From d64bbaba38d04c7e90d4bfff04ff5fa7d69637e9 Mon Sep 17 00:00:00 2001
From: Greg Curtis <greg.curtis@jetpack.io>
Date: Thu, 29 Aug 2024 10:30:52 -0400
Subject: [PATCH] patchpkg: start moving glibc-patch.bash to Go

Start porting the glibc patching script (which has expanded to patching
other libraries too) over to Go.

To make this change more incremental, this commit only ports copying the
original package's files to the patched package (basically the `cp`
command). Devbox still runs the embedded bash script until the rest of
it is ported.

The general patching steps are:

- When generating the glibc-patch.nix flake, Devbox gets the absolute
  path to itself and adds it as a flake input. This makes devbox
  available in the flake's build.
- Instead of running `glibc-patch.bash` as the flake's builder, run
  `devbox patch <pkg>`.
---
 internal/boxcli/patch.go                      |  22 +++
 internal/boxcli/root.go                       |   1 +
 internal/patchpkg/builder.go                  | 156 ++++++++++++++++++
 .../tmpl => patchpkg}/glibc-patch.bash        |   8 -
 internal/shellgen/flake_plan.go               |  27 ++-
 internal/shellgen/generate.go                 |  15 --
 internal/shellgen/tmpl/glibc-patch.nix.tmpl   |  35 +++-
 7 files changed, 229 insertions(+), 35 deletions(-)
 create mode 100644 internal/boxcli/patch.go
 create mode 100644 internal/patchpkg/builder.go
 rename internal/{shellgen/tmpl => patchpkg}/glibc-patch.bash (91%)

diff --git a/internal/boxcli/patch.go b/internal/boxcli/patch.go
new file mode 100644
index 00000000000..ae69c2c4bb5
--- /dev/null
+++ b/internal/boxcli/patch.go
@@ -0,0 +1,22 @@
+package boxcli
+
+import (
+	"github.com/spf13/cobra"
+	"go.jetpack.io/devbox/internal/patchpkg"
+)
+
+func patchCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:    "patch <store-path>",
+		Short:  "Apply Devbox patches to a package to fix common linker errors",
+		Args:   cobra.ExactArgs(1),
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			builder, err := patchpkg.NewDerivationBuilder()
+			if err != nil {
+				return err
+			}
+			return builder.Build(cmd.Context(), args[0])
+		},
+	}
+}
diff --git a/internal/boxcli/root.go b/internal/boxcli/root.go
index e3910b52ddd..e30ba6a363b 100644
--- a/internal/boxcli/root.go
+++ b/internal/boxcli/root.go
@@ -70,6 +70,7 @@ func RootCmd() *cobra.Command {
 	command.AddCommand(integrateCmd())
 	command.AddCommand(listCmd())
 	command.AddCommand(logCmd())
+	command.AddCommand(patchCmd())
 	command.AddCommand(removeCmd())
 	command.AddCommand(runCmd(runFlagDefaults{}))
 	command.AddCommand(searchCmd())
diff --git a/internal/patchpkg/builder.go b/internal/patchpkg/builder.go
new file mode 100644
index 00000000000..32190124141
--- /dev/null
+++ b/internal/patchpkg/builder.go
@@ -0,0 +1,156 @@
+// patchpkg patches packages to fix common linker errors.
+package patchpkg
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"fmt"
+	"io"
+	"io/fs"
+	"iter"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+//go:embed glibc-patch.bash
+var glibcPatchScript []byte
+
+// DerivationBuilder patches an existing package.
+type DerivationBuilder struct {
+	// Out is the output directory that will contain the built derivation.
+	// If empty it defaults to $out, which is typically set by Nix.
+	Out string
+}
+
+// NewDerivationBuilder initializes a new DerivationBuilder from the current
+// Nix build environment.
+func NewDerivationBuilder() (*DerivationBuilder, error) {
+	d := &DerivationBuilder{}
+	if err := d.init(); err != nil {
+		return nil, err
+	}
+	return d, nil
+}
+
+func (d *DerivationBuilder) init() error {
+	if d.Out == "" {
+		d.Out = os.Getenv("out")
+		if d.Out == "" {
+			return fmt.Errorf("patchpkg: $out is empty (is this being run from a nix build?)")
+		}
+	}
+	return nil
+}
+
+// Build applies patches to a package store path and puts the result in the
+// d.Out directory.
+func (d *DerivationBuilder) Build(ctx context.Context, pkgStorePath string) error {
+	slog.DebugContext(ctx, "starting build of patched package", "pkg", pkgStorePath, "out", d.Out)
+
+	var err error
+	pkgFS := os.DirFS(pkgStorePath)
+	for path, entry := range allFiles(pkgFS, ".") {
+		switch {
+		case entry.IsDir():
+			err = d.copyDir(path)
+		case isSymlink(entry.Type()):
+			err = d.copySymlink(pkgStorePath, path)
+		default:
+			err = d.copyFile(pkgFS, path)
+		}
+
+		if err != nil {
+			return err
+		}
+	}
+
+	bash := filepath.Join(os.Getenv("bash"), "bin/bash")
+	cmd := exec.CommandContext(ctx, bash, "-s")
+	cmd.Stdin = bytes.NewReader(glibcPatchScript)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+func (d *DerivationBuilder) copyDir(path string) error {
+	osPath, err := filepath.Localize(path)
+	if err != nil {
+		return err
+	}
+	return os.Mkdir(filepath.Join(d.Out, osPath), 0o777)
+}
+
+func (d *DerivationBuilder) copyFile(pkgFS fs.FS, path string) error {
+	src, err := pkgFS.Open(path)
+	if err != nil {
+		return err
+	}
+	defer src.Close()
+
+	stat, err := src.Stat()
+	if err != nil {
+		return err
+	}
+
+	// We only need to copy the executable permissions of a file.
+	// Nix ends up making everything in the store read-only after
+	// the build is done.
+	perm := fs.FileMode(0o666)
+	if isExecutable(stat.Mode()) {
+		perm = fs.FileMode(0o777)
+	}
+
+	osPath, err := filepath.Localize(path)
+	if err != nil {
+		return err
+	}
+	dstPath := filepath.Join(d.Out, osPath)
+
+	dst, err := os.OpenFile(dstPath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, perm)
+	if err != nil {
+		return err
+	}
+	defer dst.Close()
+
+	_, err = io.Copy(dst, src)
+	if err != nil {
+		return err
+	}
+	return dst.Close()
+}
+
+func (d *DerivationBuilder) copySymlink(pkgStorePath, path string) error {
+	// The fs package doesn't support symlinks, so we need to convert the
+	// path back to an OS path to see what it points to.
+	osPath, err := filepath.Localize(path)
+	if err != nil {
+		return err
+	}
+	target, err := os.Readlink(filepath.Join(pkgStorePath, osPath))
+	if err != nil {
+		return err
+	}
+	// TODO(gcurtis): translate absolute symlink targets to relative paths.
+	return os.Symlink(target, filepath.Join(d.Out, osPath))
+}
+
+// RegularFiles iterates over all files in fsys starting at root. It silently
+// ignores errors.
+func allFiles(fsys fs.FS, root string) iter.Seq2[string, fs.DirEntry] {
+	return func(yield func(string, fs.DirEntry) bool) {
+		_ = fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
+			if err == nil {
+				if !yield(path, d) {
+					return filepath.SkipAll
+				}
+			}
+			return nil
+		})
+	}
+}
+
+func isExecutable(mode fs.FileMode) bool { return mode&0o111 != 0 }
+func isSymlink(mode fs.FileMode) bool    { return mode&fs.ModeSymlink != 0 }
diff --git a/internal/shellgen/tmpl/glibc-patch.bash b/internal/patchpkg/glibc-patch.bash
similarity index 91%
rename from internal/shellgen/tmpl/glibc-patch.bash
rename to internal/patchpkg/glibc-patch.bash
index d8fe9ba9699..2539135345c 100644
--- a/internal/shellgen/tmpl/glibc-patch.bash
+++ b/internal/patchpkg/glibc-patch.bash
@@ -23,14 +23,6 @@ hash -p "$gnused/bin/sed" sed
 hash -p "$patchelf/bin/patchelf" patchelf
 hash -p "$ripgrep/bin/rg" rg
 
-# Copy the contents of the original package so we can patch them.
-cp -R "$pkg" "$out"
-
-# Because we copied an existing store path, our new $out directory might be
-# read-only. This might've caused issues with some versions of Nix, so make it
-# writable again just to be safe.
-chmod u+rwx "$out"
-
 # Find the new linker that we'll patch into all of the package's executables as
 # the interpreter.
 interp="$(find "$glibc/lib" -type f -maxdepth 1 -executable -name 'ld-linux-*.so*' | head -n1)"
diff --git a/internal/shellgen/flake_plan.go b/internal/shellgen/flake_plan.go
index bb0c6529d4a..7262a57a0c7 100644
--- a/internal/shellgen/flake_plan.go
+++ b/internal/shellgen/flake_plan.go
@@ -3,6 +3,7 @@ package shellgen
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
 	"runtime/trace"
 	"strings"
@@ -68,6 +69,10 @@ func (f *flakePlan) needsGlibcPatch() bool {
 }
 
 type glibcPatchFlake struct {
+	// DevboxExecutable is the absolute path to the Devbox binary to use as
+	// the flake's builder. It must not be the wrapper script.
+	DevboxExecutable string
+
 	// NixpkgsGlibcFlakeRef is a flake reference to the nixpkgs flake
 	// containing the new glibc package.
 	NixpkgsGlibcFlakeRef string
@@ -85,7 +90,21 @@ type glibcPatchFlake struct {
 }
 
 func newGlibcPatchFlake(nixpkgsGlibcRev string, packages []*devpkg.Package) (glibcPatchFlake, error) {
-	flake := glibcPatchFlake{NixpkgsGlibcFlakeRef: "flake:nixpkgs/" + nixpkgsGlibcRev}
+	// Get the path to the actual devbox binary (not the /usr/bin/devbox
+	// wrapper) so the flake build can use it.
+	exe, err := os.Executable()
+	if err != nil {
+		return glibcPatchFlake{}, err
+	}
+	exe, err = filepath.EvalSymlinks(exe)
+	if err != nil {
+		return glibcPatchFlake{}, err
+	}
+
+	flake := glibcPatchFlake{
+		DevboxExecutable:     exe,
+		NixpkgsGlibcFlakeRef: "flake:nixpkgs/" + nixpkgsGlibcRev,
+	}
 	for _, pkg := range packages {
 		if !pkg.PatchGlibc() {
 			continue
@@ -143,9 +162,5 @@ func (g *glibcPatchFlake) fetchClosureExpr(pkg *devpkg.Package) (string, error)
 }
 
 func (g *glibcPatchFlake) writeTo(dir string) error {
-	err := writeFromTemplate(dir, g, "glibc-patch.nix", "flake.nix")
-	if err != nil {
-		return err
-	}
-	return writeGlibcPatchScript(filepath.Join(dir, "glibc-patch.bash"))
+	return writeFromTemplate(dir, g, "glibc-patch.nix", "flake.nix")
 }
diff --git a/internal/shellgen/generate.go b/internal/shellgen/generate.go
index 65699fe1886..57d8e37acc9 100644
--- a/internal/shellgen/generate.go
+++ b/internal/shellgen/generate.go
@@ -8,7 +8,6 @@ import (
 	"bytes"
 	"context"
 	"embed"
-	"io/fs"
 	"os"
 	"path/filepath"
 	"runtime/trace"
@@ -102,20 +101,6 @@ func writeFromTemplate(path string, plan any, tmplName, generatedName string) er
 	return nil
 }
 
-// writeGlibcPatchScript writes the embedded glibc patching script to disk so
-// that a generated flake can use it.
-func writeGlibcPatchScript(path string) error {
-	script, err := fs.ReadFile(tmplFS, "tmpl/glibc-patch.bash")
-	if err != nil {
-		return redact.Errorf("read embedded glibc-patch.bash: %v", redact.Safe(err))
-	}
-	err = overwriteFileIfChanged(path, script, 0o755)
-	if err != nil {
-		return redact.Errorf("write glibc-patch.bash to file: %v", err)
-	}
-	return nil
-}
-
 // overwriteFileIfChanged checks that the contents of f == data, and overwrites
 // f if they differ. It also ensures that f's permissions are set to perm.
 func overwriteFileIfChanged(path string, data []byte, perm os.FileMode) error {
diff --git a/internal/shellgen/tmpl/glibc-patch.nix.tmpl b/internal/shellgen/tmpl/glibc-patch.nix.tmpl
index fdb7a2408ff..f9bc2c35e42 100644
--- a/internal/shellgen/tmpl/glibc-patch.nix.tmpl
+++ b/internal/shellgen/tmpl/glibc-patch.nix.tmpl
@@ -2,6 +2,11 @@
   description = "Patches packages to use a newer version of glibc";
 
   inputs = {
+    local-devbox = {
+      url = "path://{{ .DevboxExecutable }}";
+      flake = false;
+    };
+
     nixpkgs-glibc.url = "{{ .NixpkgsGlibcFlakeRef }}";
 
     {{- range $name, $flakeref := .Inputs }}
@@ -9,7 +14,7 @@
     {{- end }}
   };
 
-  outputs = args@{ self, nixpkgs-glibc {{- range $name, $_ := .Inputs -}}, {{ $name }} {{- end }} }:
+  outputs = args@{ self, local-devbox, nixpkgs-glibc {{- range $name, $_ := .Inputs -}}, {{ $name }} {{- end }} }:
     {{ with .Outputs -}}
     let
       # Initialize each nixpkgs input into a new attribute set with the
@@ -30,17 +35,35 @@
         else null) args;
 
       patchGlibc = pkg: derivation rec {
-        name = "devbox-patched-glibc";
-        system = pkg.system;
-
         # The package we're patching.
         inherit pkg;
 
+        # Keep the name the same as the package we're patching so that the
+        # length of the store path doesn't change. Otherwise patching binaries
+        # becomes trickier.
+        name = pkg.name;
+        system = pkg.system;
+
         # Programs needed by glibc-patch.bash.
         inherit (nixpkgs-glibc.legacyPackages."${system}") bash coreutils file findutils glibc gnused patchelf ripgrep;
 
-        builder = "${bash}/bin/bash";
-        args = [ ./glibc-patch.bash ];
+        # Create a package that puts the local devbox binary in the conventional
+        # bin subdirectory. This also ensures that the executable is named
+        # "devbox" and not "<hash>-source" (which is how Nix names the flake
+        # input). Invoking it as anything other than "devbox" will break
+        # testscripts which look at os.Args[0] to decide to run the real
+        # entrypoint or the test entrypoint.
+        devbox = derivation {
+          name = "devbox";
+          system = pkg.system;
+          builder = "${bash}/bin/bash";
+
+          # exit 0 to work around https://github.com/NixOS/nix/issues/2176
+          args = [ "-c" "${coreutils}/bin/mkdir -p $out/bin && ${coreutils}/bin/cp ${local-devbox} $out/bin/devbox && exit 0" ];
+        };
+
+        builder = "${devbox}/bin/devbox";
+        args = [ "patch" pkg ];
       };
     in
     {