diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
index 3d809f8b..7c09d511 100644
--- a/.github/workflows/prod.yml
+++ b/.github/workflows/prod.yml
@@ -3,7 +3,7 @@ concurrency:
 group: ${{ github.actor }}
 jobs:
 deployContainer_makesAmd64:
- if: ${{ github.repository == 'fluidattacks/makes' }}
+ if: ${{ github.repository == 'dsalaza4/makes' }}
 runs-on: ubuntu-latest
 permissions:
 packages: write
@@ -17,7 +17,7 @@ jobs:
 with:
 args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /deployContainer/makesAmd64"
 deployContainer_makesArm64:
- if: ${{ github.repository == 'fluidattacks/makes' }}
+ if: ${{ github.repository == 'dsalaza4/makes' }}
 runs-on: buildjet-2vcpu-ubuntu-2204-arm
 permissions:
 packages: write
@@ -31,7 +31,7 @@ jobs:
 with:
 args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /deployContainer/makesArm64"
 deployContainerManifest_makes:
- if: ${{ github.repository == 'fluidattacks/makes' }}
+ if: ${{ github.repository == 'dsalaza4/makes' }}
 runs-on: ubuntu-latest
 permissions:
 packages: write
diff --git a/makes.nix b/makes.nix
index c7934471..40da21e5 100644
--- a/makes.nix
+++ b/makes.nix
@@ -20,7 +20,7 @@
 token = "GITHUB_TOKEN";
 user = "GITHUB_ACTOR";
 };
- image = "ghcr.io/fluidattacks/makes:amd64";
+ image = "ghcr.io/dsalaza4/makes:amd64";
 src = outputs."/container-image";
 sign = true;
 };
@@ -29,7 +29,7 @@
 token = "GITHUB_TOKEN";
 user = "GITHUB_ACTOR";
 };
- image = "ghcr.io/fluidattacks/makes:arm64";
+ image = "ghcr.io/dsalaza4/makes:arm64";
 src = outputs."/container-image";
 sign = true;
 };
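Review bot: The `if: ${{ github.repository == 'dsalaza4/makes' }}` gate on deployContainer_makesAmd64 — repeated in the deployContainer_makesArm64 and deployContainerManifest_makes hunks below — is the only thing that keeps this production deploy from running outside the upstream repository, and the same owner change is applied to the publish targets in makes.nix (`ghcr.io/dsalaza4/makes:amd64`, `:arm64`, `:latest` and the two manifest entries). This looks like a fork being pointed at its own namespace for testing; if so it should not land upstream, and if it is a deliberate move, consumers pulling the signed `ghcr.io/fluidattacks/makes` tags silently stop receiving updates and the retirement should be announced. The owner string is now hand-copied in six places across two files, so a comment above the first gate such as `# must match the ghcr.io/<owner>/makes images in makes.nix` would make a future drift between the gate and the publish target easier to catch.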
@@ -40,17 +40,17 @@
 token = "GITHUB_TOKEN";
 user = "GITHUB_ACTOR";
 };
- image = "ghcr.io/fluidattacks/makes:latest";
+ image = "ghcr.io/dsalaza4/makes:latest";
 manifests = [
 {
- image = "ghcr.io/fluidattacks/makes:amd64";
+ image = "ghcr.io/dsalaza4/makes:amd64";
 platform = {
 architecture = "amd64";
 os = "linux";
 };
 }
 {
- image = "ghcr.io/fluidattacks/makes:arm64";
+ image = "ghcr.io/dsalaza4/makes:arm64";
 platform = {
 architecture = "arm64";
 os = "linux";
diff --git a/makes/container-image/main.nix b/makes/container-image/main.nix
index 2614bcdf..157a8b8d 100644
--- a/makes/container-image/main.nix
+++ b/makes/container-image/main.nix
@@ -1,5 +1,5 @@
 { outputs, __nixpkgs__, ... }:
-__nixpkgs__.dockerTools.buildImage {
+__nixpkgs__.dockerTools.buildLayeredImage {
 config = {
 Env = [
 "HOME=/home/root"
@@ -11,12 +11,29 @@ __nixpkgs__.dockerTools.buildImage {
 "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
 "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
 "SYSTEM_CERTIFICATE_PATH=/etc/ssl/certs/ca-bundle.crt"
+
+ # Support non-nix binaries via nix-ld (glibc)
+ "NIX_LD_LIBRARY_PATH=${
+ __nixpkgs__.lib.makeLibraryPath [ __nixpkgs__.stdenv.cc ]
+ }"
+ "NIX_LD=${
+ __nixpkgs__.lib.fileContents
+ "${__nixpkgs__.stdenv.cc}/nix-support/dynamic-linker"
+ }"
 ];
 User = "root:root";
 WorkingDir = "/working-dir";
 };
 name = "container-image";
 tag = "latest";
+ maxLayers = 1;
+
+ # Support non-nix binaries via nix-ld (glibc)
+ fakeRootCommands = ''
+ mkdir /lib64
+ ln -s /libexec/nix-ld /lib64/$(basename $(< ${__nixpkgs__.stdenv.cc}/nix-support/dynamic-linker))
+ '';
+
 copyToRoot = __nixpkgs__.buildEnv {
 name = "root-file-system";
 ignoreCollisions = false;
@@ -29,6 +46,7 @@ __nixpkgs__.dockerTools.buildImage {
 __nixpkgs__.gnugrep
 __nixpkgs__.gnutar
 __nixpkgs__.gzip
+ __nixpkgs__.nix-ld
 __nixpkgs__.nixVersions.nix_2_15
 # Add /usr/bin/env pointing to /bin/env
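Review bot: In `fakeRootCommands`, `mkdir /lib64` and the `ln -s ... /lib64/...` target use absolute paths, while the nixpkgs documentation for buildLayeredImage runs these commands with the layer root as the working directory and its examples use `./`-relative paths, so as written they appear to act on the build sandbox's root rather than on the image (confirm against the nixpkgs revision in use). `mkdir` is also not `-p`, so the command fails if the directory already exists, and the link target `/libexec/nix-ld` depends on nix-ld being in `copyToRoot`, which only the next hunk adds. A safer form is `mkdir -p ./lib64` and `ln -s /libexec/nix-ld ./lib64/$(basename $(< ${__nixpkgs__.stdenv.cc}/nix-support/dynamic-linker))`. Since `maxLayers = 1` collapses the layered build back to a single layer and nix-ld lets ELF binaries outside the Nix closure run inside an image whose `User` is `root:root`, both deserve a why-comment, e.g. `# buildLayeredImage only for fakeRootCommands; keep a single layer` and `# nix-ld: non-Nix binaries can now execute here; they are not part of the image's Nix closure`. The enclosing `buildLayeredImage { ... }` attribute set starts and ends outside this hunk.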