From 81b2fd3cc324ee66d9c7666fa473c60ce3642614 Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Thu, 20 Jan 2022 11:58:46 -0800
Subject: [PATCH] feat: add gvisor

This PR adds an example system extension for gvisor.

Signed-off-by: Andrew Rynhard
---
 .drone.yaml | 124 +++++++++++++++++++++++++++++++++++++++++++
 Makefile | 66 +++++++++++++++++++++++
 Pkgfile | 9 ++++
 base/pkg.yaml | 21 ++++++++
 gvisor/gvisor.part | 2 +
 gvisor/manifest.yaml | 10 ++++
 gvisor/pkg.yaml | 50 +++++++++++++++++
 musl/pkg.yaml | 41 ++++++++++++++
 8 files changed, 323 insertions(+)
 create mode 100644 .drone.yaml
 create mode 100644 Makefile
 create mode 100644 Pkgfile
 create mode 100644 base/pkg.yaml
 create mode 100644 gvisor/gvisor.part
 create mode 100644 gvisor/manifest.yaml
 create mode 100644 gvisor/pkg.yaml
 create mode 100644 musl/pkg.yaml
diff --git a/.drone.yaml b/.drone.yaml
new file mode 100644
index 00000000..47527f84
--- /dev/null
+++ b/.drone.yaml
@@ -0,0 +1,124 @@
+kind: pipeline
+name: default
+type: kubernetes
+
+steps:
+ - name: setup-ci
+ image: autonomy/build-container:latest
+ commands:
+ - git fetch --tags
+ - install-ci-key
+ - setup-buildx-amd64-arm64
+ environment:
+ SSH_KEY:
+ from_secret: ssh_key
+ DOCKER_CLI_EXPERIMENTAL: enabled
+ resources:
+ requests:
+ cpu: 24000
+ memory: 48GiB
+ volumes:
+ - name: docker-socket
+ path: /var/run
+ - name: ssh
+ path: /root/.ssh
+ - name: docker
+ path: /root/.docker/buildx
+
+ - name: build-pull-request
+ image: autonomy/build-container:latest
+ pull: always
+ environment:
+ DOCKER_CLI_EXPERIMENTAL: enabled
+ commands:
+ - make
+ when:
+ event:
+ include:
+ - pull_request
+ volumes:
+ - name: docker-socket
+ path: /var/run
+ - name: ssh
+ path: /root/.ssh
+ - name: docker
+ path: /root/.docker/buildx
+
+ - name: build-nonfree-pull-request
+ image: autonomy/build-container:latest
+ pull: always
+ environment:
+ DOCKER_CLI_EXPERIMENTAL: enabled
+ commands:
+ - make nonfree
+ when:
+ event:
+ include:
+ - pull_request
+ volumes:
+ - name: docker-socket
+ path: /var/run
+ - name: ssh
+ path: /root/.ssh
+ - name: docker
+ path: /root/.docker/buildx
+
+ - name: build-and-publish
+ image: autonomy/build-container:latest
+ pull: always
+ environment:
+ GHCR_USERNAME:
+ from_secret: ghcr_username
+ GHCR_PASSWORD:
+ from_secret: ghcr_token
+ commands:
+ - docker login ghcr.io --username "$${GHCR_USERNAME}" --password "$${GHCR_PASSWORD}"
+ - make PUSH=true
+ when:
+ event:
+ exclude:
+ - pull_request
+ volumes:
+ - name: docker-socket
+ path: /var/run
+ - name: ssh
+ path: /root/.ssh
+ - name: docker
+ path: /root/.docker/buildx
+
+volumes:
+ - name: docker-socket
+ host:
+ path: /var/ci-docker
+ - name: docker
+ temp: {}
+ - name: ssh
+ temp: {}
+---
+kind: pipeline
+type: kubernetes
+name: notify
+
+clone:
+ disable: true
+
+steps:
+ - name: slack
+ image: plugins/slack
+ settings:
+ webhook:
+ from_secret: slack_webhook
+ channel: proj-talos-maintainers
+ when:
+ status:
+ - success
+ - failure
+
+trigger:
+ status:
+ - success
+ - failure
+
+depends_on:
+ - default
+
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..3efa63f5
--- /dev/null
+++ b/Makefile
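Review bot: In the `build-and-publish` step the registry token is passed on the command line as `--password "$${GHCR_PASSWORD}"`, which makes the secret visible in the argument list of the `docker login` process for as long as it runs; the same login can read it from stdin instead: `- echo "$${GHCR_PASSWORD}" | docker login ghcr.io --username "$${GHCR_USERNAME}" --password-stdin`. All four build steps run `autonomy/build-container:latest` with `pull: always`, so the build environment is an unpinned floating tag rather than a fixed version or digest, which makes builds non-reproducible and hard to audit. The `build-pull-request` and `build-nonfree-pull-request` steps run `make` on `pull_request` events with the host Docker socket (`/var/ci-docker`) mounted; if this pipeline accepts pull requests from forks, that gives untrusted changes to `Makefile`/`Pkgfile` access to the host daemon, which is worth confirming against the Drone repository settings.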
@@ -0,0 +1,66 @@
+REGISTRY ?= ghcr.io
+USERNAME ?= talos-systems
+SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty)
+TAG ?= $(shell git describe --tag --always --dirty)
+BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
+REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME)
+
+BUILD := docker buildx build
+PLATFORM ?= linux/amd64,linux/arm64
+PROGRESS ?= auto
+PUSH ?= false
+COMMON_ARGS := --file=Pkgfile
+COMMON_ARGS += --progress=$(PROGRESS)
+COMMON_ARGS += --platform=$(PLATFORM)
+COMMON_ARGS += --build-arg=http_proxy=$(http_proxy)
+COMMON_ARGS += --build-arg=https_proxy=$(https_proxy)
+
+, := ,
+empty :=
+space = $(empty) $(empty)
+
+TARGETS = gvisor
+NONFREE_TARGETS =
+
+all: $(TARGETS) ## Builds all known pkgs.
+
+nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs.
+
+.PHONY: help
+help: ## This help menu.
+ @grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+local-%: ## Builds the specified target defined in the Dockerfile using the local output type. The build result will be output to the specified local destination.
+ @$(MAKE) target-$* TARGET_ARGS="--output=type=local,dest=$(DEST) $(TARGET_ARGS)"
+ @PLATFORM=$(PLATFORM) \
+
+target-%: ## Builds the specified target defined in the Dockerfile. The build result will only remain in the build cache.
+ @$(BUILD) \
+ --target=$* \
+ $(COMMON_ARGS) \
+ $(TARGET_ARGS) .
+
+docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker.
+ @$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)"
+
+.PHONY: $(TARGETS) $(NONFREE_TARGETS)
+$(TARGETS) $(NONFREE_TARGETS):
+ @$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(TAG) --push=$(PUSH)"
+
+.PHONY: deps.png
+deps.png:
+ bldr graph | dot -Tpng > deps.png
+
+kernel-%: ## Updates the kernel configs: e.g. make kernel-olddefconfig; make kernel-menuconfig; etc.
+ for platform in $(subst $(,),$(space),$(PLATFORM)); do \
+ arch=`basename $$platform` ; \
+ $(MAKE) docker-kernel-prepare PLATFORM=$$platform TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
+ docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+ done
+
+# Utilities
+
+.PHONY: conformance
+conformance: ## Performs policy checks against the commit and source code.
+ docker run --rm -it -v $(PWD):/src -w /src ghcr.io/talos-systems/conform:v0.1.0-alpha.22 enforce
+
diff --git a/Pkgfile b/Pkgfile
new file mode 100644
index 00000000..37e5d2d1
--- /dev/null
+++ b/Pkgfile
@@ -0,0 +1,9 @@
+# syntax = ghcr.io/talos-systems/bldr:v0.2.0-alpha.6-frontend
+
+format: v1alpha2
+
+vars:
+ TOOLS_IMAGE: ghcr.io/talos-systems/tools:v0.10.0-alpha.0-1-g67314b1
+
+labels:
+ org.opencontainers.image.source: https://github.com/talos-systems/extensions
diff --git a/base/pkg.yaml b/base/pkg.yaml
new file mode 100644
index 00000000..a7c61253
--- /dev/null
+++ b/base/pkg.yaml
@@ -0,0 +1,21 @@
+name: base
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+ - image: "{{ .TOOLS_IMAGE }}"
+ - stage: musl
+ runtime: yes
+steps:
+ - prepare:
+ - |
+ cp -R /toolchain/lib/gcc /lib
+ cp -R /toolchain/lib/libgcc* /lib
+ cp -R /toolchain/lib/libz* /lib
+ mkdir /bin
+ ln -sv /toolchain/bin/bash /bin/bash
+ ln -sv /toolchain/bin/bash /bin/sh
+ ln -sv /toolchain/bin/pwd /bin/pwd
+ adjust.sh
+finalize:
+ - from: /
+ to: /
diff --git a/gvisor/gvisor.part b/gvisor/gvisor.part
new file mode 100644
index 00000000..0f31b5d9
--- /dev/null
+++ b/gvisor/gvisor.part
@@ -0,0 +1,2 @@
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runsc.v1"
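Review bot: The `local-%` recipe ends with `@PLATFORM=$(PLATFORM) \`, and the backslash continues onto the empty line that follows, so the second recipe line runs a bare shell variable assignment that does nothing — either complete the command it was meant to prefix or delete the line. The `kernel-%` target calls `$(MAKE) docker-kernel-prepare` and bind-mounts `kernel/build/config-$$arch`, but this Makefile defines `TARGETS = gvisor` and the commit adds no `kernel` package, so the target looks carried over from another repository and cannot succeed here; I would drop it rather than ship a help entry that fails. `all` and `nonfree` are not declared phony, so a file of either name in the checkout would silently make the default goal a no-op — add `.PHONY: all nonfree` next to the existing `.PHONY: help`. The `conformance` recipe also uses `docker run -it`, which fails without a TTY in CI; `-i` alone is enough for `conform enforce`.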
diff --git a/gvisor/manifest.yaml b/gvisor/manifest.yaml
new file mode 100644
index 00000000..deb7cbfe
--- /dev/null
+++ b/gvisor/manifest.yaml
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+ name: gvisor
+ version: 20220117.0-v1.0.0
+ author: Andrew Rynhard
+ description: |
+ This system extension provides gVisor using containerd's runtime handler.
+ compatibility:
+ talos:
+ version: ">= v1.0.0"
diff --git a/gvisor/pkg.yaml b/gvisor/pkg.yaml
new file mode 100644
index 00000000..33c338b0
--- /dev/null
+++ b/gvisor/pkg.yaml
@@ -0,0 +1,50 @@
+name: gvisor
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ # sync with commit in build
+ - url: https://github.com/google/gvisor/archive/c1512ec8067c772473a4d6bad12953848eab8552.tar.gz
+ destination: gvisor.tar.gz
+ sha256: df41a38cc4d6068e6475f2f0a29c083bf11fd682869957b1b325980d3892725b
+ sha512: f4fd4bd5fbf482fceb7c46311c5dfd808cbf40e921c5f92ce4011f9b58e477af0dc3d5da8e1175c7ff22ad42d8351d6e8b9d8cc4d8339ded7cd782d617331002
+ env:
+ GOPATH: /go
+ prepare:
+ - |
+ mkdir -p /etc/ssl/certs/
+ ln -s /toolchain/etc/ssl/certs/ca-certificates /etc/ssl/certs/ca-certificates
+
+ mkdir -p ${GOPATH}/src/github.com/google/gvisor
+
+ tar -xzf gvisor.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/google/gvisor
+ build:
+ - |
+ export PATH=${PATH}:${TOOLCHAIN}/go/bin
+ cd ${GOPATH}/src/github.com/google/gvisor
+
+ mkdir ./bin
+
+ CGO_ENABLED=0 go build -o ./bin/runsc ./runsc
+
+ CGO_ENABLED=0 go build -o ./bin/containerd-shim-runsc-v1 ./shim
+ install:
+ - |
+ mkdir -p /rootfs/usr/local/bin
+
+ cd ${GOPATH}/src/github.com/google/gvisor
+
+ cp ./bin/runsc /rootfs/usr/local/bin/runsc
+ chmod +x /rootfs/usr/local/bin/runsc
+
+ cp ./bin/containerd-shim-runsc-v1 /rootfs/usr/local/bin/containerd-shim-runsc-v1
+ chmod +x /rootfs/usr/local/bin/containerd-shim-runsc-v1
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
+ - from: /pkg/gvisor.part
+ to: /rootfs/etc/cri/conf.d/gvisor.part
diff --git a/musl/pkg.yaml b/musl/pkg.yaml
new file mode 100644
index 00000000..15ba25d9
--- /dev/null
+++ b/musl/pkg.yaml
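Review bot: The two `go build` invocations in the `build` step run against an extracted source tarball with nothing constraining module resolution, and the CA-certificate symlink set up in `prepare` suggests network access during the build is expected; without `-mod=readonly` a build could silently rewrite `go.mod`, so I would add `GOFLAGS: -mod=readonly` under `env:` next to `GOPATH` (or `-mod=vendor` if the tree is vendored — I cannot tell from here). Adding `-trimpath` to both `go build` lines would also keep the `${GOPATH}` build path out of the shipped `runsc` and shim binaries, which helps reproducible, comparable builds. The source pin itself is good: a fixed commit with both `sha256` and `sha512` recorded. The comment `# sync with commit in build` does not say what must be kept in sync; presumably the pinned commit and `metadata.version` in `manifest.yaml`, in which case `# pinned gvisor commit; keep metadata.version in manifest.yaml in step with it` would be clearer.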
@@ -0,0 +1,41 @@
+name: musl
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+ - image: "{{ .TOOLS_IMAGE }}"
+steps:
+ - sources:
+ - url: https://www.musl-libc.org/releases/musl-1.2.2.tar.gz
+ destination: musl.tar.gz
+ sha256: 9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd
+ sha512: 5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82
+ prepare:
+ - |
+ export PATH=${TOOLCHAIN}/cross/bin:${PATH}
+
+ tar -xzf musl.tar.gz --strip-components=1
+
+ mkdir /bin
+ ln -sv /toolchain/bin/bash /bin/sh
+
+ mkdir build
+ cd build
+
+ # From https://www.musl-libc.org/doc/1.0.0/manual.html:
+ # $(syslibdir), $(includedir), and $(libdir) refer to the paths
+ # chosen at build time (by default, /lib, $(prefix)/include, and
+ # $(prefix)/lib, respectively)
+ ../configure \
+ --prefix=/usr
+ build:
+ - |
+ cd build
+ make -j $(nproc)
+ install:
+ - |
+ cd build
+ make DESTDIR=/rootfs install
+finalize:
+ - from: /rootfs
+ to: /
+