I tried testing this with Docker, but it looks like the CONFIG_CGROUP_PERF kernel option isn't enabled in the default Nixpkgs kernel, leading to some form of incompatibility between gvisor and Docker. I initially get the following error:

error creating container: error configuring cgroup: mkdir /sys/fs/cgroup/perf_event: read-only file system

I can remount the cgroup filesystem as rw (sudo mount -o remount,rw /sys/fs/cgroup), but when doing that or patching gvisor to remove that cgroup from the controller set, I get the error:

unable to find "perf_event" in controller set: unknown.

I don't have time to rebuild my kernel with that cgroup option right now, but I'll try to get it to it soon, unless someone else wants to have a try!

@orivej - After applying #50225, and setting virtualisation.docker.extraOptions = "--add-runtime=runsc=/nix/store/[...]-gvisor-2018-11-10/bin/runsc";, I'm able to run docker run --runtime=runsc -it ubuntu /bin/bash, apt-get install things from within the container, and generally do things. I also confirmed via ps that gvisor was running! 🎉

@Profpatsch Do you know if there is a more simple way to prefetch dependencies for Bazel builds in nixpkgs? The goal is to not have to download dependencies with Bazel (bazel sync) at application build time.

The goal is to not have to download dependencies with Bazel (bazel sync) at application build time.

I tried a couple ways to do this, but wasn't successful. You can use native.existing_rules() to iterate over all repository rules in a Bazel workspace, but turning those into things that Nix can fetch is pretty tricky. Especially since you can't just search for a standard set of rules that access the network, since e.g. rules_go has some repository rules that run custom commands to fetch dependencies. I suspect that bazel sync is probably the best we're going to get, honestly.

Do you know if there is a more simple way to prefetch dependencies for Bazel builds in nixpkgs?

bazel sync --experimental_repository_resolved_file <filename> is able to produce some kind of lock file, but it’s kinda verbose and not in a well-known format, but skylark. It might be possible to eval it with a python interpreter and spew out some json.

This looks good to me.
But, it's really tricky to build a Bazel project in nixpkgs. It would be nice to have a bazel2nix tool! Moreover, I don't know how this build will be robust on Bazel upgrades.

This is not required, but it would be nice to have a NixOS test that uses this container runtime engine. I could help on that.

@GrahamcOfBorg build gvisor

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: gvisor

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: gvisor

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.

Unexpected error: command failed with exit code 1 on x86_64-linux (full log)

Attempted: gvisor

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   155    0   155    0     0    734      0 --:--:-- --:--:-- --:--:--   734
100 1735k    0 1735k    0     0  1521k      0 --:--:--  0:00:01 --:--:-- 3916k
unpacking source archive /build/d97ccfa346d23d99dcbe634a10fa5d81b089100d.tar.gz
cannot link '/nix/store/.links/1cnjyagqg3s6b6v6j675ryhzk9q9f6fhd88v0dyqw8w6s5b07r7x' to '/nix/store/zwzcdh5x9wr3pq0n6vdzcpgrjcnixr7f-source/pkg/sentry/kernel/g3doc/run_states.dot': No space left on device
cannot link '/nix/store/.links/1s37c4s9a74nv7j6xxydif20a7ljydlj8y4z3p69n1dahnn6m7gq' to '/nix/store/zwzcdh5x9wr3pq0n6vdzcpgrjcnixr7f-source/pkg/sentry/mm/mm.go': No space left on device
cannot link '/nix/store/.links/0wymhb94n99vs4yf3vjb4gmlva43hcfnbrvac9wldjd85aaznhxp' to '/nix/store/zwzcdh5x9wr3pq0n6vdzcpgrjcnixr7f-source/pkg/sentry/fs/proc/uptime.go': No space left on device
warning: path '/nix/store/zwzcdh5x9wr3pq0n6vdzcpgrjcnixr7f-source' claims to be content-addressed but isn't
error: unexpected end-of-file

@nlewo - This should be pretty reliable through Bazel upgrades; the bazel sync command is the newly-recommended way of doing reproducible builds, and the only other thing that could change is the $TEST_TMPDIR variable, which is currently documented here. Just about everything else is essentially independent of the way Bazel works. I suspect this approach is substantially more reliable than using the Bazel --experimental_repository_resolved_file flag, which could change at any point.

I'll try to get a NixOS test added today or tomorrow; it'll be my first one, so I'll happily take any advice!

In the mean time, do you mind kicking off another build? Looks like the Linux build failed due to disk space, which doesn't look related to this PR.

Current state: I've submitted a patch to bazel-gazelle to make the helper build tools deterministic (bazel-contrib/bazel-gazelle#382) which has been merged, but that's not sufficient; I'm currently chasing down some Nix paths in the dependency output. Most of them are local configuration from the environment, and we can just remove them (rm -rf $out/local_config*), but there's one particular problem that I'm running into:

Our Go compiler has patches[1][2] that replace the absolute /etc/services, /etc/protocols, and /usr/share/zoneinfo paths with Nix store paths. This, however, means that we cannot use a Go binary in a fixed-output derivation, since the binary will contain paths from the Nix store and thus the fixed-output hash will change if those paths ever do. Anyone have any idea what we normally do in cases like this? Or should we just assume that this particular problem is a lost cause, and find some other way of building these binaries?

(also, holy hell is this rapidly turning into something more complicated than I'd originally expected 😛)

Thanks for putting in the work to research bazel builds inside of nix.

This, however, means that we cannot use a Go binary in a fixed-output derivation, since the binary will contain paths from the Nix store and thus the fixed-output hash will change if those paths ever do. Anyone have any idea what we normally do in cases like this? Or should we just assume that this particular problem is a lost cause, and find some other way of building these binaries?

I haven’t seen fixed-output hashes for anything but implementing fetchers, since they require absolute determinism. Especially with a semi-hermetic build tool like bazel which uses build rules written by imperative programmers (cough rules_go cough) that’s tough to achieve.

Best strategy I can see right now is using their lock file to parse out all hashes and check those hashes into nixpkgs (plus an update script that can update the hashes). Since the output format is skylark, you should be able to parse it as valid python syntax (or eval with all symbols stubbed out).

This was super annoying, but: I've just force-pushed an update that successfully builds gvisor by manually fetching all dependencies with Nix. It's especially annoying since rules_go applies patches to some third-party libraries, so we have to manually apply those ourselves too, or the build will fail. However: this builds properly for me, now.

@Profpatsch and @nlewo - thoughts on this new approach?

Just pushed an alternate version; this is now generated by a very WIP script that will parse the Bazel resolved-dependencies file and attempt to convert it to a Nix file. It's pretty hacky, but I'm heading to bed and figured I'd drop it here for now!

thoughts on this new approach?

I really like it. Would be nice to split out the parser to get a generic transformation from bazel lockfile to nixpkgs package. Of course then the generated code must be overridable, I can help with that if you want. See https://github.com/Profpatsch/yarn2nix/tree/master/nix-lib for an example on how that can be done (there might be some code-reuse possible).

@andrew-d Wondered if you ever continued with this? I really like the idea of running services on my NixOS machine within gVisor KVM containers, especially for things like the Unifi controller I run, a big Java behemoth.

@benpye - The short answer is "not yet"; I'm currently trying my hand at a slightly more generic "Bazel to Nix" translator, and once I get that working will update this PR with the generated code. This branch does work, though, if you want to apply it to a local fork!

@andrew-d anything you need help with? This is rad.