*: fully hermetic builds and nix shell support
This change is a slightly more polished version of Serge's experiment:
- https://review.monogon.dev/c/monogon/+/1148
- https://bin.monogon.dev/pasta/sloth-parrot-ant
- https://bin.monogon.dev/pasta/eel-seal-wolf
There are two execution environments we have to support:
- Most builds run inside a sandbox, which is a Fedora
environment and does not require any host dependencies at all.
- Bazel itself and the tooling we require to bootstrap
the sandbox (mainly, Go and Proto toolchains). This has to
work directly on the host.
We first make the sandbox fully hermetic by setting
--experimental_use_hermetic_linux_sandbox, which sets up an empty /
instead of mounting over individual directories, removing any remaining
host paths from the sandbox (except /proc and /dev/shm, which are
required by some toolchains). We also force static values for the shell,
$TMPDIR and $PATH, which would otherwise leak into the sandbox.
For the host, we use buildFHSUserEnv to build an environment which
supports our static toolchains, as well as a clean Bazel build
without all the nixpkgs patches which would otherwise break our custom
toolchains and sandbox implementation.
This allows us to use the exact same toolchains on NixOS and other
distros for perfect reproducibility.
Fixes https://github.com/monogon-dev/monogon/issues/174.
Fixes https://github.com/monogon-dev/monogon/issues/175.
Co-authored-by: Serge Bazanski <serge@monogon.tech>
Change-Id: I665471a45b315ce7e93ef16d9d056d7622886959
Reviewed-on: https://review.monogon.dev/c/monogon/+/1929
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
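The sandbox settings the commit message describes, written out as a `.bazelrc` fragment. This is an added illustration, not the project's own configuration: the flag names are real Bazel flags, but the mount list, the shell path and the fixed `PATH`/`TMPDIR` values are assumptions chosen for the example, not taken from the change.

```bazelrc
# Illustrative .bazelrc fragment (not from the monogon repository).

# Start every sandboxed action from an empty / instead of bind-mounting the
# host's top-level directories over the sandbox root.
build --experimental_use_hermetic_linux_sandbox

# The only host paths allowed back in; the commit message names /proc and
# /dev/shm as required by some toolchains. Anything else must arrive as a
# declared action input, which is what makes the build hermetic.
build --sandbox_add_mount_pair=/proc
build --sandbox_add_mount_pair=/dev/shm

# Pin the values that would otherwise leak in from the host environment.
# Paths are assumptions: they must resolve inside the sandbox, not on the host.
build --shell_executable=/bin/bash
build --action_env=PATH=/usr/bin:/bin
build --action_env=TMPDIR=/tmp
```

A quick check that the sandbox really is empty: a `genrule` whose `cmd` runs `ls /` and `env` should show only the mounted paths and the pinned variables above; any host directory or unexpected environment variable appearing there means a dependency has not yet been declared as an input.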
diff --git a/SETUP.md b/SETUP.md
index 16a2353..d48e894 100644
--- a/SETUP.md
+++ b/SETUP.md
@@ -32,7 +32,7 @@
- Ubuntu >= 20.04
- Debian >= 11
- RHEL / Alma / Rocky >= 8.4
-- NixOS >= 22.05 (see below)
+- NixOS >= 23.05 (see below)
You can use this snippet to install the official Bazelisk release binary to `/usr/local/bin`:
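Review bot: the bump to `NixOS >= 23.05` is not explained anywhere in the hunk or the commit message. Since the commit message ties NixOS support to `buildFHSUserEnv` and to a Bazel build without the nixpkgs patches, add a short parenthetical naming the nixpkgs package or feature that requires 23.05, so a reader on 22.11 can tell whether this is a hard requirement or just the tested version.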
@@ -76,8 +76,11 @@
### NixOS
-Bazelisk and rules_go does not work on NixOS since its prebuilt binaries are dynamically linked,
-so we cannot bootstrap the sandbox. We recommend building in a "normal" container.
+We fully support building on NixOS, and we provide a `shell.nix` file to make it easy:
+
+ nix-shell --pure
+
+(just don't look at it too closely unless you want toolchain-themed nightmares)
## IntelliJ
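Review bot: `nix-shell --pure` is given without saying what `shell.nix` provides or why `--pure` is needed. The "toolchain-themed nightmares" line would be better spent on one or two sentences from the commit message: the shell is a `buildFHSUserEnv` environment carrying a clean Bazel and the static toolchains, and `--pure` keeps the host's `$PATH`, `$TMPDIR` and shell from leaking into the build. Also state whether the shell provides `bazel` itself, so NixOS readers know whether the Bazelisk install snippet earlier in this file still applies to them.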