fix: make containers reproducible again

by providing the `--chroot` argument to `gramine-sgx-sign` and with
a carefully assembled `nix` directory, containing no build root artifacts.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2024-07-02 11:13:10 +02:00
parent 07ae787761
commit 4a6aff1d2e
Signed by: harald
GPG key ID: F519A1143B3FBE32


@ -8,11 +8,13 @@ final: _:
( (
{ lib { lib
, pkgs , pkgs
, writeClosure
, coreutils , coreutils
, curl , curl
, nixsgx , nixsgx
, openssl , openssl
, packages , packages
, rsync
, entrypoint , entrypoint
, name , name
, tag ? null , tag ? null
@ -191,6 +193,16 @@ final: _:
appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; }; appImage = pkgs.dockerTools.buildLayeredImage { name = "${name}-app"; inherit contents; };
addGramineManifest = fromImage: addGramineManifest = fromImage:
let
mkNixStore = contents:
let
contentsList = if builtins.isList contents then contents else [ contents ];
in
''
${rsync}/bin/rsync -ar --files-from=${writeClosure contentsList} / ./
'';
in
pkgs.dockerTools.buildLayeredImage pkgs.dockerTools.buildLayeredImage
{ {
name = "${name}-manifest-${appName}"; name = "${name}-manifest-${appName}";
@ -200,16 +212,22 @@ final: _:
includeStorePaths = false; includeStorePaths = false;
enableFakechroot = true; enableFakechroot = true;
fakeRootCommands = '' extraCommands = (mkNixStore contents) + ''
( (
set -e set -e
cd ${appDir} CHROOT=$(pwd)
HOME=${appDir} ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest; appDir="${appDir}"
cd "''${appDir#/}"
HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
${nixsgx.gramine}/bin/gramine-sgx-sign \ ${nixsgx.gramine}/bin/gramine-sgx-sign \
--chroot "$CHROOT" \
--manifest ${appName}.manifest \ --manifest ${appName}.manifest \
--output ${appName}.manifest.sgx \ --output ${appName}.manifest.sgx \
--key ${keyfile}; --key ${keyfile};
eval "${extraChrootCommands}" eval "${extraChrootCommands}"
cd "$CHROOT"
chmod u+wx -R nix
rm -fr nix
) )
''; '';
}; };
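Review bot: `HOME="''${appDir#/}"` now sets HOME to a path relative to the cwd, which at that point is already `$CHROOT/<appDir#/>`, so anything gramine-manifest or its Python tooling resolves or writes via `$HOME` would land under `…/<appDir>/<appDir>` rather than the app directory; the old code used an absolute `${appDir}`. If HOME is only there to keep the tool from touching the build user's home, `HOME="$CHROOT/''${appDir#/}"` keeps it absolute and inside the chroot. With `fakeRootCommands` replaced by `extraCommands`, the surviving `enableFakechroot = true;` looks unused unless something outside the hunk still relies on it — worth confirming. The sign-then-delete dance around `nix` deserves a comment, e.g. `# gramine-sgx-sign measures trusted files relative to $CHROOT, so the store closure is staged under ./nix for signing only and removed before the layer is built; the runtime store comes from the image layers, not from this copy.` The enclosing `addGramineManifest` expression begins outside this hunk.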