[wip] libvirt: build containerized libvirt as nix container image

.github/workflows/build-libvirt-container.yml

@@ -0,0 +1,45 @@
+name: Build libvirtd base container
+
+on:
+  push:
+    branches:
+       - "main"
+       # TODO(malt3): remove. Allows testing this PR
+       - feat/bazel/use-cc-libraries-from-nix
+    paths:
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/containers/libvirtd_base.nix"
+      - ".github/workflows/build-libvirt-container.yml"
+  workflow_dispatch:
+
+jobs:
+  build-container:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          useCache: "false"
+          nixTools: |
+            crane
+            gzip
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container
+        run: |
+          nix build .#libvirtd_base
+          cat result | gunzip > libvirtd_base.tar
+          crane push libvirtd_base.tar ghcr.io/edgelesssys/constellation/libvirtd-base

bazel/oci/containers.bzl

@@ -51,7 +51,7 @@ def containers():
             "identifier": "libvirt",
             "image_name": "libvirt",
             "name": "libvirt",
-            "oci": "//cli/internal/libvirt:constellation_libvirt",
+            "oci": "@libvirtd_base//:libvirtd_base",
             "repotag_file": "//bazel/release:libvirt_tag.txt",
             "used_by": ["config"],
         },

bazel/toolchains/container_images.bzl

@@ -14,3 +14,8 @@ def containter_image_deps():
             "linux/arm64",
         ],
     )
+    oci_pull(
+        name = "libvirtd_base",
+        digest = "sha256:08d0643e47365d9a928e9b08845e932834da9e445b4ee96fd0f1f721eebcea07",
+        image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
+    )

cli/internal/libvirt/BUILD.bazel

@@ -1,7 +1,4 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
-load("@rules_oci//oci:defs.bzl", "oci_image")
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_files", "strip_prefix")
 
 go_library(
     name = "libvirt",
@@ -17,60 +14,3 @@ go_library(
         "@com_github_spf13_afero//:afero",
     ],
 )
-
-pkg_files(
-    name = "etc",
-    srcs = [
-        "//cli/internal/libvirt/etc:passwd_db",
-    ],
-    attributes = pkg_attributes(
-        group = "root",
-        mode = "0644",
-        owner = "root",
-    ),
-    prefix = "etc",
-    strip_prefix = strip_prefix.from_pkg(),
-)
-
-pkg_files(
-    name = "nvram",
-    srcs = [
-        "//cli/internal/libvirt/nvram:nvram_vars",
-    ],
-    prefix = "usr/share/OVMF",
-    strip_prefix = strip_prefix.from_pkg(),
-)
-
-pkg_files(
-    name = "libvirt_conf",
-    srcs = [
-        "libvirtd.conf",
-        "qemu.conf",
-    ],
-    prefix = "/etc/libvirt",
-)
-
-pkg_tar(
-    name = "start",
-    srcs = [
-        "start.sh",
-        ":etc",
-        ":libvirt_conf",
-        ":nvram",
-    ],
-    mode = "0755",
-)
-
-oci_image(
-    name = "constellation_libvirt",
-    architecture = "amd64",
-    entrypoint = ["/start.sh"],
-    os = "linux",
-    tars = [
-        # TODO(malt3): test if libvirt works before merging this change!!!
-        "@libvirt_x86_64-linux//:closure.tar",
-        "@libvirt_x86_64-linux//:bin-linktree.tar",
-        ":start",
-    ],
-    visibility = ["//visibility:public"],
-)

cli/internal/libvirt/README.md

@@ -11,14 +11,19 @@ Connecting to the libvirt daemon running in the container and manage the deploym
 virsh -c "qemu+tcp://localhost:16599/system"
 ```
 
-## Docker image
+## Container image
 
-Build the image:
+Update the base image:
+
+```shell
+nix build .#libvirtd_base
+cat result | gunzip > libvirtd_base.tar
+crane push libvirtd_base.tar ghcr.io/edgelesssys/constellation/libvirtd-base
+```
+
+Push to your own registry:
 
 ```shell
-bazel build //cli/internal/libvirt:constellation_libvirt
-bazel build //bazel/release:libvirt_sum
-bazel build //bazel/release:libvirt_tar
 bazel run //bazel/release:libvirt_push
 ```
 

flake.nix

@@ -49,6 +49,8 @@
 
       packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; };
 
+      packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+
       packages.awscli2 = pkgsUnstable.awscli2;
 
       packages.bazel_6 = pkgsUnstable.bazel_6;