fix: switch continuum-proxy to nix-based static build from source #132
Walkthrough: Adds a Git submodule entry for privatemode-public, replaces the container-based continuum-proxy update with a git-tagged, source-based Nix build workflow (new justfile targets), and appends new PCR snapshot entries to both pcrDevHistory.json and pcrProdHistory.json.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    autonumber
    actor Developer
    participant Just as "Justfile"
    participant Git as "Git (privatemode-public)"
    participant Nix as "Nix Build"
    participant FS as "Filesystem"
    rect rgb(235,245,255)
    Note over Developer,FS: Continuum-proxy versioned source build flow
    end
    Developer->>Just: update-continuum-proxy version="v1.32.0"
    Just->>Git: fetch tags & checkout v1.32.0
    Git-->>Just: source at tag
    Just->>Nix: build-continuum-proxy (Nix)
    Nix->>Nix: compile from source
    Nix->>FS: emit binary artifact
    Just->>FS: rename -> continuum-proxy, chmod +x
    Just-->>Developer: print version & finish
```
Actionable comments posted: 0
🧹 Nitpick comments (2)
justfile (2)
184-186: Add submodule initialization check before git operations. The recipe assumes the privatemode-public submodule is already initialized. If someone clones the repository without `--recursive` or forgets to run `git submodule init && git submodule update`, this will fail with a confusing error.
🔎 Suggested improvement with submodule initialization
# Update continuum-proxy submodule to a specific version update-continuum-proxy-version version: + git submodule update --init privatemode-public cd privatemode-public && git fetch --tags && git checkout {{version}}Alternatively, add a verification script to provide a clearer error message:
# Update continuum-proxy submodule to a specific version update-continuum-proxy-version version: + #!/usr/bin/env bash + if [ ! -d "privatemode-public/.git" ]; then + echo "Initializing privatemode-public submodule..." + git submodule update --init privatemode-public + fi cd privatemode-public && git fetch --tags && git checkout {{version}}
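Review bot: the `[ ! -d "privatemode-public/.git" ]` test in the second variant does not detect an initialized submodule: `git submodule update --init` normally creates `privatemode-public/.git` as a gitfile (a plain file containing `gitdir: ../.git/modules/privatemode-public`), not a directory, so the branch runs on every invocation and the "Initializing" message is misleading. Use `[ ! -e privatemode-public/.git ]` or `git submodule status privatemode-public` instead. The first variant, which runs `git submodule update --init privatemode-public` unconditionally, is idempotent and avoids the problem altogether.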
188-197: Consider verifying static linking after build. The build process looks solid, but since the PR motivation mentions that v1.31.0+ ships dynamically linked binaries, it would be valuable to verify that the built binary is indeed statically linked.
🔎 Optional: Add static linking verification
# Build continuum-proxy from source using Nix (produces statically linked binary) build-continuum-proxy: nix build ./privatemode-public#privatemode-proxy.bin -o continuum-proxy-build chmod u+w continuum-proxy || true cp continuum-proxy-build/bin/privatemode-proxy continuum-proxy chmod +x continuum-proxy rm continuum-proxy-build @echo "Built continuum-proxy:" @file continuum-proxy @./continuum-proxy --version + @echo "Verifying static linking:" + @ldd continuum-proxy 2>&1 | grep -q "not a dynamic executable" && echo "✅ Binary is statically linked" || echo "⚠️ Warning: Binary may be dynamically linked"This provides immediate feedback if the build produces a dynamically linked binary instead of the expected static binary.
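Review bot: the `ldd continuum-proxy 2>&1 | grep -q "not a dynamic executable"` check is fragile: glibc's ldd prints "statically linked" rather than "not a dynamic executable" for static-PIE binaries, and musl's ldd wording differs again, so a correctly static build can be reported with the "may be dynamically linked" warning. Note also that glibc's ldd works by invoking the dynamic loader on the binary, so it should not be run on files that are not trusted; `file continuum-proxy` (already in the recipe) or `readelf -l continuum-proxy | grep -c INTERP` reads the headers without executing anything and is a sounder basis for the check.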
📜 Review details
⛔ Files ignored due to path filters (2)
- pcrDev.json is excluded by !pcrDev.json
- pcrProd.json is excluded by !pcrProd.json
📒 Files selected for processing (6)
- .gitmodules
- continuum-proxy
- justfile
- pcrDevHistory.json
- pcrProdHistory.json
- privatemode-public
⏰ Context from checks skipped due to timeout of 100000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Greptile Review
- GitHub Check: Development Reproducible Build
🔇 Additional comments (5)
privatemode-public (1)
1-1: Submodule commit verified. The commit b4c884d9ed037ced2d6326b42e989335caef5bbb exists in the edgelesssys/privatemode-public repository and references mirrored public components. No further action needed.
.gitmodules (1)
4-6: LGTM! Submodule configuration is correct. The submodule entry follows Git conventions and is consistent with the existing nitro-toolkit submodule structure.
pcrProdHistory.json (1)
477-484: LGTM! PCR history entry is well-formed. The new entry follows the established schema with all required fields (PCR0, PCR1, PCR2, timestamp, signature) and maintains consistency with existing entries.
pcrDevHistory.json (1)
477-484: LGTM! PCR history entry is well-formed. The new entry maintains the established schema with all required fields and is properly appended to the history array.
justfile (1)
199-202: Good composition pattern with reasonable defaults. The recipe cleanly combines version update and build steps. The default version (v1.32.0) provides a convenient starting point while still allowing customization.
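The static-linking check discussed in the nitpick above depends on the wording of ldd. As an added example (not code from the review, the PR or the project), the following Python reads the ELF program headers directly: a binary with no PT_INTERP needs no loader, PT_DYNAMIC without PT_INTERP marks a static-PIE, and an interpreter path under /nix/store/ is exactly the dependency the PR description describes. The `elf_link_info` and `make_elf` names are assumptions; `make_elf` only constructs minimal test images.

```python
"""Decide whether an ELF64 binary is statically linked by reading its program
headers (PT_INTERP / PT_DYNAMIC) rather than parsing ldd output.
Added example; make_elf builds constructed test images, not real binaries."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EHDR = "<4sBBBBB7sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"                 # ELF64 program header, 56 bytes

def elf_link_info(data: bytes) -> dict:
    """Return static / static_pie / interp / nix_store_interp facts for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    interp, dynamic = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, off)
        if p_type == PT_INTERP:                   # path of the dynamic loader
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:                # dynamic section is present
            dynamic = True
    return {
        "static": interp is None,                 # no loader needed: static or static-PIE
        "static_pie": interp is None and dynamic,
        "interp": interp,
        "nix_store_interp": bool(interp and interp.startswith("/nix/store/")),
    }

def make_elf(segments) -> bytes:
    """Construct a minimal ELF64 image from (p_type, payload) pairs (test input)."""
    data_off = 64 + 56 * len(segments)
    phdrs, payload = b"", b""
    for p_type, blob in segments:
        off = data_off + len(payload)
        phdrs += struct.pack(PHDR, p_type, 4, off, 0, 0, len(blob), len(blob), 1)
        payload += blob
    ehdr = struct.pack(EHDR, b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    return ehdr + phdrs + payload

if __name__ == "__main__":                        # usage: python check.py ./continuum-proxy
    with open(sys.argv[1], "rb") as f:
        print(elf_link_info(f.read()))
```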
Greptile Summary: This PR transitions continuum-proxy from extracting pre-built Docker binaries to building from source using Nix, resolving dynamic linking issues introduced in v1.31.0. Confidence Score: 5/5
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Just as Justfile
    participant Sub as privatemode-public<br/>Submodule
    participant Nix as Nix Build System
    participant Bin as continuum-proxy<br/>Binary
    participant PCR as PCR Files
    Dev->>Just: just update-continuum-proxy v1.32.0
    Just->>Sub: Update submodule to version
    Sub->>Sub: git fetch --tags && git checkout v1.32.0
    Just->>Nix: nix build ./privatemode-public#privatemode-proxy.bin
    Nix->>Nix: Build from source (statically linked)
    Nix-->>Bin: Output binary to continuum-proxy-build
    Just->>Bin: Copy binary to continuum-proxy
    Just->>Bin: chmod +x continuum-proxy
    Just->>Bin: Verify with --version
    Note over Dev,PCR: PCR Update Process
    Dev->>Just: just update-pcr-all
    Just->>Nix: nix build .?submodules=1#eif-dev
    Nix-->>PCR: Generate PCR values
    Just->>PCR: Copy to pcrDev.json
    Just->>PCR: Sign PCR0 and append to pcrDevHistory.json
    Just->>Nix: nix build .?submodules=1#eif-prod
    Nix-->>PCR: Generate PCR values
    Just->>PCR: Copy to pcrProd.json
    Just->>PCR: Sign PCR0 and append to pcrProdHistory.json
```
- Add privatemode-public as git submodule for reproducible builds
- Replace Docker extraction with nix build (produces statically linked binary)
- Update to v1.32.0 built from source (MIT licensed)
- New justfile commands: build-continuum-proxy, update-continuum-proxy

The Docker container images from v1.31.0+ ship dynamically linked binaries that depend on specific Nix store paths, breaking standalone usage. Building from source with nix ensures static linking.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Branch force-pushed from 26f2b43 to cd1a0e2
Actionable comments posted: 0
🧹 Nitpick comments (2)
justfile (2)
184-186: Consider validating the submodule state and version parameter. The command assumes the `privatemode-public` submodule is initialized and the version parameter is valid. If the submodule doesn't exist or the version tag is invalid, the git operations will fail with cryptic errors.
🔎 Suggested improvement with validation
# Update continuum-proxy submodule to a specific version update-continuum-proxy-version version: + @test -d privatemode-public/.git || (echo "Error: privatemode-public submodule not initialized. Run: git submodule update --init" && exit 1) cd privatemode-public && git fetch --tags && git checkout {{version}} + @echo "Updated continuum-proxy submodule to {{version}}"
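Review bot: `test -d privatemode-public/.git` fails on a normally initialized submodule, because `git submodule update --init` creates `.git` inside the submodule as a gitfile pointing at `.git/modules/privatemode-public`, not as a directory; with this line the recipe would always abort with the "not initialized" message even after the suggested `git submodule update --init` has been run. Use `test -e privatemode-public/.git` or `git submodule status privatemode-public` for the check. The closing `@echo "Updated continuum-proxy submodule to {{version}}"` is fine as is.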
188-197: Ensure Nix build success is verified before proceeding. The command performs several operations assuming the Nix build succeeded. If `nix build` fails, the subsequent `cp` command will fail with a less clear error message.
🔎 Optional improvement for clearer error handling
# Build continuum-proxy from source using Nix (produces statically linked binary) build-continuum-proxy: nix build ./privatemode-public#privatemode-proxy.bin -o continuum-proxy-build + @test -f continuum-proxy-build/bin/privatemode-proxy || (echo "Error: Nix build failed to produce binary" && exit 1) chmod u+w continuum-proxy || true cp continuum-proxy-build/bin/privatemode-proxy continuum-proxy chmod +x continuum-proxy rm continuum-proxy-build @echo "Built continuum-proxy:" @file continuum-proxy @./continuum-proxy --version
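Review bot: the added `@test -f continuum-proxy-build/bin/privatemode-proxy || (...)` line is redundant as a failure guard: just aborts a recipe at the first command that exits nonzero, so a failed `nix build` already stops the recipe before `cp` runs, and the line only contributes the friendlier message. A check worth adding at this point is one on the property the PR exists to restore, for example confirming that `file continuum-proxy` reports a statically linked binary before `@./continuum-proxy --version` is run.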
📜 Review details
⛔ Files ignored due to path filters (2)
- pcrDev.json is excluded by !pcrDev.json
- pcrProd.json is excluded by !pcrProd.json
📒 Files selected for processing (6)
- .gitmodules
- continuum-proxy
- justfile
- pcrDevHistory.json
- pcrProdHistory.json
- privatemode-public
🚧 Files skipped from review as they are similar to previous changes (2)
- pcrDevHistory.json
- .gitmodules
⏰ Context from checks skipped due to timeout of 100000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Greptile Review
🔇 Additional comments (3)
privatemode-public (1)
1-1: Submodule commit verified as v1.32.0. The commit hash b4c884d9ed037ced2d6326b42e989335caef5bbb correctly points to the v1.32.0 release tag for edgelesssys/privatemode-public.
pcrProdHistory.json (1)
485-490: LGTM! New PCR entry structure is consistent. The new PCR history entry follows the established format with all required fields (PCR0, PCR1, PCR2, timestamp, signature) and matches the structure of existing entries.
justfile (1)
199-202: LGTM! Clean orchestration of version update and rebuild. The command properly chains the version update and build steps. The default version v1.32.0 matches the PR objectives.
Summary
Switches from extracting pre-built binaries from Docker containers to building continuum-proxy from source using Nix.
Problem
Starting with v1.31.0, the privatemode-proxy Docker images ship dynamically linked binaries that depend on specific Nix store paths (e.g., `/nix/store/yi5zymrhcqm4f0qdsl28v4jc4hnv64vr-glibc-aarch64-unknown-linux-gnu-2.40-66`). This breaks standalone usage outside their container environment. Previous versions (v1.28.0, v1.30.0) were statically linked and worked fine.
Solution
- `privatemode-public` as a git submodule (MIT licensed for the proxy component)
- `nix build`, which produces statically linked binaries
New Commands
Testing
- `./continuum-proxy --version` works