Merge #2380

2380: [nix] Add nix derivation for static builds r=rhatdan a=hswong3i

#### What type of PR is this?

<!--
Please label this pull request according to what type of issue you are
addressing, especially if this is a release targeted pull request.

Uncomment only one `/kind <>` line, hit enter to put that in a new line, and
remove leading whitespace from that line:
-->

> /kind feature

#### What this PR does / why we need it:

Similar PR goes for crun/conmon/libpod/cri-o/etc, too.


Also see:
  - ~~containers/crun#372
  - ~~containers/conmon#161
  - containers/skopeo#932
  - #2380
  - containers/podman#6402
  - cri-o/cri-o#3804


Static binaries:
  - [crun-0.13-linux-amd64](https://github.com/alvistack/crun/releases/download/0.13/crun-0.13-linux-amd64)
  - [conmon-v2.0.17-linux-amd64](https://github.com/alvistack/conmon/releases/download/v2.0.17/conmon-v2.0.17-linux-amd64)
  - [skopeo-v1.0.0-linux-amd64](https://github.com/alvistack/skopeo/releases/download/v1.0.0/skopeo-v1.0.0-linux-amd64)
  - [buildah-v1.14.9-linux-amd64](https://github.com/alvistack/buildah/releases/download/v1.14.9/buildah-v1.14.9-linux-amd64)
  - [podman-v1.9.3-linux-amd64](https://github.com/alvistack/libpod/releases/download/v1.9.3/podman-v1.9.3-linux-amd64)
  - [cri-o-v1.17.4-linux-amd64.tar.gz](https://github.com/alvistack/cri-o/releases/download/v1.17.4/cri-o-v1.17.4-linux-amd64.tar.gz)
  - [cri-o-v1.18.1-linux-amd64.tar.gz](https://github.com/alvistack/cri-o/releases/download/v1.18.1/cri-o-v1.18.1-linux-amd64.tar.gz)

Ansible Roles:
  - https://github.com/alvistack/ansible-role-crun
  - https://github.com/alvistack/ansible-role-conmon
  - https://github.com/alvistack/ansible-role-skopeo
  - https://github.com/alvistack/ansible-role-buildah 
  - https://github.com/alvistack/ansible-role-podman
  - https://github.com/alvistack/ansible-role-cri_o


#### How to verify it

```
nix build -f nix/
```

#### Which issue(s) this PR fixes:

<!--
Automatically closes linked issue when PR is merged.
Uncomment the following comment block and include the issue
number or None on one line.
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`, or `None`.
-->

<!--
Fixes #
or
None
-->

#### Special notes for your reviewer:


Here I skip the btrfs and lvm2 support for static binary, because:
1. btrfs will not support in CentOS 8
2. With skopeo experience both btrfs and lvm2 are not easy for compile as static binary

Also see:
- containers/podman#6402 (comment)

#### Does this PR introduce a user-facing change?

<!--
If no, just write `None` in the release-note block below. If yes, a release note
is required: Enter your extended release note in the block below. If the PR
requires additional action from users switching to the new release, include the
string "action required".

For more information on release notes please follow the kubernetes model:
https://git.k8s.io/community/contributors/guide/release-notes.md
-->

```release-note

```



Co-authored-by: Wong Hoi Sing Edison <hswong3i@gmail.com>

Author: bors[bot]

.cirrus.yml

@@ -157,7 +157,7 @@ gce_instance:
 
     env:
         matrix:
-            CROSS_TARGET: darwin
+            CROSS_TARGET: bin/buildah.darwin
 
     setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}'
     build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}'

.gitignore

@@ -6,3 +6,4 @@ tests/tools/build
 Dockerfile*
 !/tests/bud/*/Dockerfile*
 *.swp
+result

Makefile

@@ -33,33 +33,36 @@ CNI_COMMIT := $(shell sed -n 's;\tgithub.com/containernetworking/cni \([^ \n]*\)
 RUNC_COMMIT := v1.0.0-rc8
 LIBSECCOMP_COMMIT := release-2.3
 
-EXTRALDFLAGS :=
-LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT)' $(EXTRALDFLAGS)
+EXTRA_LDFLAGS ?=
+LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
 SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go cmd/buildah/*.go docker/*.go pkg/blobcache/*.go pkg/cli/*.go pkg/parse/*.go util/*.go
 
 LINTFLAGS ?=
 
-all: buildah imgtype docs
+all: bin/buildah bin/imgtype docs
 
-.PHONY: static
-static: $(SOURCES)
-	$(MAKE) SECURITYTAGS="$(SECURITYTAGS)" STORAGETAGS=$(STATIC_STORAGETAGS) EXTRALDFLAGS='-ldflags "-extldflags '-static'"' BUILDAH=buildah.static binary
+nixpkgs:
+	@nix run -f channel:nixpkgs-unstable nix-prefetch-git -c nix-prefetch-git \
+		--no-deepClone https://github.com/nixos/nixpkgs > nix/nixpkgs.json
 
-.PHONY: binary
-binary:  $(SOURCES)
-	$(GO_BUILD) $(LDFLAGS) -o $(BUILDAH) $(BUILDFLAGS) ./cmd/buildah
+.PHONY: bin/buildah
+bin/buildah:  $(SOURCES)
+	$(GO_BUILD) $(LDFLAGS) -o $@ $(BUILDFLAGS) ./cmd/buildah
 
-buildah: binary
+.PHONY: buildah
+buildah: bin/buildah
 
-darwin:
-	GOOS=darwin $(GO_BUILD) $(LDFLAGS) -o buildah.darwin -tags "containers_image_openpgp" ./cmd/buildah
+.PHONY: bin/buildah.darwin
+bin/buildah.darwin:
+	GOOS=darwin $(GO_BUILD) $(LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
-imgtype: *.go docker/*.go util/*.go tests/imgtype/imgtype.go
-	$(GO_BUILD) $(LDFLAGS) -o imgtype $(BUILDFLAGS) ./tests/imgtype/imgtype.go
+.PHONY: bin/imgtype
+bin/imgtype: *.go docker/*.go util/*.go tests/imgtype/imgtype.go
+	$(GO_BUILD) $(LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go
 
 .PHONY: clean
 clean:
-	$(RM) -r buildah imgtype build buildah.static buildah.darwin tests/testreport/testreport
+	$(RM) -r bin tests/testreport/testreport
 	$(MAKE) -C docs clean
 
 .PHONY: docs
@@ -105,7 +108,7 @@ install.cni.sudo: gopath
 
 .PHONY: install
 install:
-	install -D -m0755 buildah $(DESTDIR)/$(BINDIR)/buildah
+	install -D -m0755 bin/buildah $(DESTDIR)/$(BINDIR)/buildah
 	$(MAKE) -C docs install
 
 .PHONY: uninstall

contrib/cirrus/build.sh

@@ -20,10 +20,9 @@ else
     mkdir -p bin
     if [[ -z "$CROSS_TARGET" ]]
     then
-        ln -v buildah bin/buildah
         showrun make install PREFIX=/usr
         showrun ./bin/buildah info
     else
-        ln -v buildah.${CROSS_TARGET} bin/buildah
+        ln -v ${CROSS_TARGET} bin/buildah
     fi
 fi

contrib/cirrus/logcollector.sh

@@ -17,8 +17,8 @@ case $1 in
     df) showrun df -lhTx tmpfs ;;
     journal) showrun journalctl -b ;;
     podman) showrun podman system info ;;
-    buildah_version) showrun $GOSRC/buildah version;;
-    buildah_info) showrun $GOSRC/buildah info;;
+    buildah_version) showrun $GOSRC/bin/buildah version;;
+    buildah_info) showrun $GOSRC/bin/buildah info;;
     packages)
         # These names are common to Fedora and Ubuntu
         PKG_NAMES=(\

nix/default.nix

@@ -0,0 +1,53 @@
+{ system ? builtins.currentSystem }:
+let
+  pkgs = (import ./nixpkgs.nix {
+    config = {
+      packageOverrides = pkg: {
+        gpgme = (static pkg.gpgme);
+        libassuan = (static pkg.libassuan);
+        libgpgerror = (static pkg.libgpgerror);
+        libseccomp = (static pkg.libseccomp);
+        glib = pkg.glib.overrideAttrs(x: {
+          outputs = [ "bin" "out" "dev" ];
+          mesonFlags = [
+            "-Ddefault_library=static"
+            "-Ddevbindir=${placeholder ''dev''}/bin"
+            "-Dgtk_doc=false"
+            "-Dnls=disabled"
+          ];
+        });
+      };
+    };
+  });
+
+  static = pkg: pkg.overrideAttrs(x: {
+    configureFlags = (x.configureFlags or []) ++
+      [ "--without-shared" "--disable-shared" ];
+    dontDisableStatic = true;
+    enableSharedExecutables = false;
+    enableStatic = true;
+  });
+
+  self = with pkgs; buildGoPackage rec {
+    name = "buildah";
+    src = ./..;
+    goPackagePath = "github.com/containers/buildah";
+    doCheck = false;
+    enableParallelBuilding = true;
+    nativeBuildInputs = [ git installShellFiles pkg-config ];
+    buildInputs = [ glib glibc glibc.static gpgme libapparmor libassuan libgpgerror libseccomp libselinux ];
+    prePatch = ''
+      export LDFLAGS='-s -w -static-libgcc -static'
+      export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
+      export BUILDTAGS='static netgo apparmor selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper'
+    '';
+    buildPhase = ''
+      pushd go/src/${goPackagePath}
+      patchShebangs .
+      make bin/buildah
+    '';
+    installPhase = ''
+      install -Dm755 bin/buildah $out/bin/buildah
+    '';
+  };
+in self

nix/nixpkgs.json

@@ -0,0 +1,10 @@
+{
+  "url": "https://github.com/nixos/nixpkgs",
+  "rev": "78e324d2726127828a15f87a75b4d3199a8955ec",
+  "date": "2020-06-16T18:23:14-07:00",
+  "path": "/nix/store/bwhp0061k3fk00j8fskpfak261jdcjl6-nixpkgs",
+  "sha256": "1j58aa9ngdmvbnds4x4a497nynj390dzqyb5yrvmhjc7k9anq6jm",
+  "fetchSubmodules": false,
+  "deepClone": false,
+  "leaveDotGit": false
+}

nix/nixpkgs.nix

@@ -0,0 +1,8 @@
+let
+  json = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
+  nixpkgs = import (builtins.fetchTarball {
+    name = "nixos-unstable";
+    url = "${json.url}/archive/${json.rev}.tar.gz";
+    inherit (json) sha256;
+  });
+in nixpkgs

tests/e2e/buildah_suite_test.go

@@ -95,7 +95,7 @@ func CreateTempDirInTempDir() (string, error) {
 func BuildahCreate(tempDir string) BuildAhTest {
 	cwd, _ := os.Getwd()
 
-	buildAhBinary := filepath.Join(cwd, "../../buildah")
+	buildAhBinary := filepath.Join(cwd, "../../bin/buildah")
 	if os.Getenv("BUILDAH_BINARY") != "" {
 		buildAhBinary = os.Getenv("BUILDAH_BINARY")
 	}

tests/helpers.bash

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-BUILDAH_BINARY=${BUILDAH_BINARY:-$(dirname ${BASH_SOURCE})/../buildah}
-IMGTYPE_BINARY=${IMGTYPE_BINARY:-$(dirname ${BASH_SOURCE})/../imgtype}
+BUILDAH_BINARY=${BUILDAH_BINARY:-$(dirname ${BASH_SOURCE})/../bin/buildah}
+IMGTYPE_BINARY=${IMGTYPE_BINARY:-$(dirname ${BASH_SOURCE})/../bin/imgtype}
 TESTSDIR=${TESTSDIR:-$(dirname ${BASH_SOURCE})}
 STORAGE_DRIVER=${STORAGE_DRIVER:-vfs}
 PATH=$(dirname ${BASH_SOURCE})/..:${PATH}