Blame - build/run_in_container.sh - hafnium/hafnium.git

blob: ae0850ea1c069981e3c3d3d8c0fccb2847ce05df [file] [log] [blame]

David Brazdil	5ecf75f	2019-07-21 10:39:47 +0200	[diff] [blame]	1	#!/usr/bin/env bash
				2	# Copyright 2019 The Hafnium Authors.
				3	#
				4	# Licensed under the Apache License, Version 2.0 (the "License");
				5	# you may not use this file except in compliance with the License.
				6	# You may obtain a copy of the License at
				7	#
				8	# https://www.apache.org/licenses/LICENSE-2.0
				9	#
				10	# Unless required by applicable law or agreed to in writing, software
				11	# distributed under the License is distributed on an "AS IS" BASIS,
				12	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	# See the License for the specific language governing permissions and
				14	# limitations under the License.
				15	set -euo pipefail
				16
				17	SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
				18	ROOT_DIR="$(realpath ${SCRIPT_DIR}/..)"
				19
				20	source "${SCRIPT_DIR}/docker/common.inc"
				21
				22	if [ "${HAFNIUM_HERMETIC_BUILD:-}" == "inside" ]
				23	then
				24	echo "ERROR: Invoked $0 recursively" 1>&2
				25	exit 1
				26	fi
				27
				28	# Set up a temp directory and register a cleanup function on exit.
				29	TMP_DIR="$(mktemp -d)"
				30	function cleanup() {
				31	rm -rf "${TMP_DIR}"
				32	}
				33	trap cleanup EXIT
				34
				35	# Build local image and write its hash to a temporary file.
				36	IID_FILE="${TMP_DIR}/imgid.txt"
				37	"${DOCKER}" build \
				38	--build-arg LOCAL_UID="$(id -u)" \
				39	--build-arg LOCAL_GID="$(id -g)" \
				40	--iidfile="${IID_FILE}" \
				41	-f "${SCRIPT_DIR}/docker/Dockerfile.local" \
				42	"${SCRIPT_DIR}/docker"
				43	IMAGE_ID="$(cat ${IID_FILE})"
				44
David Brazdil	5e0484e	2019-08-07 15:06:57 +0100	[diff] [blame^]	45	# Parse command line arguments
David Brazdil	5ecf75f	2019-07-21 10:39:47 +0200	[diff] [blame]	46	INTERACTIVE=false
David Brazdil	5e0484e	2019-08-07 15:06:57 +0100	[diff] [blame^]	47	ALLOW_PTRACE=false
				48	while true
				49	do
				50	case "${1:-}" in
				51	-i)
				52	INTERACTIVE=true
				53	shift
				54	;;
				55	-p)
				56	ALLOW_PTRACE=true
				57	shift
				58	;;
				59	-*)
				60	echo "ERROR: Unknown command line flag: $1" 1>&2
				61	echo "Usage: $0 [-i] [-p] <command>"
				62	exit 1
				63	;;
				64	*)
				65	break
				66	;;
				67	esac
				68	done
David Brazdil	5ecf75f	2019-07-21 10:39:47 +0200	[diff] [blame]	69
				70	ARGS=()
				71	# Run with a pseduo-TTY for nicer logging.
				72	ARGS+=(-t)
				73	# Run interactive if this script was invoked with '-i'.
				74	if [ "${INTERACTIVE}" == "true" ]
				75	then
				76	ARGS+=(-i)
				77	fi
David Brazdil	5e0484e	2019-08-07 15:06:57 +0100	[diff] [blame^]	78	# Allow ptrace() syscall if invoked with '-p'.
				79	if [ "${ALLOW_PTRACE}" == "true" ]
				80	then
				81	echo "WARNING: Docker seccomp profile is disabled!" 1>&2
				82	ARGS+=(--cap-add=SYS_PTRACE --security-opt seccomp=unconfined)
				83	fi
David Brazdil	5ecf75f	2019-07-21 10:39:47 +0200	[diff] [blame]	84	# Set environment variable informing the build that we are running inside
				85	# a container.
				86	ARGS+=(-e HAFNIUM_HERMETIC_BUILD=inside)
				87	# Bind-mount the Hafnium root directory. We mount it at the same absolute
				88	# location so that all paths match across the host and guest.
				89	ARGS+=(-v "${ROOT_DIR}":"${ROOT_DIR}")
				90	# Make all files outside of the Hafnium directory read-only to ensure that all
				91	# generated files are written there.
				92	ARGS+=(--read-only)
				93	# Mount a writable /tmp folder. Required by LLVM/Clang for intermediate files.
				94	ARGS+=(--tmpfs /tmp)
				95	# Set working directory.
				96	ARGS+=(-w "${ROOT_DIR}")
				97
				98	echo "Running in container: $*" 1>&2
				99	${DOCKER} run \
				100	${ARGS[@]} \
				101	"${IMAGE_ID}" \
				102	/bin/bash -c "$*"