| blob | 1f5507f2eb753ecbe547303d74146764d291176b |
1 { lib, writeText, runCommand, writeClosure }:
3 {
4 buildContainer =
5 { args
6 , mounts ? {}
7 , os ? "linux"
8 , arch ? "x86_64"
9 , readonly ? false
10 }:
11 let
12 sysMounts = {
13 "/proc" = {
14 type = "proc";
15 source = "proc";
16 };
17 "/dev" = {
18 type = "tmpfs";
19 source = "tmpfs";
20 options = [ "nosuid" "strictatime" "mode=755" "size=65536k" ];
21 };
22 "/dev/pts" = {
23 type = "devpts";
24 source = "devpts";
25 options = [ "nosuid" "noexec" "newinstance" "ptmxmode=0666" "mode=755" "gid=5" ];
26 };
27 "/dev/shm" = {
28 type = "tmpfs";
29 source = "shm";
30 options = [ "nosuid" "noexec" "nodev" "mode=1777" "size=65536k" ];
31 };
32 "/dev/mqueue" = {
33 type = "mqueue";
34 source = "mqueue";
35 options = [ "nosuid" "noexec" "nodev" ];
36 };
37 "/sys" = {
38 type = "sysfs";
39 source = "sysfs";
40 options = [ "nosuid" "noexec" "nodev" "ro" ];
41 };
42 "/sys/fs/cgroup" = {
43 type = "cgroup";
44 source = "cgroup";
45 options = [ "nosuid" "noexec" "nodev" "relatime" "ro" ];
46 };
47 };
48 config = writeText "config.json" (builtins.toJSON {
49 ociVersion = "1.0.0";
50 platform = {
51 inherit os arch;
52 };
54 linux = {
55 namespaces = map (type: { inherit type; }) [ "pid" "network" "mount" "ipc" "uts" ];
56 };
58 root = { path = "rootfs"; inherit readonly; };
60 process = {
61 inherit args;
62 user = { uid = 0; gid = 0; };
63 cwd = "/";
64 };
66 mounts = lib.mapAttrsToList (destination: { type, source, options ? null }: {
67 inherit destination type source options;
68 }) sysMounts;
69 });
70 in
71 runCommand "join" {} ''
72 set -o pipefail
73 mkdir -p $out/rootfs/{dev,proc,sys}
74 cp ${config} $out/config.json
75 xargs tar c < ${writeClosure args} | tar -xC $out/rootfs/
76 '';
77 }