
New build system using nix #1304

Open
mvachhar wants to merge 34 commits into main from pr/mvachhar/new-build-system

Conversation

@mvachhar (Contributor) commented Feb 24, 2026

This PR is a continuation of the work started by @daniel-noland to move to a proper nix based build system.

Most of this PR was built based on #1275 and the work of Claude Code using Opus 4.6. As such it should be reviewed carefully. I have tried to do the work in small chunks with the AI to get some review as we go along, but I am not a nix expert and had to rely a bit on the AI's judgement as to the best approach for certain things.

TODO:

  • Make failing new sanitizer runs optional - the sanitizers found real bugs we need to fix in separate PRs
    • These got commented out, the github action-fu to make it work is too hard for this PR
  • ~~ Create cachix "githedgehog" cache so that these runs come from the cache ~~ DONE
  • Have @Fredi-raspall, @qmonnet, and @daniel-noland rebase on this branch to make sure their workflow still works
  • Careful manual review of this PR before signing off
  • Co-pilot review of this PR before signoff DONE
  • Remove scripts/todo.sh. DONE
  • Remove scripts/install-real-nix.sh. DONE
  • Make sure the proper just targets for building and pushing containers is there (I believe we are good, but I want to confirm)

@mvachhar requested a review from a team as a code owner February 24, 2026 16:06
@mvachhar self-assigned this Feb 24, 2026
@mvachhar requested review from sergeymatov and removed request for a team February 24, 2026 16:06
@mvachhar marked this pull request as draft February 24, 2026 16:06
@mvachhar requested review from Copilot and removed request for sergeymatov February 24, 2026 16:07
Copilot AI (Contributor) left a comment

Pull request overview

This PR continues the migration to a Nix-based build and CI workflow, replacing the prior compile-env/docker-based approach and wiring sysroot/toolchain configuration through Nix shells and Nix builds.

Changes:

  • Replaces the legacy compile-env + fake-nix workflow with default.nix/overlays, nix-shell, and updated just recipes.
  • Updates CI (dev.yml) to build/test via Nix targets and introduces new Nix packaging pieces (FRR packaging, platform/profile plumbing).
  • Refactors sysroot usage in Rust build scripts and updates docs to match the new Nix-first workflow.

Reviewed changes

Copilot reviewed 55 out of 56 changed files in this pull request and generated 12 comments.

Summary per file (file, description):
testing.md Updates testing instructions to assume nix-shell tooling.
sysfs/build.rs Removes sysroot build script logic.
sysfs/Cargo.toml Drops dpdk-sysroot-helper build-dependency.
shell.nix Switches shell entrypoint to default.nix devenv.
scripts/update-doc-headers.sh Bumps KaTeX version used in docs.
scripts/todo.sh Adds a Nix-based build/test “checklist” script.
scripts/test-runner.sh Removes legacy docker-based test runner wrapper.
scripts/rust.env Removes legacy RUSTFLAGS/profile env file.
scripts/k8s-crd.env Updates gateway CRD ref env file (now likely legacy).
scripts/installl-real-nix.sh Adds helper to replace “fake nix” with real Nix install.
scripts/dpdk-sys.env Updates pinned dpdk-sys commit.
scripts/doc/custom-header.html Updates KaTeX CDN links and integrity hashes.
rust-toolchain.toml Removes rustup toolchain file in favor of Nix toolchain sourcing.
routing/Cargo.toml Cleans tokio features and adds dev tokio “full”.
npins/sources.json Updates Nix pins (crane, frr, gateway, nixpkgs, rust, rust-overlay).
nix/profiles.nix Adjusts compile/link/security profile flags and profile mapping.
nix/platforms.nix Adds platform name mapping for bluefield2 → bluefield.
nix/pkgs/frr/patches/yang-hack.patch Adds FRR/libyang-related patch.
nix/pkgs/frr/patches/xrelifo.py.fix.patch Adds FRR python/xrelfo patch.
nix/pkgs/frr/default.nix Introduces FRR derivation with configurable protocol support.
nix/pkgs/frr/clippy-helper.nix Adds split derivation for FRR “clippy” tool for cross builds.
nix/pkgs/dpdk/default.nix Simplifies DPDK build params and uses platform-provided properties.
nix/overlays/llvm.nix Reworks LLVM+Rust toolchain overlay to source versions from pins.
nix/overlays/frr.nix Adds overlay customizing dependencies for FRR static/cross builds.
nix/overlays/default.nix Registers new overlays (rust/llvm/dataplane/frr).
nix/overlays/dataplane.nix Wires platform/profile into DPDK build and tweaks deps.
nix/overlays/dataplane-dev.nix Uses llvmPackages’ stdenv and adds a static-leaning gdb override.
net/src/buffer/test_buffer.rs Cleans doc-only import; adds explicit PacketBuffer doc link.
mgmt/tests/reconcile.rs Adds VM-runner attribute to a test.
mgmt/src/tests/mgmt.rs Removes unused imports and disables a VM test during refactor.
mgmt/Cargo.toml Adds n-vm + tracing-subscriber for tests.
k8s-intf/build.rs Refactors CRD generation to OUT_DIR and env-driven inputs.
k8s-intf/Cargo.toml Swaps build deps to dpdk-sysroot-helper.
justfile Replaces compile-env/sterile/docker flows with Nix build/test/container commands.
init/build.rs Switches to dpdk_sysroot_helper::use_sysroot() behind feature gate.
init/Cargo.toml Introduces sysroot feature and makes sysroot helper optional.
hardware/src/os/mod.rs Fixes a typo in a clippy lint comment.
hardware/build.rs Switches to centralized use_sysroot().
dpdk/src/lcore.rs Updates lcore ID call to rte_lcore_id().
dpdk/build.rs Switches to centralized use_sysroot().
dpdk-sysroot-helper/src/lib.rs Changes sysroot discovery to DATAPLANE_SYSROOT and adds use_sysroot().
dpdk-sys/build.rs Updates bindgen/sysroot handling and link libs list.
development/code/running-tests.md Updates test-running docs to Nix-first commands.
default.nix Major Nix build definition: dev shell env, profiles, test archives, container tars.
dataplane/src/drivers/dpdk.rs Gates DPDK driver file behind dpdk feature.
dataplane/build.rs Switches to centralized use_sysroot() behind dpdk feature.
dataplane/Cargo.toml Makes dpdk deps optional behind a dpdk feature (default on).
cli/build.rs Removes sysroot build script logic.
cli/Cargo.toml Drops dpdk-sysroot-helper build-dependency.
README.md Updates developer setup/docs to nix-shell workflow.
Cargo.toml Updates workspace version and dependency versions.
Cargo.lock Updates lockfile to match dependency/version changes.
.github/workflows/dev.yml.old Keeps old workflow as .old (new file added).
.github/workflows/dev.yml Reworks CI to use Nix builds and archives.
.envrc Simplifies direnv env vars for the new devroot/sysroot layout.
.cargo/config.toml Updates env vars and rustflags for sysroot/devroot-based builds.

@mvachhar force-pushed the pr/mvachhar/new-build-system branch 7 times, most recently from d2a1beb to cddb251 on February 24, 2026 21:12
@daniel-noland force-pushed the pr/mvachhar/new-build-system branch from cddb251 to 3591e49 on February 24, 2026 21:27
@mvachhar force-pushed the pr/mvachhar/new-build-system branch from 3591e49 to 921adf0 on February 24, 2026 21:49
@mvachhar added the ci:+vlab (Enable VLAB tests) label Feb 24, 2026
@mvachhar closed this Feb 24, 2026
@mvachhar reopened this Feb 24, 2026
@daniel-noland force-pushed the pr/mvachhar/new-build-system branch from e3be498 to eb71953 on February 24, 2026 22:25
@mvachhar added the ci:-upgrade (Disable VLAB upgrade tests) label Feb 24, 2026
@daniel-noland force-pushed the pr/mvachhar/new-build-system branch 2 times, most recently from bae29e6 to 6a688dd on February 24, 2026 23:09
@mvachhar force-pushed the pr/mvachhar/new-build-system branch 2 times, most recently from 81e9456 to 0059740 on February 24, 2026 23:19
daniel-noland and others added 29 commits on March 21, 2026 19:12:

Reorganize nix/profiles.nix to consolidate build profile settings:

- Move --as-needed and --gc-sections from the performance-only link flags
  into common RUSTFLAGS so dead-code elimination applies to debug builds
  too (FRR builds are unaffected as they don't use RUSTFLAGS)
- Add fuzz profile (aliased to release for now)
- Enable Intel CET cf-protection hardening (-fcf-protection=full for
  CFLAGS, -Zcf-protection=full for RUSTFLAGS) in the x86_64 march block
  where it belongs, since cf-protection is an x86-only feature

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

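
As an added check, not part of the dataplane repository or of this commit: a shell helper that confirms the `-fcf-protection=full` / `-Zcf-protection=full` flags actually reached the linked binary. The linker sets the IBT and SHSTK bits in `.note.gnu.property` only when every input object carries them, so a single C object built without `-fcf-protection` (a sysroot library, for instance) silently drops CET for the whole executable, and `-Zcf-protection` is an unstable flag that needs a nightly toolchain in the first place. The `readelf -n` samples embedded below are constructed; `check_binary_cet` is the hypothetical entry point you would call on a real build output.

```shell
#!/usr/bin/env bash
# Added example, not from the dataplane repo: verify that a linked x86-64 ELF
# actually carries the Intel CET markers that -fcf-protection=full and
# -Zcf-protection=full are meant to produce.  ld only sets
# GNU_PROPERTY_X86_FEATURE_1_{IBT,SHSTK} in .note.gnu.property when every
# input object has them, so one unhardened C object (e.g. from a sysroot
# library built without the flag) removes CET from the whole binary.
set -euo pipefail

# Read `readelf -n` output on stdin; succeed only if the GNU property note
# lists both IBT (indirect branch tracking) and SHSTK (shadow stack).
cet_enabled() {
  local notes
  notes=$(cat)
  printf '%s\n' "$notes" | grep -q 'x86 feature:.*IBT' &&
    printf '%s\n' "$notes" | grep -q 'x86 feature:.*SHSTK'
}

# Check a real binary (hypothetical helper name).  Prints a verdict and
# returns 0/1 so it can gate a CI step.
check_binary_cet() {
  local bin="$1"
  if readelf -n "$bin" 2>/dev/null | cet_enabled; then
    echo "OK   $bin: IBT+SHSTK present"
  else
    echo "FAIL $bin: CET property missing (check every C object in the link)" >&2
    return 1
  fi
}

# Constructed samples of what `readelf -n` prints for a hardened and an
# unhardened binary, trimmed to the relevant note.
SAMPLE_CET='Displaying notes found in: .note.gnu.property
  Owner                Data size     Description
  GNU                  0x00000030    NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline, x86-64-v2, x86-64-v3'

SAMPLE_NO_CET='Displaying notes found in: .note.gnu.property
  Owner                Data size     Description
  GNU                  0x00000020    NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline'

# Usage: ./cet-check.sh result/bin/dataplane
if [ "${1:-}" ]; then
  check_binary_cet "$1"
fi
```

Run it against every binary that ends up in the container tar, not just the Rust ones: the property is an AND over all inputs, so the DPDK PMDs and hwloc linked through `clang++` need the same flag in their own CFLAGS.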
Rework the llvm overlay to use the rust-overlay for toolchain management
instead of reading from rust-toolchain.toml.  This pins the LLVM toolchain
to the same version rustc was built against, ensuring ABI compatibility for
LTO and mixed C/Rust compilation.

Switch from llvmPackages to llvmPackages' (version-matched to rustc's LLVM),
add rustPlatform'-dev for dev tooling, use final instead of prev where
appropriate, and remove the redundant separateDebugInfo setting.

Also adds the rust-overlay to the overlay registry and removes unused
explicit parameters from the overlay entry point since individual overlays
destructure what they need from inputs.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add a name attribute to the platform definition that maps bluefield2 to
"bluefield" for DPDK compatibility. DPDK internally uses the name "bluefield"
for the BF2 SoC definition, even though we generate a correct cross-compile
file with armv8.2-a / cortex-a72 (unlike DPDK's own soc meson.build which
only half-heartedly picks armv8-a).

BF2 is not a primary support target but serves as a useful cross-compilation
test target for the build tooling.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Remove the build-params default argument from the dpdk package in favor of
using platform.name directly and hardcoding buildtype/lto settings which are
always the same for our use case. Reorder and deduplicate meson flags, remove
the unused -Ddebug=false flag, and fix unnecessary nix string interpolation
in the cross-file argument.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Use version-matched LLVM packages (llvmPackages') consistently across both
overlays, following the llvm.nix rework.

dataplane-dev: Add optimized gdb' package with LTO, static linking, and
minimal features for container-friendly debugging.  This gives us a small
gdb binary suitable for inclusion in debugger container images without
pulling in the full desktop dependency tree.

dataplane: Pass platform and profile through to dpdk, remove unnecessary
output entries from libmd (man, dev), drop unused ethtool/iproute2 overrides
from rdma-core, fix llvmPackages->llvmPackages' for libunwind, fix
libX11->libx11 case in hwloc, and fix perftest callPackage argument passing.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add a nix derivation for building FRR (Free Range Routing) from source with
only the routing daemons we need (bgpd, bfdd, staticd) and all others
disabled.  Packaging FRR in nix gives us reproducible builds with precise
control over dependencies and compile-time options.

The package includes:
- clippy-helper.nix: FRR's custom Clippy code generator, built as a native
  build tool and injected into the FRR build
- xrelifo.py.fix.patch: suppress false-positive build errors from FRR's
  xrelfo ELF annotation tool (error counting and -Werror interaction)
- yang-hack.patch: skip the lyd_find_xpath3 check in configure.ac to work
  with our pinned libyang version which provides equivalent functionality
  under a different symbol

Also registers the frr overlay in the overlay entry point
(nix/overlays/default.nix).

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Package FRR runtime configuration as a separate derivation so it can be
composed independently into different container images (e.g. the dataplane
FRR container vs. the host FRR container).

Contents:
- daemons: FRR daemon selection and startup options
- vtysh.conf: VTY shell configuration
- zebra.conf: empty base config (populated at runtime)
- passwd/group: FRR service user and group definitions
- nsswitch.conf: name service configuration
- docker-start: container entrypoint script for FRR

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add nix derivation for the dataplane RPC library.  This is a C/C++ library
(built with CMake) that provides the gRPC interface used by the FRR
dplane-plugin to communicate route updates to the dataplane process.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add nix derivation for the FRR dataplane plugin shared library.  This is a
CMake-built shared object loaded by FRR at runtime to forward route updates
to the dataplane process via dplane-rpc.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add a nix derivation for frr-agent, the Hedgehog FRR management agent.
This is a Rust binary built with buildRustPackage from the pinned
frr-agent source.  References to build-time paths are stripped with
nuke-refs to keep the closure minimal.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rework the core build machinery in default.nix to support the new nix-native
build pipeline.  The old default.nix was structured around the compile-env
sysroot approach; this rework introduces proper nix builders and integrates
FRR packaging support.

Changes:
- Add tag parameter for container/version tagging
- Add fuzz to cargo-profile map
- Add frr-pkgs import with FRR overlay
- Add comments explaining libc fully-qualified paths in sysroot
- Add skopeo to devroot for container operations
- Rework devenv from shellHook to structured env attributes
- Add jsonFilter for source filtering
- Simplify cargo-cmd-prefix (unconditional build-std-features)
- Remove sanitizer-conditional RUSTFLAGS block
- Add VERSION env var from tag parameter
- Rename package-builder to workspace-builder
- Rework test-builder to support building all tests at once
- Update crane config (removeReferencesToRustToolchain/VendorDir)
- Use clang++ as the linker driver instead of clang so that C++ standard
  library and exception handling runtime are linked correctly for
  transitive C++ dependencies (e.g. DPDK PMDs, hwloc)

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add docs-builder helper and docs output that runs `cargo doc` through the
nix build system with -D warnings.  Supports building docs for individual
packages or the entire workspace.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rework the dataplane tar to use busybox (providing a shell and coreutils
in-container), symlinks instead of copies for binaries, and additional
security hardening:
- Add /home and /tmp directories
- Use symlinks to nix store paths instead of copying binaries
- Install busybox for minimal shell access
- Change tar permissions to ugo-sw (no write, no setuid/setgid)
- Add dontPatchShebangs, dontFixup, dontPatchElf
- Include workspace.dataplane, workspace.init, workspace.cli, busybox
  and glibc.libgcc unconditionally in the tar
- Rename attribute from dataplane-tar to dataplane.tar

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

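
The `ugo-sw` tar mode in the commit above is easy to misjudge in either direction, so here is an added check that is not part of the repository: a script that builds a small constructed tree with deliberately bad modes (setuid, world-writable), packs it with the same `--mode` string the tar builder uses, and verifies from the archive listing that no entry is writable, setuid or setgid. It assumes GNU tar (busybox tar has no `--mode`); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the dataplane repo: show what GNU tar's
# --mode='ugo-sw' does to entry modes and check an image tar for entries
# that are writable, setuid or setgid.  Assumes GNU tar and awk.
set -euo pipefail

# Constructed sample tree with deliberately bad permissions.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/bin" "$root/tmp"
  printf '#!/bin/sh\necho hi\n' > "$root/bin/tool"
  chmod 4777 "$root/bin/tool"      # setuid + world-writable binary
  printf 'x\n' > "$root/config"
  chmod 0666 "$root/config"        # world-writable file
  chmod 1777 "$root/tmp"           # sticky + world-writable directory
}

# Pack a tree the way the dataplane tar does: chmod-style symbolic mode
# that strips write and setuid/setgid from user, group and other.  Read and
# execute survive, which is what lets the binaries run under a non-root UID;
# the sticky bit is 't' in chmod syntax and is left alone.
pack_hardened() {
  local root="$1" out="$2"
  tar --mode='ugo-sw' -C "$root" -cf "$out" .
}

# Mode string of one entry (e.g. ./bin/tool, ./tmp/) as shown by `tar -tvf`.
entry_mode() {
  tar -tvf "$1" | awk -v name="$2" '$NF == name { print $1; exit }'
}

# Succeed only if no entry has a write bit, setuid (column 4) or setgid
# (column 7).  A sticky bit in column 10 is deliberately allowed.
tar_is_hardened() {
  tar -tvf "$1" | awk '
    $1 ~ /w/ || substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/ {
      print "unhardened entry: " $0 > "/dev/stderr"; bad = 1
    }
    END { exit bad }'
}

# Demo: pack the sample tree and report what the mode string produced.
demo() {
  local work
  work=$(mktemp -d)
  make_sample_tree "$work/root"
  pack_hardened "$work/root" "$work/image.tar"
  echo "bin/tool: $(entry_mode "$work/image.tar" ./bin/tool)"   # -r-xr-xr-x
  echo "config:   $(entry_mode "$work/image.tar" ./config)"     # -r--r--r--
  echo "tmp/:     $(entry_mode "$work/image.tar" ./tmp/)"       # dr-xr-xr-t
  tar_is_hardened "$work/image.tar" && echo "image tar is hardened"
  rm -rf "$work"
}
demo
```

`tar_is_hardened` is the part worth keeping in CI: run it over the produced `dataplane.tar` so a later change to the mode string (or a file added outside the `tar --mode` call) cannot silently reintroduce writable or setuid entries.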
Add container image definitions using nixpkgs dockerTools:
- containers.dataplane: production image with busybox, cli, init
- containers.dataplane-debugger: debug image with gdb, rr, libc debug symbols
- containers.frr.dataplane: FRR with dplane-plugin, dplane-rpc, frr-agent
- containers.frr.host: FRR host variant with fakeNss

The FRR containers include fakeRootCommands for /run/frr directory setup
and use tini as the entrypoint.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add llvm tools to the dev shell for llvm-cov/llvm-profdata.  Set
CLANG_PATH, LLVM_COV, LLVM_PROFDATA, and CARGO_LLVM_COV_* env vars
in .cargo/config.toml.  Inject -ffile-prefix-map into all
dataplane-dep builds so coverage data maps /build paths back to
nix store source paths.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rework build.rs scripts across the workspace to use the nix build
environment.  Remove the ureq-based CRD fetching and dotenvy env-file
parsing from k8s-intf build.rs; the CRD is now read from a nix-provided
path.  Remove build.rs from cli and sysfs (no longer needed).  Simplify
dpdk-sysroot-helper to read DATAPLANE_SYSROOT from the environment and
add rerun-if-env-changed directive.  Update Cargo.toml build-dependencies
to match.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Nix builds can't access the network from a build.rs script, so the prior
approach of fetching CRDs via ureq at build time won't work.

Move CRD binding generation from committed source to build.rs so that
bindings are always in sync with the CRD schema provided by nix.  This
eliminates the need to manually regenerate and commit the 500-line
gateway_agent_crd.rs file when the upstream CRD changes.

The generated module and its re-exports are removed; consumers now get
the bindings via the build-time generation in k8s-intf's build.rs (which
invokes kopium against the nix-provided CRD file).

Also simplify the version handling: get_gateway_version() now returns a
plain String (defaulting to "dev" when VERSION is unset) instead of
Option<String> that was always Some.  Remove the commented-out npins-based
version lookup and the now-unused serde_json build-dependency.

Remove the standalone rerun-if-changed for the sysroot path (now handled
by dpdk-sysroot-helper::use_sysroot()).

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add feature gates to the dataplane and init crates so DPDK and
dpdk-sysroot-helper are optional dependencies.  The dataplane crate gets
a `dpdk` feature (default on) with a corresponding cfg(feature = "dpdk")
gate on the DPDK driver module.  The init crate gets a `sysroot` feature
(default on).  This allows building without a DPDK sysroot for
development and testing scenarios.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Remove k8s-crd.env, rust.env, and test-runner.sh.  These scripts provided
environment variables and test execution support for the old compile-env
build approach.  Their functionality is now provided by:
- k8s-crd.env: nix build environment (GW_CRD_PATH in .cargo/config.toml)
- rust.env: nix shell and build profiles (nix/profiles.nix)
- test-runner.sh: n-vm test runner (#[n_vm::in_vm] annotations)

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Replace the old fixin::wrap(with_caps(...)) capability-escalation pattern
on test_sample_config with #[n_vm::in_vm] and mark it #[ignore] pending
vm runner integration.  Add required dev-dependencies (n-vm,
tracing-subscriber to mgmt; tokio with full features to routing).
Deduplicate tokio feature flags in routing.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rewrite the justfile to work with the nix build environment instead of the
old compile-env/docker approach.

Key changes:
- Remove all compile-env and docker container machinery (image pulling,
  docker socket handling, container-based builds)
- Remove dotenv loading of scripts/rust.env (environment now comes from nix)
- Replace target triple (x86_64-unknown-linux-gnu) with platform name
  (x86-64-v3/bluefield2) to match the nix platform abstraction
- Add nix-based build/push recipes that invoke nix build and skopeo
- Add sanitizer and instrumentation selection variables (sanitize, instrument)
- Simplify cargo invocations (no longer need explicit target/linker flags)
- Add FRR container image push alongside dataplane container
- Add `push` recipe for pushing all release container images
- Wrap test and lint recipes in nix-shell for toolchain access
- Rewrite coverage recipe to use nix-built test archives with local
  llvm-cov/llvm-profdata
- Rename clippy recipe to lint
- Remove obsolete recipes (hugepages, build-sweep, rustdoc-serve,
  setup/teardown-test-env)

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rewrite the dev.yml CI workflow to use nix instead of the compile-env/docker
build approach.

Key changes:
- Replace compile-env setup with cachix/install-nix-action and cachix for
  binary caching
- Replace the profile-only build matrix with a target x profile matrix:
  targets are nix outputs (tests.all, frr.dataplane, dataplane) and
  profiles include debug and release
- Comment out sanitizer matrix entries (address, thread) pending build-time
  and correctness fixes; when re-enabled they will use the fuzz profile
  with coverage instrumentation
- Wrap just/cargo invocations in nix-shell so the CI runner has access
  to the full nix-provided toolchain
- Use REGISTRY_URL (set by the reusable workflow) for container pushes
  instead of a hardcoded registry variable
- Rename the "check" job to "build" to better reflect what it does
- Add lint (clippy), rustdoc, and doctest steps for the tests.all matrix
  target so these checks are not lost in the workflow rewrite
- Override the devfiles change-detection gate for tag pushes and manual
  workflow dispatches so builds always run for releases
- Remove stale commented-out upgrade-from matrix entry
- Add FRR version bumping alongside dataplane in the tag-push release job
- Remove docker-based cargo/just invocations in favor of nix build commands

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Rewrite README.md and test documentation to reflect the new nix-based
development workflow.

The old instructions required manually installing Rust via rustup, pulling
docker-based compile-env images, and symlinking /nix (the "fake nix" hack).
The new workflow is: install nix, enter the dev shell with `just shell`,
and use just recipes for building, testing, and linting.

Document build arguments (profile, sanitize, instrument, platform, jobs),
container build/push workflow, the lint and docs recipes, and
setup-roots for the initial sysroot/devroot symlink creation.

Also update the test-running docs to reference cargo-nextest and the
nix-shell environment instead of the old test-runner.sh script.

Co-Authored-By: Manish Vachharajani <manish@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add a 'features' argstr to default.nix (comma-separated, same pattern as
'sanitize') that injects --features into cargo-cmd-prefix.  This flows
through to all cargo invocations: workspace-builder, test-builder,
clippy-builder, and docs-builder.

Add a corresponding 'features' variable to the justfile that passes
through to nix build via --argstr.  The version string incorporates
enabled features (e.g. -feat.shuttle) for artifact disambiguation.

Add a 'filter' variable to the justfile that is forwarded to nextest
as a test name filter (e.g. 'shuttle' to run only shuttle-named tests).

Add shuttle test invocation to the CI test step: after the regular test
run, a second just invocation builds and runs the test archive with
features=shuttle and the 'shuttle' nextest filter, restoring the shuttle
concurrency testing that was present in the old workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Add private computed variables `_cargo_feature_flags` and `_cargo_profile_flag`
that each recipe can compose as needed (not all cargo subcommands accept all
flags).

- `_cargo_feature_flags`: expands --no-default-features and/or --features
  based on the `default_features` and `features` just variables.
- `_cargo_profile_flag`: expands --profile based on the `profile` variable
  (empty for debug since that is the cargo default).

Add `check-dependencies` recipe wrapping `cargo deny` with feature flags.
Add `doctest` recipe wrapping `cargo test --doc` with feature and profile flags.
Fix `lint` recipe to use the computed variables instead of hardcoding
`--all-features`.

Note: the lint fix portion is a fixup for:
  "build: rewrite justfile for nix build system"
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Adds the cargo-edit package (which provides `cargo upgrade`) to the nix
dev shell so that the bump workflow can run `cargo upgrade` within
nix-shell.

Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

The gateway repo has been absorbed into the fabric repo.  Update all
references to the gateway npins source to point to fabric instead.

- npins/sources.json: replace gateway pin with fabric pin (v0.113.2)
- scripts/gen-pins.sh: update pin name and comments
- default.nix: update GW_CRD_PATH in devenv and build env
- nix/overlays/dataplane-dev.nix: update source and destination paths
- .cargo/config.toml: update GW_CRD_PATH for local dev
- README.md: update pin management instructions

Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

The gateway and gateway-proto repos have been archived and merged into
the fabric repo.  Replace the two stale repo links with a single fabric
link.

Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 64 out of 68 changed files in this pull request and generated 3 comments.

sanitize: "" # TODO: enable cfi and safe-stack when possible
instrument: "none"
debug_justfile:
- "${{ inputs.debug_justfile || false }}"
Copilot AI, Mar 22, 2026:

confidence: 9
tags: [logic]

This workflow references the inputs context in the matrix definition, but inputs is only populated for workflow_dispatch/reusable workflows. Since this workflow also runs on pull_request, push, and merge_group, this can fail with an “Unrecognized named-value: 'inputs'” evaluation error. Use github.event.inputs.debug_justfile (and default it) or gate this expression on github.event_name == 'workflow_dispatch' so non-dispatch events don’t reference inputs at all.

Suggested change
- "${{ inputs.debug_justfile || false }}"
- "${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_justfile || false }}"

nix-shell --run "
just \
docker_sock=/run/docker/docker.sock \
debug_justfile=${{ inputs.debug_justfile || false }} \
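Review bot: the `run` body interpolates `${{ inputs.debug_justfile || false }}` straight into the shell string handed to `nix-shell --run`. GitHub's own guidance is to keep `${{ }}` expressions out of `run` scripts, because anything attacker-influenced there is shell injection; a boolean dispatch input bounded by `|| false` is low risk, but the safe and also simpler form is to export it under `env:` (for example `DEBUG_JUSTFILE: ${{ inputs.debug_justfile || false }}`) and write `debug_justfile="$DEBUG_JUSTFILE"` inside the quoted command, which also avoids a second layer of quoting inside the nested shell. Worth a second look as well: `docker_sock=/run/docker/docker.sock` exposes the Docker socket, which is root-equivalent on the runner, so confirm that only the container build and push recipes consume it.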
Copilot AI, Mar 22, 2026:

confidence: 9
tags: [logic]

This run step also interpolates inputs.debug_justfile inside the nix-shell --run command. On non-workflow_dispatch events the inputs context may be undefined, which can break the job even if you don’t care about the flag. Prefer passing debug_justfile=${{ github.event.inputs.debug_justfile || false }} (or similar) instead of inputs.* here.

Suggested change
debug_justfile=${{ inputs.debug_justfile || false }} \
debug_justfile=${{ github.event.inputs.debug_justfile || false }} \

Comment on lines 484 to 487
`# anybody editing the files shipped in the container image is up to no good, block all of that.` \
`# More, we expressly forbid setuid / setgid anything. May as well toss in the sticky bit as well.` \
--mode='u-sw,go=' \
`# More, we expressly forbid setuid / setgid anything.` \
--mode='ugo-sw' \
\
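Review bot: the disagreement in this thread can be settled from the mode string itself. GNU tar's `--mode` takes chmod-style symbolic changes, so `ugo-sw` clears the write bit and the setuid/setgid (`s`) bits for user, group and other and leaves read and execute in place; it does not touch the sticky bit, which is `t` in that syntax, so dropping the "toss in the sticky bit" sentence from the comment matches what the new mode does. The real behavioural change versus the old `u-sw,go=` is that group and other now keep read and execute, which is what lets the shipped binaries run under a non-root UID; that rationale belongs in the comment so the next reader does not "fix" it back to `go=`.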
Copilot AI, Mar 22, 2026:

confidence: 8
tags: [logic]

tar --mode='ugo-sw' only strips setuid/setgid/sticky bits but still leaves regular write permissions intact. That contradicts the preceding comment about “block all of that” (preventing edits) and weakens the hardening of the generated rootfs. Either tighten the mode to remove write bits (and possibly group/other permissions), or update the comment so it accurately reflects what’s enforced.

A collaborator replied:

Are you sure that is true? The -w part of ugo-sw should remove write no? I could accept that it should be a-sw but I think that amounts to the same thing no?


Labels: ci:+vlab (Enable VLAB tests)

Projects: none yet

Development: successfully merging this pull request may close these issues: Finish build system PR New build system for frr

4 participants