
Commit 47482ae

Make nsjail slightly less experimental, update README
1 parent de60783 commit 47482ae

5 files changed

+66
-8
lines changed

Dockerfile.nsjail-3.0

Lines changed: 2 additions & 2 deletions
@@ -10,8 +10,8 @@ COPY --from=libnl /output /output
1010
WORKDIR /build
1111
RUN download https://github.com/google/nsjail/archive/refs/tags/3.0.tar.gz source.tar.gz cfa66d3ed136b2e221752287b95e544915e8a6760aa866f023b604d14a374919 && tar xf source.tar.gz
1212
RUN download https://github.com/google/kafel/archive/refs/tags/20200831.tar.gz kafel.tar.gz dc6a541e4699acb2ac76128142780604452694d747dfd31a809a90506f965d7e && tar xf kafel.tar.gz
13-
RUN download https://github.com/protocolbuffers/protobuf/releases/download/v3.19.1/protoc-3.19.1-linux-x86_64.zip protoc.zip 4b18a69b3093432ee0531bc9bf3c4114f81bde1670ade2875f694180ac8bd7f6 && unzip protoc.zip
1413
COPY patches/nsjail-3.0 /build/patches
14+
RUN patches/download_protoc.sh
1515
RUN export PATH=/build/cross/bin:$PATH:/output/bin && \
1616
mkdir -p /output/bin && \
1717
mkdir -p /output/include/sys && \
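Review bot: `RUN patches/download_protoc.sh` depends on the execute bit surviving both git and the preceding `COPY`; `RUN bash patches/download_protoc.sh` removes that dependency. A comment on this line would also help: the script picks a protoc build by `uname -m` of the build host rather than by `MUSL_TARGET`, which is the right choice because protoc only runs during the build, and the SHA256 pin that used to sit in this Dockerfile now lives in the script, one per architecture.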
@@ -26,7 +26,7 @@ sed -e 's/-Werror//' -e 's/-pie//' -e 's/-fPIE//' -i Makefile && \
2626
sed -e 's/YYUSE/YY_USE/' -i kafel/src/parser.y && \
2727
sed -e 's/^TARGET=.*/TARGET=${STATIC_TARGET}/' -i kafel/src/Makefile && \
2828
export CC="$MUSL_TARGET-gcc -static" && \
29-
export CXX="$MUSL_TARGET-g++ -static" && \
29+
export CXX="$MUSL_TARGET-g++ -static -static-libstdc++" && \
3030
export CFLAGS="-I/output/include -I/output/include/libnl3 -I/output/include/google -static -frandom-seed=pulse" && \
3131
export COMMON_FLAGS="-static -I/output/include -I/output/include/libnl3 -I/output/include/google" && \
3232
export LDFLAGS="-L/output/lib -pthread -lprotobuf -lnl-route-3 -lnl-3" && \
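Review bot: the added `-static-libstdc++` on the `CXX` line should carry a short comment saying which link failure it fixes, since `-static` is already passed on the same line and a reader will otherwise assume the flag is redundant. After rebuilding, the `make check` target described in the README is the right way to confirm the nsjail binary still has no dynamic libstdc++ dependency.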

Makefile

Lines changed: 2 additions & 0 deletions
@@ -1,4 +1,5 @@
11
MUSL_TARGET ?= x86_64-linux-musl
2+
UNAME_M := $(shell uname -m)
23

34
DOCKER_BUILD = docker build --build-arg MUSL_TARGET=$(MUSL_TARGET) -f Dockerfile.$@ -t $@-$(MUSL_TARGET) .
45
GRABBY_HANDS = docker run --rm --mount type=bind,source=$(shell pwd)/output/$(MUSL_TARGET),target=/grabby $@-$(MUSL_TARGET) install -g $(shell id -g) -o $(shell id -u)
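Review bot: `UNAME_M := $(shell uname -m)` is defined here but nothing in this patch reads it. Either drop it or use it in the `nsjail-3.0` recipe to fail fast with a clear message on unsupported build hosts, which is the limitation the comment added further down in this file describes.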
@@ -94,6 +95,7 @@ busybox-1.33.1: musl-cross-make
9495
$(DOCKER_BUILD)
9596
$(GRABBY_HANDS) /output/bin/busybox /grabby/$@
9697

98+
# Currently this will only build on 64 bit ARM, 32 or 64 bit x86. This will be sorted out later.
9799
nsjail-3.0: libnl-3.2.25 protobuf-3.19.1
98100
$(DOCKER_BUILD)
99101
$(GRABBY_HANDS) /build/nsjail-3.0/nsjail /grabby/$@
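Review bot: the architecture restriction on `nsjail-3.0` is stated only in a comment, so on an unsupported host the failure surfaces late, inside the Docker build, when `download_protoc.sh` exits. A guard in the recipe using the `UNAME_M` variable introduced at the top of this Makefile (an `ifneq` over the three supported values that prints the same message and stops) would make `make nsjail-3.0` fail immediately. The comment should also say that the limit is on the build host architecture, not on `MUSL_TARGET`.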

README.md

Lines changed: 37 additions & 6 deletions
@@ -13,22 +13,53 @@ Run `make MUSL_TARGET=some_target_tuple` to compile everything. Tested targets s
1313

1414
But others are very likely to work. Building everything currently needs about 2GB of disk per target and it helps to have a big machine with NVMe storage and plenty of RAM. A complete build for a single architecture currently takes about 15 minutes on a Ryzen 4750U, or a bit less on an Apple M1.
1515

16-
You can build individual binaries by specifying the recipe name as an argument to `make`. Dependency resolution will be handled automatically. These recipes are included at the moment:
16+
You can build individual binaries by specifying the recipe name as an argument to `make`. Dependency resolution will be handled automatically.
17+
18+
To validate that all your binaries came out right, run `make check`. This will list any binaries in the `output` directory which don't seem to have been statically linked.
19+
20+
More tools and documentation will be added over time.
21+
22+
### Supported tools
23+
24+
These are the tools that build cleanly without too many caveats and are generally usable.
1725

1826
* `busybox-1.33.1`
1927
* `curl-7.79.1`
2028
* `dropbear-2020.81` (`dropbear`, `dropbearclient` and `dropbearkey`)
21-
* `git-2.33.0` (`git-...` binary needs to be renamed to just `git` to work)
2229
* `loggedfs-0.9`
23-
* `nmap-7.90`
30+
* `nmap-7.90` (some extra functionality is missing as it requires additional data files)
2431
* `openssl-0.9.8zh` (insecure, not for general use)
2532
* `openssl-1.1.1k`
2633
* `socat-1.7.4.1`
2734
* `tcpdump-4.99.1`
2835

29-
More tools and documentation will be added over time.
30-
31-
To validate that all your binaries came out right, run `make check`. This will list any binaries in the `output` directory which don't seem to have been statically linked.
36+
### Experimental tools
37+
38+
These are tools which have significant caveats.
39+
40+
* `git-2.33.0` (`git-...` binary needs to be renamed to just `git` to work, generally this isn't very useful because even when compiled statically it's not very standalone due to all the scripts and helpers required)
41+
* `nsjail-3.0` (currently only builds on 64 bit ARM, 32 and 64 bit x86 due to using Google's static `protoc` compiler binaries)
42+
43+
### Supported libraries
44+
45+
These libraries are built automatically as required by the above tools.
46+
47+
* `musl-cross-make-0.9.9`
48+
* `expat-2.4.1`
49+
* `fuse-2.9.9`
50+
* `gettext-0.21` (not currently required for anything)
51+
* `kafel-20200831` (as part of `nsjail-3.0`)
52+
* `libcurl-7.79.1` (as part of `curl-7.79.1`)
53+
* `libnl-3.2.25`
54+
* `libpcap-1.10.1`
55+
* `libssl-0.9.8zh` (as part of `openssl-0.9.8zh`, don't use this, just here for compatibility)
56+
* `libssl-1.1.1k` (as part of `openssl-1.1.1k`)
57+
* `libxml2-2.9.12`
58+
* `ncurses-6.2`
59+
* `pcre-8.45`
60+
* `protobuf-3.19.1` (C++ support only)
61+
* `readline-8.1`
62+
* `zlib-1.2.11`
3263

3364
## Rationale
3465
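Review bot: the `nsjail-3.0` caveat in the Experimental tools list should say that the "64 bit ARM, 32 and 64 bit x86" restriction applies to the machine running the build (the prebuilt `protoc` has to execute there), not to `MUSL_TARGET`; as written a reader may conclude that only those targets are supported. A smaller point: `gettext-0.21` is listed as "not currently required for anything" under a heading that says the libraries are built "as required by the above tools", so either the heading or that entry should be adjusted.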

patches/nsjail-3.0/download_protoc.sh

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
#!/bin/bash
2+
3+
# Lazy way to get a working 'protoc' compiler on at least some Linux architectures.
4+
5+
cd /build || exit 1
6+
7+
case $(uname -m) in
8+
aarch64)
9+
download https://github.com/protocolbuffers/protobuf/releases/download/v3.19.1/protoc-3.19.1-linux-aarch_64.zip protoc.zip 086e40c1658d241b2aefae659778637055b7c02e166fe2c835929a3066d41be3
10+
;;
11+
x86_64)
12+
download https://github.com/protocolbuffers/protobuf/releases/download/v3.19.1/protoc-3.19.1-linux-x86_64.zip protoc.zip 4b18a69b3093432ee0531bc9bf3c4114f81bde1670ade2875f694180ac8bd7f6
13+
;;
14+
i?86)
15+
download https://github.com/protocolbuffers/protobuf/releases/download/v3.19.1/protoc-3.19.1-linux-x86_32.zip protoc.zip ba9683d85db7d9f44965b38a5c0b05368d0e02ee21f24de3d29627f095d42de3
16+
;;
17+
*)
18+
echo "Currently I don't know how to get protoc for your host architecture. Sorry. This is going to be sorted out at some point."
19+
exit 1
20+
;;
21+
esac
22+
23+
unzip protoc.zip
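Review bot: the script has no `set -e` and the `download` calls are not chained with `&&`, so if `download` fails (a SHA256 mismatch or a network error) the script still runs `unzip protoc.zip` on whatever is on disk and only that step decides the exit status. Adding `set -euo pipefail` after the shebang, or writing `download ... && unzip protoc.zip` as the Dockerfile did before this change, keeps the hash check meaningful. The script also assumes `download` and `unzip` are on `PATH` in the build image; a one-line comment stating that, and that `i?86` is meant to cover `i386` through `i686`, would help.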

patches/nsjail-3.0/queue.h

Lines changed: 2 additions & 0 deletions
@@ -1,3 +1,5 @@
1+
/* static-binary-zoo note: musl doesn't include a queue.h implementation so here's one from NetBSD that works */
2+
13
/* $NetBSD: queue.h,v 1.68 2014年11月19日 08:10:01 uebayasi Exp $ */
24

35
/*
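Review bot: the new note is prepended above the `$NetBSD$` ident line, which correctly leaves the upstream copyright and license header intact. It would help to record where the file was fetched from and how it reaches the compiler; the Dockerfile in this patch creates `/output/include/sys`, presumably for this header, but the step that copies it there is not visible in this change.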
