diff --git a/lib/build.ml b/lib/build.ml
index e18462c7..e9932597 100644
--- a/lib/build.ml
+++ b/lib/build.ml
@@ -59,6 +59,7 @@ module Make (Raw_store : S.STORE) (Sandbox : S.SANDBOX) = struct
 cmd : string;
 shell : string list;
 network : string list;
+ tmpfs : string list;
 } [@@deriving sexp_of]
 
 let run t ~switch ~log ~cache run_input =
@@ -68,7 +69,7 @@ module Make (Raw_store : S.STORE) (Sandbox : S.SANDBOX) = struct
 |> Sha256.string
 |> Sha256.to_hex
 in
- let { base; workdir; user; env; cmd; shell; network } = run_input in
+ let { base; workdir; user; env; cmd; shell; network; tmpfs } = run_input in
 Store.build t.store ?switch ~base ~id ~log (fun ~cancelled ~log result_tmp ->
 let to_release = ref [] in
 Lwt.finalize
@@ -80,7 +81,7 @@ module Make (Raw_store : S.STORE) (Sandbox : S.SANDBOX) = struct
 )
 >>= fun mounts ->
 let argv = shell @ [cmd] in
- let config = Config.v ~cwd:workdir ~argv ~hostname ~user ~env ~mounts ~network in
+ let config = Config.v ~cwd:workdir ~argv ~hostname ~user ~env ~mounts ~network ~tmpfs in
 Os.with_pipe_to_child @@ fun ~r:stdin ~w:close_me ->
 Lwt_unix.close close_me >>= fun () ->
 Sandbox.run ~cancelled ~stdin ~log t.sandbox config result_tmp
@@ -147,6 +148,7 @@ module Make (Raw_store : S.STORE) (Sandbox : S.SANDBOX) = struct
 ~env:["PATH", "/bin:/usr/bin"]
 ~mounts:[]
 ~network:[]
+ ~tmpfs:[]
 in
 Os.with_pipe_to_child @@ fun ~r:from_us ~w:to_untar ->
 let proc = Sandbox.run ~cancelled ~stdin:from_us ~log t.sandbox config result_tmp in
@@ -187,10 +189,10 @@ module Make (Raw_store : S.STORE) (Sandbox : S.SANDBOX) = struct
 | `Comment _ -> k ~base ~context
 | `Workdir workdir -> k ~base ~context:(update_workdir ~context workdir)
 | `User user -> k ~base ~context:{context with user}
- | `Run { shell = cmd; cache; network } ->
+ | `Run { shell = cmd; cache; network; tmpfs } ->
 let switch, run_input, log =
 let { Context.switch; workdir; user; env; shell; log; src_dir = _; scope = _ } = context in
- (switch, { base; workdir; user; env; cmd; shell; network }, log)
+ (switch, { base; workdir; user; env; cmd; shell; network; tmpfs }, log)
 in
 run t ~switch ~log ~cache run_input >>!= fun base ->
 k ~base ~context
diff --git a/lib/config.ml b/lib/config.ml
index 31c3fbb6..860aa2e7 100644
--- a/lib/config.ml
+++ b/lib/config.ml
@@ -20,7 +20,8 @@ type t = {
 env : env;
 mounts : Mount.t list;
 network : string list;
+ tmpfs : string list;
 }
 
-let v ~cwd ~argv ~hostname ~user ~env ~mounts ~network =
- { cwd; argv; hostname; user; env; mounts; network }
+let v ~cwd ~argv ~hostname ~user ~env ~mounts ~network ~tmpfs =
+ { cwd; argv; hostname; user; env; mounts; network; tmpfs }
diff --git a/lib/runc_sandbox.ml b/lib/runc_sandbox.ml
index c4a0efba..6e7a156b 100644
--- a/lib/runc_sandbox.ml
+++ b/lib/runc_sandbox.ml
@@ -99,7 +99,7 @@ module Json_config = struct
 in
 `Assoc fields
 
- let make {Config.cwd; argv; hostname; user; env; mounts; network} t ~config_dir ~results_dir : Yojson.Safe.t =
+ let make {Config.cwd; argv; hostname; user; env; mounts; network; tmpfs} t ~config_dir ~results_dir : Yojson.Safe.t =
 let user =
 let { Obuilder_spec.uid; gid } = user in
 `Assoc [
@@ -225,6 +225,14 @@ module Json_config = struct
 ]
 else []
 ) @
+ List.map (fun target ->
+ mount target
+ ~ty:"tmpfs"
+ ~src:"tmpfs"
+ ~options:[
+ "size=6G";
+ ]
+ ) tmpfs @
 user_mounts mounts
 );
 "linux", `Assoc [
@@ -251,7 +259,7 @@ module Json_config = struct
 "seccomp", seccomp_policy t;
 ];
 ]
-end
+end
 
 let next_id = ref 0
 
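Review bot: The tmpfs mounts built in the new `List.map` block of `make` hard-code `"size=6G"` and nothing else, so every target a spec lists gets its own 6G memory-backed filesystem, the spec decides how many there are, and the sandbox places no cap on the total a single build can pin in RAM/swap; the constant itself is also unexplained. I would lift it into a named, commented value such as `let tmpfs_size = "size=6G" (* per-mount cap; tmpfs is memory-backed, so N targets may pin N * 6G *)`, or better make it a field of `t` so operators can tune it per deployment. Unless `mount` (defined outside the hunk) already adds them, the standard `"nosuid"; "nodev"` flags belong in `~options` next to the size, since the options the other mounts receive are not visible here to compare against. `make`'s body starts and ends outside the hunk.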
diff --git a/lib_spec/docker.ml b/lib_spec/docker.ml
index 2122c2b2..a83d9a9a 100644
--- a/lib_spec/docker.ml
+++ b/lib_spec/docker.ml
@@ -24,8 +24,11 @@ let pp_cache ~ctx f { Cache.id; target; buildkit_options } =
 in
 Fmt.pf f "%a" Fmt.(list ~sep:(unit ",") pp_pair) buildkit_options
 
-let pp_run ~ctx f { Spec.cache; shell; network = _ } =
- Fmt.pf f "RUN %a%a" Fmt.(list (pp_cache ~ctx ++ const string " ")) cache pp_wrap shell
+let pp_tmpfs f target =
+ Fmt.pf f "--mount=type=tmpfs,target=%s" target
+
+let pp_run ~ctx f { Spec.cache; shell; network = _; tmpfs } =
+ Fmt.pf f "RUN %a%a%a" Fmt.(list (pp_cache ~ctx ++ const string " ")) cache (Fmt.list pp_tmpfs) tmpfs pp_wrap shell
 
 let pp_copy ~ctx f { Spec.from; src; dst; exclude = _ } =
 let from = match from with
diff --git a/lib_spec/spec.ml b/lib_spec/spec.ml
index de5cd59d..5487377e 100644
--- a/lib_spec/spec.ml
+++ b/lib_spec/spec.ml
@@ -62,11 +62,12 @@ type user = { uid : int; gid : int }
 type run = {
 cache : Cache.t list [@sexp.list];
 network : string list [@sexp.list];
+ tmpfs : string list [@sexp.list];
 shell : string;
 } [@@deriving sexp]
 
 let run_inlined = function
- | "cache" | "network" -> true
+ | "cache" | "network" | "tmpfs" -> true
 | _ -> false
 
 let run_of_sexp x = run_of_sexp (inflate_record run_inlined x)
@@ -145,7 +146,7 @@ let rec t_of_sexp = function
 let comment fmt = fmt |> Printf.ksprintf (fun c -> `Comment c)
 let workdir x = `Workdir x
 let shell xs = `Shell xs
-let run ?(cache=[]) ?(network=[]) fmt = fmt |> Printf.ksprintf (fun x -> `Run { shell = x; cache; network })
+let run ?(cache=[]) ?(network=[]) ?(tmpfs=[]) fmt = fmt |> Printf.ksprintf (fun x -> `Run { shell = x; cache; network; tmpfs })
 let copy ?(from=`Context) ?(exclude=[]) src ~dst = `Copy { from; src; dst; exclude }
 let env k v = `Env (k, v)
 let user ~uid ~gid = `User { uid; gid }
diff --git a/lib_spec/spec.mli b/lib_spec/spec.mli
index cfb9e7a3..4b068286 100644
--- a/lib_spec/spec.mli
+++ b/lib_spec/spec.mli
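Review bot: In the new `pp_run`, `(Fmt.list pp_tmpfs) tmpfs` emits nothing after each `--mount=type=tmpfs,target=...`, whereas the cache list on the same format line appends a space to every entry via `const string " "`; unless `pp_wrap` (outside the hunk) prints a leading space, the last mount option runs straight into the shell text, and because `Fmt.list`'s default separator is a cut, two tmpfs entries are also joined without a space. Mirroring the cache formatter fixes both cases in one line: `Fmt.(list (pp_tmpfs ++ const string " ")) tmpfs`. A short comment on `pp_tmpfs` would help the next reader, e.g. `(* BuildKit syntax for an ephemeral tmpfs mount on a RUN step. *)`.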
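Review bot: The `tmpfs` field added to `run` is accepted from the spec with no check on its values, so an empty string or a relative path is only discovered later, when the sandbox config or the Dockerfile output is consumed, and the `run` constructor changed at `@@ -145` has the same gap. Since `run_of_sexp` already post-processes the record through `inflate_record`, that is a natural place to reject a target for which `String.length target = 0 || target.[0] <> '/'`, raising through whatever error path the surrounding `*_of_sexp` code already uses and naming the field. This is hedged on where such values currently fail; as far as I know both the OCI mount `destination` and BuildKit's `target=` expect absolute paths, so a spec-level check gives the error at parse time instead.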
@@ -13,6 +13,7 @@ type user = {
 type run = {
 cache : Cache.t list;
 network : string list;
+ tmpfs : string list;
 shell : string;
 } [@@deriving sexp]
 
@@ -37,7 +38,7 @@ val stage : ?child_builds:(string * t) list -> from:string -> op list -> t
 val comment : ('a, unit, string, op) format4 -> 'a
 val workdir : string -> op
 val shell : string list -> op
-val run : ?cache:Cache.t list -> ?network:string list -> ('a, unit, string, op) format4 -> 'a
+val run : ?cache:Cache.t list -> ?network:string list -> ?tmpfs:string list -> ('a, unit, string, op) format4 -> 'a
 val copy : ?from:[`Context | `Build of string] -> ?exclude:string list -> string list -> dst:string -> op
 val env : string -> string -> op
 val user : uid:int -> gid:int -> op
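Review bot: The new `?tmpfs` argument on `val run`, and the `tmpfs` field added to `run` in the hunk at `@@ -13`, are the public interface of this feature but carry no doc comment, so a user of the `.mli` cannot tell what the strings are or that their size and mount flags are fixed by the sandbox rather than the spec. I would add above `val run` something like `(** [tmpfs] lists container paths to be mounted as fresh, empty tmpfs filesystems for the duration of this step; size and mount flags are chosen by the sandbox, not the spec. *)`, and on the record field the shorter `(** Container paths to back with a tmpfs for this step. *)`. Whether neighbouring values in this file carry doc comments is not visible in the hunk, so match the existing convention.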