bramble run (#33)

* bramble run for git download

* remove path from sandbox, just take args to match libcontainer limitation

* tty support, exit code handling, initial run version

* add go binaries to /bin

* add run tests

* integration test is integration test

* submit config values for read_only_paths and hidden_paths

* fix tmpfile length, run within docker

* accidental delete

Former-commit-id: 7d80644

Author: maxmcd

Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:alpine
+
+
+RUN apk add build-base linux-headers
+WORKDIR /go/src/github.com/maxmcd/bramble
+COPY go.sum go.mod ./
+RUN go mod download
+
+COPY . .
+
+RUN go install
+
+# FROM alpine
+
+# COPY --from=0 /go/src/github.com/maxmcd/bramble/bramble /bin/bramble

Makefile

@@ -22,5 +22,7 @@ integration_ci_test: install gotestsum
 	env BRAMBLE_INTEGRATION_TEST=truthy gotestsum -- -v ./pkg/bramble/
 
 integration_test: install
-	env BRAMBLE_INTEGRATION_TEST=truthy go test -v ./pkg/bramble/
+	env BRAMBLE_INTEGRATION_TEST=truthy go test -run=$(run) -v ./pkg/bramble/
 
+rootless_within_docker:
+	docker build -t bramble . && docker run --privileged -it bramble bramble build ./lib:busybox

bramble.toml

@@ -2,3 +2,5 @@
 
 [module]
 name = "github.com/maxmcd/bramble"
+read_only_paths = ["./"]
+hidden_paths = ["./lib"]

go.mod

@@ -7,10 +7,12 @@ require (
 	github.com/bmatcuk/doublestar/v4 v4.0.2
 	github.com/certifi/gocertifi v0.0.0-20210507211836-431795d63e8d
 	github.com/containerd/console v1.0.3
+	github.com/creack/pty v1.1.15 // indirect
 	github.com/jaguilar/vt100 v0.0.0-20201024211400-81de19cb81a4
 	github.com/maxmcd/dag v0.0.0-20210909010249-5757e2034a95
 	github.com/mholt/archiver/v3 v3.5.0
 	github.com/minio/sha256-simd v1.0.0
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/runc v1.0.2
 	github.com/peterbourgon/ff/v3 v3.1.0

go.sum

@@ -1,4 +1,6 @@
 code.cloudfoundry.org/bytefmt v0.0.0-20190710193110-1eb035ffe2b6/go.mod h1:wN/zk7mhREp/oviagqUXY3EwuHhWyOvAdsn5Y4CzOrc=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
@@ -29,6 +31,9 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.15 h1:cKRCLMj3Ddm54bKSpemfQ8AtYFBhAI2MPmdys22fBdc=
+github.com/creack/pty v1.1.15/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -96,6 +101,8 @@ github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
 github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
+github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc=
+github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
@@ -129,6 +136,7 @@ github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvW
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -186,6 +194,7 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3 h1:3Ad41xy2WCESpufXwgs7NpDSu+vjxqLt2UFqUV+20bI=
 golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -195,6 +204,7 @@ golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2M
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -225,3 +235,5 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.0.2 h1:kG1BFyqVHuQoVQiR1bWGnfz/fmHvvuiSPIV7rvl360E=
+gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=

lib/default.bramble

@@ -2,7 +2,22 @@ load("github.com/maxmcd/bramble/lib/std")
 
 
 def cacerts():
-    return std.fetch_url("https://brmbl.s3.amazonaws.com/ca-certificates.crt")
+    return derivation(
+        name="ca-certificates",
+        builder=busybox().out + "/bin/sh",
+        env=dict(
+            PATH=busybox().out + "/bin",
+            src=std.fetch_url("https://brmbl.s3.amazonaws.com/ca-certificates.crt"),
+        ),
+        args=[
+            "-c",
+            """
+            set -ex
+            cp -r $src/ca-certificates.crt $out
+            cp $out/ca-certificates.crt $out/ca-bundle.crt
+            """,
+        ],
+    )
 
 
 def git():
@@ -33,18 +48,17 @@ def git_fetcher():
             git=git(),
             PATH=git().out + "/bin",
             GIT_EXEC_PATH=git().out + "/libexec/git-core",
-            GIT_SSL_CAINFO=cacerts(),
+            GIT_SSL_CAINFO=cacerts().out + "/ca-certificates.crt",
         ),
     )
 
 
-# Need better sandboxing
-# def git_test():
-#     return derivation(
-#         "git-test",
-#         "fetch_git",
-#         env=dict(url="https://github.com/maxmcd/bramble.git", cachebust=1),
-#     )
+def git_test():
+    return derivation(
+        "git-test",
+        "fetch_git",
+        env=dict(url="https://github.com/maxmcd/bramble.git", cachebust=1),
+    )
 
 
 def zig():

lib/go/build.sh

@@ -1,7 +1,5 @@
 set -ex
 
-
-export PATH=$stdenv/bin:$busybox/bin
 export LD_LIBRARY_PATH=$stdenv/lib
 
 mkdir -p /var/tmp
@@ -13,12 +11,18 @@ cd $out/go/src
 ls -lah ./cmd/dist
 export GO_LDFLAGS="-L $stdenv/lib -I $include -I $stdenv/include-glibc -I $stdenv/include"
 export CC="gcc -L $stdenv/lib -I $include -I $stdenv/include-glibc -I $stdenv/include -Wl,-rpath=$stdenv/lib -Wl,--dynamic-linker=$stdenv/lib/ld-linux-x86-64.so.2 "
-# export GOROOT_BOOTSTRAP=$(pwd)
+
 export CGO_ENABLED="0"
 sed -i 's/set -e/set -ex/g' ./make.bash
-# cat ./make.bash
+
 bash ./make.bash
 
+
+mkdir $out/bin
+cd $out/bin
+ln -s ../go/bin/go ./go
+ln -s ../go/bin/gofmt ./gofmt
+
 # this works for a few things, but has trouble finding the network, resolve.conf
 # syslog, no go in PATH,
 # stat testdata/libmach8db: no such file or directory

notes/22-bramble-run.md

@@ -0,0 +1,10 @@
+Bramble run and bramble shell
+
+
+Bramble run works to run a function, by default it takes no stdin and doesn't take the environment's variables.
+
+Bramble shell runs a shell, takes environment variables from the local environment (maybe even allows RO access to $HOME??), but is not allowed for external deps.
+
+
+When either of these are called the drv $out/bin is added to the path.
+

pkg/bramble/bramble.go

@@ -0,0 +1,22 @@
+package bramble
+
+import (
+	build "github.com/maxmcd/bramble/pkg/bramblebuild"
+	project "github.com/maxmcd/bramble/pkg/brambleproject"
+)
+
+type bramble struct {
+	store   *build.Store
+	project *project.Project
+}
+
+func newBramble() (b bramble, err error) {
+	if b.project, err = project.NewProject("."); err != nil {
+		return
+	}
+	if b.store, err = build.NewStore(""); err != nil {
+		return
+	}
+	b.store.RegisterGetGit(b.runGit)
+	return b, nil
+}

pkg/bramble/build.go

@@ -10,39 +10,28 @@ import (
 	"github.com/pkg/errors"
 )
 
-func runBuildFromOutput(output project.ExecModuleOutput) (outputDerivations []build.Derivation, err error) {
-	return runBuild(func(p *project.Project) (project.ExecModuleOutput, error) {
+func (b bramble) runBuildFromOutput(output project.ExecModuleOutput) (outputDerivations []build.Derivation, err error) {
+	return b.runBuild(func() (project.ExecModuleOutput, error) {
 		return output, nil
 	})
 }
 
-func runBuildFromCLI(command string, args []string) (outputDerivations []build.Derivation, err error) {
-	return runBuild(func(p *project.Project) (output project.ExecModuleOutput, err error) {
-		return p.ExecModule(project.ExecModuleInput{
+func (b bramble) runBuildFromCLI(command string, args []string) (outputDerivations []build.Derivation, err error) {
+	return b.runBuild(func() (output project.ExecModuleOutput, err error) {
+		return b.project.ExecModule(project.ExecModuleInput{
 			Command:   command,
 			Arguments: args,
 		})
 	})
 }
 
-func runBuild(execModule func(*project.Project) (project.ExecModuleOutput, error)) (outputDerivations []build.Derivation, err error) {
-	p, err := project.NewProject(".")
+func (b bramble) runBuild(execModule func() (project.ExecModuleOutput, error)) (outputDerivations []build.Derivation, err error) {
+	output, err := execModule()
 	if err != nil {
 		return nil, err
 	}
 
-	output, err := execModule(p)
-	if err != nil {
-		return nil, err
-	}
-
-	store, err := build.NewStore("")
-	if err != nil {
-		return nil, err
-	}
-	store.RegisterGetGit(getGit)
-
-	builder := store.NewBuilder(false, p.URLHashes())
+	builder := b.store.NewBuilder(false, b.project.URLHashes())
 
 	derivationIDUpdates := map[project.Dependency]build.DerivationOutput{}
 	// allDerivations := []build.Derivation{}
@@ -63,16 +52,16 @@ func runBuild(execModule func(*project.Project) (project.ExecModuleOutput, error
 		}
 		derivationDataLock.Unlock()
 
-		source, err := store.StoreLocalSources(build.SourceFiles{
-			ProjectLocation: p.Location(),
+		source, err := b.store.StoreLocalSources(build.SourceFiles{
+			ProjectLocation: b.project.Location(),
 			Location:        drv.Sources.Location,
 			Files:           drv.Sources.Files,
 		}) // TODO: delete this if the build fails?
 		if err != nil {
 			return nil, errors.Wrap(err, "error moving local files to the store")
 		}
 
-		_, buildDrv, err := store.NewDerivation(build.NewDerivationOptions{
+		_, buildDrv, err := b.store.NewDerivation(build.NewDerivationOptions{
 			Args:             drv.Args,
 			Builder:          drv.Builder,
 			Env:              drv.Env,
@@ -120,7 +109,7 @@ func runBuild(execModule func(*project.Project) (project.ExecModuleOutput, error
 		return nil, err
 	}
 
-	err = p.AddURLHashesToLockfile(builder.URLHashes)
+	err = b.project.AddURLHashesToLockfile(builder.URLHashes)
 	if err != nil {
 		return outputDerivations, err
 	}