coder · ThomasK33 · Jan 30, 2025 · Jan 29, 2025
diff --git a/dogfood/contents/nix.hash b/dogfood/contents/nix.hash
@@ -1,2 +1,2 @@
-91e81c240fcf9f72e4c67497b68ba247a3f901147b61736072eb234e03db87b5  flake.nix
-b43d86368a0d2713d646d57e964dc2ac49744f5e11b6395fabed2d49596c1615  flake.lock
+f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
+32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
diff --git a/flake.nix b/flake.nix
@@ -85,7 +85,7 @@
           drpc.defaultPackage.${system}
           formatter
           fzf
-          gcc
+          gcc13
           gdk
           getopt
           gh
@@ -174,7 +174,7 @@
             name = "coder-${osArch}";
             # Updated with ./scripts/update-flake.sh`.
             # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-hJBNmHz9ZJLS/QTu8w8y1w/Yi45aSoaSeZ//ysllp6c=";
+            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
             proxyVendor = true;
             src = ./.;
             nativeBuildInputs = with pkgs; [
@@ -212,10 +212,9 @@
         devShells = {
           default = pkgs.mkShell {
             buildInputs = devShellPackages;
-            shellHook = ''
-              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
-              export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
-            '';
+
+            PLAYWRIGHT_BROWSERS_PATH = pkgs.playwright-driver.browsers;
+            PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS = true;
 
             LOCALE_ARCHIVE =
               with pkgs;
@@ -239,21 +238,29 @@
             aarch64-windows = buildFat "windows_arm64.exe";
           }
           // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
-            dev_image = docker.buildNixShellImage {
+            dev_image = docker.buildNixShellImage rec {
               name = "codercom/oss-dogfood-nix";
               tag = "latest-${system}";
 
+              # (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
+              # to have issues on dogfood envs.
               maxLayers = 32;
 
+              uname = "coder";
+              homeDirectory = "/home/${uname}";
+
               drv = devShells.default.overrideAttrs (oldAttrs: {
-                # (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
-                # to have issues on dogfood envs.
                 buildInputs =
-                  oldAttrs.buildInputs
-                  ++ (with pkgs; [
-                    nix
+                  (with pkgs; [
+                    busybox
                     coreutils
-                  ]);
+                    nix
+                    curl.bin # Ensure the actual curl binary is included in the PATH
+                    glibc.bin # Ensure the glibc binaries are included in the PATH
+                    binutils # ld and strings
+                    filebrowser # Ensure that we're not redownloading filebrowser on each launch
+                  ])
+                  ++ oldAttrs.buildInputs;
               });
             };
           });

diff --git a/nix/docker.nix b/nix/docker.nix
@@ -17,6 +17,8 @@
   storeDir ? builtins.storeDir,
   pigz,
   zstd,
+  stdenv,
+  glibc,
 }:
 let
   inherit (lib)
@@ -70,6 +72,7 @@ let
       command ? null,
       run ? null,
       maxLayers ? 100,
+      uname ? "nixbld",
     }:
     assert lib.assertMsg (!(drv.drvAttrs.__structuredAttrs or false))
       "streamNixShellImage: Does not work with the derivation ${drv.name} because it uses __structuredAttrs";
@@ -83,7 +86,14 @@ let
         exec ${lib.escapeShellArg (valueToString drv.drvAttrs.builder)} ${lib.escapeShellArgs (map valueToString drv.drvAttrs.args)}
       '';
 
-      staticPath = "${dirOf shell}:${lib.makeBinPath [ builder ]}";
+      staticPath = "${dirOf shell}:${
+        lib.makeBinPath (
+          lib.flatten [
+            builder
+            drv.buildInputs
+          ]
+        )
+      }";
 
       # https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L493-L526
       rcfile = writeText "nix-shell-rc" ''
@@ -109,6 +119,15 @@ let
         ''}
       '';
 
+      nixConfFile = writeText "nix-conf" ''
+        experimental-features = nix-command flakes
+      '';
+
+      etcNixConf = runCommand "etcd-nix-conf" { } ''
+        mkdir -p $out/etc/nix/
+        ln -s ${nixConfFile} $out/etc/nix/nix.conf
+      '';
+
       # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
       sandboxBuildDir = "/build";
 
@@ -142,6 +161,8 @@ let
           # TODO: Make configurable?
           NIX_BUILD_CORES = "1";
 
+          # Make sure we get the libraries for C and C++ in.
+          LD_LIBRARY_PATH = lib.makeLibraryPath [ stdenv.cc.cc ];
         }
         // drvEnv
         // {
@@ -153,10 +174,10 @@ let
           TMPDIR = sandboxBuildDir;
           TEMPDIR = sandboxBuildDir;
           TMP = sandboxBuildDir;
-          TEMP = sandboxBuildDir;
+          TEMP = "/tmp";
 
           # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
-          PWD = sandboxBuildDir;
+          PWD = homeDirectory;
 
           # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1071-L1074
           # We don't set it here because the output here isn't handled in any special way
@@ -172,16 +193,17 @@ let
       contents = [
         binSh
         usrBinEnv
+        etcNixConf
         (fakeNss.override {
           # Allows programs to look up the build user's home directory
           # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
           # Slightly differs however: We use the passed-in homeDirectory instead of sandboxBuildDir.
           # We're doing this because it's arguably a bug in Nix that sandboxBuildDir is used here: https://github.com/NixOS/nix/issues/6379
           extraPasswdLines = [
-            "nixbld:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:/noshell"
+            "${toString uname}:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:${lib.escapeShellArg shell}"
           ];
           extraGroupLines = [
-            "nixbld:!:${toString gid}:"
+            "${toString uname}:!:${toString gid}:"
           ];
         })
       ];
@@ -197,6 +219,28 @@ let
         # Gives the user control over the build directory
         mkdir -p .${sandboxBuildDir}
         chown -R ${toString uid}:${toString gid} .${sandboxBuildDir}
+
+        mkdir -p .${homeDirectory}
+        chown -R ${toString uid}:${toString gid} .${homeDirectory}
+
+        mkdir -p ./tmp
+        chown -R ${toString uid}:${toString gid} ./tmp
+
+        mkdir -p ./etc/skel
+        chown -R ${toString uid}:${toString gid} ./etc/skel
+
+        # Create traditional /lib or /lib64 as needed.
+        # For aarch64 (arm64):
+        if [ -e "${glibc}/lib/ld-linux-aarch64.so.1" ]; then
+          mkdir -p ./lib
+          ln -s "${glibc}/lib/ld-linux-aarch64.so.1" ./lib/ld-linux-aarch64.so.1
+        fi
+
+        # For x86_64:
+        if [ -e "${glibc}/lib64/ld-linux-x86-64.so.2" ]; then
+          mkdir -p ./lib64
+          ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
+        fi
       '';
 
       # Run this image as the given uid/gid
@@ -215,11 +259,12 @@ let
             shell
             rcfile
           ];
-      config.WorkingDir = sandboxBuildDir;
+      config.WorkingDir = homeDirectory;
       config.Env = lib.mapAttrsToList (name: value: "${name}=${value}") envVars;
     };
 in
 {
+  inherit streamNixShellImage;
 
   # This function streams a docker image that behaves like a nix-shell for a derivation
   # Docs: doc/build-helpers/images/dockertools.section.md