Merge pull request #306656 from ShamrockLee/apptainer-format

apptainer, singularity: format Nix expression according to Nix RFC 166
2024-04-25 19:45:51 +00:00 · 2024-04-25 19:45:51 +00:00 · 5e05a5e3c9
parent a4abfa2936 54e547ff5d
commit 5e05a5e3c9
3 changed files with 264 additions and 226 deletions
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 with lib;
 let
@ -12,9 +17,7 @@ in
        Whether to install Singularity/Apptainer with system-level overriding such as SUID support.
      '';
    };
-    package = mkPackageOption pkgs "singularity" {
-      example = "apptainer";
-    };
+    package = mkPackageOption pkgs "singularity" { example = "apptainer"; };
    packageOverriden = mkOption {
      type = types.nullOr types.package;
      default = null;
@ -75,17 +78,19 @@ in
  };

  config = mkIf cfg.enable {
-    programs.singularity.packageOverriden = (cfg.package.override (
-      optionalAttrs cfg.enableExternalLocalStateDir {
-        externalLocalStateDir = "/var/lib";
-      } // optionalAttrs cfg.enableFakeroot {
-        newuidmapPath = "/run/wrappers/bin/newuidmap";
-        newgidmapPath = "/run/wrappers/bin/newgidmap";
-      } // optionalAttrs cfg.enableSuid {
-        enableSuid = true;
-        starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
-      }
-    ));
+    programs.singularity.packageOverriden = (
+      cfg.package.override (
+        optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
+        // optionalAttrs cfg.enableFakeroot {
+          newuidmapPath = "/run/wrappers/bin/newuidmap";
+          newgidmapPath = "/run/wrappers/bin/newgidmap";
+        }
+        // optionalAttrs cfg.enableSuid {
+          enableSuid = true;
+          starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
+        }
+      )
+    );
    environment.systemPackages = [ cfg.packageOverriden ];
    security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid {
      setuid = true;
@ -97,5 +102,4 @@ in
      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
    ];
  };
-
 }
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@ -1,107 +1,111 @@
 # Configurations that should only be overrided by
 # overrideAttrs
-{ pname
-, version
-, src
-, projectName # "apptainer" or "singularity"
-, vendorHash ? null
-, deleteVendor ? false
-, proxyVendor ? false
-, extraConfigureFlags ? [ ]
-, extraDescription ? ""
-, extraMeta ? { }
+{
+  pname,
+  version,
+  src,
+  projectName, # "apptainer" or "singularity"
+  vendorHash ? null,
+  deleteVendor ? false,
+  proxyVendor ? false,
+  extraConfigureFlags ? [ ],
+  extraDescription ? "",
+  extraMeta ? { },
 }:

 let
  # Workaround for vendor-related attributes not overridable (#86349)
  # should be removed when the issue is resolved
  _defaultGoVendorArgs = {
-    inherit
-      vendorHash
-      deleteVendor
-      proxyVendor
-      ;
+    inherit vendorHash deleteVendor proxyVendor;
  };
 in
-{ lib
-, buildGoModule
-, runCommandLocal
+{
+  lib,
+  buildGoModule,
+  runCommandLocal,
+  substituteAll,
  # Native build inputs
-, addDriverRunpath
-, makeWrapper
-, pkg-config
-, util-linux
-, which
+  addDriverRunpath,
+  makeWrapper,
+  pkg-config,
+  util-linux,
+  which,
  # Build inputs
-, bash
-, callPackage
-, conmon
-, coreutils
-, cryptsetup
-, e2fsprogs
-, fakeroot
-, fuse2fs ? e2fsprogs.fuse2fs
-, go
-, gpgme
-, libseccomp
-, libuuid
+  bash,
+  callPackage,
+  conmon,
+  coreutils,
+  cryptsetup,
+  e2fsprogs,
+  fakeroot,
+  fuse2fs ? e2fsprogs.fuse2fs,
+  go,
+  gpgme,
+  libseccomp,
+  libuuid,
  # This is for nvidia-container-cli
-, nvidia-docker
-, openssl
-, squashfsTools
-, squashfuse
+  nvidia-docker,
+  openssl,
+  squashfsTools,
+  squashfuse,
  # Test dependencies
-, singularity-tools
-, cowsay
-, hello
+  singularity-tools,
+  cowsay,
+  hello,
  # Overridable configurations
-, enableNvidiaContainerCli ? true
+  enableNvidiaContainerCli ? true,
  # --nvccli currently requires extra privileges:
  # https://github.com/apptainer/apptainer/issues/1893#issuecomment-1881240800
-, forceNvcCli ? false
+  forceNvcCli ? false,
  # Compile with seccomp support
  # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available.
-, enableSeccomp ? true
+  enableSeccomp ? true,
  # Whether the configure script treat SUID support as default
  # When equal to enableSuid, it supress the --with-suid / --without-suid build flag
  # It can be set to `null` to always pass either --with-suid or --without-suided
  # Type: null or boolean
-, defaultToSuid ? true
+  defaultToSuid ? true,
  # Whether to compile with SUID support
-, enableSuid ? false
-, starterSuidPath ? null
-, substituteAll
+  enableSuid ? false,
+  starterSuidPath ? null,
  # newuidmapPath and newgidmapPath are to support --fakeroot
  # where those SUID-ed executables are unavailable from the FHS system PATH.
  # Path to SUID-ed newuidmap executable
-, newuidmapPath ? null
+  newuidmapPath ? null,
  # Path to SUID-ed newgidmap executable
-, newgidmapPath ? null
+  newgidmapPath ? null,
  # External LOCALSTATEDIR
-, externalLocalStateDir ? null
+  externalLocalStateDir ? null,
  # Remove the symlinks to `singularity*` when projectName != "singularity"
-, removeCompat ? false
+  removeCompat ? false,
  # Workaround #86349
  # should be removed when the issue is resolved
-, vendorHash ? _defaultGoVendorArgs.vendorHash
-, deleteVendor ? _defaultGoVendorArgs.deleteVendor
-, proxyVendor ? _defaultGoVendorArgs.proxyVendor
+  vendorHash ? _defaultGoVendorArgs.vendorHash,
+  deleteVendor ? _defaultGoVendorArgs.deleteVendor,
+  proxyVendor ? _defaultGoVendorArgs.proxyVendor,
 }:

 let
  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
-  privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else
-  (runCommandLocal "privileged-un-utils" { } ''
-    mkdir -p "$out/bin"
-    ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
-    ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
-  '');
+  privileged-un-utils =
+    if ((newuidmapPath == null) && (newgidmapPath == null)) then
+      null
+    else
+      (runCommandLocal "privileged-un-utils" { } ''
+        mkdir -p "$out/bin"
+        ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+        ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+      '');
 in
 (buildGoModule {
  inherit pname version src;

  patches = lib.optionals (projectName == "apptainer") [
-    (substituteAll { src = ./apptainer/0001-ldCache-patch-for-driverLink.patch; inherit (addDriverRunpath) driverLink; })
+    (substituteAll {
+      src = ./apptainer/0001-ldCache-patch-for-driverLink.patch;
+      inherit (addDriverRunpath) driverLink;
+    })
  ];

  # Override vendorHash with the output got from
@ -138,29 +142,36 @@ in
  # apptainer/apptainer: https://github.com/apptainer/apptainer/blob/main/dist/debian/control
  # sylabs/singularity: https://github.com/sylabs/singularity/blob/main/debian/control

-  buildInputs = [
-    bash # To patch /bin/sh shebangs.
-    conmon
-    cryptsetup
-    gpgme
-    libuuid
-    openssl
-    squashfsTools # Required at build time by SingularityCE
-  ]
-  ++ lib.optional enableNvidiaContainerCli nvidia-docker
-  ++ lib.optional enableSeccomp libseccomp
-  ;
+  buildInputs =
+    [
+      bash # To patch /bin/sh shebangs.
+      conmon
+      cryptsetup
+      gpgme
+      libuuid
+      openssl
+      squashfsTools # Required at build time by SingularityCE
+    ]
+    # Optional dependencies.
+    # Formatting: Optional dependencies are likely to increase.
+    # Don't squash them into the same line.
+    ++ lib.optional enableNvidiaContainerCli nvidia-docker
+    ++ lib.optional enableSeccomp libseccomp;

  configureScript = "./mconfig";

-  configureFlags = [
-    "--localstatedir=${if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"}"
-    "--runstatedir=/var/run"
-  ]
-  ++ lib.optional (!enableSeccomp) "--without-seccomp"
-  ++ lib.optional (enableSuid != defaultToSuid) (if enableSuid then "--with-suid" else "--without-suid")
-  ++ extraConfigureFlags
-  ;
+  configureFlags =
+    [
+      "--localstatedir=${
+        if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"
+      }"
+      "--runstatedir=/var/run"
+    ]
+    ++ lib.optional (!enableSeccomp) "--without-seccomp"
+    ++ lib.optional (enableSuid != defaultToSuid) (
+      if enableSuid then "--with-suid" else "--without-suid"
+    )
+    ++ extraConfigureFlags;

  # causes redefinition of _FORTIFY_SOURCE
  hardeningDisable = [ "fortify3" ];
@ -177,9 +188,7 @@ in
    privileged-un-utils
    squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
    squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
-  ]
-  ++ lib.optional enableNvidiaContainerCli nvidia-docker
-  ;
+  ] ++ lib.optional enableNvidiaContainerCli nvidia-docker;

  postPatch = ''
    if [[ ! -e .git || ! -e VERSION ]]; then
@ -249,70 +258,86 @@ in
        rm "$file"
      done
    ''}
-    ${lib.optionalString enableSuid (lib.warnIf (starterSuidPath == null) "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." ''
-      chmod +x $out/libexec/${projectName}/bin/starter-suid
-    '')}
+    ${lib.optionalString enableSuid (
+      lib.warnIf (starterSuidPath == null)
+        "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial."
+        ''
+          chmod +x $out/libexec/${projectName}/bin/starter-suid
+        ''
+    )}
    ${lib.optionalString (enableSuid && (starterSuidPath != null)) ''
      mv "$out"/libexec/${projectName}/bin/starter-suid{,.orig}
      ln -s ${lib.escapeShellArg starterSuidPath} "$out/libexec/${projectName}/bin/starter-suid"
    ''}
  '';

-  meta = with lib; {
-    description = "Application containers for linux" + extraDescription;
-    longDescription = ''
-      Singularity (the upstream) renamed themselves to Apptainer
-      to distinguish themselves from a fork made by Sylabs Inc.. See
+  meta =
+    with lib;
+    {
+      description = "Application containers for linux" + extraDescription;
+      longDescription = ''
+        Singularity (the upstream) renamed themselves to Apptainer
+        to distinguish themselves from a fork made by Sylabs Inc.. See

-      https://sylabs.io/2021/05/singularity-community-edition
-      https://apptainer.org/news/community-announcement-20211130
-    '';
-    license = licenses.bsd3;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ jbedo ShamrockLee ];
-    mainProgram = projectName;
-  } // extraMeta;
-}).overrideAttrs (finalAttrs: prevAttrs: {
-  passthru = prevAttrs.passthru or { } // {
-    tests = {
-      image-hello-cowsay = singularity-tools.buildImage {
-        name = "hello-cowsay";
-        contents = [ hello cowsay ];
-        singularity = finalAttrs.finalPackage;
-      };
-    };
-    gpuChecks = lib.optionalAttrs (projectName == "apptainer") {
-      # Should be in tests, but Ofborg would skip image-hello-cowsay because
-      # saxpy is unfree.
-      image-saxpy = callPackage
-        ({ singularity-tools, cudaPackages }:
-          singularity-tools.buildImage {
-            name = "saxpy";
-            contents = [ cudaPackages.saxpy ];
-            memSize = 2048;
-            diskSize = 2048;
+        https://sylabs.io/2021/05/singularity-community-edition
+        https://apptainer.org/news/community-announcement-20211130
+      '';
+      license = licenses.bsd3;
+      platforms = platforms.linux;
+      maintainers = with maintainers; [
+        jbedo
+        ShamrockLee
+      ];
+      mainProgram = projectName;
+    }
+    // extraMeta;
+}).overrideAttrs
+  (
+    finalAttrs: prevAttrs: {
+      passthru = prevAttrs.passthru or { } // {
+        tests = {
+          image-hello-cowsay = singularity-tools.buildImage {
+            name = "hello-cowsay";
+            contents = [
+              hello
+              cowsay
+            ];
            singularity = finalAttrs.finalPackage;
-          })
-        { };
-      saxpy =
-        callPackage
-          ({ runCommand, writeShellScriptBin }:
+          };
+        };
+        gpuChecks = lib.optionalAttrs (projectName == "apptainer") {
+          # Should be in tests, but Ofborg would skip image-hello-cowsay because
+          # saxpy is unfree.
+          image-saxpy = callPackage (
+            { singularity-tools, cudaPackages }:
+            singularity-tools.buildImage {
+              name = "saxpy";
+              contents = [ cudaPackages.saxpy ];
+              memSize = 2048;
+              diskSize = 2048;
+              singularity = finalAttrs.finalPackage;
+            }
+          ) { };
+          saxpy = callPackage (
+            { runCommand, writeShellScriptBin }:
            let
-              unwrapped = writeShellScriptBin "apptainer-cuda-saxpy"
-                ''
-                  ${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy
-                '';
+              unwrapped = writeShellScriptBin "apptainer-cuda-saxpy" ''
+                ${lib.getExe finalAttrs.finalPackage} exec --nv $@ ${finalAttrs.passthru.gpuChecks.image-saxpy} saxpy
+              '';
            in
            runCommand "run-apptainer-cuda-saxpy"
              {
                requiredSystemFeatures = [ "cuda" ];
                nativeBuildInputs = [ unwrapped ];
-                passthru = { inherit unwrapped; };
+                passthru = {
+                  inherit unwrapped;
+                };
              }
              ''
                apptainer-cuda-saxpy
-              '')
-          { };
-    };
-  };
-})
+              ''
+          ) { };
+        };
+      };
+    }
+  )
--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@ -1,89 +1,98 @@
-{ callPackage
-, fetchFromGitHub
-, nixos
-, conmon
+{
+  callPackage,
+  fetchFromGitHub,
+  nixos,
+  conmon,
 }:
 let
-  apptainer = callPackage
-    (import ./generic.nix rec {
-      pname = "apptainer";
-      version = "1.3.1";
-      projectName = "apptainer";
+  apptainer =
+    callPackage
+      (import ./generic.nix rec {
+        pname = "apptainer";
+        version = "1.3.1";
+        projectName = "apptainer";

-      src = fetchFromGitHub {
-        owner = "apptainer";
-        repo = "apptainer";
-        rev = "refs/tags/v${version}";
-        hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY=";
+        src = fetchFromGitHub {
+          owner = "apptainer";
+          repo = "apptainer";
+          rev = "refs/tags/v${version}";
+          hash = "sha256-XhJecINx8jC6pRzIoM4nC6Aunj40xL8EmYIA4UizfAY=";
+        };
+
+        # Update by running
+        # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules"
+        # at the root directory of the Nixpkgs repository
+        vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0=";
+
+        extraDescription = " (previously known as Singularity)";
+        extraMeta.homepage = "https://apptainer.org";
+      })
+      {
+        # Apptainer doesn't depend on conmon
+        conmon = null;
+
+        # Apptainer builders require explicit --with-suid / --without-suid flag
+        # when building on a system with disabled unprivileged namespace.
+        # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
+        defaultToSuid = null;
      };

-      # Update by running
-      # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules"
-      # at the root directory of the Nixpkgs repository
-      vendorHash = "sha256-MXW1U13uDRAx4tqZvqsuJvoD22nEL2gcxiGaa/6zwU0=";
+  singularity =
+    callPackage
+      (import ./generic.nix rec {
+        pname = "singularity-ce";
+        version = "4.1.2";
+        projectName = "singularity";

-      extraDescription = " (previously known as Singularity)";
-      extraMeta.homepage = "https://apptainer.org";
-    })
-    {
-      # Apptainer doesn't depend on conmon
-      conmon = null;
+        src = fetchFromGitHub {
+          owner = "sylabs";
+          repo = "singularity";
+          rev = "refs/tags/v${version}";
+          hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY=";
+        };

-      # Apptainer builders require explicit --with-suid / --without-suid flag
-      # when building on a system with disabled unprivileged namespace.
-      # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
-      defaultToSuid = null;
-    };
+        # Update by running
+        # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
+        # at the root directory of the Nixpkgs repository
+        vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw=";

-  singularity = callPackage
-    (import ./generic.nix rec {
-      pname = "singularity-ce";
-      version = "4.1.2";
-      projectName = "singularity";
+        # Do not build conmon and squashfuse from the Git submodule sources,
+        # Use Nixpkgs provided version
+        extraConfigureFlags = [
+          "--without-conmon"
+          "--without-squashfuse"
+        ];

-      src = fetchFromGitHub {
-        owner = "sylabs";
-        repo = "singularity";
-        rev = "refs/tags/v${version}";
-        hash = "sha256-/KTDdkCMkZ5hO+VYHzw9vB8FDWxg7PS1yb2waRJQngY=";
+        extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)";
+        extraMeta.homepage = "https://sylabs.io/";
+      })
+      {
+        # Sylabs SingularityCE builders defaults to set the SUID flag
+        # on UNIX-like platforms,
+        # and only have --without-suid but not --with-suid.
+        defaultToSuid = true;
      };

-      # Update by running
-      # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
-      # at the root directory of the Nixpkgs repository
-      vendorHash = "sha256-4Nxj2PzZmFdvouWKyXLFDk8iuRhFuvyPW/+VRTw75Zw=";
+  genOverridenNixos =
+    package: packageName:
+    (nixos {
+      programs.singularity = {
+        enable = true;
+        inherit package;
+      };
+    }).config.programs.singularity.packageOverriden.overrideAttrs
+      (oldAttrs: {
+        meta = oldAttrs.meta // {
+          description = "";
+          longDescription = ''
+            This package produces identical store derivations to `pkgs.${packageName}`
+            overriden and installed by the NixOS module `programs.singularity`
+            with default configuration.

-      # Do not build conmon and squashfuse from the Git submodule sources,
-      # Use Nixpkgs provided version
-      extraConfigureFlags = [
-        "--without-conmon"
-        "--without-squashfuse"
-      ];
-
-      extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)";
-      extraMeta.homepage = "https://sylabs.io/";
-    })
-    {
-      defaultToSuid = true;
-    };
-
-  genOverridenNixos = package: packageName: (nixos {
-    programs.singularity = {
-      enable = true;
-      inherit package;
-    };
-  }).config.programs.singularity.packageOverriden.overrideAttrs (oldAttrs: {
-    meta = oldAttrs.meta // {
-      description = "";
-      longDescription = ''
-        This package produces identical store derivations to `pkgs.${packageName}`
-        overriden and installed by the NixOS module `programs.singularity`
-        with default configuration.
-
-        This is for binary substitutes only. Use pkgs.${packageName} instead.
-      '';
-    };
-  });
+            This is for binary substitutes only. Use pkgs.${packageName} instead.
+          '';
+        };
+      });
 in
 {
  inherit apptainer singularity;