Diffstat (limited to 'bwrap-files')
-rwxr-xr-xbwrap-files/chroot-initialise.sh4
-rwxr-xr-xbwrap-files/entry.sh6
-rwxr-xr-xbwrap-files/make-chroot.sh31
-rwxr-xr-xbwrap-files/start.sh45
4 files changed, 86 insertions, 0 deletions
diff --git a/bwrap-files/chroot-initialise.sh b/bwrap-files/chroot-initialise.sh
new file mode 100755
index 0000000..972bf75
--- /dev/null
+++ b/bwrap-files/chroot-initialise.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+sed -i '/^_apt:/d' /etc/passwd # See https://github.com/containers/bubblewrap/issues/210
+apt update && apt install -y build-essential curl libffi-dev libffi7 libgmp-dev libgmp10 libncurses-dev libncurses5 libtinfo5 locales
+PATH="$PATH:/usr/sbin" dpkg-reconfigure locales
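Review bot: Nothing stops the script after a failed package install: the shebang line is not followed by any `set` options, so if the `apt update && apt install -y …` chain fails the script still runs `dpkg-reconfigure locales` and exits 0, and the `bwrap` call in make-chroot.sh then reports a successful build of a chroot that is missing its toolchain. Add `set -euo pipefail` directly under `#!/bin/bash`. While here, the script-facing tool is `apt-get` (the `apt` front end prints a warning about its unstable CLI when used non-interactively), and the install line would be more robust as `DEBIAN_FRONTEND=noninteractive apt-get install -y …` so no package prompt can hang the unattended build.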
diff --git a/bwrap-files/entry.sh b/bwrap-files/entry.sh
new file mode 100755
index 0000000..f9c4ad3
--- /dev/null
+++ b/bwrap-files/entry.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+ghcup --offline run -- ghci 2>&1
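Review bot: The script carries no header saying where it runs, which matters because it is not meant to be executed from this directory at all — start.sh binds it into the sandbox as /tmp/entry.sh and invokes `/bin/bash "/tmp/entry.sh"`. Add a comment above `set -euo pipefail` such as `# Entry point executed inside the bwrap sandbox as /tmp/entry.sh (see start.sh); stderr is merged into stdout so the caller reads one stream.` Given that invocation `$0` is /tmp/entry.sh, so the `cd "$(dirname "$0")"` appears to only re-select /tmp, which start.sh already sets via `--chdir "/tmp"`; if it is kept for the case of running the script directly, a one-line comment saying so would prevent a reader from removing it.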
diff --git a/bwrap-files/make-chroot.sh b/bwrap-files/make-chroot.sh
new file mode 100755
index 0000000..d29d1af
--- /dev/null
+++ b/bwrap-files/make-chroot.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+basedir=ubuntu-base
+
+[[ ($# -le 0 || "$1" != "-f") && -d "$basedir" ]] && {
+ echo >&2 "Warning: base directory already exists, use -f to force"
+ exit 1
+}
+
+mkdir -p "$basedir"
+curl -L 'http://cdimage.ubuntu.com/ubuntu-base/releases/20.04/release/ubuntu-base-20.04.1-base-amd64.tar.gz' | tar -C "$basedir" -xz
+
+args=(
+ --bind ubuntu-base /
+ --ro-bind /etc/resolv.conf /etc/resolv.conf
+ --tmpfs /tmp
+ --dev /dev
+ --proc /proc
+ --new-session
+ --unshare-all
+ --share-net
+ --die-with-parent
+ --gid 0 --uid 0
+ --chdir /
+ --ro-bind chroot-initialise.sh /tmp/chinit.sh
+ /bin/bash /tmp/chinit.sh
+)
+bwrap "${args[@]}"
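Review bot: The base image is fetched over plain HTTP and piped straight into tar with no integrity check, so a tampered or truncated download becomes the root filesystem in which chroot-initialise.sh then runs apt as uid 0. Fetch over https with `curl -fsSL` (so an HTTP error page is not handed to tar), save to a temporary file, verify its SHA256 against the checksum published for that release, and only then extract; the rewrite below sketches this with the checksum left as a placeholder to fill from the release page. Two smaller points in the same hunk: `--bind ubuntu-base /` hard-codes the directory name instead of using `"$basedir"`, and with `-f` the tarball is extracted over whatever already exists in the directory rather than into a fresh tree, which deserves at least a comment.
```shell
# … unchanged: cd, basedir, -f/existing-directory check …

expected_sha256='<SHA256-FROM-UBUNTU-RELEASE-PAGE>'   # pin the published checksum of this exact tarball
tarball=$(mktemp) || exit 1
trap 'rm -f -- "$tarball"' EXIT

mkdir -p "$basedir"
curl -fsSL 'https://cdimage.ubuntu.com/ubuntu-base/releases/20.04/release/ubuntu-base-20.04.1-base-amd64.tar.gz' -o "$tarball"
# Refuse to unpack anything that does not match the pinned checksum.
printf '%s  %s\n' "$expected_sha256" "$tarball" | sha256sum -c --quiet -
tar -C "$basedir" -xzf "$tarball"

args=(
  --bind "$basedir" /
# … unchanged: remaining bwrap args and invocation …
```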
diff --git a/bwrap-files/start.sh b/bwrap-files/start.sh
new file mode 100755
index 0000000..859145c
--- /dev/null
+++ b/bwrap-files/start.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+filesdir="$(dirname "$0")"
+cd "$filesdir"
+
+ghcup_base=$(ghcup whereis basedir)
+
+chroot="${filesdir}/ubuntu-base"
+
+args=(
+ --tmpfs /tmp
+ --ro-bind "${chroot}/bin" /bin
+ --ro-bind "${chroot}/usr/bin" /usr/bin
+ --ro-bind "${chroot}/usr/lib" /usr/lib
+ --ro-bind "${chroot}/usr/include" /usr/include
+ --ro-bind "${chroot}/lib" /lib
+ --ro-bind "${chroot}/lib64" /lib64
+ --dir "${ghcup_base}"
+ --ro-bind "${ghcup_base}/bin" "${ghcup_base}/bin"
+ --ro-bind "${ghcup_base}/ghc" "${ghcup_base}/ghc"
+ --ro-bind "${ghcup_base}/cache" "${ghcup_base}/cache"
+ --setenv PATH "/bin:/usr/bin:${ghcup_base}/bin"
+ --setenv GHCUP_INSTALL_BASE_PREFIX "$(dirname ${ghcup_base})"
+ --proc /proc
+ --chdir "/tmp"
+ --new-session
+ --unshare-all
+ --die-with-parent
+ --file 4 "/tmp/entry.sh"
+ /bin/bash "/tmp/entry.sh"
+)
+
+# Turn off core files
+ulimit -c 0
+
+# Limit on the number of processes
+ulimit -u 10000
+
+# Limit memory to 600 MiB. Note that the compiled program gets a 500 MiB memory
+# limit via the GHC RTS, so this limit is 1. to constrain GHC itself (including
+# any TH code), and 2. as a second-layer defense.
+ulimit -d $(( 600 * 1024 ))
+
+exec bwrap "${args[@]}" 4<"${filesdir}/entry.sh"
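Review bot: `filesdir` is used after `cd "$filesdir"` as if it were absolute, but `dirname "$0"` is relative whenever the script is invoked by a relative path from another directory (e.g. `bwrap-files/start.sh`), in which case `"${chroot}/bin"` and the `4<"${filesdir}/entry.sh"` redirection on the final line resolve to `bwrap-files/bwrap-files/…` and the script fails. Resolve it once, before changing directory: `filesdir="$(cd "$(dirname "$0")" && pwd)"`. Also, the `GHCUP_INSTALL_BASE_PREFIX` line leaves `${ghcup_base}` unquoted inside the command substitution, so a base directory containing whitespace would be split; write it as `--setenv GHCUP_INSTALL_BASE_PREFIX "$(dirname "${ghcup_base}")"`.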