore
├── .travis.yml
├── pkgs
    └── linux
    │   ├── rkt.nix
    │   ├── bash.nix
    │   ├── docker.nix
    │   ├── getmail.nix
    │   ├── generic.nix
    │   ├── qemu.nix
    │   ├── dovecot.nix
    │   ├── dnsmasq.nix
    │   ├── pixiecore.nix
    │   ├── dnsfail.nix
    │   ├── etcd2.nix
    │   ├── iperf.nix
    │   ├── flannel.nix
    │   ├── busybox.nix
    │   ├── plex.nix
    │   ├── acserver.nix
    │   ├── busybox-pfwd.nix
    │   ├── rkt-buildenv.nix
    │   └── acserver.patch
├── ci
    └── install-appc.sh
├── default.nix
├── lib
    ├── mkACI.nix
    └── mkACI.py
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | ACIs/*
3 | result*
4 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: nix
2 | env:
3 | install:
4 |   - bash ci/install-appc.sh
5 | script:
6 |   - nix-build
7 |   - ~/actool validate result/*.aci
8 | 


--------------------------------------------------------------------------------
/pkgs/linux/rkt.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pkg = pkgs.rkt;
 4 | in
 5 | 
 6 | mkACI rec {
 7 |   inherit pkgs;
 8 |   inherit thin;
 9 |   dnsquirks = args.dnsquirks;
10 |   packages = [ pkg pkgs.openssl pkgs.iptables ];
11 | }
12 | 


--------------------------------------------------------------------------------
/ci/install-appc.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | set -eux
 3 | 
 4 | env
 5 | APPC_VERSION=${APPC_VERSION:-0.7.4}
 6 | APPC_DIR=~/appc-v${APPC_VERSION}
 7 | 
 8 | wget https://github.com/appc/spec/releases/download/v${APPC_VERSION}/appc-v${APPC_VERSION}.tar.gz -qO- | tar xvz -C ~/
 9 | mv ${APPC_DIR}/actool ~/
10 | rm -Rfv ${APPC_DIR}
11 | 
12 | chmod +x ~/actool
13 | 


--------------------------------------------------------------------------------
/pkgs/linux/bash.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , ... }
 6 | @ args:
 7 | 
 8 | let
 9 |   pkg = pkgs.bash;
10 |   
11 | in
12 | mkACI rec {
13 |   inherit pkgs;
14 |   inherit static;
15 |   thin = false;
16 |   packages = [ pkg pkgs.eject pkgs.eject pkgs.httping pkgs.coreutils ];
17 |   exec = ''/bin/sh'';
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/pkgs/linux/docker.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , ... } @ args:
 5 | let 
 6 |   pkg = pkgs.docker;
 7 | in
 8 | 
 9 | mkACI rec {
10 |   inherit pkgs;
11 |   inherit thin;
12 |   dnsquirks = args.dnsquirks;
13 | 
14 |   packages = [ pkg pkgs.busybox pkgs.cacert ];
15 | 
16 |   mounts = {
17 |     libdocker = "/var/lib/docker";
18 |     rundocker = "/var/run/docker";
19 |   };
20 | }
21 | 


--------------------------------------------------------------------------------
/pkgs/linux/getmail.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pkg = pkgs.getmail;
 4 | in
 5 | 
 6 | mkACI rec {
 7 |   inherit pkgs;
 8 |   inherit thin;
 9 |   dnsquirks = args.dnsquirks;
10 | 
11 |   packages = [ pkg pkgs.busybox pkgs.msmtp pkgs.python27Packages.supervisor ];
12 | 
13 |   user = "1000";
14 |   group = "1000";
15 | 
16 |   env = {
17 |     LC_ALL = "en_US.UTF-8";
18 |     LANG = "en_US.UTF-8";
19 |   };
20 | }
21 | 


--------------------------------------------------------------------------------
/pkgs/linux/generic.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , packages ? []
 6 | , mounts ? {}
 7 | , mountsRo ? {}
 8 | , ... }
 9 | @ args:
10 | 
11 | mkACI rec {
12 |   inherit pkgs;
13 |   inherit static;
14 |   inherit thin;
15 |   inherit packages;
16 |   inherit mounts mountsRo;
17 |   versionAddon = if static == true then "-static" else "";
18 | 
19 |   isolators = {
20 |       "os/linux/capabilities-retain-set" = { "set" = [ "CAP_NET_ADMIN" "CAP_SYS_ADMIN" ]; };
21 |   };
22 | }
23 | 


--------------------------------------------------------------------------------
/pkgs/linux/qemu.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , ... }
 5 | @ args:
 6 | 
 7 | let
 8 |   pkg = pkgs.qemu;
 9 | in
10 | 
11 | mkACI rec {
12 |   inherit pkgs;
13 |   inherit thin;
14 |   packages = [ pkg ];
15 |   versionAddon = "";
16 |   exec = ''/bin/qemu-kvm -- \
17 |     -spice port=5101,addr=ipv4 \
18 |     -vnc :0 \
19 |     -boot reboot-timeout=60 \
20 |   '';
21 | 
22 |   ports = {
23 |     spice = { protocol = "tcp"; port = "5101"; };
24 |     vnc = { protocol = "tcp"; port = "5900"; };
25 |   };
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/pkgs/linux/dovecot.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pkg = pkgs.dovecot;
 4 | in
 5 | 
 6 | mkACI rec {
 7 |   inherit pkgs;
 8 |   inherit thin;
 9 |   dnsquirks = args.dnsquirks;
10 | 
11 |   packages = [ pkg pkgs.dovecot_pigeonhole ];
12 | 
13 |   ports = {
14 |     imaps = { protocol = "tcp"; port = "993"; };
15 |     sieve = { protocol = "tcp"; port = "4190"; };
16 |   };
17 | 
18 |   mounts = {
19 |     mail = "/var/vmail";
20 |     etc-dovecot = "/etc/dovecot";
21 |   };
22 | 
23 |   env = {
24 |     LC_ALL = "en_US.UTF-8";
25 |     LANG = "en_US.UTF-8";
26 |   };
27 | }
28 | 


--------------------------------------------------------------------------------
/pkgs/linux/dnsmasq.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , ... }
 5 | @ args:
 6 | 
 7 | let
 8 |   pkg = pkgs.dnsmasq;
 9 | in
10 | 
11 | mkACI rec {
12 |   inherit pkgs;
13 |   inherit thin;
14 |   dnsquirks = false;
15 |   packages = [ pkg ];
16 |   versionAddon = "";
17 |   exec = ''/bin/dnsmasq'';
18 | 
19 |   mounts = {
20 |     varlibmisc = "/var/lib/misc/";
21 |     varrun = "/var/run/";
22 |     pxe = "/pxe/";
23 |   };
24 | 
25 |   isolators = {
26 |     "os/linux/capabilities-retain-set" = ''{
27 |       "set": [ "CAP_NET_BIND_SERVICE", "CAP_NET_ADMIN"]
28 |     }'';
29 |   };
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/pkgs/linux/pixiecore.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pixiecore = with pkgs.goPackages; buildFromGitHub{
 4 |     rev    = "b9a4006784aec6400b161a214cc16514c0f65900";
 5 |     date   = "2015-10-22";
 6 |     owner  = "danderson";
 7 |     repo   = "pixiecore";
 8 |     sha256 = "1qfhyyxfm48xhyz3cfnz5m695s3vla5zg0sh7fhribd0i949f1vv";
 9 |     buildInputs = [ net crypto ];
10 |   };
11 |   pkg = pixiecore.bin;
12 | 
13 | in mkACI rec {
14 |   inherit pkgs;
15 |   inherit thin;
16 | 
17 |   static = false;
18 |   packages = [ pkg ];
19 | 
20 |   os="linux";
21 |   arch="amd64";
22 | }
23 | 


--------------------------------------------------------------------------------
/pkgs/linux/dnsfail.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, static ? true , ... } @ args:
 2 | let 
 3 |   pkg = pkgs.stdenv.mkDerivation rec {
 4 |     version = "0.0.1";
 5 |     name = "dnsfail";
 6 |     src = /home/steveej/src/github/steveej/hello_go/dnsfail;
 7 |     buildInputs = [ pkgs.goPackages.go ];
 8 |     installPhase = ''
 9 |       mkdir -p $out/bin
10 |       CGO_ENABLED=0 go build -o $out/bin/dnsfail -a -tags netgo -ldflags '-w' dnsfail.go
11 |     '';
12 |   };
13 | 
14 | in mkACI rec {
15 |   inherit pkgs;
16 |   inherit thin;
17 |   inherit static;
18 | 
19 |   packages = [ pkg ];
20 |   exec = "/bin/dnsfail";
21 | }
22 | 


--------------------------------------------------------------------------------
/pkgs/linux/etcd2.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pkg = pkgs.etcd;
 4 | in
 5 | 
 6 | mkACI rec {
 7 |   inherit pkgs;
 8 |   inherit thin;
 9 | 
10 |   acName = "etcd";
11 |   #acVersion = builtins.elemAt (pkgs.stdenv.lib.strings.splitString "v" pkg.name) 1;
12 | 
13 |   packages = [ pkg ];
14 |   exec = "/bin/etcd";
15 | 
16 |   mounts = {
17 |     datadir = "/var/db/etcd2";
18 |   };
19 | 
20 |    mountsRo = {
21 |      resolvconf = "/etc/resolv.conf";
22 |    };
23 | 
24 |   env = {
25 |     ETCD_DATA_DIR = "/var/db/etcd2/";
26 |   };
27 | 
28 |   ports = {
29 |     etcd2 = { protocol = "tcp"; port = 2379; };
30 |   };
31 | }
32 | 


--------------------------------------------------------------------------------
/pkgs/linux/iperf.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , ... }
 6 | @ args:
 7 | 
 8 | let
 9 |   pkg = pkgs.iperf;
10 |   busybox = if static == true
11 |     then
12 |       (pkgs.busybox.override {
13 |          extraConfig = ''
14 |            CONFIG_STATIC y
15 |            CONFIG_INSTALL_APPLET_DONT y
16 |            CONFIG_INSTALL_APPLET_SYMLINKS n
17 |          '';
18 |       })
19 |     else pkgs.busybox;
20 | in
21 | 
22 | mkACI rec {
23 |   inherit pkgs;
24 |   inherit static;
25 |   thin = false;
26 |   packages = [ pkg busybox pkgs.eject ];
27 |   versionAddon = if static == true then "-static" else "";
28 |   exec = ''/bin/busybox -- sh -c "busybox mkdir -p /sbin; /bin/busybox --install -s; sh"'';
29 | }
30 | 
31 | 


--------------------------------------------------------------------------------
/pkgs/linux/flannel.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , ... }
 6 | @ args:
 7 | 
 8 | let
 9 |   pkg = pkgs.flannel;
10 |   busybox = if static == true
11 |     then
12 |       (pkgs.busybox.override {
13 |          extraConfig = ''
14 |            CONFIG_STATIC y
15 |            CONFIG_INSTALL_APPLET_DONT y
16 |            CONFIG_INSTALL_APPLET_SYMLINKS n
17 |          '';
18 |       })
19 |     else pkgs.busybox;
20 | in
21 | 
22 | mkACI rec {
23 |   inherit pkgs;
24 |   inherit static;
25 |   thin = false;
26 |   packages = [ pkg busybox pkgs.eject ];
27 |   versionAddon = if static == true then "-static" else "";
28 |   exec = ''/bin/busybox -- sh -c "busybox mkdir -p /sbin; /bin/busybox --install -s; sh"'';
29 | 
30 |   isolators = {
31 |       "os/linux/capabilities-retain-set" = { "set" = [ "CAP_NET_ADMIN" ]; };
32 |   };
33 | }
34 | 
35 | 


--------------------------------------------------------------------------------
/pkgs/linux/busybox.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , ... }
 6 | @ args:
 7 | 
 8 | let
 9 |   pkg = if static == true
10 |     then
11 |       (pkgs.busybox.override {
12 |          enableStatic = true;
13 |          extraConfig = ''
14 |            CONFIG_STATIC y
15 |            CONFIG_INSTALL_APPLET_DONT y
16 |            CONFIG_INSTALL_APPLET_SYMLINKS n
17 |          '';
18 |       })
19 |     else pkgs.busybox;
20 | in
21 | 
22 | mkACI rec {
23 |   inherit pkgs;
24 |   inherit static;
25 |   inherit thin;
26 |   packages = [ pkg ];
27 |   versionAddon = if static == true then "-static" else "";
28 | 
29 |   exec = [
30 |     "/bin/busybox"
31 |     "sh" "-c" "busybox mkdir -p /sbin; /bin/busybox --install -s; sh"
32 |   ];
33 | 
34 |   isolators = {
35 |       "os/linux/capabilities-retain-set" = { "set" = [ "CAP_NET_ADMIN" ]; };
36 |   };
37 | }
38 | 
39 | 


--------------------------------------------------------------------------------
/pkgs/linux/plex.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   pkg = pkgs.plex;
 4 | in
 5 | 
 6 | mkACI rec {
 7 |   inherit pkgs;
 8 |   inherit thin;
 9 |   packages = [ pkg ];
10 | 
11 |   mounts = {
12 |     config = "/var/lib/plexmediaserver/Library/Application Support";
13 |     media = "/media";
14 |   };
15 | 
16 |   ports = {
17 |     https = { protocol = "tcp"; port = "32400"; };
18 |   };
19 | 
20 |   exec = "\"/usr/lib/plexmediaserver/Plex Media Server\"";
21 | 
22 |   env = {
23 |     PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR = "/var/lib/plexmediaserver/Library/Application Support";
24 |     PLEX_MEDIA_SERVER_HOME = "/usr/lib/plexmediaserver";
25 |     PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS = "6";
26 |     PLEX_MEDIA_SERVER_TMPDIR = "/tmp";
27 |     LD_LIBRARY_PATH = "/usr/lib/plexmediaserver";
28 |     LC_ALL = "en_US.UTF-8";
29 |     LANG = "en_US.UTF-8";
30 |   };
31 | }
32 | 


--------------------------------------------------------------------------------
/pkgs/linux/acserver.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | let
 3 |   acserver = with pkgs; stdenv.mkDerivation rec {
 4 |     date   = "2016-11-11";
 5 |     name = "acserver-"+date;
 6 |     src = fetchFromGitHub { 
 7 |       rev    = "ef1eb24de11f9c7fe74e1a91b82f34687ac13604";
 8 |       owner  = "appc";
 9 |       repo   = "acserver";
10 |       sha256 = "0bwc3c1ax3igwva224di9izyr2wzw7nninn9m7s28z1dqwvjn7bh";
11 |     };
12 | 
13 | 
14 |     buildInputs = [ go ];
15 |     buildPhase = ''
16 |       export GOPATH=$src
17 |       ./build.sh
18 |     '';
19 | 
20 |     installPhase = ''
21 |       mkdir -p $out/bin
22 |       mv acserver $out/bin
23 |     '';
24 |   };
25 |   pkg = acserver;
26 | 
27 | in mkACI rec {
28 |   inherit pkgs;
29 |   inherit thin;
30 | 
31 |   static = false;
32 |   packages = [ pkg ];
33 | 
34 |   ports = { 
35 |     srv = { protocol = "tcp"; port = 3000; };
36 |   };
37 | }
38 | 


--------------------------------------------------------------------------------
/pkgs/linux/busybox-pfwd.nix:
--------------------------------------------------------------------------------
 1 | { mkACI
 2 | , pkgs
 3 | , thin ? false
 4 | , static ? false
 5 | , ... }
 6 | @ args:
 7 | 
 8 | let
 9 |   pkg = if static == true
10 |     then
11 |       (pkgs.busybox.override {
12 |          enableStatic = true;
13 |          extraConfig = ''
14 |            CONFIG_STATIC y
15 |            CONFIG_INSTALL_APPLET_DONT y
16 |            CONFIG_INSTALL_APPLET_SYMLINKS n
17 |          '';
18 |       })
19 |     else pkgs.busybox;
20 | in
21 | 
22 | mkACI rec {
23 |   inherit pkgs;
24 |   inherit static;
25 |   inherit thin;
26 |   packages = [ pkg pkgs.eject ];
27 |   versionAddon = if static == true then "-pfwd-static" else "-pfwd";
28 | 
29 |   exec = [
30 |     "/bin/busybox"
31 |     "sh" "-c" "busybox mkdir -p /sbin; /bin/busybox --install -s; sh"
32 |   ];
33 | 
34 |   mountsRo = {
35 |     rslvc = "/etc/resolv.conf";
36 |   };
37 | 
38 |   ports = {
39 |     nc = { protocol = "tcp"; port = 1024; };
40 |   };
41 | }
42 | 
43 | 


--------------------------------------------------------------------------------
/pkgs/linux/rkt-buildenv.nix:
--------------------------------------------------------------------------------
 1 | { mkACI, pkgs, thin ? false, ... } @ args:
 2 | 
 3 | mkACI rec {
 4 |   inherit pkgs;
 5 |   inherit thin;
 6 |   dnsquirks = args.dnsquirks;
 7 | 
 8 |   acName = "rkt-buildenv";
 9 |   acVersion = "1.0";
10 | 
11 |   packages = with pkgs; [
12 |     bashInteractive
13 | 
14 |     automake
15 |     coreutils
16 |     autoconf
17 |     m4
18 |     gnugrep
19 |     gnused
20 |     gcc
21 |     git
22 |     gzip
23 |     wget
24 |     patch
25 | 
26 |     glibc.out
27 |     glibc.static
28 |     autoreconfHook
29 |     gnupg1
30 |     squashfsTools
31 |     cpio
32 |     tree
33 |     intltool
34 |     libtool
35 |     pkgconfig
36 |     libgcrypt
37 |     gperf
38 |     libcap
39 |     libseccomp
40 |     libzip
41 |     eject
42 |     iptables
43 |     bc
44 |     acl
45 |     trousers
46 |     systemd
47 |   ];
48 | 
49 |   mounts = {
50 |     src = "/usr/src/rkt";
51 |   };
52 | 
53 |   env = {
54 |     LD_LIBRARY_PATH = "";
55 |   };
56 | 
57 | }
58 | 


--------------------------------------------------------------------------------
/pkgs/linux/acserver.patch:
--------------------------------------------------------------------------------
 1 | diff --git a/Godeps/_workspace/src/github.com/codegangsta/negroni/static.go b/Godeps/_workspace/src/github.com/codegangsta/negroni/static.go
 2 | index c5af4e6..1351479 100644
 3 | --- a/Godeps/_workspace/src/github.com/codegangsta/negroni/static.go
 4 | +++ b/Godeps/_workspace/src/github.com/codegangsta/negroni/static.go
 5 | @@ -1,8 +1,11 @@
 6 |  package negroni
 7 |  
 8 |  import (
 9 | +	"fmt"
10 |  	"net/http"
11 | +	"os"
12 |  	"path"
13 | +	"path/filepath"
14 |  	"strings"
15 |  )
16 |  
17 | @@ -43,6 +46,20 @@ func (s *Static) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.Ha
18 |  			return
19 |  		}
20 |  	}
21 | +
22 | +	stat, err := os.Stat(filepath.Join(fmt.Sprintf("%s", s.Dir), file))
23 | +	if err != nil {
24 | +		next(rw, r)
25 | +		return
26 | +	}
27 | +	if (stat.Mode() & os.ModeSymlink) != 0 {
28 | +		file, err = os.Readlink(file)
29 | +		if err != nil {
30 | +			next(rw, r)
31 | +			return
32 | +		}
33 | +	}
34 | +
35 |  	f, err := s.Dir.Open(file)
36 |  	if err != nil {
37 |  		// discard the error?
38 | 


--------------------------------------------------------------------------------
/default.nix:
--------------------------------------------------------------------------------
 1 | { pkgs ? import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/b69f568f4c3ebaf48a7f66b0f051d28157a61afb.tar.gz") {}
 2 | , mkACI ? import lib/mkACI.nix
 3 | }:
 4 | 
 5 | let
 6 |   callPackage = pkg: args: pkgs.callPackage pkg ({ inherit pkgs mkACI; dnsquirks=false; } // args);
 7 | in {
 8 |   #TODO:broken upstream# acserver = callPackage pkgs/linux/acserver.nix { };
 9 |   bash = callPackage pkgs/linux/bash.nix { };
10 |   busybox = callPackage pkgs/linux/busybox.nix { };
11 |   busyboxThin = callPackage pkgs/linux/busybox.nix { thin=true; };
12 |   busyboxStatic = callPackage pkgs/linux/busybox.nix { static=true; };
13 |   busyboxPfwd = callPackage pkgs/linux/busybox-pfwd.nix { };
14 |   dnsmasq = callPackage pkgs/linux/dnsmasq.nix { };
15 |   docker = callPackage pkgs/linux/docker.nix { };
16 |   flannel = callPackage pkgs/linux/flannel.nix { };
17 |   dovecot = callPackage pkgs/linux/dovecot.nix { };
18 |   etcd2 = callPackage pkgs/linux/etcd2.nix { };
19 |   getmail = callPackage pkgs/linux/getmail.nix { };
20 |   iperf = callPackage pkgs/linux/iperf.nix { };
21 |   #TODO package# pixiecore = callPackage pkgs/linux/pixiecore.nix { };
22 |   qemu = callPackage pkgs/linux/qemu.nix { };
23 |   rkt = callPackage pkgs/linux/rkt.nix { };
24 |   rktBuildenv = callPackage pkgs/linux/rkt-buildenv.nix { };
25 |   tcpdump = callPackage pkgs/linux/generic.nix { packages=[ pkgs.tcpdump ]; };
26 |   gnupg = callPackage pkgs/linux/generic.nix {
27 |     packages=[ 
28 |       pkgs.gnupg
29 |       pkgs.bashInteractive
30 |       pkgs.coreutils
31 |     ];
32 | 
33 |     exec = "/bin/bash";
34 |   
35 |     mounts = {
36 |       keys = "/var/lib/keys";
37 |     };
38 |   
39 |     mountsRo = {
40 |       resolvconf = "/etc/resolv.conf";
41 |     };
42 |   };
43 | }
44 | 


--------------------------------------------------------------------------------
/lib/mkACI.nix:
--------------------------------------------------------------------------------
  1 | args @ { pkgs
  2 | , packages
  3 | , pkg ? builtins.elemAt packages 0
  4 | , acName ? (builtins.parseDrvName pkg.name).name
  5 | , acVersion ? if builtins.hasAttr "version" pkg && pkg.version != "" then pkg.version else (builtins.parseDrvName pkg.name).version
  6 | , versionAddon ? ""
  7 | , arch ? builtins.replaceStrings ["x86_64"] ["amd64"] (builtins.elemAt (pkgs.stdenv.lib.strings.splitString "-" pkg.system) 0)
  8 | , os ? builtins.elemAt (pkgs.stdenv.lib.strings.splitString "-" pkg.system) 1
  9 | , thin ? false
 10 | , acLabels ? {}
 11 | , mounts ? {}
 12 | , mountsRo ? {}
 13 | , ports ? {}
 14 | , env ? {}
 15 | , exec ? ""
 16 | , user ? "0"
 17 | , group ? "0"
 18 | , sign ? true
 19 | , isolators ? {}
 20 | , dnsquirks ? true
 21 | , static ? false
 22 | }:
 23 | 
 24 | let
 25 |   mountPoint = readOnly: mounts: name: {
 26 |      "name" = name;
 27 |      "path" = mounts.${name};
 28 |      "readOnly" = readOnly;
 29 |   };
 30 |   propertyList = (list:
 31 |     builtins.map (l: {"name" = l; "value" = list.${l}; }) (builtins.attrNames list));
 32 | 
 33 |   mountPoints = (builtins.map (mountPoint false mounts) (builtins.attrNames mounts));
 34 |   mountPointsRo = (builtins.map (mountPoint true mountsRo) (builtins.attrNames mountsRo));
 35 |   name = (builtins.replaceStrings ["go1.6-" "go1.5-" "go1.4-" "-"] [ "" "" "" "_"] acName);
 36 |   version = (builtins.replaceStrings ["-"] ["_"] acVersion + versionAddon);
 37 |   execArgv = if (builtins.isString exec) then [exec]
 38 |     else if (builtins.isList exec) then exec
 39 |     else throw "exec should be a list, got: " + (builtins.typeOf exec);
 40 | 
 41 |   portProps = (builtins.map (p: {"name" = p;} // ports.${p}) (builtins.attrNames ports));
 42 | 
 43 |   manifest = {
 44 |     acKind = "ImageManifest";
 45 |     acVersion = "0.7.4";
 46 |     name = name;
 47 |     version = version;
 48 |     labels = (propertyList (acLabels // {
 49 |       os = os;
 50 |       arch = arch;
 51 |     }));
 52 |     app = {
 53 |       exec = execArgv;
 54 |       user = user;
 55 |       group = group;
 56 |       mountPoints = mountPoints ++ mountPointsRo;
 57 |       ports = portProps;
 58 |       isolators = (propertyList isolators);
 59 |       environment = (propertyList env);
 60 |     };
 61 |   };
 62 | 
 63 |   bool_to_str = b: if b then "true" else "false";
 64 | in
 65 |   pkgs.stdenv.mkDerivation rec {
 66 |   inherit name;
 67 |   inherit version;
 68 | 
 69 |   inherit os;
 70 |   inherit arch;
 71 | 
 72 |   buildInputs = [ pkgs.python3 ];
 73 | 
 74 |   # the enclosed environment provides the content for the ACI
 75 |   customEnv = pkgs.buildEnv {
 76 |     name = name + "-env";
 77 |     paths = packages;
 78 |   };
 79 |   exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) packages;
 80 | 
 81 |   acname = "${name}-${version}-${os}-${arch}";
 82 | 
 83 |   manifestJson = builtins.toFile "manifest" (builtins.toJSON manifest);
 84 | 
 85 |   phases = "buildPhase";
 86 |   buildPhase = ''
 87 |     set -x
 88 |     set -e
 89 | 
 90 |     # Generic Manifest information
 91 |     python3 ${./mkACI.py} \
 92 |       --thin=${bool_to_str thin} \
 93 |       --dnsquirks=${bool_to_str dnsquirks} \
 94 |       --static=${bool_to_str static} \
 95 |       $out/${acname}.aci ${manifestJson} ${customEnv} \
 96 |       ${if static == true then (builtins.elemAt packages 0) else "closure-*"}
 97 | 
 98 |     postProcScript=$out/postprocess.sh
 99 |     cat > $postProcScript <<EOF
100 |     #!/usr/bin/env bash
101 |     set -e
102 |     script_outdir=\''${1:-ACIs/}
103 |     mkdir -p \$script_outdir
104 |     echo "Linking $out/${acname}.aci into \$script_outdir"
105 |     ln -sf "$out/${acname}.aci" "\$script_outdir/"
106 |     ${if thin == true then
107 |     "echo \"Linking $out/${acname}.mounts into \\$script_outdir\"
108 |     ln -sf \"$out/${acname}.mounts\" \"\\$script_outdir\""
109 |     else ""}
110 |     ${if sign == true then
111 |      "gpg2 --yes --batch --armor --output \"\\$script_outdir/${acname}.aci.asc\" --detach-sig \"$out/${acname}.aci\""
112 |      else ""}
113 |     EOF
114 | 
115 |     chmod +x "$postProcScript"
116 |     set +x
117 |   '';
118 | 
119 | }
120 | 


--------------------------------------------------------------------------------
/lib/mkACI.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | import json
  3 | import os
  4 | from optparse import OptionParser
  5 | from shutil import copyfile
  6 | import subprocess
  7 | import sys
  8 | 
  9 | 
 10 | def parse_opts():
 11 |     usage = "usage: %prog [options] file.aci manifest custom_env paths..."
 12 |     parser = OptionParser(usage=usage)
 13 |     parser.add_option("--thin", dest="thin")
 14 |     parser.add_option("--dnsquirks", dest="dnsquirks")
 15 |     parser.add_option("--static", dest="static")
 16 |     (options, args) = parser.parse_args()
 17 |     if len(args) < 3:
 18 |         sys.stderr.write("not enough arguments")
 19 |         parser.print_help()
 20 |         sys.exit(1)
 21 |     return options, args
 22 | 
 23 | 
 24 | def paths_from_graphs(graphs):
 25 |     paths = {}
 26 |     for graph in graphs:
 27 |         with open(graph) as f:
 28 |             while True:
 29 |                 path = f.readline()
 30 |                 if not path:
 31 |                     break
 32 |                 paths[path.rstrip()] = True
 33 |                 f.readline()
 34 |                 count = f.readline()
 35 |                 for i in range(int(count)):
 36 |                     f.readline()
 37 |     return paths.keys()
 38 | 
 39 | 
 40 | def add_mounts(manifestPath, storePaths, mountArgPath):
 41 |     with open(manifestPath) as f:
 42 |         manifest = json.load(f)
 43 |     with open(mountArgPath, "w+") as f:
 44 |         mount_points = manifest["app"]["mountPoints"]
 45 |         for path in storePaths:
 46 |             name = path.replace(".", "").replace("/", "").lower()
 47 |             mount_points.append({
 48 |                 'name': name,
 49 |                 'path': path,
 50 |                 'readOnly': True
 51 |                })
 52 |             args = "--volume=%s,kind=host,source=%s "
 53 |             f.write(args % (name, path))
 54 |     with open(manifestPath, "w") as f:
 55 |         json.dump(manifest, f, indent=4)
 56 | 
 57 | 
 58 | def tar(file_list, archive, custom_env):
 59 |     # prefix everything with rootfs except "manifest" and "rootfs" itself
 60 |     t = ['flags=rSh',
 61 |          's,^,rootfs/,',
 62 |          's,^rootfs/manifest,manifest,',
 63 |          's,^rootfs/rootfs,rootfs,',
 64 |          's,'+custom_env[1:]+'/,,']
 65 |     cmd = ["tar",
 66 |            "--create",
 67 |            "--file", archive,
 68 |            "--null",
 69 |            "--gzip",
 70 |            "-T", "-",
 71 |            "--transform", ";".join(t)]
 72 |     print("$ " + " ".join(cmd))
 73 |     print(file_list)
 74 |     proc = subprocess.Popen(cmd, stdin=subprocess.PIPE)
 75 |     proc.communicate(input=str.encode("\0".join(file_list)))
 76 | 
 77 | 
 78 | def build_aci(aci,
 79 |               manifest,
 80 |               custom_env,
 81 |               closures,
 82 |               thin=True,
 83 |               static=False,
 84 |               dnsquirks=False):
 85 |     os.mkdir(os.path.dirname(aci))
 86 |     file_list = ["manifest", "rootfs", "etc"]
 87 | 
 88 |     if static:
 89 |         storePaths = closures
 90 |     else:
 91 |         storePaths = paths_from_graphs(closures)
 92 | 
 93 |     for path in os.listdir(custom_env):
 94 |         if path == "etc":
 95 |             cp = ["cp", "-aL", os.path.join(custom_env, "etc"), "etc"]
 96 |             subprocess.call(cp)
 97 |         else:
 98 |             file_list.append(custom_env+'/'+path)
 99 | 
100 |     copyfile(manifest, "manifest")
101 |     if thin:
102 |         mountArgPath = os.path.splitext(aci)[0] + ".mounts"
103 |         add_mounts("manifest", storePaths, mountArgPath)
104 |     else:
105 |         file_list+=storePaths
106 | 
107 |     if dnsquirks:
108 |         if not os.path.exists("etc"):
109 |             os.mkdir("etc")
110 |         with open("etc/hosts", "w+") as f:
111 |             f.write("127.0.0.1 localhost\n::1 localhost\n")
112 | 
113 |     os.mkdir("rootfs")
114 |     tar(file_list, aci, custom_env)
115 | 
116 | 
117 | def main():
118 |     options, args = parse_opts()
119 | 
120 |     def to_bool(s): return s in ["true"]
121 | 
122 |     build_aci(args[0],
123 |               args[1],
124 |               args[2],
125 |               args[3:],
126 |               thin=to_bool(options.thin),
127 |               static=to_bool(options.static),
128 |               dnsquirks=to_bool(options.dnsquirks))
129 | 
130 | if __name__ == "__main__":
131 |     main()
132 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # nix2aci
 2 | 
 3 | [![Build Status](https://travis-ci.org/steveeJ/nix2aci.svg?branch=master)](https://travis-ci.org/steveeJ/nix2aci)
 4 | 
 5 | Let's use Nix' super powers to build [App Container Images](http://github.com/appc/spec)!
 6 | 
 7 | This project should be understood as a proof of concept until stated otherwise.
 8 | You can expect this README to be minimal but it should always contain working examples.
 9 | 
10 | ## ACI Build Requirements
11 | * local copy of this repository
12 | * [nix](http://www.nixos.org/nix) plus the skills to query package names
13 | * python
14 | 
15 | ## ACI Runtime Requirements
16 | * [coreos/rkt](https://github.com/coreos/rkt/)
17 | 
18 | ## Signing Requirements
19 | ~~Including the signing process into the nix workflow seems quite tedious and is not fully satisfactory at this point. I chose to setup a key for the nix build environment. The downside is that every build can read and use the key which is bad if the build system is compromised in any way.~~
20 | 
21 | ~~Please take a look at [the included script](scripts/setup-gpg.sh), which can be used to do the preparation.~~
22 | In order to sign your build you need to have a working setup of gpg with `gpg2` being in your path. After the build, you can run the script(s) located in at `result*/postprocess.sh` and the signatures will be created along with symlinks to the ACI.
23 | 
24 | 
25 | # Building ACIs
26 | There's more than one way to build and use ACIs with Nix, because the filesystem structure allows for side-by-side installations of almost any package. Every package (version) is stored at $NIX\_STORE identified by hash, and can be pulled into different profiles independently. These profiles could be copied, but it should also be possible to bind-mount the host versions into the containers.
27 | 
28 | ## Thin ACIs
29 | * Status: working and under development
30 | 
31 | Thin ACIs don't contain any binary files, but for the most part just the manifest file and a directory skeleton.
32 | The manifest file specifies one host type mount per package, representing the effectively available packages for the ACI.
33 | These mountpoints can add up to a few dozen depending on the target package, and they all have to be passed to the container runtime that consumes the ACI, supplying the correct path from the host to the package's mount.
34 | 
35 | In order to make this usable, a file that can be `cat`ed into the rkt cmdline will be generated alongside the ACI when using the build script.
36 | 
37 | ## Fat ACIs
38 | * Status: working and under development
39 | 
40 | Fat ACIs contain all files that are needed to run the contained application. This is the choice if you want to move the ACI onto a system where for whichever reason the nix store outputs are not available.
41 | 
42 | 
43 | ## Demonstration
44 | The following example builds the busybox ACI expression that is defined in the file [pkgs/linux/busybox.nix](pkgs/linux/busybox.nix).
45 | In order to be available at top level, an import statement in the *default.nix* is necessary.
46 | 
47 | ```
48 | $ grep -n busybox default.nix
49 | 13:  busybox = import pkgs/linux/busybox.nix { inherit pkgs mkACI; static=false; };
50 | 14:  busyboxStatic = import pkgs/linux/busybox.nix { inherit pkgs mkACI; static=true; };
51 | ```
52 | 
53 | Now let's build, sign and run it:
54 | ```
55 | $ nix-build -A busybox
56 | 
57 | $ ./result/postprocess.sh 
58 | Linking /nix/store/y7dh7bfdhafaf530lih071515z8khwva-busybox/busybox-1.23.2-linux-amd64.aci into ACIs/
59 | 
60 | $ tree ACIs/
61 | ACIs/
62 | ├── busybox-1.23.2-linux-amd64.aci -> /nix/store/y7dh7bfdhafaf530lih071515z8khwva-busybox/busybox-1.23.2-linux-amd64.aci
63 | └── busybox-1.23.2-linux-amd64.aci.asc
64 | 
65 | $ sudo rkt run --interactive ACIs/busybox-1.23.2-linux-amd64.aci
66 | rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.13.0
67 | rkt: using image from file /home/steveej/src/github/steveej/nix2aci/ACIs/busybox-1.23.2-linux-amd64.aci
68 | rkt: signature verified:
69 |   Stefan Junker <mail@stefanjunker.de>
70 |   Stefan Junker <code@stefanjunker.de>
71 | run: group "rkt" not found, will use default gid when rendering images
72 | / # busybox | head -n1
73 | BusyBox v1.23.2 () multi-call binary.
74 | ```
75 | 
76 | # Tests
77 | 
78 | The test assumes nix-build to be installed.
79 | This can be done using following the instructions [here](https://nixos.org/wiki/How_to_install_nix_in_home_(on_another_distribution)#PRoot_Installation).
80 | Then run:
81 | 
82 | ```
83 | bash ./test.sh
84 | ```
85 | 


--------------------------------------------------------------------------------