diff --git a/.github/actions/release_artifacts/action.yml b/.github/actions/release_artifacts/action.yml
index 779a4ebadf7..ca449517614 100644
--- a/.github/actions/release_artifacts/action.yml
+++ b/.github/actions/release_artifacts/action.yml
@@ -30,12 +30,12 @@ runs:
 CONTAINER_REGISTRY: ${{ inputs.container_registry }}
 SET: base
 run: |
- coordinatorImg=$(nix run ".#${SET}.containers.push-coordinator" -- "${CONTAINER_REGISTRY}/contrast/coordinator")
- nodeInstallerKataImg=$(nix run ".#${SET}.containers.push-node-installer-kata" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
- nodeInstallerKataGPUImg=$(nix run ".#${SET}.containers.push-node-installer-kata-gpu" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
- initializerImg=$(nix run ".#${SET}.containers.push-initializer" -- "${CONTAINER_REGISTRY}/contrast/initializer")
- serviceMeshImg=$(nix run ".#${SET}.containers.push-service-mesh-proxy" -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
- debugShellImg=$(nix run ".#${SET}.containers.push-debugshell" -- "${CONTAINER_REGISTRY}/contrast/debugshell")
+ coordinatorImg=$(nix run ".#${SET}.scripts.containers.push-coordinator" -- "${CONTAINER_REGISTRY}/contrast/coordinator")
+ nodeInstallerKataImg=$(nix run ".#${SET}.scripts.containers.push-node-installer-kata" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
+ nodeInstallerKataGPUImg=$(nix run ".#${SET}.scripts.containers.push-node-installer-kata-gpu" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
+ initializerImg=$(nix run ".#${SET}.scripts.containers.push-initializer" -- "${CONTAINER_REGISTRY}/contrast/initializer")
+ serviceMeshImg=$(nix run ".#${SET}.scripts.containers.push-service-mesh-proxy" -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
+ debugShellImg=$(nix run ".#${SET}.scripts.containers.push-debugshell" -- "${CONTAINER_REGISTRY}/contrast/debugshell")
 echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_OUTPUT"
 echo "nodeInstallerMsftImg=$nodeInstallerMsftImg" | tee -a "$GITHUB_OUTPUT"
 echo "nodeInstallerKataImg=$nodeInstallerKataImg" | tee -a "$GITHUB_OUTPUT"
diff --git a/.github/actions/setup_nix/action.yml b/.github/actions/setup_nix/action.yml
index f97a5f2915c..c197cadca15 100644
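Review bot: `nodeInstallerMsftImg` is written to `$GITHUB_OUTPUT` on the second `echo` line, but nothing in this `run:` block assigns it — the block starts inside the hunk and every assignment visible here targets a different variable — so the output is emitted with an empty value, and a consumer that interpolates it gets an empty image reference instead of a failure (the composite `shell: bash` default does not, as far as I can tell, enable `-u`). Unless it is set by a line later in the block (which would still come after the echo), drop the line, or fail loudly with `: "${nodeInstallerMsftImg:?nodeInstallerMsftImg is not set}"` before it. The `run:` block continues past the hunk.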
--- a/.github/actions/setup_nix/action.yml
+++ b/.github/actions/setup_nix/action.yml
@@ -13,6 +13,7 @@ runs:
 using: "composite"
 steps:
 - name: Allow unrestricted user namespaces
+ if: runner.os == 'Linux'
 # Ubuntu 24.04 ships strict apparmor defaults, so we have to disable them to be able to call
 # unshare in the Nix sansbox without beeing root.
 shell: bash
@@ -20,6 +21,7 @@ runs:
 sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
 sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
 - name: use btrfs for nix builds
+ if: runner.os == 'Linux'
 shell: bash
 run: |
 echo "Setting up btrfs /nix volume..."
@@ -33,7 +35,7 @@ runs:
 - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
 with:
 github_access_token: ${{ inputs.githubToken }}
- extra_nix_config: "build-dir = /nix/bld"
+ extra_nix_config: ${{ runner.os == 'Linux' && 'build-dir = /nix/bld' || '' }}
 - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
 with:
 name: edgelesssys
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index fdece4cb099..76894227d74 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -158,3 +158,26 @@ jobs:
 - name: Build CLI
 run: |
 nix build ".#${SET}.contrast.cli"
+
+ darwin-cli-build:
+ needs: cli-build
+ runs-on: macos-latest
+ timeout-minutes: 60
+ permissions:
+ contents: read
+ env:
+ SET: base
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: ./.github/actions/setup_nix
+ with:
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ - name: Build darwin formatter
+ run: |
+ nix build .#formatter.aarch64-darwin
+ - name: Build darwin CLI
+ run: |
+ nix build ".#${SET}.contrast.cli"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index bbe36b599a6..94de0f6882a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
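Review bot: The `Allow unrestricted user namespaces` step is now correctly skipped on macOS, but its comment still does not say that the two `sysctl` writes switch off a kernel hardening control (the AppArmor restriction on unprivileged user namespaces) for the entire runner, which is only acceptable because hosted runners are ephemeral; I would rewrite the comment as `# unshare in the Nix sandbox without being root. This relaxes host hardening for the whole runner; acceptable on an ephemeral hosted runner, do not copy onto persistent build machines.` (which also fixes "sansbox"/"beeing"). `sysctl --ignore` additionally makes a missing key a silent no-op, so on a kernel without these knobs the step passes without changing anything — worth one more sentence in the same comment.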
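Review bot: `nix build .#formatter.aarch64-darwin` hard-codes the system while `runs-on: macos-latest` is a floating label, so the job silently changes meaning or fails the day GitHub points the label at a different architecture; pin a versioned macOS runner label or derive the system from `runner.arch`. The job also hands `CACHIX_AUTH_TOKEN` to setup_nix; if this workflow can run on pull requests, confirm the secret is only exposed where a cache push is intended, because a push-capable token reachable from untrusted PR code lets that code populate the shared binary cache. `permissions: contents: read` and `persist-credentials: false` are the right defaults here.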
@@ -49,6 +49,9 @@ If you are struggling with your git history during the review process, please as
 ### Development setup
+> [!NOTE]
+> If you are developing on macOS/Darwin, you have to first follow the **experimental** [developer documentation for macOS](./dev-docs/macos.md), and then proceed with the rest of the setup.
+
 1. [Install Nix](https://nixos.org/download/#multi-user-installation-recommended) Enable the experimental features `nix-command` and `flakes` in your Nix configuration.
diff --git a/dev-docs/macos.md b/dev-docs/macos.md
new file mode 100644
index 00000000000..29ca8b4a282
--- /dev/null
+++ b/dev-docs/macos.md
@@ -0,0 +1,70 @@ +# Development setup for macOS (experimental) + +Contrast uses `just` and Nix as its build system. Several packages Contrast needs to build, such as container images (`nix build .#base.containers.*`), need to be built for `x86_64-linux` so when building from a different architecture such as `aarch64-darwin`, those builds need to be delegated to a builder that can build for `x86_64-linux`. + +## Canonical setup + +1. Install Nix. You have several options such the [Lix installer](https://lix.systems/install/) (recommended), the [Determinate Nix installer](https://docs.determinate.systems/) or by following the [official instructions](https://nixos.org/download/). It's recommended to use one of the automated installers as they also make the uninstall on macOS easy. + +2. Setup a `x86_64-linux` builder. There are 2 options: + + - setup a remote builder by following Nix's [distributed builds tutorial](https://nix.dev/tutorials/nixos/distributed-builds-setup.html). If you are working for Edgeless Systems, you can use one of our office machines by following the instructions in https://github.com/edgelesssys/nix-remote-builders. + - setup a local VM-based builder that emulates x86, by installing [nix-rosetta-builder](https://github.com/cpick/nix-rosetta-builder). Not that the performance of this option might not be great but it's helpful if you need to work offline. + +It's recommended to setup both. Nix will automatically offload packages that need to be built for `x86_64-linux` to any builder available for that architecture. So if one of the remote machines isn't available, builds will use the VM-based builder. + +## Alternative setup using a Linux VM + +Alternatively you can setup a VM with Nix which you can use to build contrast. Since this option will be also using emulation, the performance might not be great. + +1. 
Follow the instructions on [nixos-lima](https://github.com/nixos-lima/nixos-lima) and [nixos-lima-config-sample](https://github.com/nixos-lima/nixos-lima-config-sample) to create a `x86_64-linux` VM. + +2. To avoid having to authenticate twice either with your container registry or kubectl, you can forward the local credentials to the VM by adding the following in the VM configuration: + + ```yaml + - location: "~/.docker" + mountPoint: "/home/lima.linux/.docker" + writable: true + 9p: + cache: "mmap" + - location: "~/.kube" + mountPoint: "/home/lima.linux/.kube" + writable: true + ``` + +3. Forward contrast project path as well: + + ```yaml + - location: "~/contrast" + writable: true + 9p: + cache: "mmap" + ``` + +4. Add the lima user to trusted-users by adding the following in the VM's NixOS configuration (`configuration.nix`): + + ```nix + nix.settings.trusted-users = [ "root" "@wheel" ]; + ``` + +5. (Optional) You might have to add the hosts you are deploying to in the VM's NixOS configuration: + + ```nix + networking.hosts = { + "XXX.YYY.ZZZ.XXX" = [ "" ]; + }; + ``` + +6. Start a `x86_64` VM with: + + ```bash + limactl start --yes --set '.user.name = "lima"' nixos.yaml --arch=x86_64 + ``` + +7. Connect to the VM with: + + ``` + cd ~/contrast + limactl shell nixos + nix develop .# + ``` diff --git a/flake.nix b/flake.nix index ef498a03f83..3a09ed3e7bf 100644 --- a/flake.nix +++ b/flake.nix @@ -45,9 +45,9 @@ setsFromDirectory = dir: builtins.listToAttrs ( - map (file: { + map (file: rec { name = builtins.substring 0 (builtins.stringLength file - 4) (baseNameOf file); - value = mkSet (defaultOverlays ++ [ (import (dir + "/${file}")) ]); + value = mkSet ((defaultOverlays name) ++ [ (import (dir + "/${file}")) ]); }) (builtins.attrNames (builtins.readDir dir)) ); 
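Review bot: `rec { name = …; value = mkSet ((defaultOverlays name) ++ …); }` turns the whole attrset recursive only so that `value` can read `name`; the usual nixpkgs idiom is a `let`, which keeps the set plain and cannot introduce accidental self-reference when more attributes are added later: `map (file: let name = builtins.substring 0 (builtins.stringLength file - 4) (baseNameOf file); in { inherit name; value = mkSet ((defaultOverlays name) ++ [ (import (dir + "/${file}")) ]); })`. Since `defaultOverlays` now takes the set name, a one-line comment above the call saying why (the runtime package set is looked up by that name) would spare the next reader a trip to the definition.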
@@ -65,10 +65,12 @@ ]; }; - defaultOverlays = [ + defaultOverlays = set: [ (final: _prev: { fenix = self.inputs.fenix.packages.${final.stdenv.hostPlatform.system}; }) + (_final: _prev: { runtimePkgs = self.legacyPackages.x86_64-linux.${set}; }) (import ./overlays/nixpkgs.nix) (import ./overlays/contrast.nix) + (import ./overlays/runtimepkgs.nix) ]; sets = setsFromDirectory ./overlays/sets; diff --git a/justfile b/justfile index 072eb67426b..ff226c5ed75 100644 --- a/justfile +++ b/justfile @@ -13,7 +13,7 @@ push target set=default_set: set -euo pipefail mkdir -p {{ workspace_dir }} echo "Pushing container $container_registry/contrast/{{ target }}" - nix run -L .#{{ set }}.containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}" "{{ workspace_dir }}/just.containerlookup" "{{ workspace_dir }}/layers-cache.json" + nix run -L .#{{ set }}.scripts.containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}" "{{ workspace_dir }}/just.containerlookup" "{{ workspace_dir }}/layers-cache.json" coordinator: (push "coordinator") @@ -34,7 +34,7 @@ k8s-log-collector: (push "k8s-log-collector") containerd-reproducer set=default_set: #!/usr/bin/env bash set -euo pipefail - read tag digest < <(nix run -L .#{{ set }}.scripts.push-containerd-reproducer -- $container_registry | tail -n 1) + read tag digest < <(nix run -L .#{{ set }}.scripts.containers.push-containerd-reproducer -- $container_registry | tail -n 1) echo "ghcr.io/edgelesssys/contrast/containerd-reproducer:latest-tag=$container_registry/contrast/containerd-reproducer:$tag" >> {{ workspace_dir }}/just.containerlookup echo "ghcr.io/edgelesssys/contrast/containerd-reproducer:latest-digest=$container_registry/contrast/containerd-reproducer@$digest" >> {{ workspace_dir }}/just.containerlookup diff --git a/overlays/runtimepkgs.nix b/overlays/runtimepkgs.nix new file mode 100644 index 00000000000..e0b9c720b8b --- /dev/null +++ b/overlays/runtimepkgs.nix 
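Review bot: `runtimePkgs = self.legacyPackages.x86_64-linux.${set}` pins the runtime package set to x86_64-linux for every host system and the overlay that consumes it is added unconditionally, so, if I read it right, an aarch64-linux host would also take its runtime artifacts from an x86_64-linux build; the hunk carries no comment saying this is intended. I would add above the line: `# Runtime artifacts (kata agent, kernel, images, launch digests) are always the x86_64-linux build; overlays/runtimepkgs.nix substitutes them on other host systems so developers get the same measured artifacts.` It is also worth stating next to it that on such hosts `nix build` needs an x86_64-linux builder or a cache hit, which is otherwise only discoverable from dev-docs/macos.md.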
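Review bot: `containerd-reproducer` now runs `.#{{ set }}.scripts.containers.push-containerd-reproducer`, but the new `packages/by-name/scripts/containers/package.nix` only defines `push-node-installer-kata`, `push-node-installer-kata-gpu` and `push-<name>` for the entries of `contrastPkgs.containers`, and `containerd-reproducer` is not among the images in `packages/containers.nix`; unless it is defined somewhere outside this diff, the recipe will fail with a missing-attribute error. While touching the line, pass the registry quoted like the `push` recipe above does: `read tag digest < <(nix run -L .#{{ set }}.scripts.containers.push-containerd-reproducer -- "$container_registry" | tail -n 1)`.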
@@ -0,0 +1,71 @@ +# Copyright 2026 Edgeless Systems GmbH +# SPDX-License-Identifier: BUSL-1.1 + +final: prev: + +if prev.stdenv.hostPlatform.system == "x86_64-linux" then + { } +else + { + contrastPkgs = prev.contrastPkgs.overrideScope ( + _cFinal: cPrev: { + # genpolicy needs to be built natively since macOS doesn't support static binaries. + contrastPkgsStatic = final.runtimePkgs.contrastPkgsStatic.overrideScope ( + _: _: { + kata = final.runtimePkgs.contrastPkgsStatic.kata.overrideScope ( + _: _: { inherit (cPrev.kata) genpolicy; } + ); + } + ); + + kata = cPrev.kata.overrideScope ( + _: _: { + inherit (final.runtimePkgs.kata) + contrast-node-installer-image + agent + image + kernel-uvm + calculateSnpLaunchDigest + calculateTdxLaunchDigests + ; + } + ); + + contrast = cPrev.contrast.overrideScope ( + _: _: { + inherit (final.runtimePkgs.contrast) + coordinator + initializer + node-installer-image + nodeinstaller + ; + } + ); + + inherit (final.runtimePkgs) + debugshell + service-mesh + k8s-log-collector + boot-image + boot-microvm + qemu-cc + pause-bundle + OVMF-TDX + calculateSnpIDBlock + ; + + scripts = cPrev.scripts.overrideScope ( + _: _: { + inherit (final.runtimePkgs.scripts) + cleanup-bare-metal + cleanup-images + cleanup-containerd + nix-gc + ; + } + ); + + inherit (final.runtimePkgs) containers; + } + ); + } diff --git a/packages/by-name/kata/genpolicy/package.nix b/packages/by-name/kata/genpolicy/package.nix index ac2eff4adbc..a9757ab0b77 100644 --- a/packages/by-name/kata/genpolicy/package.nix +++ b/packages/by-name/kata/genpolicy/package.nix @@ -33,6 +33,8 @@ rustPlatform.buildRustPackage rec { }; env.OPENSSL_NO_VENDOR = 1; + env.OPENSSL_DIR = "${openssl.dev}"; + env.OPENSSL_LIB_DIR = "${lib.getLib openssl}/lib"; nativeBuildInputs = [ cmake diff --git a/packages/by-name/scripts/containers/package.nix b/packages/by-name/scripts/containers/package.nix new file mode 100644 index 00000000000..7be0c3f01be --- /dev/null 
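Review bot: On non-x86_64-linux hosts this overlay keeps `genpolicy` as a native build while every neighbouring artifact (kata `agent`, `kernel-uvm`, `calculateSnpLaunchDigest`, `calculateTdxLaunchDigests`, coordinator, initializer) is taken from the x86_64-linux build, yet nothing records the assumption that the native genpolicy produces byte-identical policies to the Linux one — and a divergence would presumably surface as an attestation mismatch at deploy time rather than as a build error. I would extend the existing comment: `# NOTE: genpolicy output must be byte-identical across host platforms; verify generated policies against the x86_64-linux build before trusting a macOS-generated one.` and, if feasible, add a CI comparison of a policy generated on both systems. The same comment should also spell out that the static scope deliberately takes the non-static `cPrev.kata.genpolicy`, because on first read that line looks like a mistake.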
+++ b/packages/by-name/scripts/containers/package.nix @@ -0,0 +1,41 @@ +# Copyright 2026 Edgeless Systems GmbH +# SPDX-License-Identifier: BUSL-1.1 + +{ + lib, + pkgs, + contrastPkgs, + writeShellApplication, +}: + +let + pushOCIDir = + name: dir: tag: + writeShellApplication { + name = "push-${name}"; + runtimeInputs = with pkgs; [ crane ]; + text = '' + imageName="$1" + containerlookup="''${2:-/dev/null}" + layersCache="''${3:-$(mktemp)}" + hash=$(crane push "${dir}" "$imageName:${tag}") + printf "ghcr.io/edgelesssys/contrast/%s:latest=%s\n" "${name}" "$hash" >> "$containerlookup" + if [ ! -f "$layersCache" ]; then + echo -n "[]" > "$layersCache" + fi + jq -s 'add' "$layersCache" "${dir}/layers-cache.json" > tmp.json && mv tmp.json "$layersCache" + echo "$hash" + ''; + }; +in +{ + push-node-installer-kata = + pushOCIDir "node-installer-kata" contrastPkgs.contrast.node-installer-image + "v${contrastPkgs.contrast.nodeinstaller.version}"; + push-node-installer-kata-gpu = + pushOCIDir "node-installer-kata-gpu" contrastPkgs.contrast.node-installer-image.gpu + "v${contrastPkgs.contrast.nodeinstaller.version}"; +} +// (lib.concatMapAttrs (name: container: { + "push-${name}" = pushOCIDir name container.outPath container.meta.tag; +}) contrastPkgs.containers) diff --git a/packages/containers.nix b/packages/containers.nix index ae78393c795..02ca6b407cc 100644 --- a/packages/containers.nix +++ b/packages/containers.nix 
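Review bot: `pushOCIDir` calls `jq` but lists only `crane` in `runtimeInputs`, so `jq` resolves from whatever PATH the caller happens to have (writeShellApplication prepends its inputs rather than replacing PATH, as far as I recall); make the closure complete with `runtimeInputs = with pkgs; [ crane jq ];`. The merge step also writes `tmp.json` into the current working directory and then `mv`s it over the cache, which clobbers an existing `tmp.json` and races between concurrent `just push` invocations that share a workspace; use `tmp=$(mktemp "$(dirname "$layersCache")/layers-cache.XXXXXX")` and `jq -s 'add' "$layersCache" "${dir}/layers-cache.json" > "$tmp" && mv "$tmp" "$layersCache"` instead. Both issues are inherited from the old helper in containers.nix, but this file is now its home.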
@@ -5,204 +5,170 @@ lib, pkgs, contrastPkgs, - writeShellApplication, dockerTools, }: -let - pushOCIDir = - name: dir: tag: - writeShellApplication { - name = "push-${name}"; - runtimeInputs = with pkgs; [ crane ]; - text = '' - imageName="$1" - containerlookup="''${2:-/dev/null}" - layersCache="''${3:-$(mktemp)}" - hash=$(crane push "${dir}" "$imageName:${tag}") - printf "ghcr.io/edgelesssys/contrast/%s:latest=%s\n" "${name}" "$hash" >> "$containerlookup" - if [ ! -f "$layersCache" ]; then - echo -n "[]" > "$layersCache" - fi - jq -s 'add' "$layersCache" "${dir}/layers-cache.json" > tmp.json && mv tmp.json "$layersCache" - echo "$hash" - ''; - }; - - containers = { - coordinator = contrastPkgs.buildOciImage { - name = "coordinator"; - tag = "v${contrastPkgs.contrast.coordinator.version}"; - copyToRoot = - (with pkgs; [ - busybox - e2fsprogs # mkfs.ext4 - libuuid # blkid - iptables-legacy - ]) - ++ (with dockerTools; [ caCertificates ]); - config = { - Cmd = [ "${contrastPkgs.contrast.coordinator}/bin/coordinator" ]; - Env = [ - "PATH=/bin" # Explicitly setting this prevents containerd from setting a default PATH. - "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. - ]; - }; - }; - - initializer = contrastPkgs.buildOciImage { - name = "initializer"; - tag = "v${contrastPkgs.contrast.initializer.version}"; - copyToRoot = - (with pkgs; [ - busybox - cryptsetup - e2fsprogs # mkfs.ext4 - libuuid # blkid - iptables-legacy - ]) - ++ (with dockerTools; [ caCertificates ]); - config = { - # Use Entrypoint so we can append arguments. - Entrypoint = [ "${contrastPkgs.contrast.initializer}/bin/initializer" ]; - Env = [ - "PATH=/bin" # Explicitly setting this prevents containerd from setting a default PATH. - "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. 
- ]; - }; - }; - - openssl = contrastPkgs.buildOciImage { - name = "openssl"; - tag = "v${contrastPkgs.contrast.cli.version}"; - copyToRoot = with pkgs; [ +{ + coordinator = contrastPkgs.buildOciImage { + name = "coordinator"; + tag = "v${contrastPkgs.contrast.coordinator.version}"; + copyToRoot = + (with pkgs; [ busybox - openssl - curlMinimal - ]; - config = { - Cmd = [ "bash" ]; - Env = [ "PATH=/bin" ]; # This is only here for policy generation. - }; - }; - - port-forwarder = contrastPkgs.buildOciImage { - name = "port-forwarder"; - tag = "v${contrastPkgs.contrast.cli.version}"; - copyToRoot = with pkgs; [ - bash - socat + e2fsprogs # mkfs.ext4 + libuuid # blkid + iptables-legacy + ]) + ++ (with dockerTools; [ caCertificates ]); + config = { + Cmd = [ "${contrastPkgs.contrast.coordinator}/bin/coordinator" ]; + Env = [ + "PATH=/bin" # Explicitly setting this prevents containerd from setting a default PATH. + "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. ]; }; + }; - service-mesh-proxy = contrastPkgs.buildOciImage { - name = "service-mesh-proxy"; - tag = "v${contrastPkgs.service-mesh.version}"; - copyToRoot = with pkgs; [ + initializer = contrastPkgs.buildOciImage { + name = "initializer"; + tag = "v${contrastPkgs.contrast.initializer.version}"; + copyToRoot = + (with pkgs; [ busybox - envoy-bin + cryptsetup + e2fsprogs # mkfs.ext4 + libuuid # blkid iptables-legacy + ]) + ++ (with dockerTools; [ caCertificates ]); + config = { + # Use Entrypoint so we can append arguments. + Entrypoint = [ "${contrastPkgs.contrast.initializer}/bin/initializer" ]; + Env = [ + "PATH=/bin" # Explicitly setting this prevents containerd from setting a default PATH. + "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. ]; - config = { - # Use Entrypoint so we can append arguments. 
- Entrypoint = [ "${contrastPkgs.service-mesh}/bin/service-mesh" ]; - Env = [ - "PATH=/bin" - "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. - ]; - }; }; + }; - dmesg = contrastPkgs.buildOciImage { - name = "dmesg"; - tag = "v0.0.1"; - copyToRoot = with pkgs; [ - busybox - libuuid - ]; - config = { - Cmd = [ - "sh" - "-c" - "mknod /dev/kmsg c 1 11 && dmesg --follow --color=always --nopager" - ]; - Env = [ "PATH=/bin" ]; # This is only here for policy generation. - }; + openssl = contrastPkgs.buildOciImage { + name = "openssl"; + tag = "v${contrastPkgs.contrast.cli.version}"; + copyToRoot = with pkgs; [ + busybox + openssl + curlMinimal + ]; + config = { + Cmd = [ "bash" ]; + Env = [ "PATH=/bin" ]; # This is only here for policy generation. }; + }; + + port-forwarder = contrastPkgs.buildOciImage { + name = "port-forwarder"; + tag = "v${contrastPkgs.contrast.cli.version}"; + copyToRoot = with pkgs; [ + bash + socat + ]; + }; - cleanup-bare-metal = contrastPkgs.buildOciImage { - name = "cleanup-bare-metal"; - tag = "latest"; - copyToRoot = - (with pkgs; [ - cacert - busybox - ]) - ++ (with contrastPkgs.scripts; [ - cleanup-bare-metal - cleanup-namespaces - cleanup-containerd - nix-gc - ]); - config = { - Cmd = [ "cleanup-bare-metal" ]; - }; + service-mesh-proxy = contrastPkgs.buildOciImage { + name = "service-mesh-proxy"; + tag = "v${contrastPkgs.service-mesh.version}"; + copyToRoot = with pkgs; [ + busybox + envoy-bin + iptables-legacy + ]; + config = { + # Use Entrypoint so we can append arguments. + Entrypoint = [ "${contrastPkgs.service-mesh}/bin/service-mesh" ]; + Env = [ + "PATH=/bin" + "XTABLES_LOCKFILE=/dev/shm/xtables.lock" # Tells iptables where to create the lock file, since the default path does not exist in our image. 
+ ]; }; + }; - memdump = contrastPkgs.buildOciImage { - name = "memdump"; - tag = "latest"; - copyToRoot = with pkgs; [ - busybox - socat - gdb - jq + dmesg = contrastPkgs.buildOciImage { + name = "dmesg"; + tag = "v0.0.1"; + copyToRoot = with pkgs; [ + busybox + libuuid + ]; + config = { + Cmd = [ + "sh" + "-c" + "mknod /dev/kmsg c 1 11 && dmesg --follow --color=always --nopager" ]; + Env = [ "PATH=/bin" ]; # This is only here for policy generation. }; + }; - debugshell = contrastPkgs.buildOciImage { - name = "debugshell"; - tag = contrastPkgs.contrast.contrast.version; - copyToRoot = with pkgs; [ + cleanup-bare-metal = contrastPkgs.buildOciImage { + name = "cleanup-bare-metal"; + tag = "latest"; + copyToRoot = + (with pkgs; [ + cacert busybox - bash - coreutils - contrastPkgs.debugshell - openssh - contrastPkgs.tdx-tools - ]; - config = { - Entrypoint = [ "/bin/debugshell" ]; - Cmd = [ "journalctl --no-tail --no-pager -f" ]; - }; + ]) + ++ (with contrastPkgs.scripts; [ + cleanup-bare-metal + cleanup-namespaces + cleanup-containerd + nix-gc + ]); + config = { + Cmd = [ "cleanup-bare-metal" ]; }; + }; - k8s-log-collector = contrastPkgs.buildOciImage { - name = "k8s-log-collector"; - tag = "0.1.0"; - copyToRoot = with pkgs; [ - # Used when execing into the container to collect logs. 
- bash - coreutils - gnutar - gzip - ]; - config = { - Cmd = [ "${lib.getExe contrastPkgs.k8s-log-collector}" ]; - Volumes."/logs" = { }; - }; + memdump = contrastPkgs.buildOciImage { + name = "memdump"; + tag = "latest"; + copyToRoot = with pkgs; [ + busybox + socat + gdb + jq + ]; + }; + + debugshell = contrastPkgs.buildOciImage { + name = "debugshell"; + tag = contrastPkgs.contrast.contrast.version; + copyToRoot = with pkgs; [ + busybox + bash + coreutils + contrastPkgs.debugshell + openssh + contrastPkgs.tdx-tools + ]; + config = { + Entrypoint = [ "/bin/debugshell" ]; + Cmd = [ "journalctl --no-tail --no-pager -f" ]; + }; + }; + + k8s-log-collector = contrastPkgs.buildOciImage { + name = "k8s-log-collector"; + tag = "0.1.0"; + copyToRoot = with pkgs; [ + # Used when execing into the container to collect logs. + bash + coreutils + gnutar + gzip + ]; + config = { + Cmd = [ "${lib.getExe contrastPkgs.k8s-log-collector}" ]; + Volumes."/logs" = { }; }; }; -in -containers -// { - push-node-installer-kata = - pushOCIDir "node-installer-kata" contrastPkgs.contrast.node-installer-image - "v${contrastPkgs.contrast.nodeinstaller.version}"; - push-node-installer-kata-gpu = - pushOCIDir "node-installer-kata-gpu" contrastPkgs.contrast.node-installer-image.gpu - "v${contrastPkgs.contrast.nodeinstaller.version}"; } -// (lib.concatMapAttrs (name: container: { - "push-${name}" = pushOCIDir name container.outPath container.meta.tag; -}) containers) diff --git a/packages/default.nix b/packages/default.nix index 17cc2e05f35..75d2bc16d64 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -19,6 +19,7 @@ byName.overrideScope ( contrastPkgsStatic = pkgs.pkgsStatic.contrastPkgs; scripts = prev.scripts.overrideScope (_: _: pkgs.callPackages ./scripts.nix { }); containers = pkgs.callPackages ./containers.nix { }; + container-scripts = pkgs.callPackages ./container-scripts.nix { }; contrast-releases = pkgs.callPackages ./contrast-releases.nix { }; } ) 
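Review bot: The image tags in the rebuilt attrset are inconsistent: `coordinator`, `initializer`, `openssl`, `port-forwarder` and `service-mesh-proxy` use `v${…version}`, `debugshell` uses `contrastPkgs.contrast.contrast.version` without the `v`, `k8s-log-collector` uses a literal `0.1.0`, and `cleanup-bare-metal` and `memdump` use the mutable `latest`. The push helper writes `<name>:latest=<digest>` into the container lookup, so consumers that go through it are pinned by digest, but anything that references the two `latest` images by tag gets a moving target; a comment on those two, `# tag "latest" is mutable: always resolve this image via the digest recorded in the containerlookup`, and `tag = "v${contrastPkgs.contrast.contrast.version}";` for `debugshell` would make the scheme uniform. The hunk is otherwise a re-indent of the existing definitions plus the move of the push scripts.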
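Review bot: `container-scripts = pkgs.callPackages ./container-scripts.nix { };` references a file this diff does not add — the new push helpers live in `packages/by-name/scripts/containers/package.nix` and are addressed everywhere else (justfile, release_artifacts) as `scripts.containers.push-*`, never as `container-scripts`. Unless `packages/container-scripts.nix` already exists outside the diff, evaluating this attribute (for example under `nix flake show` or `nix flake check`) fails with a missing-file error, and if it does exist the attribute is now dead; either way the line looks like a leftover and should be removed or pointed at the by-name package.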
diff --git a/packages/scripts.nix b/packages/scripts.nix index c8ee022758e..bbbbc0796ea 100644 --- a/packages/scripts.nix +++ b/packages/scripts.nix @@ -778,7 +778,6 @@ lib.makeScope pkgs.newScope (scripts: { name = "mdsh-fmt"; runtimeInputs = with pkgs; [ mdsh - busybox jq ]; text = '' diff --git a/tools/vale/styles/config/vocabularies/edgeless/accept.txt b/tools/vale/styles/config/vocabularies/edgeless/accept.txt index 6f9c3fb4f95..670e202bbe3 100644 --- a/tools/vale/styles/config/vocabularies/edgeless/accept.txt +++ b/tools/vale/styles/config/vocabularies/edgeless/accept.txt @@ -102,6 +102,7 @@ kubelet Kustomization leaderboard libcryptsetup +lima Logstash loopback Mbps diff --git a/treefmt.nix b/treefmt.nix index 69c84b639e1..9a09c6f2252 100644 --- a/treefmt.nix +++ b/treefmt.nix @@ -104,7 +104,9 @@ "docs/docs/**/*.md" ]; }; - renovate = { + # TODO: remove mkIf once nixpkgs includes NixOS/nixpkgs#494993 + # (renovate: add Darwin libtool dependency). + renovate = lib.mkIf pkgs.stdenv.isLinux { command = "${lib.getExe' pkgs.renovate "renovate-config-validator"}"; options = [ "--strict" ]; includes = [ "renovate.json5" ];
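Review bot: Dropping `busybox` from `mdsh-fmt`'s `runtimeInputs` means any coreutils-style commands the script body (outside this hunk) invokes now resolve from the caller's PATH instead of the pinned closure, which makes the script non-hermetic on Linux as well as buildable on Darwin. Confirm the body only needs `mdsh` and `jq`, or put a Darwin-capable replacement in busybox's place: `runtimeInputs = with pkgs; [ mdsh jq coreutils ];` — assuming this is a writeShellApplication-style wrapper, which the hunk does not show.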
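Review bot: `lib.mkIf pkgs.stdenv.isLinux` silently drops the renovate config validator on Darwin, so a macOS contributor running the formatter never sees `renovate.json5` errors; the TODO says when to remove the guard but not that coverage now depends on the Linux run. I would extend the comment: `# Disabled on Darwin only; renovate.json5 is still validated by the Linux treefmt run in CI.` — assuming CI does run treefmt on Linux, which this diff does not show.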