commit 9508b12bba50625eaccadc4aacf908ba538e3dd6
author Leopold Schabel <leo@monogon.tech> Fri Jul 14 17:54:17 2023 +0200
committer Leopold Schabel <leo@monogon.tech> Wed Jul 19 15:57:32 2023 +0000
tree acaf5e1981fc98101f25924a6fb44cf827f826c5
parent 150f24a5421dc1449d79a801524a7c98754f7bca

*: fully hermetic builds and nix shell support

This change is a slightly more polished version of Serge's experiment:
- https://review.monogon.dev/c/monogon/+/1148
- https://bin.monogon.dev/pasta/sloth-parrot-ant
- https://bin.monogon.dev/pasta/eel-seal-wolf

There are two execution environments we have to support:

- Most builds run inside a sandbox, which is a Fedora
  environment and does not require any host dependencies at all.

- Bazel itself and the tooling we require to bootstrap
  the sandbox (mainly, Go and Proto toolchains). This has to
  work directly on the host.

We first make the sandbox fully hermetic by setting
--experimental_use_hermetic_linux_sandbox, which set up an empty /
instead of mounting over individual directories, removing any remaining
host paths from the sandbox (except /proc and /dev/shm, which are
required by some toolchains). We also force static values for the shell,
$TMPDIR and $PATH, which would otherwise leak into the sandbox.

For the host, we use buildFHSUserEnv to build an environment which
supports our static toolchains, and well as a clean Bazel build
without all the nixpkgs patches which would otherwise break our custom
toolchains and sandbox implementation.

This allows us to use the exact same toolchains on NixOS and other
distros for perfect reproducibility.

Fixes https://github.com/monogon-dev/monogon/issues/174.
Fixes https://github.com/monogon-dev/monogon/issues/175.

Co-authored-by: Serge Bazanski <serge@monogon.tech>
Change-Id: I665471a45b315ce7e93ef16d9d056d7622886959
Reviewed-on: https://review.monogon.dev/c/monogon/+/1929
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>