nix-required-mounts: nixfmt
parent
ff430d1699
commit
ebeb6b9d1d
@ -1,10 +1,16 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.programs.nix-required-mounts;
|
||||
package = pkgs.nix-required-mounts;
|
||||
|
||||
Mount = with lib;
|
||||
Mount =
|
||||
with lib;
|
||||
types.submodule {
|
||||
options.host = mkOption {
|
||||
type = types.str;
|
||||
@ -15,25 +21,30 @@ let
|
||||
description = "Location in the sandbox to mount the host path at";
|
||||
};
|
||||
};
|
||||
Pattern = with lib.types;
|
||||
types.submodule ({ config, name, ... }: {
|
||||
options.onFeatures = lib.mkOption {
|
||||
type = listOf types.str;
|
||||
description =
|
||||
"Which requiredSystemFeatures should trigger relaxation of the sandbox";
|
||||
default = [ name ];
|
||||
};
|
||||
options.paths = lib.mkOption {
|
||||
type = listOf (oneOf [ path Mount ]);
|
||||
description =
|
||||
"A list of glob patterns, indicating which paths to expose to the sandbox";
|
||||
};
|
||||
options.unsafeFollowSymlinks = lib.mkEnableOption ''
|
||||
Instructs the hook to mount the symlink targets as well, when any of
|
||||
the `paths` contain symlinks. This may not work correctly with glob
|
||||
patterns.
|
||||
'';
|
||||
});
|
||||
Pattern =
|
||||
with lib.types;
|
||||
types.submodule (
|
||||
{ config, name, ... }:
|
||||
{
|
||||
options.onFeatures = lib.mkOption {
|
||||
type = listOf types.str;
|
||||
description = "Which requiredSystemFeatures should trigger relaxation of the sandbox";
|
||||
default = [ name ];
|
||||
};
|
||||
options.paths = lib.mkOption {
|
||||
type = listOf (oneOf [
|
||||
path
|
||||
Mount
|
||||
]);
|
||||
description = "A list of glob patterns, indicating which paths to expose to the sandbox";
|
||||
};
|
||||
options.unsafeFollowSymlinks = lib.mkEnableOption ''
|
||||
Instructs the hook to mount the symlink targets as well, when any of
|
||||
the `paths` contain symlinks. This may not work correctly with glob
|
||||
patterns.
|
||||
'';
|
||||
}
|
||||
);
|
||||
|
||||
driverPaths = [
|
||||
pkgs.addOpenGLRunpath.driverLink
|
||||
@ -53,8 +64,7 @@ in
|
||||
{
|
||||
meta.maintainers = with lib.maintainers; [ SomeoneSerge ];
|
||||
options.programs.nix-required-mounts = {
|
||||
enable = lib.mkEnableOption
|
||||
"Expose extra paths to the sandbox depending on derivations' requiredSystemFeatures";
|
||||
enable = lib.mkEnableOption "Expose extra paths to the sandbox depending on derivations' requiredSystemFeatures";
|
||||
presets.nvidia-gpu.enable = lib.mkEnableOption ''
|
||||
Declare the support for derivations that require an Nvidia GPU to be
|
||||
available, e.g. derivations with `requiredSystemFeatures = [ "cuda" ]`.
|
||||
@ -64,11 +74,11 @@ in
|
||||
You may extend or override the exposed paths via the
|
||||
`programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths` option.
|
||||
'';
|
||||
allowedPatterns = with lib.types;
|
||||
allowedPatterns =
|
||||
with lib.types;
|
||||
lib.mkOption rec {
|
||||
type = attrsOf Pattern;
|
||||
description =
|
||||
"The hook config, describing which paths to mount for which system features";
|
||||
description = "The hook config, describing which paths to mount for which system features";
|
||||
default = { };
|
||||
defaultText = lib.literalExpression ''
|
||||
{
|
||||
@ -86,28 +96,24 @@ in
|
||||
extraWrapperArgs = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [ ];
|
||||
description =
|
||||
lib.mdDoc
|
||||
"List of extra arguments (such as `--add-flags -v`) to pass to the hook's wrapper";
|
||||
description = "List of extra arguments (such as `--add-flags -v`) to pass to the hook's wrapper";
|
||||
};
|
||||
package = lib.mkOption {
|
||||
type = lib.types.package;
|
||||
default = package.override {
|
||||
inherit (cfg)
|
||||
allowedPatterns
|
||||
extraWrapperArgs;
|
||||
};
|
||||
description = lib.mdDoc "The final package with the final config applied";
|
||||
default = package.override { inherit (cfg) allowedPatterns extraWrapperArgs; };
|
||||
description = "The final package with the final config applied";
|
||||
internal = true;
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
{ nix.settings.pre-build-hook = lib.getExe cfg.package; }
|
||||
(lib.mkIf cfg.presets.nvidia-gpu.enable {
|
||||
nix.settings.system-features = cfg.allowedPatterns.nvidia-gpu.onFeatures;
|
||||
programs.nix-required-mounts.allowedPatterns = {
|
||||
inherit (defaults) nvidia-gpu;
|
||||
};
|
||||
})
|
||||
]);
|
||||
config = lib.mkIf cfg.enable (
|
||||
lib.mkMerge [
|
||||
{ nix.settings.pre-build-hook = lib.getExe cfg.package; }
|
||||
(lib.mkIf cfg.presets.nvidia-gpu.enable {
|
||||
nix.settings.system-features = cfg.allowedPatterns.nvidia-gpu.onFeatures;
|
||||
programs.nix-required-mounts.allowedPatterns = {
|
||||
inherit (defaults) nvidia-gpu;
|
||||
};
|
||||
})
|
||||
]
|
||||
);
|
||||
}
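Review bot: The `unsafeFollowSymlinks` description in the `Pattern` submodule (second hunk of this file) never says what makes the option unsafe; it only warns that it may not work correctly with glob patterns. As documented, enabling it makes the hook mount symlink targets in addition to the listed `paths`, so the host locations visible in the sandbox are presumably decided by whoever can create links under those paths, not by the `paths` list alone. I would add a sentence to the option text along the lines of `Only enable this when every listed path is writable by trusted users only, because link targets outside the list are mounted too.` The same file also appears to drop `lib.mdDoc` from two descriptions, which goes beyond formatting, so the wording fix could go in the same follow-up.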
|
||||
|
@ -1,6 +1,4 @@
|
||||
{ pkgs
|
||||
, ...
|
||||
}:
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (pkgs) lib;
|
||||
@ -9,32 +7,34 @@ in
|
||||
{
|
||||
name = "nix-required-mounts";
|
||||
meta.maintainers = with lib.maintainers; [ SomeoneSerge ];
|
||||
nodes.machine = { config, pkgs, ... }: {
|
||||
virtualisation.writableStore = true;
|
||||
system.extraDependencies = [ (pkgs.runCommand "deps" { } "mkdir $out").inputDerivation ];
|
||||
nix.nixPath = [ "nixpkgs=${../../..}" ];
|
||||
nix.settings.substituters = lib.mkForce [ ];
|
||||
nix.settings.system-features = [ "supported-feature" ];
|
||||
nix.settings.experimental-features = [ "nix-command" ];
|
||||
programs.nix-required-mounts.enable = true;
|
||||
programs.nix-required-mounts.allowedPatterns.supported-feature = {
|
||||
onFeatures = [ "supported-feature" ];
|
||||
paths = [
|
||||
"/supported-feature-files"
|
||||
{
|
||||
host = "/usr/lib/imaginary-fhs-drivers";
|
||||
guest = "/run/opengl-driver/lib";
|
||||
}
|
||||
nodes.machine =
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
virtualisation.writableStore = true;
|
||||
system.extraDependencies = [ (pkgs.runCommand "deps" { } "mkdir $out").inputDerivation ];
|
||||
nix.nixPath = [ "nixpkgs=${../../..}" ];
|
||||
nix.settings.substituters = lib.mkForce [ ];
|
||||
nix.settings.system-features = [ "supported-feature" ];
|
||||
nix.settings.experimental-features = [ "nix-command" ];
|
||||
programs.nix-required-mounts.enable = true;
|
||||
programs.nix-required-mounts.allowedPatterns.supported-feature = {
|
||||
onFeatures = [ "supported-feature" ];
|
||||
paths = [
|
||||
"/supported-feature-files"
|
||||
{
|
||||
host = "/usr/lib/imaginary-fhs-drivers";
|
||||
guest = "/run/opengl-driver/lib";
|
||||
}
|
||||
];
|
||||
unsafeFollowSymlinks = true;
|
||||
};
|
||||
users.users.person.isNormalUser = true;
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /supported-feature-files 0755 person users -"
|
||||
"f /usr/lib/libcuda.so 0444 root root - fakeContent"
|
||||
"L /usr/lib/imaginary-fhs-drivers/libcuda.so 0444 root root - /usr/lib/libcuda.so"
|
||||
];
|
||||
unsafeFollowSymlinks = true;
|
||||
};
|
||||
users.users.person.isNormalUser = true;
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /supported-feature-files 0755 person users -"
|
||||
"f /usr/lib/libcuda.so 0444 root root - fakeContent"
|
||||
"L /usr/lib/imaginary-fhs-drivers/libcuda.so 0444 root root - /usr/lib/libcuda.so"
|
||||
];
|
||||
};
|
||||
testScript = ''
|
||||
import shlex
|
||||
|
||||
|
@ -1,8 +1,9 @@
|
||||
{ pkgs ? import <nixpkgs> { }, feature }:
|
||||
|
||||
pkgs.runCommandNoCC "${feature}-not-present"
|
||||
{
|
||||
} ''
|
||||
pkgs ? import <nixpkgs> { },
|
||||
feature,
|
||||
}:
|
||||
|
||||
pkgs.runCommandNoCC "${feature}-not-present" { } ''
|
||||
if [[ -e /${feature}-files ]]; then
|
||||
echo "No ${feature} in requiredSystemFeatures, but /${feature}-files was mounted anyway"
|
||||
exit 1
|
||||
@ -10,4 +11,3 @@ pkgs.runCommandNoCC "${feature}-not-present"
|
||||
touch $out
|
||||
fi
|
||||
''
|
||||
|
||||
|
@ -1,9 +1,9 @@
|
||||
{ pkgs ? import <nixpkgs> { }, feature }:
|
||||
|
||||
pkgs.runCommandNoCC "${feature}-present"
|
||||
{
|
||||
requiredSystemFeatures = [ feature ];
|
||||
} ''
|
||||
pkgs ? import <nixpkgs> { },
|
||||
feature,
|
||||
}:
|
||||
|
||||
pkgs.runCommandNoCC "${feature}-present" { requiredSystemFeatures = [ feature ]; } ''
|
||||
if [[ ! -e /${feature}-files ]]; then
|
||||
echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
|
||||
exit 1
|
||||
|
@ -1,10 +1,8 @@
|
||||
{ pkgs ? import <nixpkgs> { } }:
|
||||
|
||||
pkgs.runCommandNoCC "nix-required-mounts-structured-attrs-no-features"
|
||||
{
|
||||
__structuredAttrs = true;
|
||||
} ''
|
||||
touch $out
|
||||
''
|
||||
|
||||
pkgs ? import <nixpkgs> { },
|
||||
}:
|
||||
|
||||
pkgs.runCommandNoCC "nix-required-mounts-structured-attrs-no-features" { __structuredAttrs = true; }
|
||||
''
|
||||
touch $out
|
||||
''
|
||||
|
@ -1,15 +1,18 @@
|
||||
{ pkgs ? import <nixpkgs> { }, feature }:
|
||||
{
|
||||
pkgs ? import <nixpkgs> { },
|
||||
feature,
|
||||
}:
|
||||
|
||||
pkgs.runCommandNoCC "${feature}-present-structured"
|
||||
{
|
||||
__structuredAttrs = true;
|
||||
requiredSystemFeatures = [ feature ];
|
||||
} ''
|
||||
if [[ -e /${feature}-files ]]; then
|
||||
touch $out
|
||||
else
|
||||
echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
|
||||
echo "Do we fail to parse __structuredAttrs=true derivations?" >&2
|
||||
fi
|
||||
''
|
||||
|
||||
{
|
||||
__structuredAttrs = true;
|
||||
requiredSystemFeatures = [ feature ];
|
||||
}
|
||||
''
|
||||
if [[ -e /${feature}-files ]]; then
|
||||
touch $out
|
||||
else
|
||||
echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
|
||||
echo "Do we fail to parse __structuredAttrs=true derivations?" >&2
|
||||
fi
|
||||
''
|
||||
|
@ -8,7 +8,7 @@
|
||||
}:
|
||||
|
||||
let
|
||||
blenderWithCuda = blender.override {cudaSupport = true;};
|
||||
blenderWithCuda = blender.override { cudaSupport = true; };
|
||||
name = "${blenderWithCuda.name}-check-cuda";
|
||||
unwrapped = writeScriptBin "${name}-unwrapped" ''
|
||||
#!${lib.getExe bash}
|
||||
@ -16,14 +16,11 @@ let
|
||||
'';
|
||||
in
|
||||
{
|
||||
cudaAvailable =
|
||||
runCommand name
|
||||
{
|
||||
nativeBuildInputs = [unwrapped];
|
||||
requiredSystemFeatures = ["cuda"];
|
||||
passthru = {
|
||||
inherit unwrapped;
|
||||
};
|
||||
}
|
||||
"${name}-unwrapped && touch $out";
|
||||
cudaAvailable = runCommand name {
|
||||
nativeBuildInputs = [ unwrapped ];
|
||||
requiredSystemFeatures = [ "cuda" ];
|
||||
passthru = {
|
||||
inherit unwrapped;
|
||||
};
|
||||
} "${name}-unwrapped && touch $out";
|
||||
}
|
||||
|
@ -3,32 +3,35 @@
|
||||
# in the sandbox as well. In practice, things seemed to have worked without
|
||||
# this as well, but we go with the safe option until we understand why.
|
||||
|
||||
{ lib
|
||||
, runCommand
|
||||
, python3Packages
|
||||
, allowedPatterns
|
||||
{
|
||||
lib,
|
||||
runCommand,
|
||||
python3Packages,
|
||||
allowedPatterns,
|
||||
}:
|
||||
runCommand "allowed-patterns.json"
|
||||
{
|
||||
nativeBuildInputs = [ python3Packages.python ];
|
||||
exportReferencesGraph =
|
||||
builtins.concatMap
|
||||
(name:
|
||||
builtins.concatMap
|
||||
(path:
|
||||
let
|
||||
prefix = "${builtins.storeDir}/";
|
||||
# Has to start with a letter: https://github.com/NixOS/nix/blob/516e7ddc41f39ff939b5d5b5dc71e590f24890d4/src/libstore/build/local-derivation-goal.cc#L568
|
||||
exportName = ''references-${lib.strings.removePrefix prefix "${path}"}'';
|
||||
isStorePath = lib.isStorePath path && (lib.hasPrefix prefix "${path}");
|
||||
in
|
||||
lib.optionals isStorePath [ exportName path ])
|
||||
allowedPatterns.${name}.paths)
|
||||
(builtins.attrNames allowedPatterns);
|
||||
env.storeDir = "${builtins.storeDir}/";
|
||||
shallowConfig = builtins.toJSON allowedPatterns;
|
||||
passAsFile = [ "shallowConfig" ];
|
||||
}
|
||||
{
|
||||
nativeBuildInputs = [ python3Packages.python ];
|
||||
exportReferencesGraph = builtins.concatMap (
|
||||
name:
|
||||
builtins.concatMap (
|
||||
path:
|
||||
let
|
||||
prefix = "${builtins.storeDir}/";
|
||||
# Has to start with a letter: https://github.com/NixOS/nix/blob/516e7ddc41f39ff939b5d5b5dc71e590f24890d4/src/libstore/build/local-derivation-goal.cc#L568
|
||||
exportName = ''references-${lib.strings.removePrefix prefix "${path}"}'';
|
||||
isStorePath = lib.isStorePath path && (lib.hasPrefix prefix "${path}");
|
||||
in
|
||||
lib.optionals isStorePath [
|
||||
exportName
|
||||
path
|
||||
]
|
||||
) allowedPatterns.${name}.paths
|
||||
) (builtins.attrNames allowedPatterns);
|
||||
env.storeDir = "${builtins.storeDir}/";
|
||||
shallowConfig = builtins.toJSON allowedPatterns;
|
||||
passAsFile = [ "shallowConfig" ];
|
||||
}
|
||||
''
|
||||
python ${./scripts/nix_required_mounts_closure.py}
|
||||
''
|
||||
|
@ -1,10 +1,16 @@
|
||||
{ addOpenGLRunpath
|
||||
, cmake
|
||||
, allowedPatternsPath ? callPackage ./closure.nix { inherit allowedPatterns; }
|
||||
, allowedPatterns ? rec {
|
||||
{
|
||||
addOpenGLRunpath,
|
||||
cmake,
|
||||
allowedPatternsPath ? callPackage ./closure.nix { inherit allowedPatterns; },
|
||||
allowedPatterns ? rec {
|
||||
# This config is just an example.
|
||||
# When the hook observes either of the following requiredSystemFeatures:
|
||||
nvidia-gpu.onFeatures = [ "gpu" "nvidia-gpu" "opengl" "cuda" ];
|
||||
nvidia-gpu.onFeatures = [
|
||||
"gpu"
|
||||
"nvidia-gpu"
|
||||
"opengl"
|
||||
"cuda"
|
||||
];
|
||||
# It exposes these paths in the sandbox:
|
||||
nvidia-gpu.paths = [
|
||||
addOpenGLRunpath.driverLink
|
||||
@ -12,28 +18,26 @@
|
||||
"/dev/nvidia*"
|
||||
];
|
||||
nvidia-gpu.unsafeFollowSymlinks = true;
|
||||
}
|
||||
, buildPackages
|
||||
, callPackage
|
||||
, extraWrapperArgs ? [ ]
|
||||
, formats
|
||||
, lib
|
||||
, makeWrapper
|
||||
, nix
|
||||
, nixosTests
|
||||
, python3Packages
|
||||
, runCommand
|
||||
},
|
||||
buildPackages,
|
||||
callPackage,
|
||||
extraWrapperArgs ? [ ],
|
||||
formats,
|
||||
lib,
|
||||
makeWrapper,
|
||||
nix,
|
||||
nixosTests,
|
||||
python3Packages,
|
||||
runCommand,
|
||||
}:
|
||||
|
||||
|
||||
let
|
||||
attrs = builtins.fromTOML (builtins.readFile ./pyproject.toml);
|
||||
pname = attrs.project.name;
|
||||
inherit (attrs.project) version;
|
||||
in
|
||||
|
||||
python3Packages.buildPythonApplication
|
||||
{
|
||||
python3Packages.buildPythonApplication {
|
||||
inherit pname version;
|
||||
pyproject = true;
|
||||
|
||||
|
@ -1,23 +1,17 @@
|
||||
{ runCommandNoCC
|
||||
, python
|
||||
}:
|
||||
{ runCommandNoCC, python }:
|
||||
|
||||
runCommandNoCC "pynvml-gpu-test"
|
||||
{
|
||||
nativeBuildInputs = [
|
||||
(python.withPackages (ps: [ ps.pynvml ]))
|
||||
];
|
||||
requiredSystemFeatures = [
|
||||
"cuda"
|
||||
];
|
||||
} ''
|
||||
python3 << EOF
|
||||
import pynvml
|
||||
from pynvml.smi import nvidia_smi
|
||||
{
|
||||
nativeBuildInputs = [ (python.withPackages (ps: [ ps.pynvml ])) ];
|
||||
requiredSystemFeatures = [ "cuda" ];
|
||||
}
|
||||
''
|
||||
python3 << EOF
|
||||
import pynvml
|
||||
from pynvml.smi import nvidia_smi
|
||||
|
||||
pynvml.nvmlInit()
|
||||
EOF
|
||||
|
||||
touch $out
|
||||
''
|
||||
pynvml.nvmlInit()
|
||||
EOF
|
||||
|
||||
touch $out
|
||||
''
|
||||
|
@ -16,7 +16,7 @@ let
|
||||
}:
|
||||
let
|
||||
name = "${torch.name}-${feature}-check";
|
||||
unwrapped = writers.writePython3Bin "${name}-unwrapped" {libraries = [torch];} ''
|
||||
unwrapped = writers.writePython3Bin "${name}-unwrapped" { libraries = [ torch ]; } ''
|
||||
import torch
|
||||
message = f"{torch.cuda.is_available()=} and {torch.version.${versionAttr}=}"
|
||||
assert torch.cuda.is_available() and torch.version.${versionAttr}, message
|
||||
@ -25,8 +25,8 @@ let
|
||||
in
|
||||
runCommandNoCC name
|
||||
{
|
||||
nativeBuildInputs = [unwrapped];
|
||||
requiredSystemFeatures = [feature];
|
||||
nativeBuildInputs = [ unwrapped ];
|
||||
requiredSystemFeatures = [ feature ];
|
||||
passthru = {
|
||||
inherit unwrapped;
|
||||
};
|
||||
|