Add nix-wrap, which enables isolated environment in clusters

2023-09-01 19:05:41 +02:00 · 2023-09-01 19:05:41 +02:00 · 8597bb97ab
commit 8597bb97ab
parent 7d4c9a57c6
2 changed files with 91 additions and 0 deletions
--- a/bsc/nix-wrap/default.nix
+++ b/bsc/nix-wrap/default.nix
@ -0,0 +1,89 @@
+{
+  stdenv
+, bashInteractive
+, busybox
+, nix
+, writeText
+, pkgsStatic
+}:
+
+let
+  bubblewrap = pkgsStatic.bubblewrap;
+  nixPrefix = "/gpfs/projects/bsc15/nix";
+  nixConfDir = "share";
+  nix_wrap_sh = writeText "nix-wrap.sh" ''
+    #!/usr/bin/env bash
+    #
+    busybox_bin="${nixPrefix}${busybox}/bin"
+    bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"
+
+    bashInteractive_bin="${bashInteractive}/bin"
+    nix_bin="${nix}/bin"
+    
+    rootdir=$(mktemp -d)
+    tmpdir=$(mktemp -d)
+    
+    args=(
+      --bind "$rootdir/" /
+      --bind "${nixPrefix}/nix" /nix
+      --bind "$busybox_bin" /bin
+      --dev-bind /dev /dev
+      --bind /boot /boot
+      --proc /proc
+      --bind /run /run
+      --bind /sys /sys
+      --bind "$tmpdir" /tmp
+      --bind "$PWD" "$PWD"
+      --bind /etc/host.conf /etc/host.conf
+      --bind /etc/hosts /etc/hosts
+      --bind /etc/networks /etc/networks
+      --bind /etc/passwd /etc/passwd
+      --bind /etc/group /etc/group
+      --bind /etc/nsswitch.conf /etc/nsswitch.conf
+      --bind /etc/resolv.conf /etc/resolv.conf
+    )
+    
+    export PATH="/bin:$bashInteractive_bin"
+    export PATH="$nix_bin:$PATH"
+    export TMPDIR=/tmp
+    export PS1="[nix-wrap] \u@\h \W $ "
+    export NIX_CONF_DIR=@out@/share
+
+    if [ $# -eq 0 ]; then
+      "$bubblewrap_bin/bwrap" ''${args[@]} /bin/sh
+    else
+      "$bubblewrap_bin/bwrap" ''${args[@]} "''${@}"
+    fi
+    
+  '';
+  nix_conf = writeText "nix.conf" ''
+    experimental-features = nix-command flakes
+    sandbox-fallback = false
+  '';
+
+in
+
+stdenv.mkDerivation rec {
+  version = "0.0.1";
+  name = "nix-wrap";
+  buildInputs = [
+    bashInteractive
+    busybox
+    nix
+  ];
+  src = null;
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+  NIX_DEBUG = 0;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    substituteAll ${nix_wrap_sh} $out/bin/nix-wrap
+    chmod +x $out/bin/nix-wrap
+
+    mkdir -p $out/share
+    cp ${nix_conf} $out/share/nix.conf
+  '';
+}
+
--- a/overlay.nix
+++ b/overlay.nix
@ -340,6 +340,8 @@ let
    cpuid = callPackage ./bsc/cpuid/default.nix { };
    bench6 = callPackage ./bsc/bench6/default.nix { };

+    nix-wrap = callPackage ./bsc/nix-wrap/default.nix { };
+
    # =================================================================
    #  Garlic benchmark
    # =================================================================