ci: use NixOS in Docker

4 years ago · 1d68c9b386
parent 179645e3ad
commit 1d68c9b386
4 changed files with 55 additions and 138 deletions
--- a/build-docker.sh
+++ b/build-docker.sh
@ -1,14 +1,7 @@
 #!/usr/bin/env bash
 set -e

-if [ "$1" = "--gcc_source" ]; then
-  TOOLCHAIN_FLAVOR=src
-  shift
-else
-  TOOLCHAIN_FLAVOR=x86_64-linux
-fi
-
-IMAGE=trezor-firmware-build.$TOOLCHAIN_FLAVOR
+IMAGE=trezor-firmware-build.nixos

 TAG=${1:-master}
 REPOSITORY=${2:-local}
@ -21,7 +14,7 @@ else
  REPOSITORY=https://github.com/$REPOSITORY/trezor-firmware.git
 fi

-docker build -t "$IMAGE" --build-arg TOOLCHAIN_FLAVOR=$TOOLCHAIN_FLAVOR ci/
+docker build -t "$IMAGE" ci/

 USER=$(ls -lnd . | awk '{ print $3 }')
 GROUP=$(ls -lnd . | awk '{ print $4 }')
@ -43,7 +36,7 @@ for BITCOIN_ONLY in 0 1; do
    --env PRODUCTION="$PRODUCTION" \
    --user="$USER:$GROUP" \
    "$IMAGE" \
-    /bin/sh -c "\
+    /nix/var/nix/profiles/default/bin/nix-shell --run "\
      cd /tmp && \
      git clone $REPOSITORY trezor-firmware && \
      cd trezor-firmware/core && \
@ -69,7 +62,7 @@ for BITCOIN_ONLY in 0 1; do
    --env MEMORY_PROTECT="$MEMORY_PROTECT" \
    --user="$USER:$GROUP" \
    "$IMAGE" \
-    /bin/sh -c "\
+    /nix/var/nix/profiles/default/bin/nix-shell --run "\
      cd /tmp && \
      git clone $REPOSITORY trezor-firmware && \
      cd trezor-firmware/legacy && \
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@ -1,142 +1,37 @@
-# initialize from the image
+FROM nixos/nix:2.3.4

-FROM debian:10
+COPY shell.nix shell.nix

-ARG TOOLCHAIN_FLAVOR=x86_64-linux
-ENV TOOLCHAIN_FLAVOR=${TOOLCHAIN_FLAVOR}
+RUN nix-env -i -f shell.nix -A buildInputs

-ARG FULLDEPS_TESTING=0
-ENV FULLDEPS_TESTING=${FULLDEPS_TESTING}
-
-# install build tools and dependencies
-
-RUN apt-get update && apt-get install -y \
-        build-essential \
-        check \
-        clang-format \
-        git \
-        graphviz \
-        libjpeg-dev \
-        libsdl2-dev \
-        libsdl2-image-dev \
-        libsodium-dev \
-        libssl-dev \
-        libudev-dev \
-        libusb-1.0-0-dev \
-        valgrind \
-        wget \
-        zlib1g-dev
-
-# install python 3.7.3 + pip from the image
+CMD [ "nix-shell" ]

-RUN apt-get install -y \
-    python3-dev \
-    python3-pip
+# the rest of the file only applies when docker build is called
+# with the following argument: "--build-arg FULLDEPS_TESTING=1"

-# install other python versions from their sources
+ENV TREZOR_MONERO_TESTS_PATH="/opt/trezor_monero_tests"

-RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
-        export PYTHON35VER="3.5.7" ; \
-        wget --no-verbose https://www.python.org/ftp/python/${PYTHON35VER}/Python-${PYTHON35VER}.tgz ; \
-        tar zxf Python-${PYTHON35VER}.tgz ; \
-        cd Python-${PYTHON35VER}/ && ./configure && make && make install ; \
-    fi
+ARG FULLDEPS_TESTING=0
+ENV FULLDEPS_TESTING=${FULLDEPS_TESTING}

-RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
-        export PYTHON36VER="3.6.9" ; \
-        wget --no-verbose https://www.python.org/ftp/python/${PYTHON36VER}/Python-${PYTHON36VER}.tgz ; \
-        tar zxf Python-${PYTHON36VER}.tgz ; \
-        cd Python-${PYTHON36VER}/ && ./configure && make && make install ; \
-    fi
+# install other python versions for tox testing

 RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
-        export PYTHON38VER="3.8.0" ; \
-        export PYTHONSUBVER="b3"; \
-        wget --no-verbose https://www.python.org/ftp/python/${PYTHON38VER}/Python-${PYTHON38VER}${PYTHONSUBVER}.tgz ; \
-        tar zxf Python-${PYTHON38VER}${PYTHONSUBVER}.tgz ; \
-        cd Python-${PYTHON38VER}${PYTHONSUBVER}/ && ./configure && make && make install ; \
-    fi
-
-# remove symlinks to newly installed pythons
-RUN cd /usr/local/bin; \
-    rm -f 2to3; \
-    rm -f python3; \
-    rm -f python3-config; \
-    rm -f pydoc3; \
-    rm -f pip3; \
-    rm -f pyvenv;
-
-# install dependencies from toolchain source build
-
-RUN if [ "${TOOLCHAIN_FLAVOR}" = "src" ]; then \
-        apt-get install -y autoconf autogen bison dejagnu \
-                           flex flip gawk git gperf gzip nsis \
-                           openssh-client p7zip-full perl python-dev \
-                           libisl-dev tcl tofrodos zip \
-                           texinfo texlive texlive-extra-utils; \
-    fi
-
-# download toolchain
-
-ENV TOOLCHAIN_LONGVER=gcc-arm-none-eabi-9-2019-q4-major
-ENV TOOLCHAIN_SUBDIR="9-2019q4/RC2.1"
-ENV TOOLCHAIN_URL=https://developer.arm.com/-/media/Files/downloads/gnu-rm/${TOOLCHAIN_SUBDIR}/${TOOLCHAIN_LONGVER}-${TOOLCHAIN_FLAVOR}.tar.bz2
-ENV TOOLCHAIN_HASH_linux=bcd840f839d5bf49279638e9f67890b2ef3a7c9c7a9b25271e83ec4ff41d177a
-ENV TOOLCHAIN_HASH_src=f162a655f222319f75862d7aba9ff8a4a86f752392e4f3c5d9ef2ee8bc13be58
-
-# extract toolchain
-
-RUN cd /opt && wget --no-verbose ${TOOLCHAIN_URL}
-RUN cd /opt && echo "${TOOLCHAIN_HASH_linux} ${TOOLCHAIN_LONGVER}-x86_64-linux.tar.bz2\n${TOOLCHAIN_HASH_src} ${TOOLCHAIN_LONGVER}-src.tar.bz2" | sha256sum -c --ignore-missing
-RUN cd /opt && tar xfj ${TOOLCHAIN_LONGVER}-${TOOLCHAIN_FLAVOR}.tar.bz2
-
-# build toolchain (if required)
-
-RUN if [ "${TOOLCHAIN_FLAVOR}" = "src" ]; then \
-        pushd /opt/${TOOLCHAIN_LONGVER} ; \
-        ./install-sources.sh --skip_steps=mingw32 ; \
-        ./build-prerequisites.sh --skip_steps=mingw32 ; \
-        ./build-toolchain.sh --skip_steps=mingw32,manual ; \
-        popd ; \
+        nix-env -iP python3-3.8.2 ; \
+        nix-env --set-flag priority 6 python3-3.8.2 ; \
+        nix-env -iP python3-3.6.10 ; \
+        nix-env --set-flag priority 7 python3-3.6.10 ; \
+        nix-env -iP python3-3.5.9 ; \
+        nix-env --set-flag priority 8 python3-3.5.9 ; \
    fi

-# download protobuf
-
-ENV PROTOBUF_VERSION=3.6.1
-ENV PROTOBUF_HASH=6003de742ea3fcf703cfec1cd4a3380fd143081a2eb0e559065563496af27807
-RUN wget --no-verbose "https://github.com/google/protobuf/releases/download/v${PROTOBUF_VERSION}/protoc-${PROTOBUF_VERSION}-linux-x86_64.zip"
-RUN echo "${PROTOBUF_HASH} protoc-${PROTOBUF_VERSION}-linux-x86_64.zip" | sha256sum -c
-
-# setup toolchain
-
-ENV PATH=/opt/${TOOLCHAIN_LONGVER}/bin:${PATH}
-
-ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
-
-ENV PYTHON=python3
-
-# use zipfile module to extract files world-readable
-RUN ${PYTHON} -m zipfile -e "protoc-${PROTOBUF_VERSION}-linux-x86_64.zip" /usr/local && chmod 755 /usr/local/bin/protoc
-
 # download monero tests binary

-ENV TREZOR_MONERO_TESTS_SHA256SUM=5b35342c79eb91265f5f427224016a52994fff32c8ea078de5d502b37d3022d6
-ENV TREZOR_MONERO_TESTS_URL="https://github.com/ph4r05/monero/releases/download/v0.15.0.0-tests-u18.04-03/trezor_tests"
-ENV TREZOR_MONERO_TESTS_PATH="/opt/trezor_monero_tests"
-
 RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
+        TREZOR_MONERO_TESTS_SHA256SUM=1e5dfdb07de4ea46088f4a5bdb0d51f040fe479019efae30f76427eee6edb3f7 ; \
+        TREZOR_MONERO_TESTS_URL="https://github.com/ph4r05/monero/releases/download/v0.15.0.0-tests-u18.04-03/trezor_tests" ; \
        wget --no-verbose "${TREZOR_MONERO_TESTS_URL}" -O "${TREZOR_MONERO_TESTS_PATH}" ; \
        chmod +x "${TREZOR_MONERO_TESTS_PATH}" ; \
        echo "${TREZOR_MONERO_TESTS_SHA256SUM} ${TREZOR_MONERO_TESTS_PATH}" | sha256sum -c ; \
+        nix-shell -p patchelf --run 'patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" "${TREZOR_MONERO_TESTS_PATH}"' ; \
    fi
-
-# install python dependencies
-
-ENV WORKON_HOME=/tmp/.venvs
-ENV PIPENV_CACHE_DIR=/tmp/.pipenv-cache
-
-RUN ${PYTHON} -m pip install pipenv
-
-RUN ${PYTHON} --version
-RUN ${PYTHON} -m pip --version
-RUN pipenv --version
--- a/ci/shell.nix
+++ b/ci/shell.nix
@ -0,0 +1,29 @@
+# nixos-unstable from 2020-06-02
+with import (builtins.fetchTarball https://github.com/NixOS/nixpkgs/archive/467ce5a9f45aaf96110b41eb863a56866e1c2c3c.tar.gz) {};
+
+stdenv.mkDerivation {
+  name = "trezor-firmware-docker";
+  buildInputs = [
+    SDL2
+    SDL2_image
+    autoflake
+    check
+    clang-tools
+    gcc
+    gcc-arm-embedded
+    git
+    gnumake
+    graphviz
+    libffi
+    libjpeg
+    libressl
+    libusb1
+    pipenv
+    pkgconfig
+    protobuf3_6
+    valgrind
+    zlib
+  ];
+  LD_LIBRARY_PATH = "${libffi}/lib:${libjpeg.out}/lib:${libusb1}/lib:${libressl.out}/lib";
+  NIX_ENFORCE_PURITY = 0;
+}
--- a/shell.nix
+++ b/shell.nix
@ -1,4 +1,5 @@
-with import <nixpkgs> {};
+# nixos-unstable from 2020-06-02
+with import (builtins.fetchTarball https://github.com/NixOS/nixpkgs/archive/467ce5a9f45aaf96110b41eb863a56866e1c2c3c.tar.gz) {};

 stdenv.mkDerivation {
  name = "trezor-firmware-dev";
@ -9,6 +10,7 @@ stdenv.mkDerivation {
    check
    clang-tools
    gcc
+    gcc-arm-embedded
    git
    gnumake
    graphviz
@ -21,8 +23,6 @@ stdenv.mkDerivation {
    protobuf3_6
    valgrind
    zlib
-  ] ++ stdenv.lib.optionals (!stdenv.isDarwin) [
-    gcc-arm-embedded
  ] ++ stdenv.lib.optionals (stdenv.isDarwin) [
    darwin.apple_sdk.frameworks.CoreAudio
    darwin.apple_sdk.frameworks.AudioToolbox