This PR adds an example system extension for gvisor. Signed-off-by: Andrew Rynhard <andrew@rynhard.io>
1 parent
a46b3f2
commit 81b2fd3
Showing
8 changed files
with
323 additions
and
0 deletions.
@@ -0,0 +1,124 @@ | ||
kind: pipeline | ||
name: default | ||
type: kubernetes | ||
|
||
steps: | ||
- name: setup-ci | ||
image: autonomy/build-container:latest | ||
commands: | ||
- git fetch --tags | ||
- install-ci-key | ||
- setup-buildx-amd64-arm64 | ||
environment: | ||
SSH_KEY: | ||
from_secret: ssh_key | ||
DOCKER_CLI_EXPERIMENTAL: enabled | ||
resources: | ||
requests: | ||
cpu: 24000 | ||
memory: 48GiB | ||
volumes: | ||
- name: docker-socket | ||
path: /var/run | ||
- name: ssh | ||
path: /root/.ssh | ||
- name: docker | ||
path: /root/.docker/buildx | ||
|
||
- name: build-pull-request | ||
image: autonomy/build-container:latest | ||
pull: always | ||
environment: | ||
DOCKER_CLI_EXPERIMENTAL: enabled | ||
commands: | ||
- make | ||
when: | ||
event: | ||
include: | ||
- pull_request | ||
volumes: | ||
- name: docker-socket | ||
path: /var/run | ||
- name: ssh | ||
path: /root/.ssh | ||
- name: docker | ||
path: /root/.docker/buildx | ||
|
||
- name: build-nonfree-pull-request | ||
image: autonomy/build-container:latest | ||
pull: always | ||
environment: | ||
DOCKER_CLI_EXPERIMENTAL: enabled | ||
commands: | ||
- make nonfree | ||
when: | ||
event: | ||
include: | ||
- pull_request | ||
volumes: | ||
- name: docker-socket | ||
path: /var/run | ||
- name: ssh | ||
path: /root/.ssh | ||
- name: docker | ||
path: /root/.docker/buildx | ||
|
||
- name: build-and-publish | ||
image: autonomy/build-container:latest | ||
pull: always | ||
environment: | ||
GHCR_USERNAME: | ||
from_secret: ghcr_username | ||
GHCR_PASSWORD: | ||
from_secret: ghcr_token | ||
commands: | ||
- docker login ghcr.io --username "$${GHCR_USERNAME}" --password "$${GHCR_PASSWORD}" | ||
- make PUSH=true | ||
when: | ||
event: | ||
exclude: | ||
- pull_request | ||
volumes: | ||
- name: docker-socket | ||
path: /var/run | ||
- name: ssh | ||
path: /root/.ssh | ||
- name: docker | ||
path: /root/.docker/buildx | ||
|
||
volumes: | ||
- name: docker-socket | ||
host: | ||
path: /var/ci-docker | ||
- name: docker | ||
temp: {} | ||
- name: ssh | ||
temp: {} | ||
--- | ||
kind: pipeline | ||
type: kubernetes | ||
name: notify | ||
|
||
clone: | ||
disable: true | ||
|
||
steps: | ||
- name: slack | ||
image: plugins/slack | ||
settings: | ||
webhook: | ||
from_secret: slack_webhook | ||
channel: proj-talos-maintainers | ||
when: | ||
status: | ||
- success | ||
- failure | ||
|
||
trigger: | ||
status: | ||
- success | ||
- failure | ||
|
||
depends_on: | ||
- default | ||
|
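Review bot: The build-and-publish step hands the registry token to `docker login` on the command line (`--password "$${GHCR_PASSWORD}"`), where it is visible in the process table of the build container and may appear in any captured output of that step; reading it from stdin avoids that: `echo "$${GHCR_PASSWORD}" | docker login ghcr.io --username "$${GHCR_USERNAME}" --password-stdin`. Every step also uses `autonomy/build-container:latest` with `pull: always`, so the environment that builds and publishes the extension is whatever that mutable tag points at on the day; pinning a version tag or digest makes the pipeline reproducible and lets toolchain changes be reviewed. The `docker-socket` volume is a host path (`/var/ci-docker`) mounted into every step, which is presumably what buildx needs here, but a comment stating that these steps run with host Docker access would make the trust boundary explicit.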
@@ -0,0 +1,66 @@ | ||
REGISTRY ?= ghcr.io | ||
USERNAME ?= talos-systems | ||
SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty) | ||
TAG ?= $(shell git describe --tag --always --dirty) | ||
BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD) | ||
REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME) | ||
|
||
BUILD := docker buildx build | ||
PLATFORM ?= linux/amd64,linux/arm64 | ||
PROGRESS ?= auto | ||
PUSH ?= false | ||
COMMON_ARGS := --file=Pkgfile | ||
COMMON_ARGS += --progress=$(PROGRESS) | ||
COMMON_ARGS += --platform=$(PLATFORM) | ||
COMMON_ARGS += --build-arg=http_proxy=$(http_proxy) | ||
COMMON_ARGS += --build-arg=https_proxy=$(https_proxy) | ||
|
||
, := , | ||
empty := | ||
space = $(empty) $(empty) | ||
|
||
TARGETS = gvisor | ||
NONFREE_TARGETS = | ||
|
||
all: $(TARGETS) ## Builds all known pkgs. | ||
|
||
nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs. | ||
|
||
.PHONY: help | ||
help: ## This help menu. | ||
@grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | ||
|
||
local-%: ## Builds the specified target defined in the Dockerfile using the local output type. The build result will be output to the specified local destination. | ||
@$(MAKE) target-$* TARGET_ARGS="--output=type=local,dest=$(DEST) $(TARGET_ARGS)" | ||
@PLATFORM=$(PLATFORM) \ | ||
|
||
target-%: ## Builds the specified target defined in the Dockerfile. The build result will only remain in the build cache. | ||
@$(BUILD) \ | ||
--target=$* \ | ||
$(COMMON_ARGS) \ | ||
$(TARGET_ARGS) . | ||
|
||
docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker. | ||
@$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)" | ||
|
||
.PHONY: $(TARGETS) $(NONFREE_TARGETS) | ||
$(TARGETS) $(NONFREE_TARGETS): | ||
@$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(TAG) --push=$(PUSH)" | ||
|
||
.PHONY: deps.png | ||
deps.png: | ||
bldr graph | dot -Tpng > deps.png | ||
|
||
kernel-%: ## Updates the kernel configs: e.g. make kernel-olddefconfig; make kernel-menuconfig; etc. | ||
for platform in $(subst $(,),$(space),$(PLATFORM)); do \ | ||
arch=`basename $$platform` ; \ | ||
$(MAKE) docker-kernel-prepare PLATFORM=$$platform TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \ | ||
docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \ | ||
done | ||
|
||
# Utilities | ||
|
||
.PHONY: conformance | ||
conformance: ## Performs policy checks against the commit and source code. | ||
docker run --rm -it -v $(PWD):/src -w /src ghcr.io/talos-systems/conform:v0.1.0-alpha.22 enforce | ||
|
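Review bot: The `local-%` recipe ends with a dangling continuation, `@PLATFORM=$(PLATFORM) \` followed by a blank line, so that line executes as a bare shell variable assignment that affects nothing; it should be removed or joined to the command it was meant to prefix. The same rule interpolates `$(DEST)` into `--output=type=local,dest=$(DEST)` with no default or guard, so `make local-gvisor` without `DEST=` produces an empty destination; a first recipe line such as `$(if $(strip $(DEST)),,$(error DEST must be set))` makes the requirement explicit. `SHA`, `TAG` and `BRANCH` are assigned with `?=` (recursive flavour), so each `$(shell git …)` reruns at every reference; evaluating them once with `:=` inside an `ifeq ($(origin TAG),undefined)` block is cheaper and gives a single consistent value per run. The `docker-%` help text promises the result is loaded into docker, yet nothing it passes in `TARGET_ARGS` adds `--load`, so either the text or the arguments need adjusting.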
@@ -0,0 +1,9 @@ | ||
# syntax = ghcr.io/talos-systems/bldr:v0.2.0-alpha.6-frontend | ||
|
||
format: v1alpha2 | ||
|
||
vars: | ||
TOOLS_IMAGE: ghcr.io/talos-systems/tools:v0.10.0-alpha.0-1-g67314b1 | ||
|
||
labels: | ||
org.opencontainers.image.source: https://github.com/talos-systems/extensions |
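Review bot: Both the bldr frontend on the `# syntax` line and `TOOLS_IMAGE` are pinned by tag only (`v0.2.0-alpha.6-frontend`, `v0.10.0-alpha.0-1-g67314b1`), so the toolchain that produces the extension image can change underneath a fixed commit; appending `@sha256:<digest-from-registry>` to each reference makes the build reproducible and the inputs auditable. A one-line comment next to `TOOLS_IMAGE` noting that the `base` and `musl` stages in this commit consume it via `{{ .TOOLS_IMAGE }}` would also help a reader of this file alone.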
@@ -0,0 +1,21 @@ | ||
name: base | ||
variant: scratch | ||
shell: /toolchain/bin/bash | ||
dependencies: | ||
- image: "{{ .TOOLS_IMAGE }}" | ||
- stage: musl | ||
runtime: yes | ||
steps: | ||
- prepare: | ||
- | | ||
cp -R /toolchain/lib/gcc /lib | ||
cp -R /toolchain/lib/libgcc* /lib | ||
cp -R /toolchain/lib/libz* /lib | ||
mkdir /bin | ||
ln -sv /toolchain/bin/bash /bin/bash | ||
ln -sv /toolchain/bin/bash /bin/sh | ||
ln -sv /toolchain/bin/pwd /bin/pwd | ||
adjust.sh | ||
finalize: | ||
- from: / | ||
to: / |
@@ -0,0 +1,2 @@ | ||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc] | ||
runtime_type = "io.containerd.runsc.v1" |
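Review bot: The `runsc` runtime entry sets only `runtime_type`, so containerd has to locate `containerd-shim-runsc-v1` itself, presumably via its PATH; this commit installs that shim to `/usr/local/bin` in the gvisor package's `install` step, and the fragment says nothing about that coupling. A leading comment such as `# shim binary is installed to /usr/local/bin by the gvisor package; containerd resolves it by name` would tell whoever changes the install location what else has to move. No runtime `options` are set, so runsc runs with its defaults, which is likely intended for an example but worth stating in the same comment.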
@@ -0,0 +1,10 @@ | ||
version: v1alpha1 | ||
metadata: | ||
name: gvisor | ||
version: 20220117.0-v1.0.0 | ||
author: Andrew Rynhard | ||
description: | | ||
This system extension provides gVisor using containerd's runtime handler. | ||
compatibility: | ||
talos: | ||
version: ">= v1.0.0" |
@@ -0,0 +1,50 @@ | ||
name: gvisor | ||
variant: scratch | ||
shell: /toolchain/bin/bash | ||
dependencies: | ||
- stage: base | ||
steps: | ||
- sources: | ||
# sync with commit in build | ||
- url: https://github.com/google/gvisor/archive/c1512ec8067c772473a4d6bad12953848eab8552.tar.gz | ||
destination: gvisor.tar.gz | ||
sha256: df41a38cc4d6068e6475f2f0a29c083bf11fd682869957b1b325980d3892725b | ||
sha512: f4fd4bd5fbf482fceb7c46311c5dfd808cbf40e921c5f92ce4011f9b58e477af0dc3d5da8e1175c7ff22ad42d8351d6e8b9d8cc4d8339ded7cd782d617331002 | ||
env: | ||
GOPATH: /go | ||
prepare: | ||
- | | ||
mkdir -p /etc/ssl/certs/ | ||
ln -s /toolchain/etc/ssl/certs/ca-certificates /etc/ssl/certs/ca-certificates | ||
mkdir -p ${GOPATH}/src/github.com/google/gvisor | ||
tar -xzf gvisor.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/google/gvisor | ||
build: | ||
- | | ||
export PATH=${PATH}:${TOOLCHAIN}/go/bin | ||
cd ${GOPATH}/src/github.com/google/gvisor | ||
mkdir ./bin | ||
CGO_ENABLED=0 go build -o ./bin/runsc ./runsc | ||
CGO_ENABLED=0 go build -o ./bin/containerd-shim-runsc-v1 ./shim | ||
install: | ||
- | | ||
mkdir -p /rootfs/usr/local/bin | ||
cd ${GOPATH}/src/github.com/google/gvisor | ||
cp ./bin/runsc /rootfs/usr/local/bin/runsc | ||
chmod +x /rootfs/usr/local/bin/runsc | ||
cp ./bin/containerd-shim-runsc-v1 /rootfs/usr/local/bin/containerd-shim-runsc-v1 | ||
chmod +x /rootfs/usr/local/bin/containerd-shim-runsc-v1 | ||
finalize: | ||
- from: /rootfs | ||
to: /rootfs | ||
- from: /pkg/manifest.yaml | ||
to: / | ||
- from: /pkg/gvisor.part | ||
to: /rootfs/etc/cri/conf.d/gvisor.part |
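Review bot: The two `go build` invocations embed the absolute `${GOPATH}/src/github.com/google/gvisor` source paths into the binaries, so the runsc and shim builds are not reproducible across build roots and carry build-host paths; adding `-trimpath` (`CGO_ENABLED=0 go build -trimpath -o ./bin/runsc ./runsc`, and likewise for `./shim`) addresses both. The source comment `# sync with commit in build` does not say what the pinned commit must stay in sync with, presumably the `20220117.0` date prefix of the version in manifest.yaml; spelling that out (`# pinned gVisor commit; keep in step with the version in manifest.yaml`) prevents the two from drifting. The `prepare` step's `/etc/ssl/certs` symlink is presumably there so `go build` can fetch modules over TLS; a comment saying so would explain why a CA bundle appears in an otherwise self-contained build.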
@@ -0,0 +1,41 @@ | ||
name: musl | ||
variant: scratch | ||
shell: /toolchain/bin/bash | ||
dependencies: | ||
- image: "{{ .TOOLS_IMAGE }}" | ||
steps: | ||
- sources: | ||
- url: https://www.musl-libc.org/releases/musl-1.2.2.tar.gz | ||
destination: musl.tar.gz | ||
sha256: 9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd | ||
sha512: 5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82 | ||
prepare: | ||
- | | ||
export PATH=${TOOLCHAIN}/cross/bin:${PATH} | ||
tar -xzf musl.tar.gz --strip-components=1 | ||
mkdir /bin | ||
ln -sv /toolchain/bin/bash /bin/sh | ||
mkdir build | ||
cd build | ||
# From https://www.musl-libc.org/doc/1.0.0/manual.html: | ||
# $(syslibdir), $(includedir), and $(libdir) refer to the paths | ||
# chosen at build time (by default, /lib, $(prefix)/include, and | ||
# $(prefix)/lib, respectively) | ||
../configure \ | ||
--prefix=/usr | ||
build: | ||
- | | ||
cd build | ||
make -j $(nproc) | ||
install: | ||
- | | ||
cd build | ||
make DESTDIR=/rootfs install | ||
finalize: | ||
- from: /rootfs | ||
to: / | ||
|