guix: Linux reproducible builds of the daemon

2022-11-30 11:11:29 +01:00 · 2022-11-30 11:11:29 +01:00 · 8dda896e4b
commit 8dda896e4b
parent bb9a41727e
4 changed files with 104 additions and 3 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -56,6 +56,3 @@ libc = "0.2"

 # Used for PSBTs
 base64 = "0.13"
-
-[patch.crates-io]
-
--- a/contrib/guix/build.sh
+++ b/contrib/guix/build.sh
@ -0,0 +1,21 @@
+set -ex
+
+# Guix comes with Cargo 1.52 but --config was stabilized in 1.63, so we need
+# to specify unstable-options.
+# We use the --config to redirect cargo toward our vendored source directory
+# for our dependencies.
+# TODO: build in release mode
+cargo -Z unstable-options -vvv \
+    --color always \
+    --frozen \
+    --offline \
+    rustc \
+    --release \
+    --target-dir "$TARGET_DIR" \
+    --config source.vendored_sources.directory=\""$VENDOR_DIR"\" \
+    --config source.crates-io.replace-with=\"vendored_sources\" \
+    --config source.\"https://github.com/darosior/rust-miniscript\".replace-with=\"vendored_sources\" \
+    --config source.\"https://github.com/darosior/rust-miniscript\".git=\"https://github.com/darosior/rust-miniscript\" \
+    --config source.\"https://github.com/darosior/rust-miniscript\".branch=\"multipath_descriptors_on_8.0\"
+
+set +ex
--- a/contrib/guix/guix-build.sh
+++ b/contrib/guix/guix-build.sh
@ -0,0 +1,78 @@
+#!/usr/bin/env sh
+
+set -ex
+
+# How many cores to allocate to Guix building.
+JOBS="${JOBS:-$(nproc)}"
+
+# The binary to check the hash of downloaded archives.
+SHASUM_BIN="${SHASUM_BIN:-sha256sum}"
+
+# We do everything in a single directory. That's the root of it, configurable
+# through the environment.
+BUILD_ROOT="${BUILD_ROOT:-$(mktemp -d)}"
+
+# Various folders we expose to the container. The vendor directory will contain
+# the sources of all our dependencies. Because we restrict network access from
+# within the container, this is pulled beforehand.
+# The out directory will contain the resulting binaries. It's wired to the --target-dir
+# for a cargo build.
+VENDOR_DIR="$BUILD_ROOT/vendor"
+OUT_DIR="${OUT_DIR:-"$BUILD_ROOT/out"}"
+BIN_DIR="${BIN_DIR:-"$BUILD_ROOT/bin"}"
+
+# Create the various folders if the root build directory is fresh.
+for d in "$OUT_DIR" "$BIN_DIR"; do
+    if ! [ -d "$d" ]; then
+        mkdir -p "$d"
+    fi
+done
+
+# That's what Guix comes with.
+RUST_VERSION="1.52.0"
+CARGO_BIN="$BIN_DIR/cargo"
+
+# First off get the cargo binary to run on the host to vendor dependencies.
+# We assume the host is a 64bit Linux system.
+if ! [ -f "$CARGO_BIN" ]; then
+    ARCHIVE_PATH="$BIN_DIR/rust-for-cargo.tar.gz"
+    curl -o "$ARCHIVE_PATH" "https://static.rust-lang.org/dist/rust-$RUST_VERSION-x86_64-unknown-linux-gnu.tar.gz"
+    echo "c082b5eea81206ff207407b41a10348282362dd972e93c86b054952b66ca0e2b $ARCHIVE_PATH" | $SHASUM_BIN -c
+    # Path of the cargo binary within the archive
+    CARGO_BIN_PATH="rust-$RUST_VERSION-x86_64-unknown-linux-gnu/cargo/bin/cargo"
+    ( cd $BIN_DIR && tar -xzf $ARCHIVE_PATH $CARGO_BIN_PATH && mv $CARGO_BIN_PATH $CARGO_BIN )
+fi
+
+# Pull the sources of our dependencies before building them in the container.
+if ! [ -d "$VENDOR_DIR" ]; then
+    $CARGO_BIN vendor $VENDOR_DIR
+fi
+
+# Execute "$@" in a pinned, possibly older version of Guix, for reproducibility
+# across time.
+time_machine() {
+    guix time-machine --url=https://git.savannah.gnu.org/git/guix.git \
+                      --commit=059d38dc3f8b087f4a42df586daeb05761ee18d7 \
+                      --cores="$JOBS" \
+                      --keep-failed \
+                      --fallback \
+                      -- "$@"
+}
+
+# Bootstrap a reproducible environment as specified by the manifest in an isolated
+# container, and build the project.
+time_machine shell --no-cwd \
+           --expose="$PWD/src=/liana/src" \
+           --expose="$PWD/Cargo.toml=/liana/Cargo.toml" \
+           --expose="$PWD/Cargo.lock=/liana/Cargo.lock" \
+           --expose="$PWD/contrib/guix/build.sh=/liana/build.sh" \
+           --expose="$VENDOR_DIR=$VENDOR_DIR" \
+           --share="$OUT_DIR=$OUT_DIR" \
+           --container \
+           -m $PWD/contrib/guix/manifest.scm \
+           -- env CC=clang VENDOR_DIR="$VENDOR_DIR" TARGET_DIR="$OUT_DIR" \
+              /bin/sh -c "cd /liana && ./build.sh"
+
+set +ex
+
+echo "Build successful. Output available at $OUT_DIR"
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@ -0,0 +1,5 @@
+(specifications->manifest
+  (list "rust"
+        "rust-cargo"
+        "coreutils"
+        "clang-toolchain"))