Add: nix flakes support#2219
Conversation
|
@team, please review the package build. I made a few decisions myself regarding compile flags, paths, and a few other details. If you have any questions about flakes, just ask. I’ll do my best to help. |
|
No problem with Darwin because is deprecated since 26.05 nixos 🤣🤣 Ok, I'll remove it |
|
Thank you very much for this PR :). |
|
Regarding gvm-libs: I think it would be better to not use the one provided in nixpkgs as openvas assumes the latest gvm-libs version to be available. So when it is not updated on nixpkgs in time the nix check would fail, which is a bit annoying to debug within a pipeline. |
Ok, but this has a problem: version has to be manually bumped at nix package... OR, have a source of truth on the repo that makes possible to choose the gvm-libs version. |
|
And should we package |
I think just |
|
I also think so. Ok, so we should discuss the "To be discussed" section on the PR. What do you all think? |
Yup, totally for that.
Do you mean exporting the configuration options for openvas and openvasd with the additional redis running on unix socket mode when activated as a service? Would be cool, but could also be done afterwards.
We actually just use the tags as a source of truth when we generate a release. So we could do the same and check if an environment variable (within the CI) is set then use version otherwise it is a git sha1? |
| let | ||
| rustToolchain = pkgs.fenix.fromToolchainFile { | ||
| dir = self + /rust; | ||
| sha256 = "sha256-gh/xTkxKHL4eiRXzWv8KP7vfjSk61Iq48x47BEDFgfk="; |
There was a problem hiding this comment.
we just use the toolchain so that we are not so often surprised by clippy and fmt changes and can do that when we have time. Since we don't validate clippy nor formatting via nix I don't think it is necessary to respect the toolchain definition?
There was a problem hiding this comment.
Well, toolchain is loaded mainly because of the Rust version, so we can have it fixed. Clippy & formatting are extra tools, but not necessary.
I can remove the toolchain usage but that means that Rust version will be set by fenix's input lock at flakes.
Usually openvas just depends on the latest gvm-libs version so for main or the latest release it shouldn't be an issue. So for now it is fine as we have the same breakage point when openvas is build from source by release tag and I think also when the container image is being rebuild on a tag. But I agree on release we should come up with a mechanism to store the used gvm-libs version so that openvas can be rebuild with that instead of hoping the latest gvm-libs version is still compatible. |
Well, for CI I also think would be great, but that escapes from my scope
Yep, i mean that, but ok, let's first focus on packaging everything right.
Nop, nix is deterministic and can only extract data from the actual state of the repo. For example, it could extract the actual commit's hash, but tag cannot be retrieved. To be able to read env vars, we should use nix with the |
Ok, so I will take the approach of using the latest available and remember to bump it from time to time
Definetly 😂. Even if you pin the Docker image, I could extract it from there 🤣🤣 I think isn't the best way, but it would work. |
3 participants
What:
A
flake.nixthat builds the entire openvas-scanner workspace — the Copenvasscanner and the Rustopenvasd/scannerctl/feed-filterbinaries — pinned to the same source tree.Why:
I think it's interesting to have Nix flakes to make a way of native building and distribution.
How:
C scanner: built from source with CMake. Reuses
gvm-libsfrom nixpkgs (22.31.1 — the scanner only needs ≥22.4). UsessubstituteInPlaceto strip-Werrorfrom the CMake files rather than a blanketNIX_CFLAGS_COMPILE. Installs viaDESTDIRwith standard FHS paths;autoPatchelfHookfixes RPATH since the non-standard install layout bypasses the Nix linker wrapper.Rust scanner: built with crane and fenix. Each workspace binary is its own derivation sharing a single
buildDepsOnlycache. Thenasl-c-lib-syscrates are the trickiest part — they use a custombuild_support.rsthat discovers native libraries through$OPENVAS_ARCHIVESrather than pkg-config. The flake works around this with:buildCachederivation that symlinkslibgcrypt,libgpg-error, and Kerberos.sofiles + headers into the flat layout the-syscrates expect.postPatchthat switchescargo:rustc-link-lib=static=→dylib=and.a→.soso Nix's shared libraries are used instead of the upstream static archive convention (those static archives are produced by an upstream Docker-only "build-archives" stage and aren't reproducible outside that environment).autoPatchelfHookrestores RPATH on the final binaries since the-syscrates emit directcargo:rustc-linkdirectives that bypass the stdenv linker wrapper.Tests: enabled by default (
doCheck = true) on the per-binary builds — 64 pass. Thecontainer_image_scannertests are skipped (they need a Docker registry in the sandbox). The full workspace build hasdoCheck = falsebecausecargo test --libhitsnasl::builtin::sys::tests::find_in_pathwhich SIGABRTs in the sandbox; no coverage is lost since the per-binary builds exercise the same code.Fragility notes
sha256infromToolchainFile(flake.nix:31) — needs updating whenrust/rust-toolchain.tomlchanges channel.To be discused
Depending on the level of adoption of flakes, some points must be discussed:
nix flake checkshould gate PRs.CMakeLists.txton theopenvasproject. Maybe we should use a easier way to declare version.gvm-libs, but it may be interesting to package it here.ospd-openvas?Checklist: