nixpkgs/pkgs/applications/virtualization/rkt/default.nix

{ stdenv, lib, autoreconfHook, acl, go, file, git, wget, gnupg, trousers, squashfsTools,
  cpio, fetchurl, fetchFromGitHub, iptables, systemd, makeWrapper, glibc }:

let
  # Always get the information from
  # https://github.com/coreos/rkt/blob/v${VERSION}/stage1/usr_from_coreos/coreos-common.mk
  coreosImageRelease = "1478.0.0";
  coreosImageSystemdVersion = "233";

  # TODO: track https://github.com/coreos/rkt/issues/1758 to allow "host" flavor.
  stage1Flavours = [ "coreos" "fly" ];
  stage1Dir = "lib/rkt/stage1-images";

in stdenv.mkDerivation rec {
  version = "1.30.0";
  pname = "rkt";
  BUILDDIR="build-${pname}-${version}";

  src = fetchFromGitHub {
    owner = "coreos";
    repo = "rkt";
    rev = "v${version}";
    sha256 = "0dqf83b7iin1np8k8k1m8i99ybga8vx932q7n2q64yghkw7p6i00";
  };

  stage1BaseImage = fetchurl {
    url = "http://alpha.release.core-os.net/amd64-usr/${coreosImageRelease}/coreos_production_pxe_image.cpio.gz";
    sha256 = "0s4qdkkfp0iirfnm5ds3b3hxq0249kvpygyhflma8z90ivkzk5wq";
  };

  buildInputs = [
    glibc.out glibc.static
    autoreconfHook go file git wget gnupg trousers squashfsTools cpio acl systemd
    makeWrapper
  ];

  preConfigure = ''
    ./autogen.sh
    configureFlagsArray=(
      --with-stage1-flavors=${builtins.concatStringsSep "," stage1Flavours}
      ${if lib.findFirst (p: p == "coreos") null stage1Flavours != null then "
      --with-coreos-local-pxe-image-path=${stage1BaseImage}
      --with-coreos-local-pxe-image-systemd-version=v${coreosImageSystemdVersion}
      " else "" }
      --with-stage1-default-location=$out/${stage1Dir}/stage1-${builtins.elemAt stage1Flavours 0}.aci
    );
  '';

  preBuild = ''
    export BUILDDIR
    export GOCACHE="$TMPDIR/go-cache"
  '';

  installPhase = ''
    mkdir -p $out/bin
    cp -Rv $BUILDDIR/target/bin/rkt $out/bin

    mkdir -p $out/lib/rkt/stage1-images/
    cp -Rv $BUILDDIR/target/bin/stage1-*.aci $out/${stage1Dir}/

    wrapProgram $out/bin/rkt \
      --prefix LD_LIBRARY_PATH : "${systemd.lib}/lib:${acl.out}/lib" \
      --prefix PATH : ${iptables}/bin
  '';

  meta = with lib; {
    description = "A fast, composable, and secure App Container runtime for Linux";
    homepage = "https://github.com/coreos/rkt";
    license = licenses.asl20;
    maintainers = with maintainers; [ ragge steveej ];
    platforms = [ "x86_64-linux" ];
    knownVulnerabilities = [
      "CVE-2019-10144: processes run with `rkt enter` are given all capabilities during stage 2"
      "CVE-2019-10145: processes run with `rkt enter` do not have seccomp filtering during stage 2"
      "CVE-2019-10147: processes run with `rkt enter` are not limited by cgroups during stage 2"
    ];
  };
}
switch users of "gnupg1" to plain "gnupg" gnupg is gnupg 2.2. gnupg1 is also gnupg 2.2, just with a few extra symlinks in the bin directory. None of these packages need those symlinks, and it's confusing for them to say they're depending on "gnupg1", so switch their dep to plain "gnupg". 2019-03-20 18:23:30 +00:00			`{ stdenv, lib, autoreconfHook, acl, go, file, git, wget, gnupg, trousers, squashfsTools,`
rkt: 1.2.0 -> 1.4.0 2016-04-23 19:33:21 +01:00			`cpio, fetchurl, fetchFromGitHub, iptables, systemd, makeWrapper, glibc }:`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00
rkt: Don't download stage1 image during build. The rkt build process requires a stage1 image. By default it will try and download one with wget from coreos.com during the build. This change explicitly downloads the image using `fetchurl`, verifying checksum, then passes that to the build using appropriate configure flag. 2015-09-01 10:08:44 +01:00			`let`
rkt: 1.15.0 -> 1.17.0 2016-10-15 04:00:54 +01:00			`# Always get the information from`
rkt: 1.5.1 -> 1.7.0 (#15958) 2016-06-08 16:43:42 +01:00			`# https://github.com/coreos/rkt/blob/v${VERSION}/stage1/usr_from_coreos/coreos-common.mk`
rkt: 1.28.1 -> 1.29.0 2017-10-05 14:47:30 +01:00			`coreosImageRelease = "1478.0.0";`
			`coreosImageSystemdVersion = "233";`
rkt: v0.10.0 -> 0.11.0 Also prepare to support multiple stage1 flavors. The 'host' flavor would be preferred to reuse systemd components instead of downloading/unpacking/processing a CoreOS PXE image. 2015-11-17 11:44:32 +00:00
			`# TODO: track https://github.com/coreos/rkt/issues/1758 to allow "host" flavor.`
rkt: remove incompatible stage1-host 2016-06-24 20:55:03 +01:00			`stage1Flavours = [ "coreos" "fly" ];`
rkt: fix default stage1 location 2016-07-23 02:18:29 +01:00			`stage1Dir = "lib/rkt/stage1-images";`
rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00
rkt: Don't download stage1 image during build. The rkt build process requires a stage1 image. By default it will try and download one with wget from coreos.com during the build. This change explicitly downloads the image using `fetchurl`, verifying checksum, then passes that to the build using appropriate configure flag. 2015-09-01 10:08:44 +01:00			`in stdenv.mkDerivation rec {`
rkt: 1.29.0 -> 1.30.0 2018-04-18 01:41:08 +01:00			`version = "1.30.0";`
treewide: name -> pname (easy cases) (#66585) treewide replacement of stdenv.mkDerivation rec { name = "-${version}"; version = ""; to pname 2019-08-15 13:41:18 +01:00			`pname = "rkt";`
			`BUILDDIR="build-${pname}-${version}";`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00
			`src = fetchFromGitHub {`
rkt: 1.26.0 -> 1.27.0 2017-06-24 00:24:19 +01:00			`owner = "coreos";`
			`repo = "rkt";`
			`rev = "v${version}";`
rkt: 1.29.0 -> 1.30.0 2018-04-18 01:41:08 +01:00			`sha256 = "0dqf83b7iin1np8k8k1m8i99ybga8vx932q7n2q64yghkw7p6i00";`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`};`

rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`stage1BaseImage = fetchurl {`
rkt: reset stage1 to rkt's recommended version 2016-02-05 19:14:13 +00:00			`url = "http://alpha.release.core-os.net/amd64-usr/${coreosImageRelease}/coreos_production_pxe_image.cpio.gz";`
rkt: 1.28.1 -> 1.29.0 2017-10-05 14:47:30 +01:00			`sha256 = "0s4qdkkfp0iirfnm5ds3b3hxq0249kvpygyhflma8z90ivkzk5wq";`
rkt: Don't download stage1 image during build. The rkt build process requires a stage1 image. By default it will try and download one with wget from coreos.com during the build. This change explicitly downloads the image using `fetchurl`, verifying checksum, then passes that to the build using appropriate configure flag. 2015-09-01 10:08:44 +01:00			`};`
rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00
rkt: 0.14.0 -> 0.15.0 2016-01-15 13:11:08 +00:00			`buildInputs = [`
rkt: 1.2.0 -> 1.4.0 2016-04-23 19:33:21 +01:00			`glibc.out glibc.static`
switch users of "gnupg1" to plain "gnupg" gnupg is gnupg 2.2. gnupg1 is also gnupg 2.2, just with a few extra symlinks in the bin directory. None of these packages need those symlinks, and it's confusing for them to say they're depending on "gnupg1", so switch their dep to plain "gnupg". 2019-03-20 18:23:30 +00:00			`autoreconfHook go file git wget gnupg trousers squashfsTools cpio acl systemd`
rkt: 0.14.0 -> 0.15.0 2016-01-15 13:11:08 +00:00			`makeWrapper`
			`];`
rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`preConfigure = ''`
			`./autogen.sh`
rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`configureFlagsArray=(`
rkt: v0.10.0 -> 0.11.0 Also prepare to support multiple stage1 flavors. The 'host' flavor would be preferred to reuse systemd components instead of downloading/unpacking/processing a CoreOS PXE image. 2015-11-17 11:44:32 +00:00			`--with-stage1-flavors=${builtins.concatStringsSep "," stage1Flavours}`
			`${if lib.findFirst (p: p == "coreos") null stage1Flavours != null then "`
rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`--with-coreos-local-pxe-image-path=${stage1BaseImage}`
			`--with-coreos-local-pxe-image-systemd-version=v${coreosImageSystemdVersion}`
rkt: v0.10.0 -> 0.11.0 Also prepare to support multiple stage1 flavors. The 'host' flavor would be preferred to reuse systemd components instead of downloading/unpacking/processing a CoreOS PXE image. 2015-11-17 11:44:32 +00:00			`" else "" }`
rkt: fix default stage1 location 2016-07-23 02:18:29 +01:00			`--with-stage1-default-location=$out/${stage1Dir}/stage1-${builtins.elemAt stage1Flavours 0}.aci`
rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`);`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`'';`

rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00			`preBuild = ''`
rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`export BUILDDIR`
go_1_12: init at go 1.12 2019-02-28 01:46:32 +00:00			`export GOCACHE="$TMPDIR/go-cache"`
rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00			`'';`

rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`installPhase = ''`
			`mkdir -p $out/bin`
rkt: install stage1 ACIs to expected path (#17079) Makes rkt's `--stage1-from-dir` CLI argument work. 2016-07-19 08:31:52 +01:00			`cp -Rv $BUILDDIR/target/bin/rkt $out/bin`

			`mkdir -p $out/lib/rkt/stage1-images/`
rkt: fix default stage1 location 2016-07-23 02:18:29 +01:00			`cp -Rv $BUILDDIR/target/bin/stage1-*.aci $out/${stage1Dir}/`
rkt: install stage1 ACIs to expected path (#17079) Makes rkt's `--stage1-from-dir` CLI argument work. 2016-07-19 08:31:52 +01:00
rkt: 0.14.0 -> 0.15.0 2016-01-15 13:11:08 +00:00			`wrapProgram $out/bin/rkt \`
rkt: needs libacl in LD_LIBRARY_PATH at runtime Rkt opens libacl at runtime to apply acls to the journal directory. 2017-12-26 08:08:49 +00:00			`--prefix LD_LIBRARY_PATH : "${systemd.lib}/lib:${acl.out}/lib" \`
rkt: 0.14.0 -> 0.15.0 2016-01-15 13:11:08 +00:00			`--prefix PATH : ${iptables}/bin`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`'';`
rkt: Don't download stage1 image during build. Second attempt to resolve this issue. Copies stage1 image into expected place manually. This has been improved in rkt master where there is a configure option for specifying the location of this file. Can update when next stable rkt is released. 2015-09-03 14:04:59 +01:00
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`meta = with lib; {`
			`description = "A fast, composable, and secure App Container runtime for Linux";`
treewide: Per RFC45, remove all unquoted URLs 2020-04-01 02:11:51 +01:00			`homepage = "https://github.com/coreos/rkt";`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`license = licenses.asl20;`
rkt: bump to v0.10.0 * bump stage1 base image to v794.1.0 according to upstream release * make use of BUILDDIR environment variable to control output path * make use of the configure option for the stage1 image path and the stage1 base image path * fix homepage URL * add myself to the list of maintianers 2015-10-25 00:57:06 +01:00			`maintainers = with maintainers; [ ragge steveej ];`
rkt: disable on i686 (ZHF) 2015-08-26 17:55:22 +01:00			`platforms = [ "x86_64-linux" ];`
rkt: add CVEs https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/ 2020-03-07 21:16:53 +00:00			`knownVulnerabilities = [`
			"CVE-2019-10144: processes run with `rkt enter` are given all capabilities during stage 2"
			"CVE-2019-10145: processes run with `rkt enter` do not have seccomp filtering during stage 2"
			"CVE-2019-10147: processes run with `rkt enter` are not limited by cgroups during stage 2"
			`];`
rkt: init at 0.8.0 2015-08-19 11:04:34 +01:00			`};`
			`}`