diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index 6ca474d67ef..ac2b51881aa 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -2404,6 +2404,12 @@ fingerprint = "67FE 98F2 8C44 CF22 1828 E12F D57E FA62 5C9A 925F"; }]; }; + euank = { + email = "euank-nixpkg@euank.com"; + github = "euank"; + githubId = 2147649; + name = "Euan Kemp"; + }; evanjs = { email = "evanjsx@gmail.com"; github = "evanjs"; diff --git a/pkgs/applications/networking/cluster/k3s/default.nix b/pkgs/applications/networking/cluster/k3s/default.nix new file mode 100644 index 00000000000..a032a3c12ad --- /dev/null +++ b/pkgs/applications/networking/cluster/k3s/default.nix @@ -0,0 +1,233 @@ +with import {}; + +{ stdenv, lib, makeWrapper, fetchFromGitHub, fetchurl, fetchzip }: + +with lib; + +# k3s is a kinda weird derivation. One of the main points of k3s is the +# simplicity of it being one binary that can perform several tasks. +# However, when you have a good package manager (like nix), that doesn't +# actually make much of a difference; you don't really care if it's one binary +# or 10 since with a good package manager, installing and running it is +# identical. +# Since upstream k3s packages itself as one large binary with several +# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s +# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with +# some exceptions. +# K3s also carries patches to some packages (such as containerd and cni +# plugins), so we intentionally use the k3s versions of those binaries for k3s, +# even if the upstream version of those binaries exist in nixpkgs already. In +# the end, that means we have a thick k3s binary that behaves like the upstream +# one for the most part. +# However, k3s also bundles several pieces of unpatched software, from the +# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc. +# Those pieces of software we entirely ignore upstream's handling of, and just +# make sure they're in the path if desired. +let + k3sVersion = "1.17.3+k3s1"; # k3s git tag + traefikChartVersion = "1.81.0"; # taken from ./scripts/version.sh at the above k3s tag + k3sRootVersion = "0.3.0"; # taken from .s/cripts/version.sh at the above k3s tag + # bundled into the k3s binary + traefikChart = fetchurl { + url = "https://kubernetes-charts.storage.googleapis.com/traefik-${traefikChartVersion}.tgz"; + sha256 = "1aqpzgjlvqhil0g3angz94zd4xbl4iq0qmpjcy5aq1xv9qciwdi9"; + }; + # so, k3s is a complicated thing to package + # This derivation attempts to avoid including any random binaries from the + # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which + # we don't care about doing, we can add those as build or runtime + # dependencies using a real package manager). + # In addition to those binaries, it's also configuration though (right now + # mostly strongswan configuration), and k3s does use those files. + # As such, we download it in order to grab 'etc' and bundle it into the final + # k3s binary. + k3sRoot = fetchzip { + # Note: marked as apache 2.0 license + url = "https://github.com/rancher/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar"; + sha256 = "12xafn5jivl8lqdcs25b28xrc4mf7yf1xif5np169nvvxgvmpdxp"; + stripRoot=false; + }; + k3sPlugins = buildGoPackage rec { + name = "k3s-cni-plugins"; + version = "0.7.6-k3s1"; # from ./scripts/version.sh 'VERSION_CNIPLUGINS'; update when k3s's repo is updated. + + goPackagePath = "github.com/containernetworking/plugins"; + subPackages = [ "." ]; + + src = fetchFromGitHub { + owner = "rancher"; + repo = "plugins"; + rev = "v${version}"; + sha256 = "0ax72z1ziann352bp6khfds8vlf3bbkqckrkpx4l4jxgqks45izs"; + }; + + meta = { + description = "k3s-cni-plugins"; + license = licenses.asl20; + homepage = https://k3s.io; + maintainers = []; + platforms = platforms.linux; + }; + }; + # Grab this separately from a build because it's used by both stages of the + # k3s build. + k3sRepo = fetchgit { + url = "https://github.com/rancher/k3s"; + rev = "v${k3sVersion}"; + leaveDotGit = true; # for version / build date below + sha256 = "0qahyc0mf9glxj49va6d20mcncqg4svfic2iz8b1lqid5c4g68mm"; + }; + # Stage 1 of the k3s build: + # Let's talk about how k3s is structured. + # One of the ideas of k3s is that there's the single "k3s" binary which can + # do everything you need, from running a k3s server, to being a worker node, + # to running kubectl. + # The way that actually works is that k3s is a single go binary that contains + # a bunch of bindata that it unpacks at runtime into directories (either the + # user's home directory or /var/lib/rancher if run as root). + # This bindata includes both binaries and configuration. + # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations. + # First, we build all the binaries that get packed into the thick k3s binary + # (and output them from one derivation so they'll all be suitably patched up). + # Then, we bundle those binaries into our thick k3s binary and use that as + # the final single output. + # This approach was chosen because it ensures the bundled binaries all are + # correctly built to run with nix (we can lean on the existing buildGoPackage + # stuff), and we can again lean on that tooling for the final k3s binary too. + # Other alternatives would be to manually run the + # strip/patchelf/remove-references step ourselves in the installPhase of the + # derivation when we've built all the binaries, but haven't bundled them in + # with generated bindata yet. + k3sBuildStage1 = buildGoPackage rec { + name = "k3s-build-1"; + version = "${k3sVersion}"; + + goPackagePath = "github.com/rancher/k3s"; + + src = k3sRepo; + + patches = [ ./patches/00-k3s.patch ]; + + nativeBuildInputs = [ pkgconfig autoPatchelfHook breakpointHook ]; + buildInputs = [ git runc libseccomp ]; + + buildPhase = '' + pushd go/src/${goPackagePath} + + patchShebangs ./scripts/build ./scripts/version.sh + mkdir -p bin + ./scripts/build + + popd + ''; + + installPhase = '' + pushd go/src/${goPackagePath} + + mkdir -p "$bin/bin" + install -m 0755 -t "$bin/bin" ./bin/* + + popd + ''; + + meta = { + description = "The various binaries that get packaged into the final k3s binary."; + license = licenses.asl20; + homepage = https://k3s.io; + maintainers = []; + platforms = platforms.linux; + }; + }; + k3sBuild = buildGoPackage rec { + name = "k3s-build"; + version = "${k3sVersion}"; + + goPackagePath = "github.com/rancher/k3s"; + + src = k3sRepo; + + patches = [ ./patches/00-k3s.patch ]; + + nativeBuildInputs = [ pkgconfig autoPatchelfHook breakpointHook ]; + buildInputs = [ git k3sBuildStage1 ]; + + # In order to build the thick k3s binary (which is what + # ./scripts/package-cli does), we need to get all the binaries that script + # expects in place. + buildPhase = '' + pushd go/src/${goPackagePath} + + patchShebangs ./scripts/build ./scripts/version.sh ./scripts/package-cli + + mkdir -p bin + + install -m 0755 -t ./bin ${k3sBuildStage1}/bin/* + install -m 0755 -T "${k3sPlugins}/bin/plugins" ./bin/cni + # Note: use the already-nixpkgs-bundled k3s rather than the one bundled + # in k3s because the k3s one is completely unmodified from upstream + # (unlike containerd, cni, etc) + install -m 0755 -T "${runc}/bin/runc" ./bin/runc + cp -R "${k3sRoot}/etc" ./etc + mkdir -p "build/static/charts" + cp "${traefikChart}" "build/static/charts/traefik-${traefikChartVersion}.tgz" + + ./scripts/package-cli + + popd + ''; + + installPhase = '' + pushd go/src/${goPackagePath} + + mkdir -p "$bin/bin" + install -m 0755 -t "$bin/bin" ./dist/artifacts/k3s + + popd + ''; + + meta = { + description = "The k3s go binary which is used by the final wrapped output below."; + license = licenses.asl20; + homepage = https://k3s.io; + maintainers = []; + platforms = platforms.linux; + }; + }; +in +stdenv.mkDerivation rec { + name = "k3s"; + + # Important utilities used by the kubelet, see + # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494 + # Note the list in that issue is stale and some aren't relevant for k3s. + k3sRuntimeDeps = [ + socat iptables iproute bridge-utils ethtool utillinux ipset conntrack-tools + ]; + + buildInputs = [ + k3sBuild makeWrapper + ] ++ k3sRuntimeDeps; + + unpackPhase = "true"; + + # And, one final derivation (you thought the last one was it, right?) + # We got the binary we wanted above, but it doesn't have all the runtime + # dependencies k8s wants, including mount utilities for kubelet, networking + # tools for cni/kubelet stuff, etc + # Use a wrapper script to reference all the binaries that k3s tries to + # execute, but that we didn't bundle with it. + installPhase = '' + mkdir -p "$out/bin" + makeWrapper ${k3sBuild}/bin/k3s "$out/bin/k3s" \ + --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \ + --prefix PATH : "$out/bin" + ''; + + meta = { + description = "A lightweight Kubernetes distribution."; + license = licenses.asl20; + homepage = https://k3s.io; + maintainers = with maintainers; [ euank ]; + platforms = platforms.linux; + }; +} diff --git a/pkgs/applications/networking/cluster/k3s/patches/00-k3s.patch b/pkgs/applications/networking/cluster/k3s/patches/00-k3s.patch new file mode 100644 index 00000000000..afe2c356aa4 --- /dev/null +++ b/pkgs/applications/networking/cluster/k3s/patches/00-k3s.patch @@ -0,0 +1,74 @@ +diff --git a/main.go b/main.go +index 62908bb7bb..0527222887 100644 +--- a/main.go ++++ b/main.go +@@ -1,5 +1,5 @@ + //go:generate go run pkg/codegen/cleanup/main.go +-//go:generate /bin/rm -rf pkg/generated ++//go:generate rm -rf pkg/generated + //go:generate go run pkg/codegen/main.go + //go:generate go fmt pkg/deploy/zz_generated_bindata.go + //go:generate go fmt pkg/static/zz_generated_bindata.go +diff --git a/scripts/build b/scripts/build +index 72d3c07ece..3e5455b262 100755 +--- a/scripts/build ++++ b/scripts/build +@@ -10,7 +10,8 @@ PKG_CONTAINERD="github.com/containerd/containerd" + PKG_RANCHER_CONTAINERD="github.com/rancher/containerd" + PKG_CRICTL="github.com/kubernetes-sigs/cri-tools" + +-buildDate=$(date -u '+%Y-%m-%dT%H:%M:%SZ') ++# Deterministic build date ++buildDate="$(date -d "$(git log -1 --format=%ai)" -u "+%Y-%m-%dT%H:%M:%SZ")" + + VENDOR_PREFIX="${PKG}/vendor/" + VERSIONFLAGS=" +@@ -82,17 +83,7 @@ cleanup() { + } + + INSTALLBIN=$(pwd)/bin +-if [ ! -x ${INSTALLBIN}/cni ]; then +-( +- echo Building cni +- TMPDIR=$(mktemp -d) +- trap cleanup EXIT +- WORKDIR=$TMPDIR/src/github.com/containernetworking/plugins +- git clone -b $VERSION_CNIPLUGINS https://github.com/rancher/plugins.git $WORKDIR +- cd $WORKDIR +- GOPATH=$TMPDIR CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$LDFLAGS $STATIC" -o $INSTALLBIN/cni +-) +-fi ++# skip building cni, use our separately built one + # echo Building agent + # CGO_ENABLED=1 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/k3s-agent ./cmd/agent/main.go + echo Building server +@@ -108,9 +99,8 @@ ln -s containerd ./bin/ctr + #CGO_ENABLED=1 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC_SQLITE" -o bin/ctr ./cmd/ctr/main.go + # echo Building containerd + # CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/containerd ./cmd/containerd/ +-echo Building runc +-make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp" -C ./vendor/github.com/opencontainers/runc static +-cp -f ./vendor/github.com/opencontainers/runc/runc ./bin/runc ++ ++# skip building runc; use our packaged one + + echo Building containerd-shim + make -C ./vendor/github.com/containerd/containerd bin/containerd-shim +diff --git a/scripts/package-cli b/scripts/package-cli +index 4c66ce32df..6d1e0c03cb 100755 +--- a/scripts/package-cli ++++ b/scripts/package-cli +@@ -55,10 +55,10 @@ LDFLAGS=" + -X github.com/rancher/k3s/pkg/version.GitCommit=${COMMIT:0:8} + -w -s + " +-STATIC="-extldflags '-static'" + if [ "$DQLITE" = "true" ]; then + DQLITE_TAGS="dqlite" + fi +-CGO_ENABLED=0 go build -tags "$DQLITE_TAGS" -ldflags "$LDFLAGS $STATIC" -o ${CMD_NAME} ./cmd/k3s/main.go ++go build -tags "$DQLITE_TAGS" -ldflags "$LDFLAGS" -o ${CMD_NAME} ./cmd/k3s/main.go + +-./scripts/build-upload ${CMD_NAME} ${COMMIT} ++# for nixos, don't upload it ++# ./scripts/build-upload ${CMD_NAME} ${COMMIT} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 064ff0724d0..3a9e66abc55 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -20159,6 +20159,8 @@ in boost = boost155.override { enablePython = true; }; }; + k3s = callPackage ../applications/networking/cluster/k3s {}; + k9copy = libsForQt5.callPackage ../applications/video/k9copy {}; kail = callPackage ../tools/networking/kail { };