Merge pull request #49 from matter-labs/repro_func

fix: make containers reproducible again
This commit is contained in:
Harald Hoyer 2024-07-02 11:22:56 +02:00 committed by GitHub
commit 3897de057d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -8,11 +8,13 @@ final: _:
( (
{ lib { lib
, pkgs , pkgs
, writeClosure
, coreutils , coreutils
, curl , curl
, nixsgx , nixsgx
, openssl , openssl
, packages , packages
, rsync
, entrypoint , entrypoint
, name , name
, tag ? null , tag ? null
@ -191,6 +193,16 @@ final: _:
appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; }; appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; };
addGramineManifest = fromImage: addGramineManifest = fromImage:
let
mkNixStore = contents:
let
contentsList = if builtins.isList contents then contents else [ contents ];
in
''
${rsync}/bin/rsync -ar --files-from=${writeClosure contentsList} / ./
'';
in
pkgs.dockerTools.buildLayeredImage pkgs.dockerTools.buildLayeredImage
{ {
name = "${name}-manifest-${appName}"; name = "${name}-manifest-${appName}";
@ -200,16 +212,22 @@ final: _:
includeStorePaths = false; includeStorePaths = false;
enableFakechroot = true; enableFakechroot = true;
fakeRootCommands = '' extraCommands = (mkNixStore contents) + ''
( (
set -e set -e
cd ${appDir} CHROOT=$(pwd)
HOME=${appDir} ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest; appDir="${appDir}"
cd "''${appDir#/}"
HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
${nixsgx.gramine}/bin/gramine-sgx-sign \ ${nixsgx.gramine}/bin/gramine-sgx-sign \
--chroot "$CHROOT" \
--manifest ${appName}.manifest \ --manifest ${appName}.manifest \
--output ${appName}.manifest.sgx \ --output ${appName}.manifest.sgx \
--key ${keyfile}; --key ${keyfile};
eval "${extraChrootCommands}" eval "${extraChrootCommands}"
cd "$CHROOT"
chmod u+wx -R nix
rm -fr nix
) )
''; '';
}; };
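Review bot: The new extraCommands in the `@ -200,16 +212,22` hunk depend on three non-obvious details that are left uncommented and that a later maintainer is likely to "simplify" away: `-ar` in mkNixStore (previous hunk, `@ -191,6 +193,16`) is deliberate because with `--files-from` rsync's `-a` does not imply `-r`; the `''${appDir#/}` forms are Nix escapes that hand the shell `${appDir#/}` so the path is relative to `$CHROOT`; and `chmod u+wx -R nix` must precede `rm -fr nix` because the rsync'd store paths are read-only. I would add above `CHROOT=$(pwd)` the comment `# paths below are relative to the layer root so gramine-sgx-sign --chroot measures the copied closure, which is removed again afterwards` and a one-line `# -a does not imply -r under --files-from` beside the rsync call. One thing this page does not let me confirm: if `appDir` can ever resolve to a path under `/nix/store`, the `.manifest` and `.manifest.sgx` written into it would be deleted by `rm -fr nix` before the layer is captured, so a check that `$appDir` lies outside `nix/` would be worthwhile if that is possible. The `addGramineManifest = fromImage:` binding this hunk edits starts in the previous hunk.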