ES-Nix / environments

Minimal environments #4

Open PedroRegisPOAR opened 3 years ago

PedroRegisPOAR commented 3 years ago

Abstract

A really great quote:

Toybox vs BusyBox - Rob Landley, hobbyist, start=721&end=777

nix develop nixpkgs#toybox --command sh -c 'cd "$TMPDIR" && source $stdenv/setup && genericBuild'
nix develop nixpkgs#pkgsStatic.toybox --command sh -c 'cd "$TMPDIR" && source $stdenv/setup && genericBuild'

It removes every binary and only compiles the toybox sh:

EXPR_NIX='
  (
    let
      nixpkgs = (builtins.getFlake "github:NixOS/nixpkgs/f3dab3509afca932f3f4fd0908957709bb1c1f57");
      pkgs = import nixpkgs { };
    in
      (
        pkgs.pkgsStatic.toybox.overrideAttrs 
          (oldAttrs: 
            {
              hardeningDisable = [ "fortify" ]; 
              buildPhase = "make clean && make sh";
              installPhase = "rm -frv $out && mkdir -pv $out/bin && cp -v sh $out/bin";
            }
          )
      )
  )
'

FULL_LOCAL_PATH=$(nix \
    build \
    --no-link \
    --print-build-logs \
    --print-out-paths \
    --impure \
    --expr \
    "$EXPR_NIX")

sha256sum "$FULL_LOCAL_PATH/bin/sh"
EXPECTED_SHA256SUM=49e7a0edc0638e198d45a91b606b136f2fb0ceeb33a4751e844cc6f0128f97b0

du -hs "$FULL_LOCAL_PATH/bin/sh"
echo "$EXPECTED_SHA256SUM  $FULL_LOCAL_PATH/bin/sh" | sha256sum -c

# Force a rebuild of the same derivation and check that the output is byte-identical
FULL_LOCAL_PATH=$(nix \
    build \
    --no-link \
    --print-build-logs \
    --print-out-paths \
    --rebuild \
    --impure \
    --expr \
    "$EXPR_NIX")

du -hs "$FULL_LOCAL_PATH/bin/sh"
echo "$EXPECTED_SHA256SUM  $FULL_LOCAL_PATH/bin/sh" | sha256sum -c

Using old Ubuntu OCI images

podman run ubuntu:10.04 bash -c 'lsb_release -a'
podman run ubuntu:10.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:14.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:16.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:18.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:20.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:22.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman run ubuntu:23.04 bash -c 'lsb_release -a || cat /etc/os*release'
podman pull docker.io/tianon/toybox
podman pull docker.io/tianon/toybox@sha256:b7e31a6cc27d812ecfde6b7184a69b68890fa804937645bbf8fdd5557bd26c7d
podman image inspect --format='{{index .RepoDigests 0}}' docker.io/tianon/toybox

podman run docker.io/tianon/toybox toybox

TODOs:

TODO: https://discourse.nixos.org/t/build-a-yocto-rootfs-inside-nix/2643/26
TODO: https://github.com/hjones2199/ush

The busybox-sandbox-shell

TODO: add metadata info

nix \
shell \
--ignore-environment \
nixpkgs#busybox-sandbox-shell \
--command \
sh \
-c \
'echo Hi!'

The toybox

Toybox vs BusyBox - Rob Landley, hobbyist

podman \
 run \
--interactive=true \
--tty=true \
--rm=true \
--user='guest' \
docker.io/tianon/toybox:0.8.5 \
sh \
-c \
"echo 'Hello!' && id"
podman \
run \
--log-level=error \
--privileged=false \
--device=/dev/fuse \
--device=/dev/kvm \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--interactive=true \
--network=slirp4netns \
--tty=true \
--rm=true \
--user=guest \
docker.io/tianon/toybox \
sh
podman run --rm tianon/toybox toybox
# podman run --rm docker.io/library/busybox busybox
podman run --rm docker.io/library/busybox busybox --list | column

podman run --rm alpine:latest apk list --installed
podman run --rm ubuntu:latest apt list --installed
podman run --rm ubuntu:latest dpkg-query -l

podman run --rm ubuntu:latest apt show '~i' -a

Refs.:

TODO: https://unix.stackexchange.com/a/665012

nix \
shell \
--ignore-environment \
nixpkgs#busybox \
--command \
sh \
-c \
'ls -al'
nix \
shell \
--ignore-environment \
nixpkgs#busybox-sandbox-shell \
--command \
sh \
-c \
'echo Hi!'
nix run nixpkgs#toybox file .

TODO: document other examples that for now are spread

nix shell -i nixpkgs#uutils-coreutils
nix run nixpkgs#uutils-coreutils

appimage-run and steam-run

nix shell nixpkgs#appimage-run
env NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#steam-run

PedroRegisPOAR commented 3 years ago

TODO: test it https://github.com/cleverca22/not-os

PedroRegisPOAR commented 3 years ago

UTF-8 limitations

PedroRegisPOAR commented 2 years ago

Using sha256sum to compare environments

Improve it! Use sha512sum too?

# env | sort | sha256sum
env | grep -v HOSTNAME | sort | sha256sum
podman \
run \
--interactive=true \
--tty=false \
--rm=true \
--user=0 \
docker.io/library/busybox \
<<'COMMANDS'
env | grep -v HOSTNAME | sort | sha256sum
COMMANDS
env > env.txt
SHA="$(sha256sum env.txt | cut -d ' ' -f 1)"
echo "$SHA env.txt" | sha256sum --check
echo "$SHA env.txt" | sha256sum --check --status

https://superuser.com/questions/1312740/how-to-take-sha256sum-of-file-and-compare-to-check-in-one-line#comment2484548_1468626
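The comparison above, as an added example that is not code from the issue: it generalizes `env | grep -v HOSTNAME | sort | sha256sum` to a configurable list of per-run variables (the default list `VOLATILE_VARS` is an assumption), sorts under a fixed locale so the hash does not depend on the caller's `LANG`, and prints the differing variables on a mismatch instead of just two unequal digests.

```shell
#!/bin/sh
# Added example, not code from the issue: fingerprint an `env` dump so two
# environments (host vs. container, or two container runs) can be compared.
# VOLATILE_VARS is an assumed default list of variables that change per run
# even when the image is identical; extend it for your own setup.
# Caveat: `env` prints one line per variable, so a value containing a newline
# would corrupt the comparison; use `env -0` where available if that matters.
VOLATILE_VARS='HOSTNAME PWD OLDPWD SHLVL _ TERM LINES COLUMNS'

# Print the dump in file $1 without volatile variables, sorted under LC_ALL=C
# so the line order (and therefore the hash) does not depend on the locale.
normalize_env() {
  pattern=$(printf '%s\n' $VOLATILE_VARS | sed 's/^/^/; s/$/=/' | paste -sd '|' -)
  grep -Ev "$pattern" "$1" | LC_ALL=C sort
}

# sha256 hex digest of the normalized dump in file $1.
env_fingerprint() {
  normalize_env "$1" | sha256sum | cut -d ' ' -f 1
}

# Return 0 if dumps $1 and $2 have the same fingerprint; otherwise write the
# differing variables to stderr and return 1.
envs_match() {
  a=$(env_fingerprint "$1")
  b=$(env_fingerprint "$2")
  if [ "$a" = "$b" ]; then return 0; fi
  t1=$(mktemp)
  t2=$(mktemp)
  normalize_env "$1" > "$t1"
  normalize_env "$2" > "$t2"
  diff "$t1" "$t2" >&2 || true
  rm -f "$t1" "$t2"
  return 1
}

# Typical use: `env > host.env` on the host,
# `podman run --rm docker.io/library/busybox env > box.env` for the container,
# then `envs_match host.env box.env`.
```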

PedroRegisPOAR commented 2 years ago

TODO: make examples, refactor...

nix \
build \
github:ratsclub/dotfiles/54fc62c5cdc15176f7511381b20cfb0c524bfeec#homeConfigurations.textual.activationPackage

From: https://t.me/nixosbrasil/43756