maemachinebroke/hakurei
1
0
Fork 0
forked from rosa/hakurei
Code Pull Requests Activity
2,053 Commits 7 Branches 12 Tags
bcd79a22ffb1b307879efed9ca0c7bde293af81d
Commit Graph

293 Commits

Author SHA1 Message Date
cat 99ac96511b hst/fs: interface filesystem config 
This allows mount points to be represented by different underlying structs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-14 04:52:49 +09:00
cat e99d7affb0 container: use absolute for pathname 
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-11 04:56:42 +09:00
cat c6be82bcf9 container/path: fhs path constants 
This increases readability since this can help disambiguate absolute paths from similarly named path segments.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-03 21:16:45 +09:00
cat b32b1975a8 hst/container: remove cover 
This was never useful, and is now completely replaced by regular FilesystemConfig being able to mount tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-02 00:34:52 +09:00
cat c02948e155 cmd/hakurei: print autoroot configuration 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:29:01 +09:00
cat 387b86bcdd app: integrate container autoroot 
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:21:54 +09:00
cat a8a79a8664 cmd/hpkg: rename from planterette 
Planterette is now developed in another repository, so rename this proof of concept to avoid confusion.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 23:57:11 +09:00
cat f7bd28118c hst: configurable wait delay 
This is useful for programs that take a long time to clean up.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 03:06:49 +09:00
cat b43d104680 app: integrate interrupt forwarding 
This significantly increases usability of command line tools running through hakurei.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:23:06 +09:00
cat 625632c593 nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
cat 087959e81b app: remove split implementation 
It is completely nonsensical and highly error-prone to have multiple implementations of this in the same build. This should be switched at compile time instead therefore the split packages are pointless.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 04:36:59 +09:00
cat d2f9a9b83b treewide: migrate to hakurei.app 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 03:30:39 +09:00
cat 1b5ecd9eaf container: move out of toplevel 
This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-03 02:59:43 +09:00
cat 82561d62b6 system: move system access packages 
These packages loosely belong in the "system" package and "system" provides high level wrappers for all of them.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:52:07 +09:00
cat eec021cc4b hakurei: move container helpers toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:31:29 +09:00
cat a1d98823f8 hakurei: move container toplevel 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 21:23:55 +09:00
cat 255b77d91d cmd/hakurei: move command handlers 
The hakurei command is a bit ugly since it's also used for validating the command package. This alleviates some of the ugliness.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 20:59:17 +09:00
cat eb22a8bcc1 cmd/hakurei: move to cmd 
Having it at the project root never made sense since the "ego" name was deprecated. This change finally addresses it.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-02 20:42:51 +09:00
cat 1a8840bebc sandbox/seccomp: resolve rules natively 
This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-01 22:11:32 +09:00
cat aa454b158f cmd/planterette: remove hsu special case 
Remove special case and invoke hakurei out of process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 20:50:24 +09:00
cat 87e008d56d treewide: rename to hakurei 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
cat b7e991de5b nix: update flake lock 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
cat f30a439bcd nix: improve common usability 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
cat 31b7ddd122 fst: improve config 
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-13 03:30:19 +09:00
cat 6309469e93 app/instance: wrap internal implementation 
This reduces the scope of the fst package, which was growing questionably large.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-12 13:56:41 +09:00
cat 0d7c1a9a43 app: rename app implementation package 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-12 10:54:24 +09:00
cat 2f4f21fb18 fst: rename device field 
Dev is very ambiguous. Rename it here alongside upcoming config changes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:32:15 +09:00
cat 584405f7cc sandbox/seccomp: rename flag type and constants 
The names are ambiguous. Rename them to make more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-08 01:59:45 +09:00
cat e9a7cd526f app: improve shim process management 
This ensures a signal gets delivered to the process instead of relying on parent death behaviour.

SIGCONT was chosen as it is the only signal an unprivileged process is allowed to send to processes with different credentials.

A custom signal handler is installed because the Go runtime does not expose signal information other than which signal was received, and shim must check pid to ensure reasonable behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-07 03:55:17 +09:00
cat 4036da3b5c fst: optional configured shell path 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-31 21:27:31 +09:00
cat 532feb4bfa app: merge shim into app package 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 05:21:47 +09:00
cat ec5e91b8c9 system: optimise string formatting 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 04:42:30 +09:00
cat 5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
cat 24618ab9a1 sandbox: move out of internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:55:36 +09:00
cat 9a1f8e129f sandbox: wrap fmsg interface 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 02:44:07 +09:00
cat ee10860357 seccomp: install output atomically 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 01:10:27 +09:00
cat 2647a71be1 seccomp: move out of helper 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-14 22:42:40 +09:00
cat 4133b555ba internal/app: rename init to init0 
This makes way for the new container init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 21:57:54 +09:00
cat 61e58aa14d helper/proc: expose setup file 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-09 17:22:31 +09:00
cat 9e15898c8f internal/prctl: rename prctl wrappers 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-07 22:56:35 +09:00
cat 2d4cabe786 nix: increase nixfmt max width 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-28 14:43:46 +09:00
cat 673b648bd3 cmd/fpkg: call app in-process 
Wrapping fortify is slow, painful and error-prone. Start apps in-process instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 19:51:44 +09:00
cat 45ad788c6d cmd/fsu: allow switch from fpkg 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 19:42:28 +09:00
cat 12c6d66bfd cmd/fpkg/test: nixos test fpkg install/start 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 13:12:16 +09:00
cat d7d2bd33ed cmd/fpkg/build: expose nixos configuration 
This should be used sparingly as the NixOS closure is in the bootstrap store which compresses rather poorly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 12:31:18 +09:00
cat 4fa38d6063 cmd/fpkg: use fortify path from internal 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-26 12:16:35 +09:00
cat a5d2f040fb cmd/fpkg/build: run final build step in nix 
This used to be a script that had to be run outside of nix because the sandbox disallows access to nix store state. Turns out closureInfo is the proper way to do that.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-25 23:53:18 +09:00
cat e6cd2bb2a8 cmd/fpkg: integrate command handler 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 23:25:12 +09:00
cat 0fb72e5d99 cmd/fpkg/build: prepend extra nix flags 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 20:21:09 +09:00
cat 8bf162820b nix: separate fsu from package 
This appears to be the only way to build them with different configuration. This enables static linking in the main package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:13:37 +09:00