Share /lib64 into the container (#109)
* Share /lib64 into the container

* Don't attempt to mount host directories that don't exist
grahamc authored Jul 22, 2024
1 parent 0d82cb0 commit ab6bcb2
Showing 2 changed files with 99 additions and 29 deletions.
62 changes: 47 additions & 15 deletions dist/index.js


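--- a/src/index.ts
+++ b/src/index.ts
@@ -688,6 +688,55 @@ class NixInstallerAction extends DetSysAction {
 
 {
 actionsCore.debug("Starting the Nix daemon through Docker...");
+
+const candidateDirectories = [
+{
+dir: "/bin",
+readOnly: true,
+},
+{
+dir: "/etc",
+readOnly: true,
+},
+{
+dir: "/home",
+readOnly: true,
+},
+{
+dir: "/lib",
+readOnly: true,
+},
+{
+dir: "/lib64",
+readOnly: true,
+},
+{
+dir: "/tmp",
+readOnly: false,
+},
+{
+dir: "/nix",
+readOnly: false,
+},
+];
+
+const mountArguments = [];
+
+for (const { dir, readOnly } of candidateDirectories) {
+try {
+await access(dir);
+actionsCore.debug(`Will mount ${dir} in the docker shim.`);
+mountArguments.push("--mount");
+mountArguments.push(
+`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}`,
+);
+} catch {
+actionsCore.debug(
+`Not mounting ${dir} in the docker shim: it doesn't appear to exist.`,
+);
+}
+}
+
 this.recordEvent(EVENT_START_DOCKER_SHIM);
 const exitCode = await actionsExec.exec(
 "docker",
@@ -699,25 +748,14 @@ class NixInstallerAction extends DetSysAction {
 "--network=host",
 "--userns=host",
 "--pid=host",
-"--mount",
-"type=bind,src=/bin,dst=/bin,readonly",
-"--mount",
-"type=bind,src=/lib,dst=/lib,readonly",
-"--mount",
-"type=bind,src=/home,dst=/home,readonly",
-"--mount",
-"type=bind,src=/tmp,dst=/tmp",
-"--mount",
-"type=bind,src=/nix,dst=/nix",
-"--mount",
-"type=bind,src=/etc,dst=/etc,readonly",
 "--restart",
 "always",
 "--init",
 "--name",
 `determinate-nix-shim-${this.getUniqueId()}-${randomUUID()}`,
-"determinate-nix-shim:latest",
-],
+]
+.concat(mountArguments)
+.concat(["determinate-nix-shim:latest"]),
 {
 silent: true,
 listeners: {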
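Review bot: The bare `catch {}` around `await access(dir)` in the first hunk reports every failure as "it doesn't appear to exist", so a host directory that exists but cannot be reached by the runner (a permission error, a dangling symlink) is silently dropped from the mount list at debug level and the shim then starts without it, with nothing in the log explaining why. Distinguishing the error code keeps the message honest and surfaces the unexpected case: `catch (err) { if ((err as NodeJS.ErrnoException).code !== "ENOENT") { actionsCore.warning(\`Not mounting ${dir} in the docker shim: ${err}\`); } else { actionsCore.debug(...); } }`. As a point of style, `const mountArguments: string[] = [];` states the intent better than the untyped `[]`, and the two consecutive pushes can be a single `mountArguments.push("--mount", \`type=bind,src=${dir},dst=${dir}${readOnly ? ",readonly" : ""}\`);`. The enclosing method begins before the first hunk and continues past the second, and the import that provides `access` is not visible in this section.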
