78 lines
1.9 KiB
Nix
78 lines
1.9 KiB
Nix
{ lib, writeText, runCommand, writeClosure }:
|
|
|
|
{
|
|
buildContainer =
|
|
{ args
|
|
, mounts ? {}
|
|
, os ? "linux"
|
|
, arch ? "x86_64"
|
|
, readonly ? false
|
|
}:
|
|
let
|
|
sysMounts = {
|
|
"/proc" = {
|
|
type = "proc";
|
|
source = "proc";
|
|
};
|
|
"/dev" = {
|
|
type = "tmpfs";
|
|
source = "tmpfs";
|
|
options = [ "nosuid" "strictatime" "mode=755" "size=65536k" ];
|
|
};
|
|
"/dev/pts" = {
|
|
type = "devpts";
|
|
source = "devpts";
|
|
options = [ "nosuid" "noexec" "newinstance" "ptmxmode=0666" "mode=755" "gid=5" ];
|
|
};
|
|
"/dev/shm" = {
|
|
type = "tmpfs";
|
|
source = "shm";
|
|
options = [ "nosuid" "noexec" "nodev" "mode=1777" "size=65536k" ];
|
|
};
|
|
"/dev/mqueue" = {
|
|
type = "mqueue";
|
|
source = "mqueue";
|
|
options = [ "nosuid" "noexec" "nodev" ];
|
|
};
|
|
"/sys" = {
|
|
type = "sysfs";
|
|
source = "sysfs";
|
|
options = [ "nosuid" "noexec" "nodev" "ro" ];
|
|
};
|
|
"/sys/fs/cgroup" = {
|
|
type = "cgroup";
|
|
source = "cgroup";
|
|
options = [ "nosuid" "noexec" "nodev" "relatime" "ro" ];
|
|
};
|
|
};
|
|
config = writeText "config.json" (builtins.toJSON {
|
|
ociVersion = "1.0.0";
|
|
platform = {
|
|
inherit os arch;
|
|
};
|
|
|
|
linux = {
|
|
namespaces = map (type: { inherit type; }) [ "pid" "network" "mount" "ipc" "uts" ];
|
|
};
|
|
|
|
root = { path = "rootfs"; inherit readonly; };
|
|
|
|
process = {
|
|
inherit args;
|
|
user = { uid = 0; gid = 0; };
|
|
cwd = "/";
|
|
};
|
|
|
|
mounts = lib.mapAttrsToList (destination: { type, source, options ? null }: {
|
|
inherit destination type source options;
|
|
}) sysMounts;
|
|
});
|
|
in
|
|
runCommand "join" {} ''
|
|
set -o pipefail
|
|
mkdir -p $out/rootfs/{dev,proc,sys}
|
|
cp ${config} $out/config.json
|
|
xargs tar c < ${writeClosure args} | tar -xC $out/rootfs/
|
|
'';
|
|
}
|
|
|