vars+facts: use bwrap only if supported

2025-03-09 13:52:15 +07:00
parent d266e749a8
commit db2e2e974c
5 changed files with 65 additions and 4 deletions
--- a/pkgs/clan-cli/clan_cli/bwrap/init.py
+++ b/pkgs/clan-cli/clan_cli/bwrap/init.py
@@ -0,0 +1,42 @@
+from clan_cli.cmd import run
+from clan_cli.nix import nix_shell
+
+_works: bool | None = None
+
+
+def bubblewrap_works() -> bool:
+    global _works
+    if _works is None:
+        _works = _bubblewrap_works()
+    return _works
+
+
+def _bubblewrap_works() -> bool:
+    # fmt: off
+    cmd = nix_shell(
+        [
+            "nixpkgs#bash",
+            "nixpkgs#bubblewrap",
+        ],
+        [
+            "bwrap",
+            "--unshare-all",
+            "--tmpfs",  "/",
+            "--ro-bind", "/nix/store", "/nix/store",
+            "--dev", "/dev",
+            "--chdir", "/",
+            "--bind", "/proc", "/proc",
+            "--uid", "1000",
+            "--gid", "1000",
+            "--",
+            # do nothing, just test if bash executes
+            "bash", "-c", ":"
+        ],
+    )
+    # fmt: on
+    try:
+        run(cmd)
+    except Exception:
+        return False
+    else:
+        return True
--- a/pkgs/clan-cli/clan_cli/bwrap/tests/test_bwrap.py
+++ b/pkgs/clan-cli/clan_cli/bwrap/tests/test_bwrap.py
@@ -0,0 +1,16 @@
+import sys
+
+import pytest
+from clan_cli.bwrap import bubblewrap_works
+
+
+@pytest.mark.skipif(sys.platform != "linux", reason="bubblewrap only works on linux")
+def test_bubblewrap_works_on_linux() -> None:
+    assert bubblewrap_works() is True
+
+
+@pytest.mark.skipif(
+    sys.platform == "linux", reason="bubblewrap does not work on non-linux"
+)
+def test_bubblewrap_detection_non_linux() -> None:
+    assert bubblewrap_works() is False
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -103,7 +103,9 @@ def generate_service_facts(
                service, machine.facts_data[service]["generator"]["prompt"]
            )
            env["prompt_value"] = prompt_value
-    if sys.platform == "linux":
+    from clan_cli import bwrap
+
+    if sys.platform == "linux" and bwrap.bubblewrap_works():
        cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
    else:
        cmd = ["bash", "-c", generator]
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -201,8 +201,9 @@ def execute_generator(
                prompt_file = tmpdir_prompts / prompt.name
                value = get_prompt_value(prompt.name)
                prompt_file.write_text(value)
+        from clan_cli import bwrap

-        if sys.platform == "linux":
+        if sys.platform == "linux" and bwrap.bubblewrap_works():
            cmd = bubblewrap_cmd(str(generator.final_script), tmpdir)
        else:
            cmd = ["bash", "-c", str(generator.final_script)]