Diffstat (limited to 'bwrap-files')
-rwxr-xr-x | bwrap-files/chroot-initialise.sh | 4 | ||||
-rwxr-xr-x | bwrap-files/entry.sh | 6 | ||||
-rwxr-xr-x | bwrap-files/make-chroot.sh | 31 | ||||
-rwxr-xr-x | bwrap-files/start.sh | 45 |
4 files changed, 86 insertions, 0 deletions
diff --git a/bwrap-files/chroot-initialise.sh b/bwrap-files/chroot-initialise.sh
new file mode 100755
index 0000000..972bf75
--- /dev/null
+++ b/bwrap-files/chroot-initialise.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+sed -i '/^_apt:/d' /etc/passwd # See https://github.com/containers/bubblewrap/issues/210
+apt update && apt install -y build-essential curl libffi-dev libffi7 libgmp-dev libgmp10 libncurses-dev libncurses5 libtinfo5 locales
+PATH="$PATH:/usr/sbin" dpkg-reconfigure locales
diff --git a/bwrap-files/entry.sh b/bwrap-files/entry.sh
new file mode 100755
index 0000000..f9c4ad3
--- /dev/null
+++ b/bwrap-files/entry.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+ghcup --offline run -- ghci 2>&1
diff --git a/bwrap-files/make-chroot.sh b/bwrap-files/make-chroot.sh
new file mode 100755
index 0000000..d29d1af
--- /dev/null
+++ b/bwrap-files/make-chroot.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+basedir=ubuntu-base
+
+[[ ($# -le 0 || "$1" != "-f") && -d "$basedir" ]] && {
+echo >&2 "Warning: base directory already exists, use -f to force"
+exit 1
+}
+
+mkdir -p "$basedir"
+curl -L 'http://cdimage.ubuntu.com/ubuntu-base/releases/20.04/release/ubuntu-base-20.04.1-base-amd64.tar.gz' | tar -C "$basedir" -xz
+
+args=(
+--bind ubuntu-base /
+--ro-bind /etc/resolv.conf /etc/resolv.conf
+--tmpfs /tmp
+--dev /dev
+--proc /proc
+--new-session
+--unshare-all
+--share-net
+--die-with-parent
+--gid 0 --uid 0
+--chdir /
+--ro-bind chroot-initialise.sh /tmp/chinit.sh
+/bin/bash /tmp/chinit.sh
+)
+bwrap "${args[@]}"
diff --git a/bwrap-files/start.sh b/bwrap-files/start.sh
new file mode 100755
index 0000000..859145c
--- /dev/null
+++ b/bwrap-files/start.sh
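Review bot: chroot-initialise.sh has no `set -euo pipefail`, unlike the three sibling scripts, so when `apt update` fails the `&&` only skips the install, `dpkg-reconfigure` still runs, and the script exits 0; make-chroot.sh then reports success on a base image that is missing every package ghc needs. Add `set -euo pipefail` after the shebang, and since the script runs inside bwrap with `--new-session` and no terminal, also `export DEBIAN_FRONTEND=noninteractive` so apt/dpkg never block on a configuration prompt. The `apt` front end prints a warning that its CLI is not stable for scripts; `apt-get update && apt-get install -y --no-install-recommends ...` is the conventional form and also keeps the image smaller.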
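Review bot: The base tarball in make-chroot.sh is fetched over plain `http://` and piped straight into `tar` with no integrity check, so anything that can alter or truncate the transfer becomes the root filesystem that every later sandbox is built on; `curl` also lacks `-f`, so an HTTP error page would be fed to tar rather than failing the download. Download to a temporary file with `curl -fsSL` over `https://`, verify its SHA-256 against the checksum published next to the release (pinned in the script), and only then extract. The `echo >&2 "Warning: ..."` followed by `exit 1` is also an error rather than a warning; `Error:` would match the exit status.
```shell
mkdir -p "$basedir"
# Expected SHA-256 of the pinned tarball; copy it from the release's SHA256SUMS file.
base_sha256='<SHA256-OF-ubuntu-base-20.04.1-base-amd64.tar.gz>'
tarball=$(mktemp) || exit 1
trap 'rm -f -- "$tarball"' EXIT
curl -fsSL 'https://cdimage.ubuntu.com/ubuntu-base/releases/20.04/release/ubuntu-base-20.04.1-base-amd64.tar.gz' -o "$tarball"
printf '%s  %s\n' "$base_sha256" "$tarball" | sha256sum -c - >/dev/null
tar -C "$basedir" -xzf "$tarball"
# … unchanged: args array and bwrap invocation …
```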
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+filesdir="$(dirname "$0")"
+cd "$filesdir"
+
+ghcup_base=$(ghcup whereis basedir)
+
+chroot="${filesdir}/ubuntu-base"
+
+args=(
+--tmpfs /tmp
+--ro-bind "${chroot}/bin" /bin
+--ro-bind "${chroot}/usr/bin" /usr/bin
+--ro-bind "${chroot}/usr/lib" /usr/lib
+--ro-bind "${chroot}/usr/include" /usr/include
+--ro-bind "${chroot}/lib" /lib
+--ro-bind "${chroot}/lib64" /lib64
+--dir "${ghcup_base}"
+--ro-bind "${ghcup_base}/bin" "${ghcup_base}/bin"
+--ro-bind "${ghcup_base}/ghc" "${ghcup_base}/ghc"
+--ro-bind "${ghcup_base}/cache" "${ghcup_base}/cache"
+--setenv PATH "/bin:/usr/bin:${ghcup_base}/bin"
+--setenv GHCUP_INSTALL_BASE_PREFIX "$(dirname ${ghcup_base})"
+--proc /proc
+--chdir "/tmp"
+--new-session
+--unshare-all
+--die-with-parent
+--file 4 "/tmp/entry.sh"
+/bin/bash "/tmp/entry.sh"
+)
+
+# Turn off core files
+ulimit -c 0
+
+# Limit on the number of processes
+ulimit -u 10000
+
+# Limit memory to 600 MiB. Note that the compiled program gets a 500 MiB memory
+# limit via the GHC RTS, so this limit is 1. to constrain GHC itself (including
+# any TH code), and 2. as a second-layer defense.
+ulimit -d $(( 600 * 1024 ))
+
+exec bwrap "${args[@]}" 4<"${filesdir}/entry.sh" |
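Review bot: start.sh reuses `filesdir` after `cd "$filesdir"`, in `chroot="${filesdir}/ubuntu-base"` and in the final `4<"${filesdir}/entry.sh"`, so when the script is invoked by a relative path such as `bwrap-files/start.sh` both resolve against the new working directory and the `--ro-bind` sources and the fd-4 redirect fail; it only works from inside the directory or via an absolute path. Make the path absolute once, `filesdir="$(cd "$(dirname "$0")" && pwd)"`, and the later uses are correct regardless of how it is called. The `--setenv GHCUP_INSTALL_BASE_PREFIX "$(dirname ${ghcup_base})"` line leaves `${ghcup_base}` unquoted while every other expansion is quoted; `"$(dirname "${ghcup_base}")"` keeps a base path with spaces intact. On the "second-layer defense" comment above `ulimit -d`: RLIMIT_DATA only counts private anonymous mappings on Linux 4.7 and later, so if the RTS heap is mmap-backed, as I would expect, the 600 MiB cap constrains little on older kernels, which is worth stating in the comment; relatedly `--tmpfs /tmp` has no size cap, and newer bubblewrap releases accept `--size BYTES` before `--tmpfs` so a runaway session cannot fill RAM through /tmp.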