From 899e1f5ae51341774ac91564e1a8d17026c8f5fa Mon Sep 17 00:00:00 2001
From: Darnell Andries
Date: Mon, 7 Oct 2024 22:00:36 -0700
Subject: [PATCH] Add Nix reproducible build
---
 .gitignore | 2 ++
 Dockerfile | 35 ----------------------------
 Makefile | 20 +++++++----------
 flake.lock | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 start.sh | 2 +-
 6 files changed, 139 insertions(+), 48 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/.gitignore b/.gitignore
index cf32f9a..e65cb5e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 star-randsrv
 target
 include
+result
+*.tar.gz
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index c549947..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,35 +0,0 @@
-# In this image, we avoid using alpine due to performance issues
-# with musl. We use debian slim so we can use glibc for best performance.
-
-# Start by building the nitriding proxy daemon.
-FROM public.ecr.aws/docker/library/golang:1.23.0-bookworm@sha256:31dc846dd1bcca84d2fa231bcd16c09ff271bcc1a5ae2c48ff10f13b039688f3 as go-builder
-
-RUN CGO_ENABLED=0 go install -trimpath -ldflags="-s -w" -buildvcs=false github.com/brave/nitriding-daemon@v1.4.2
-
-# Build the web server application itself.
-FROM public.ecr.aws/docker/library/rust:1.80.1-bookworm@sha256:29fe4376919e25b7587a1063d7b521d9db735fc137d3cf30ae41eb326d209471 as rust-builder
-
-WORKDIR /src/
-COPY Cargo.toml Cargo.lock ./
-COPY src src/
-# The '--locked' argument is important for reproducibility because it ensures
-# that we use specific dependencies.
-RUN cargo build --locked --release
-
-# Set up the run-time environment
-FROM public.ecr.aws/docker/library/debian:12.6-slim@sha256:2ccc7e39b0a6f504d252f807da1fc4b5bcd838e83e4dec3e2f57b2a4a64e7214
-
-RUN apt update && apt install -y ca-certificates
-
-COPY start.sh /usr/local/bin
-RUN chown root:root /usr/local/bin/start.sh
-RUN chmod 755 /usr/local/bin/start.sh
-
-COPY --from=go-builder /go/bin/nitriding-daemon /usr/local/bin/nitriding
-COPY --from=rust-builder /src/target/release/star-randsrv /usr/local/bin/
-
-EXPOSE 443
-# Switch to the UID that's typically reserved for the user "nobody".
-USER 65534
-
-CMD ["/usr/local/bin/start.sh"]
diff --git a/Makefile b/Makefile
index 0849644..6172c1a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 prog := star-randsrv
 version := $(shell git describe --tag --dirty)
 image_tag := $(prog):$(version)
-image_tar := $(prog)-$(version)-kaniko.tar
-image_eif := $(image_tar:%.tar=%.eif)
+image_tar := $(prog)-$(version).tar.gz
+image_eif := $(image_tar:%.tar.gz=%.eif)
 RUST_DEPS := $(wildcard Cargo.* src/*.rs)
@@ -29,24 +29,20 @@ clean:
 eif: $(image_eif)
 $(image_eif): $(image_tar)
- docker load -i $<
+ gunzip -c $(image_tar) | docker load
 nitro-cli build-enclave --docker-uri $(image_tag) --output-file $@
 image: $(image_tar)
-$(image_tar): Dockerfile $(RUST_DEPS)
- docker run -v $$PWD:/workspace gcr.io/kaniko-project/executor:v1.9.2 \
- --context dir:///workspace/ \
- --reproducible \
- --no-push \
- --tarPath $(image_tar) \
- --destination $(image_tag) \
- --custom-platform linux/amd64
+$(image_tar): default.nix $(RUST_DEPS)
+ nix-build -v --arg tag \"$(version)\"
+ rm -f $(image_tar)
+ cp -L ./result $(image_tar)
 run: $(image_eif)
 $(eval ENCLAVE_ID=$(shell nitro-cli describe-enclaves | jq -r '.[0].EnclaveID'))
 @if [ "$(ENCLAVE_ID)" != "null" ]; then nitro-cli terminate-enclave --enclave-id $(ENCLAVE_ID); fi
 @echo "Starting enclave."
- nitro-cli run-enclave --cpu-count 2 --memory 512 --eif-path $(image_eif) --debug-mode
+ nitro-cli run-enclave --cpu-count 4 --memory 2048 --eif-path $(image_eif) --debug-mode
 @echo "Showing enclave logs."
 nitro-cli console --enclave-id $$(nitro-cli describe-enclaves | jq -r '.[0].EnclaveID')
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..196434c
--- /dev/null
+++ b/flake.lock
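Review bot: The new `$(image_tar)` rule lists `default.nix` as a prerequisite and passes `--arg tag \"$(version)\"`, but this commit adds only `flake.nix` and `flake.lock` (see the diffstat) and the flake hardcodes `tag = "latest"` with an `outputs` function that accepts no `tag`, so unless a `default.nix` compat shim outside this diff exists and forwards the argument, `make image` fails on the missing prerequisite and, even once it builds, the loaded image is `star-randsrv:latest` while `build-enclave --docker-uri $(image_tag)` looks for `star-randsrv:$(version)`. I would build through the flake and re-tag after loading: `$(image_tar): flake.nix flake.lock $(RUST_DEPS)`, `nix build --out-link result .#default`, and in the eif recipe `gunzip -c $(image_tar) | docker load && docker tag $(prog):latest $(image_tag)`. Naming `flake.lock` as a prerequisite also makes an input bump re-run the build, which `default.nix` alone never would. The `run` recipe changed here only for CPU/memory sizing still launches with `--debug-mode`, where the enclave's PCRs are all zeros; a comment such as `# --debug-mode zeroes PCR0-2: never derive attestation policy from this target's measurements` would stop someone reading a `make run` attestation document as the production measurement.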
@@ -0,0 +1,61 @@
+{
+ "nodes": {
+ "nitriding": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1729224899,
+ "narHash": "sha256-YmCtDNierxQB1oI3p3WIp0BbfLV7iEG+U0VrKjJ6hCI=",
+ "owner": "brave",
+ "repo": "nitriding-daemon",
+ "rev": "255fa70056b35b86ea493a0157d7a0b49a82579b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "brave",
+ "repo": "nitriding-daemon",
+ "rev": "255fa70056b35b86ea493a0157d7a0b49a82579b",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1728500571,
+ "narHash": "sha256-dOymOQ3AfNI4Z337yEwHGohrVQb4yPODCW9MDUyAc4w=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d51c28603def282a24fa034bcb007e2bcb5b5dd0",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-24.05",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1728500571,
+ "narHash": "sha256-dOymOQ3AfNI4Z337yEwHGohrVQb4yPODCW9MDUyAc4w=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d51c28603def282a24fa034bcb007e2bcb5b5dd0",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-24.05",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nitriding": "nitriding",
+ "nixpkgs": "nixpkgs_2"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..870aea5
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,67 @@
+{
+ description = "A very basic flake";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-24.05";
+ nitriding.url = "github:brave/nitriding-daemon/255fa70056b35b86ea493a0157d7a0b49a82579b";
+ };
+
+ outputs = { self, nixpkgs, nitriding }:
+ let
+ tag = "latest";
+ system = "x86_64-linux";
+
+ pkgs = import nixpkgs {
+ inherit system;
+ };
+
+ startSh = pkgs.writeTextFile {
+ name = "start.sh";
+ text = builtins.readFile ./start.sh;
+ executable = true;
+ destination = "/bin/start.sh";
+ };
+
+ in rec {
+ dockerImage = pkgs.dockerTools.buildImage {
+ name = "star-randsrv";
+ tag = tag;
+
+ config = {
+ Cmd = [ "/bin/start.sh" ];
+ ExposedPorts = {
+ "443/tcp" = {};
+ };
+ User = "65534";
+ };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = [
+ pkgs.bash
+ pkgs.coreutils
+ startSh
+ nitriding.outputs.packages.${system}.default
+ rustApp
+ ];
+ pathsToLink = [ "/bin" ];
+ };
+ };
+ rustApp = pkgs.rustPlatform.buildRustPackage {
+ pname = "star-randsrv";
+ version = "0.2.0";
+
+ src = builtins.filterSource
+ (path: type:
+ let relPath = pkgs.lib.removePrefix (toString ./. + "/") path;
+ in (relPath == "src" && type == "directory") || pkgs.lib.hasSuffix ".rs" relPath ||
+ relPath == "Cargo.toml" || relPath == "Cargo.lock")
+ ./.;
+ cargoLock = {
+ lockFile = ./Cargo.lock;
+ };
+ };
+
+ packages.x86_64-linux.default = dockerImage;
+ };
+}
diff --git a/start.sh b/start.sh
index 6dddf68..4e4ef41 100755
--- a/start.sh
+++ b/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-nitriding \
+nitriding-daemon \
 -fqdn "star-randsrv.bsg.brave.com" \
 -appurl "https://github.com/brave/star-randsrv" \
 -appwebsrv "http://127.0.0.1:8080" \
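Review bot: The runtime image assembled by `copyToRoot` carries no CA bundle and links only `/bin`, whereas the Dockerfile this commit deletes explicitly installed `ca-certificates`; nitriding is started with `-fqdn` in start.sh, and if it obtains its certificate via ACME or either binary makes any other outbound TLS connection, verification will fail inside the enclave because there is no trust store at all. Add `pkgs.cacert` to `paths` and `"/etc"` to `pathsToLink`, or set `config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];` so the Go runtime finds the bundle regardless of path layout. `description = "A very basic flake"` is template filler and should say what the flake produces, e.g. `description = "Reproducible Nitro Enclave image: nitriding proxy + star-randsrv";`. `version = "0.2.0"` in `rustApp` will silently drift from `Cargo.toml`; `version = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.version;` keeps the two in sync. The pinned nitriding rev plus `cargoLock.lockFile` do preserve the reproducibility guarantee the deleted `cargo build --locked` comment described, and a one-line comment above `inputs` stating that both inputs are pinned for that reason would carry the rationale forward.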