security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
1,385 Commits 4 Branches 11 Tags
b98d27f773d74059e92bd5d4169e1347eeb4a6d9
Commit Graph

1385 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ophestra
b98d27f773 internal/pkg: expand single directory tarball
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m34s
Details
Test / Hakurei (push) Successful in 3m36s
Details
Test / ShareFS (push) Successful in 3m41s
Details
Test / Hpkg (push) Successful in 4m24s
Details
Test / Sandbox (race detector) (push) Successful in 4m57s
Details
Test / Hakurei (race detector) (push) Successful in 5m51s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
This enables much cleaner use of their output without giving up any meaningful data.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-05 01:43:23 +09:00
Ophestra
f3aa31e401 internal/pkg: temporary scratch space for cure
All checks were successful
Test / Sandbox (push) Successful in 2m30s
Details
Test / Hakurei (push) Successful in 2m35s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Sandbox (race detector) (push) Successful in 5m4s
Details
Test / Hakurei (race detector) (push) Successful in 5m52s
Details
Test / Hpkg (push) Successful in 4m21s
Details
Test / Create distribution (push) Successful in 43s
Details
Test / Flake checks (push) Successful in 1m52s
Details 
This allows for more flexibility during implementation. The use case that required this was for expanding single directory tarballs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-05 01:39:18 +09:00
Ophestra
4da26681b5 internal/pkg: compute http identifier from url
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m30s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Hpkg (push) Successful in 4m24s
Details
Test / Sandbox (race detector) (push) Successful in 4m46s
Details
Test / Hakurei (race detector) (push) Successful in 5m51s
Details
Test / Hakurei (push) Successful in 2m28s
Details
Test / Flake checks (push) Successful in 1m41s
Details 
The previous implementation exposes arbitrary user input to the cache as an identifier, which is highly error-prone and can cause the cache to enter an inconsistent state if the user is not careful. This change replaces the implementation to compute identifier late, using url string as params.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-05 00:43:21 +09:00
Ophestra
4897b0259e internal/pkg: improve artifact interface
All checks were successful
Test / Hakurei (race detector) (push) Successful in 5m52s
Details
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m35s
Details
Test / Hakurei (push) Successful in 3m36s
Details
Test / ShareFS (push) Successful in 3m41s
Details
Test / Hpkg (push) Successful in 4m19s
Details
Test / Sandbox (race detector) (push) Successful in 4m52s
Details
Test / Flake checks (push) Successful in 1m53s
Details 
This moves all cache I/O code to Cache. Artifact now only contains methods for constructing their actual contents.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-05 00:01:23 +09:00
Ophestra
d6e4f85864 internal/pkg: ignore typeflag 'g'
All checks were successful
Test / ShareFS (push) Successful in 3m42s
Details
Test / Hpkg (push) Successful in 4m18s
Details
Test / Sandbox (race detector) (push) Successful in 4m54s
Details
Test / Hakurei (race detector) (push) Successful in 5m51s
Details
Test / Flake checks (push) Successful in 1m40s
Details
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m38s
Details
Test / Hakurei (push) Successful in 3m34s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-04 12:46:56 +09:00
Ophestra
3eb927823f internal/pkg: create symlinks for files
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m45s
Details
Test / Hakurei (push) Successful in 3m36s
Details
Test / ShareFS (push) Successful in 3m42s
Details
Test / Hpkg (push) Successful in 4m17s
Details
Test / Sandbox (race detector) (push) Successful in 4m49s
Details
Test / Hakurei (race detector) (push) Successful in 5m48s
Details
Test / Flake checks (push) Successful in 1m44s
Details 
These are much easier to handle than hard links and should be just as transparent for this use case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-04 01:48:53 +09:00
Ophestra
d76b9d04b8 internal/pkg: implement tar artifact
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m34s
Details
Test / Hakurei (push) Successful in 3m36s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Hpkg (push) Successful in 4m13s
Details
Test / Sandbox (race detector) (push) Successful in 4m57s
Details
Test / Flake checks (push) Successful in 1m44s
Details
Test / Hakurei (race detector) (push) Successful in 5m53s
Details 
This is useful for unpacking tarballs downloaded from the internet.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-04 01:34:30 +09:00
Ophestra
fa93476896 internal/pkg: override working directory perms
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m31s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m51s
Details
Test / Hakurei (race detector) (push) Successful in 5m52s
Details
Test / Hakurei (push) Successful in 2m32s
Details
Test / Flake checks (push) Successful in 1m42s
Details 
This must be writable to enable renaming, and the final result is conventionally read-only alongside the entire directory contents. This change overrides the permission bits as part of Store.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-04 00:55:52 +09:00
Ophestra
bd0ef086b1 internal/pkg: enable cache access during store
All checks were successful
Test / Create distribution (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 2m37s
Details
Test / Hakurei (push) Successful in 3m37s
Details
Test / Hpkg (push) Successful in 4m32s
Details
Test / Sandbox (race detector) (push) Successful in 4m57s
Details
Test / Hakurei (race detector) (push) Successful in 5m53s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Flake checks (push) Successful in 1m47s
Details 
This is still not ideal as it makes entry into Store sequential. This will be improved after more usage code is written.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-04 00:39:14 +09:00
Ophestra
05202cf994 internal/pkg: pass context in request wrapper
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m29s
Details
Test / Hakurei (push) Successful in 3m34s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Hpkg (push) Successful in 4m32s
Details
Test / Sandbox (race detector) (push) Successful in 4m48s
Details
Test / Hakurei (race detector) (push) Successful in 5m49s
Details
Test / Flake checks (push) Successful in 1m46s
Details 
This method is for the most common use case, and in actual use there will always be an associated context.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 23:53:52 +09:00
Ophestra
40081e7a06 internal/pkg: implement caching for directories
All checks were successful
Test / Hpkg (push) Successful in 4m29s
Details
Test / Sandbox (race detector) (push) Successful in 4m50s
Details
Test / Hakurei (race detector) (push) Successful in 5m49s
Details
Test / Flake checks (push) Successful in 1m43s
Details
Test / Create distribution (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 2m30s
Details
Test / Hakurei (push) Successful in 3m38s
Details
Test / ShareFS (push) Successful in 3m40s
Details 
This works on any directories and should be robust against any bad state the artifact curing process might have failed at.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 22:54:46 +09:00
Ophestra
863d3dcf9f internal/pkg: wrap checksum string encoding
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m36s
Details
Test / ShareFS (push) Successful in 3m46s
Details
Test / Hpkg (push) Successful in 4m24s
Details
Test / Sandbox (race detector) (push) Successful in 4m53s
Details
Test / Hakurei (race detector) (push) Successful in 5m48s
Details
Test / Flake checks (push) Successful in 1m45s
Details
Test / Hakurei (push) Successful in 2m30s
Details 
This wraps base64.URLEncoding.EncodeToString for cleaner call site.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 22:03:25 +09:00
Ophestra
8ad9909065 internal/pkg: compute identifier from deps
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m31s
Details
Test / Hakurei (push) Successful in 3m34s
Details
Test / ShareFS (push) Successful in 3m40s
Details
Test / Hpkg (push) Successful in 4m21s
Details
Test / Hakurei (race detector) (push) Successful in 5m50s
Details
Test / Sandbox (race detector) (push) Successful in 4m51s
Details
Test / Flake checks (push) Successful in 1m46s
Details 
This provides infrastructure for computing a deterministic identifier based on current artifact kind, opaque parameters data, and optional dependency kind and identifiers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 21:26:25 +09:00
Ophestra
deda16da38 internal/pkg: create work directory
All checks were successful
Test / Sandbox (race detector) (push) Successful in 4m50s
Details
Test / Flake checks (push) Successful in 1m43s
Details
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m39s
Details
Test / Hakurei (push) Successful in 3m35s
Details
Test / ShareFS (push) Successful in 3m38s
Details
Test / Hpkg (push) Successful in 4m15s
Details
Test / Hakurei (race detector) (push) Successful in 5m50s
Details 
This is used for artifacts that cure into directories.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 20:56:11 +09:00
Ophestra
55465c6e72 internal/pkg: optionally validate flat pathnames
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m34s
Details
Test / Hakurei (push) Successful in 3m35s
Details
Test / ShareFS (push) Successful in 3m37s
Details
Test / Hpkg (push) Successful in 4m21s
Details
Test / Sandbox (race detector) (push) Successful in 4m57s
Details
Test / Hakurei (race detector) (push) Successful in 5m50s
Details
Test / Flake checks (push) Successful in 1m42s
Details 
This makes the decoder safe against untrusted input without hurting performance for a trusted stream. This should still not be called against untrusted input though.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 18:59:18 +09:00
Ophestra
ce249d23f1 internal/pkg: implement http artifact
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m29s
Details
Test / ShareFS (push) Successful in 3m39s
Details
Test / Hpkg (push) Successful in 4m30s
Details
Test / Sandbox (race detector) (push) Successful in 4m53s
Details
Test / Flake checks (push) Successful in 1m44s
Details
Test / Hakurei (push) Successful in 2m29s
Details
Test / Hakurei (race detector) (push) Successful in 3m14s
Details 
This is useful for downloading source tarballs from the internet.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 15:29:58 +09:00
Ophestra
dd5d792d14 go: 1.25
All checks were successful
Test / Hakurei (race detector) (push) Successful in 3m20s
Details
Test / Flake checks (push) Successful in 1m51s
Details
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m34s
Details
Test / Hakurei (push) Successful in 3m29s
Details
Test / ShareFS (push) Successful in 3m30s
Details
Test / Hpkg (push) Successful in 4m22s
Details
Test / Sandbox (race detector) (push) Successful in 4m35s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-03 15:25:28 +09:00
Ophestra
d15d2ec2bd internal/pkg: relocate cache test helper
All checks were successful
Test / Flake checks (push) Successful in 1m37s
Details
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m28s
Details
Test / Hakurei (push) Successful in 3m28s
Details
Test / ShareFS (push) Successful in 3m24s
Details
Test / Hpkg (push) Successful in 4m11s
Details
Test / Sandbox (race detector) (push) Successful in 4m46s
Details
Test / Hakurei (race detector) (push) Successful in 5m37s
Details 
This is useful for other tests that need a cache instance.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-02 16:08:43 +09:00
Ophestra
3078c41ce7 internal/pkg: encode entry in custom format
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m27s
Details
Test / ShareFS (push) Successful in 3m29s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (race detector) (push) Successful in 5m36s
Details
Test / Hakurei (push) Successful in 2m26s
Details
Test / Flake checks (push) Successful in 1m42s
Details 
The fact that Gob serialisation is deterministic is an implementation detail. This change replaces Gob with a simple custom format.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-02 15:39:42 +09:00
Ophestra
e9de5d3aca internal/pkg: implement caching for files
All checks were successful
Test / Create distribution (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 2m30s
Details
Test / Hakurei (push) Successful in 3m30s
Details
Test / ShareFS (push) Successful in 3m27s
Details
Test / Hpkg (push) Successful in 4m19s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (race detector) (push) Successful in 5m37s
Details
Test / Flake checks (push) Successful in 1m40s
Details 
This change contains primitives for validating and caching single-file artifacts.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-02 12:57:19 +09:00
Ophestra
993afde840 dist: install sharefs
All checks were successful
Test / Create distribution (push) Successful in 1m3s
Details
Test / Sandbox (push) Successful in 2m48s
Details
Test / Hakurei (push) Successful in 3m58s
Details
Test / ShareFS (push) Successful in 3m53s
Details
Test / Hpkg (push) Successful in 4m39s
Details
Test / Sandbox (race detector) (push) Successful in 5m0s
Details
Test / Flake checks (push) Successful in 1m49s
Details
Test / Hakurei (race detector) (push) Successful in 6m1s
Details 
This also removes the deprecated hpkg program.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2026-01-02 00:57:51 +09:00
Ophestra
c9cd16fd2a cmd/sharefs: prepare directory early
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / ShareFS (push) Successful in 43s
Details
Test / Sandbox (race detector) (push) Successful in 47s
Details
Test / Sandbox (push) Successful in 49s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 55s
Details
Test / Hakurei (push) Successful in 58s
Details
Test / Flake checks (push) Successful in 1m41s
Details 
This change also checks against filesystem daemon running as root early.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 23:17:02 +09:00
Ophestra
e42ea32dbe nix: configure sharefs via fileSystems
All checks were successful
Test / ShareFS (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (push) Successful in 56s
Details
Test / Hakurei (race detector) (push) Successful in 56s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
Turns out this did not work because in the vm test harness, virtualisation.fileSystems completely and silently overrides fileSystems, causing its contents to not even be evaluated anymore. This is not documented as far as I can tell, and is not obvious by any stretch of the imagination. The current hack is cargo culted from nix-community/impermanence and hopefully lasts until this project fully replaces nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 23:14:08 +09:00
Ophestra
e7982b4ee9 cmd/sharefs: create directory as root
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m30s
Details
Test / Sandbox (race detector) (push) Successful in 4m42s
Details
Test / Flake checks (push) Successful in 1m36s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m19s
Details
Test / Hakurei (race detector) (push) Successful in 5m30s
Details 
This optional behaviour is required on NixOS as it is otherwise impossible to set this up: systemd.mounts breaks startup order somehow even though my unit looks identical to generated ones, fileSystems does not support any kind of initialisation or ordering other than against other mount points.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 22:14:33 +09:00
Ophestra
ef1ebf12d9 cmd/sharefs: handle mount -t fuse.sharefs
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / ShareFS (push) Successful in 39s
Details
Test / Sandbox (push) Successful in 46s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 49s
Details
Test / Hakurei (push) Successful in 54s
Details
Test / Hakurei (race detector) (push) Successful in 55s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
This should have been handled in a custom option parsing function, but that much extra complexity is unnecessary for this edge case. Honestly I do not know why libfuse does not handle this itself.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 20:49:27 +09:00
Ophestra
775a9f57c9 cmd/sharefs: check option parsing behaviour
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / ShareFS (push) Successful in 39s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Sandbox (race detector) (push) Successful in 46s
Details
Test / Hakurei (race detector) (push) Successful in 54s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (push) Successful in 55s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
This change makes it possible to check parseOpts behaviour as part of Go tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 17:33:12 +09:00
Ophestra
2f8ca83376 cmd/sharefs: containerise filesystem daemon
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m30s
Details
Test / Hakurei (push) Successful in 3m26s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m41s
Details
Test / Hakurei (race detector) (push) Successful in 5m31s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
This replaces the forking daemonise libfuse function which prevents Go callbacks from calling into the runtime. This also enforces least privilege on the daemon process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 10:16:35 +09:00
Ophestra
3d720ada92 container: optionally allow orphan
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m21s
Details
Test / ShareFS (push) Successful in 3m25s
Details
Test / Hakurei (push) Successful in 3m31s
Details
Test / Sandbox (race detector) (push) Successful in 4m37s
Details
Test / Hpkg (push) Successful in 4m26s
Details
Test / Hakurei (race detector) (push) Successful in 3m16s
Details
Test / Flake checks (push) Successful in 1m45s
Details 
This is required for the typical daemonise use case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 09:12:02 +09:00
Ophestra
2e5362e536 cmd/sharefs: opaque setup state
All checks were successful
Test / Sandbox (push) Successful in 2m26s
Details
Test / Hakurei (push) Successful in 3m28s
Details
Test / ShareFS (push) Successful in 3m31s
Details
Test / Hpkg (push) Successful in 4m26s
Details
Test / Sandbox (race detector) (push) Successful in 4m38s
Details
Test / Hakurei (race detector) (push) Successful in 5m34s
Details
Test / Flake checks (push) Successful in 1m42s
Details
Test / Create distribution (push) Successful in 43s
Details 
This allows unrestricted use of the type system and prepares setup code for cross-process initialisation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 04:14:00 +09:00
Ophestra
6d3bd27220 cmd/sharefs: expand fuse_main
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / ShareFS (push) Successful in 3m22s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m34s
Details
Test / Hakurei (race detector) (push) Successful in 5m28s
Details
Test / Hakurei (push) Successful in 2m41s
Details
Test / Flake checks (push) Successful in 1m55s
Details 
This change should not change behaviour other than making output more consistent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 02:30:28 +09:00
Ophestra
a27305cb4a cmd/sharefs: improve help message
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m24s
Details
Test / ShareFS (push) Successful in 3m23s
Details
Test / Hpkg (push) Successful in 4m19s
Details
Test / Sandbox (race detector) (push) Successful in 4m36s
Details
Test / Hakurei (race detector) (push) Successful in 5m32s
Details
Test / Flake checks (push) Successful in 1m52s
Details 
This improves consistency with the fuse_main help message.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 02:20:41 +09:00
Ophestra
0e476c5e5b cmd/sharefs: allocate sharefs_private early
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m21s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m31s
Details
Test / Hakurei (race detector) (push) Successful in 5m31s
Details
Test / Hakurei (push) Successful in 2m34s
Details
Test / Flake checks (push) Successful in 1m39s
Details 
This also removes global state used by sharefs_init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 08:08:41 +09:00
Ophestra
54712e0426 nix: set noatime on sharefs
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Sandbox (race detector) (push) Successful in 46s
Details
Test / Hakurei (push) Successful in 55s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 55s
Details
Test / ShareFS (push) Successful in 2m27s
Details
Test / Flake checks (push) Successful in 1m38s
Details 
Could improve performance, atime is not useful for this filesystem anyway.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 05:34:05 +09:00
Ophestra
b77c1ecfdb cmd/sharefs/test: check option handling
All checks were successful
Test / Sandbox (push) Successful in 46s
Details
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 46s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (push) Successful in 55s
Details
Test / Hakurei (race detector) (push) Successful in 56s
Details
Test / ShareFS (push) Successful in 2m27s
Details
Test / Flake checks (push) Successful in 1m43s
Details 
This verifies behaviour related to setuid/setgid when starting as root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 05:28:45 +09:00
Ophestra
dce5839a79 nix: do not restart sharefs
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Sandbox (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 54s
Details
Test / Hakurei (push) Successful in 56s
Details
Test / ShareFS (push) Successful in 2m29s
Details
Test / Flake checks (push) Successful in 1m44s
Details 
This avoids disrupting running containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 04:12:14 +09:00
Ophestra
d597592e1f cmd/sharefs: rename fuse-helper to fuse-operations
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m34s
Details
Test / Hakurei (push) Successful in 3m26s
Details
Test / ShareFS (push) Successful in 3m23s
Details
Test / Hpkg (push) Successful in 4m23s
Details
Test / Sandbox (race detector) (push) Successful in 4m38s
Details
Test / Hakurei (race detector) (push) Successful in 5m33s
Details
Test / Flake checks (push) Successful in 1m45s
Details 
This is not really just library wrapper functions, but instead implements the callbacks, so fuse-operations makes more sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 03:19:32 +09:00
Ophestra
056f5b12d4 cmd/sharefs: move translate_pathname body to macro wrapper
All checks were successful
Test / Create distribution (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 2m26s
Details
Test / Hakurei (push) Successful in 3m29s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m50s
Details
Test / Hakurei (race detector) (push) Successful in 5m39s
Details
Test / Flake checks (push) Successful in 1m45s
Details 
This is never called directly anywhere and it is simple enough to be included in the macro. This avoids passing the pointer around and dereferencing errno location, resulting in over 5% increase in throughput on the clang build. No change in the gcc build though.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 02:10:59 +09:00
Ophestra
da2bb546ba cmd/sharefs: remove readlink
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m31s
Details
Test / ShareFS (push) Successful in 3m23s
Details
Test / Hakurei (push) Successful in 3m27s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (race detector) (push) Successful in 5m33s
Details
Test / Flake checks (push) Successful in 1m44s
Details 
This filesystem does not support symbolic links, so readlink is not useful, and unreachable in this case because of the check in getattr.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-25 06:00:58 +09:00
Ophestra
7bfbd59810 cmd/sharefs: implement shared filesystem
All checks were successful
Test / Create distribution (push) Successful in 46s
Details
Test / Sandbox (push) Successful in 2m40s
Details
Test / Hakurei (push) Successful in 3m41s
Details
Test / Hpkg (push) Successful in 4m42s
Details
Test / Sandbox (race detector) (push) Successful in 4m53s
Details
Test / Hakurei (race detector) (push) Successful in 5m53s
Details
Test / ShareFS (push) Successful in 38m10s
Details
Test / Flake checks (push) Successful in 1m46s
Details 
This is for passing files between applications, similar to android /sdcard.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-25 05:13:02 +09:00
Ophestra
ea815a59e8 nix: disable source fortification in devShell
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 43s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 46s
Details
Test / Hpkg (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 49s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
This generates warnings when compiling without optimisation.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-21 02:22:28 +09:00
Ophestra
28a8dc67d2 internal/pipewire: raise Core::Sync timeout
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / Sandbox (push) Successful in 2m27s
Details
Test / Hakurei (push) Successful in 3m24s
Details
Test / Hpkg (push) Successful in 4m12s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (race detector) (push) Successful in 5m26s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
Hopefully relieves spurious failures on a very overloaded system.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-19 00:49:33 +09:00
Ophestra
ec49c63c5f internal/pipewire: EPOLL_CTL_ADD instead of EPOLL_CTL_MOD
All checks were successful
Test / Create distribution (push) Successful in 37s
Details
Test / Sandbox (push) Successful in 2m29s
Details
Test / Hakurei (push) Successful in 3m24s
Details
Test / Hpkg (push) Successful in 4m15s
Details
Test / Sandbox (race detector) (push) Successful in 4m30s
Details
Test / Hakurei (race detector) (push) Successful in 5m26s
Details
Test / Flake checks (push) Successful in 1m45s
Details 
Implementation is no longer tied down by the limitations of SyscallConn.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-19 00:43:44 +09:00
Ophestra
5a50bf80ee internal/pipewire: hold socket fd directly
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / Sandbox (push) Successful in 2m39s
Details
Test / Hakurei (push) Successful in 3m31s
Details
Test / Sandbox (race detector) (push) Successful in 4m30s
Details
Test / Hpkg (push) Successful in 4m34s
Details
Test / Hakurei (race detector) (push) Successful in 5m29s
Details
Test / Flake checks (push) Successful in 1m40s
Details 
The interface provided by net is not used here and is a leftover from a previous implementation. This change removes it.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-19 00:28:24 +09:00
Ophestra
ce06b7b663 internal/pipewire: inform conn of blocking intent
All checks were successful
Test / Create distribution (push) Successful in 30s
Details
Test / Sandbox (push) Successful in 2m31s
Details
Test / Hakurei (push) Successful in 3m29s
Details
Test / Hpkg (push) Successful in 4m24s
Details
Test / Sandbox (race detector) (push) Successful in 4m30s
Details
Test / Hakurei (race detector) (push) Successful in 5m27s
Details
Test / Flake checks (push) Successful in 1m40s
Details 
The interface does not expose underlying kernel notification mechanisms. This change removes the need to poll in situations were the next call might block.

This is made cumbersome by the SyscallConn interface left over from a previous implementation, it will be replaced in a later commit as the current implementation does not make use of any net.Conn methods other than Close.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-19 00:00:33 +09:00
Ophestra
08bdc68f3a internal/pipewire: sendmsg/recvmsg errors are fatal
All checks were successful
Test / Create distribution (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 2m35s
Details
Test / Hakurei (push) Successful in 3m31s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m42s
Details
Test / Hakurei (race detector) (push) Successful in 5m28s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
When returned wrapped as a syscall error, these are impossible to recover from, so wrap them as a fatal error.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-18 23:33:12 +09:00
Ophestra
8cb0b433b2 release: 0.3.3
All checks were successful
Release / Create release (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 43s
Details
Test / Hakurei (push) Successful in 3m2s
Details
Test / Create distribution (push) Successful in 27s
Details
Test / Hpkg (push) Successful in 3m57s
Details
Test / Sandbox (race detector) (push) Successful in 4m41s
Details
Test / Hakurei (race detector) (push) Successful in 5m0s
Details
Test / Flake checks (push) Successful in 1m43s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
v0.3.3 		2025-12-15 20:34:45 +09:00
Ophestra
767f1844d2 test: check shim private dir cleanup
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 1m35s
Details
Test / Sandbox (race detector) (push) Successful in 2m28s
Details
Test / Hakurei (push) Successful in 2m32s
Details
Test / Hakurei (race detector) (push) Successful in 3m17s
Details
Test / Flake checks (push) Successful in 1m31s
Details 
This asserts that no shim private dir was left behind after all containers terminate.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 20:30:19 +09:00
Ophestra
54610aaddc internal/outcome: expose pipewire via pipewire-pulse
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Sandbox (push) Successful in 42s
Details
Test / Hakurei (push) Successful in 3m20s
Details
Test / Hpkg (push) Successful in 2m13s
Details
Test / Sandbox (race detector) (push) Successful in 4m25s
Details
Test / Hakurei (race detector) (push) Successful in 3m21s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst.

Closes #29.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 12:57:06 +09:00
Ophestra
2e80660169 internal/outcome: look up pipewire-pulse path
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m27s
Details
Test / Hakurei (push) Successful in 3m19s
Details
Test / Hpkg (push) Successful in 4m9s
Details
Test / Sandbox (race detector) (push) Successful in 4m20s
Details
Test / Hakurei (race detector) (push) Successful in 5m16s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This is for setting up the pipewire-pulse container in shim, for #29.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 12:38:39 +09:00
Ophestra
d0a3c6a2f3 internal/outcome: optional shim private dir
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m24s
Details
Test / Hpkg (push) Successful in 4m1s
Details
Test / Sandbox (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (race detector) (push) Successful in 5m18s
Details
Test / Flake checks (push) Successful in 1m40s
Details 
This is a private work directory owned by the specific shim. Useful for sockets owned by this instance of the shim and requires no direct assistance from the priv-side process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 12:32:46 +09:00