From 793c2476af0f62885be7b0358b2913e87d346a03 Mon Sep 17 00:00:00 2001
From: Jordan Doyle
Date: Sun, 4 Dec 2022 18:10:37 +0000
Subject: [PATCH 1/3] Add flake.nix
---
 .gitignore | 1 +
 flake.lock | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/.gitignore b/.gitignore
index b6b1ad5..07821c7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 # These are backup files generated by rustfmt
 **/*.rs.bk
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..d2134be
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,77 @@ +{ + "nodes": { + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1662220400, + "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=", + "owner": "nix-community", + "repo": "naersk", + "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1670118144, + "narHash": "sha256-tdh9H4oomljZaKpCkZox8jmwt8p78oGLpK9cjFBy3Qk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "95f1ec721652d91a2993311d6cf537d3724690be", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1670118144, + "narHash": "sha256-tdh9H4oomljZaKpCkZox8jmwt8p78oGLpK9cjFBy3Qk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "95f1ec721652d91a2993311d6cf537d3724690be", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs_2", + "utils": "utils" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..b742a61 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,83 @@
+{
+ inputs = {
+ naersk.url = "github:nix-community/naersk/master";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, utils, naersk }:
+ utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ naersk-lib = pkgs.callPackage naersk { };
+ in
+ {
+ defaultPackage = naersk-lib.buildPackage ./.;
+ devShell = with pkgs; mkShell {
+ buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
+ RUST_SRC_PATH = rustPlatform.rustLibSrc;
+ };
+
+ nixosModules.default = { config, lib, pkgs, ... }:
+ with lib;
+ let
+ cfg = config.services.paste-bin;
+ in
+ {
+ options.services.paste-bin = {
+ enable = mkEnableOption "paste-bin";
+ bindAddress = mkOption {
+ default = "[::]:8000";
+ description = "Address and port to listen on";
+ type = types.str;
+ };
+ maxPasteSize = mkOption {
+ default = 32768;
+ description = "Max allowed size of an individual paste";
+ type = types.int;
+ };
+ bufferSize = mkOption {
+ default = 1000;
+ description = "Maximum amount of pastes to store at a time";
+ type = types.int;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.bin = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${self.defaultPackage."${system}"}/bin/bin --buffer-size ${toString cfg.bufferSize} --max-paste-size ${toString cfg.maxPasteSize} ${cfg.bindAddress}";
+ Restart = "on-failure";
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
+ };
+ };
+ };
+ };
+ });
+}
From dc6f9b5ec6e125b8a22437443406f8168279dc84 Mon Sep 17 00:00:00 2001
From: Alistair Bahr
Date: Tue, 17 Oct 2023 17:20:13 +0200
Subject: [PATCH 2/3] use static linking in Dockerfile; add docker-compose.yml
---
 Dockerfile | 12 +++++++-----
 docker-compose.yml | 8 ++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 docker-compose.yml
diff --git a/Dockerfile b/Dockerfile
index 5c49b4d..2dc4861 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,17 @@
 FROM rust:1-slim AS builder
-RUN apt update && apt install -y libclang-dev
+RUN apt-get update && \
+ apt-get install -y libclang-dev musl-tools
+RUN rustup target add x86_64-unknown-linux-musl
 COPY . /sources
 WORKDIR /sources
-RUN cargo build --release
-RUN chown nobody:nogroup /sources/target/release/bin
-
+# force static linking with target to avoid glibc issues
+RUN cargo build --release --target x86_64-unknown-linux-musl
+RUN chown nobody:nogroup /sources/target/x86_64-unknown-linux-musl/release/bin
 FROM debian:bullseye-slim
-COPY --from=builder /sources/target/release/bin /pastebin
+COPY --from=builder /sources/target/x86_64-unknown-linux-musl/release/bin /pastebin
 USER nobody
 EXPOSE 8000
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..70f20ac
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '3'
+services:
+ bin:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ ports:
+ - "8000:8000"
\ No newline at end of file
From 8d02b31688452a3f337cb680c6c1ea18f7b4991e Mon Sep 17 00:00:00 2001
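Review bot: The hardened `serviceConfig` never sets a user, so the `bin` unit still starts as root (inside its own user namespace); `PrivateUsers` and the empty `CapabilityBoundingSet` limit what that root can do but are not a substitute for `DynamicUser = true;` (or a dedicated `User=`), and `ProtectSystem = "strict";` is also absent, leaving `/usr` and `/etc` writable to the service. Separately, `after = [ "network-online.target" ]` without a matching `wants = [ "network-online.target" ];` does not pull the target in, so the ordering has no effect at boot. `maxPasteSize` and `bufferSize` are declared as `types.int`, which accepts zero and negative values that are passed straight to `--max-paste-size`/`--buffer-size`; `types.ints.positive` would reject them at evaluation time. The unit is named `systemd.services.bin` while its options live under `services.paste-bin`, which is worth aligning before the module is published.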
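Review bot: The musl target is hard-coded as `x86_64-unknown-linux-musl` in `rustup target add`, `cargo build --target` and both `COPY` paths, so this Dockerfile now fails on any non-x86_64 builder (an arm64 host, for instance) where the previous plain `cargo build --release` worked; if static linking is kept, derive the triple from the build platform (BuildKit's `TARGETARCH`, or `$(uname -m)-unknown-linux-musl`) instead of pinning it. Since the output is fully static, the runtime stage no longer needs a glibc image at all: `FROM scratch` would drop the Debian userland from the attack surface, though `USER nobody` then has no `/etc/passwd` to resolve against and would need the numeric form `USER 65534:65534`.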
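Review bot: `ports: - "8000:8000"` publishes the service on every host interface, and on Docker hosts a published port bypasses host-level `iptables`/`ufw` rules, so a pastebin meant to sit behind a reverse proxy should bind loopback instead: `- "127.0.0.1:8000:8000"`. None of the hardening that the systemd unit in PATCH 1/3 applies carries over to the container; the compose equivalents are `read_only: true`, `cap_drop: [ALL]` and `security_opt: ["no-new-privileges:true"]`, which this service (no volumes or writable paths declared) looks able to run under, though that should be confirmed against the binary. The file also lacks a trailing newline, and the top-level `version: '3'` key is obsolete under the Compose specification.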
From: alk3pInjection
Date: Sat, 21 Oct 2023 23:08:12 +0800
Subject: [PATCH 3/3] Revert "use static linking in Dockerfile"
The root cause of glibc version mismatch (#60) is we're trying to build on bookworm and run on bullseye. The proper fix is simply aligning the distro version during multi-stage builds. While it's okay to statically link against musl libc, I don't see any benefits in doing so, which _might_ also introduce performance regressions. Switch to smaller "distroless" image while we're at it. This partially reverts commit dc6f9b5ec6e125b8a22437443406f8168279dc84.
Signed-off-by: alk3pInjection
---
 Dockerfile | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2dc4861..0a9e759 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,14 @@
-FROM rust:1-slim AS builder
+FROM rust:1-slim-bookworm AS builder
-RUN apt-get update && \
- apt-get install -y libclang-dev musl-tools
-RUN rustup target add x86_64-unknown-linux-musl
+RUN apt update && apt install -y libclang-dev
 COPY . /sources
 WORKDIR /sources
-# force static linking with target to avoid glibc issues
-RUN cargo build --release --target x86_64-unknown-linux-musl
-RUN chown nobody:nogroup /sources/target/x86_64-unknown-linux-musl/release/bin
+RUN cargo build --release
+RUN chown nobody:nogroup /sources/target/release/bin
-FROM debian:bullseye-slim
-COPY --from=builder /sources/target/x86_64-unknown-linux-musl/release/bin /pastebin
+FROM gcr.io/distroless/cc-debian12
+COPY --from=builder /sources/target/release/bin /pastebin
 USER nobody
 EXPOSE 8000
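Review bot: `FROM gcr.io/distroless/cc-debian12` carries neither a tag nor a digest, so every build resolves `:latest` and the runtime layer is neither reproducible nor auditable; pin the base by digest (`FROM gcr.io/distroless/cc-debian12@sha256:…`, taken from the pull output) and, if distroless's non-root convention is wanted, the `:nonroot` variant already sets the user. The revert also brings back `RUN apt update && apt install -y libclang-dev`, whereas the reverted hunk's `apt-get` is the form meant for scripts (apt's CLI prints a warning that its interface is unstable); `RUN apt-get update && apt-get install -y --no-install-recommends libclang-dev && rm -rf /var/lib/apt/lists/*` keeps the builder layer small and deterministic. The `chown nobody:nogroup` of the built binary is carried over from the old Dockerfile as well; whether that ownership survives `COPY --from` depends on the builder in use, and a root-owned, non-writable `/pastebin` is the safer state for a `USER nobody` process anyway, so the line can probably be dropped.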