feat(build/oci): make sandbox shell configurable via query parameter

Previously, the sandbox shell path was configured at compile time using
the SNIX_BUILD_SANDBOX_SHELL environment variable. This change moves the
configuration to runtime via a query parameter in the OCI build service URL.

The sandbox_shell can now be specified as: oci:///path/to/bundle?sandbox_shell=/path/to/shell
If not specified, it defaults to /bin/sh.

Also adds an embedded-busybox cargo feature that embeds the busybox binary
at compile time for environments where a suitable shell isn't available.

This makes the build service more flexible and removes the need for
compile-time shell configuration in most cases.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Change-Id: Idf14ad2d1ddf111fb3173d6aa13b4049a2a89070

Author: domenkozar

snix/build/Cargo.toml

@@ -37,6 +37,7 @@ tonic-build.workspace = true
 [features]
 default = []
 tonic-reflection = ["dep:tonic-reflection", "snix-castore/tonic-reflection"]
+embedded-busybox = []
 
 [dev-dependencies]
 rstest.workspace = true

snix/build/build.rs

@@ -1,6 +1,18 @@
 use std::io::Result;
 
 fn main() -> Result<()> {
+    // Handle embedded busybox feature
+    #[cfg(feature = "embedded-busybox")]
+    {
+        if let Ok(busybox_path) = std::env::var("SNIX_BUILD_SANDBOX_SHELL") {
+            // Tell cargo to rerun if the busybox binary changes
+            println!("cargo:rerun-if-changed={}", busybox_path);
+        } else {
+            panic!(
+                "SNIX_BUILD_SANDBOX_SHELL environment variable must be set when using embedded-busybox feature"
+            );
+        }
+    }
     #[allow(unused_mut)]
     let mut builder = tonic_build::configure();
 

snix/build/src/buildservice/from_addr.rs

@@ -1,10 +1,105 @@
 use super::{BuildService, DummyBuildService, grpc::GRPCBuildService};
+use serde::Deserialize;
 use snix_castore::{blobservice::BlobService, directoryservice::DirectoryService};
+use std::path::PathBuf;
+use std::sync::OnceLock;
 use url::Url;
 
 #[cfg(target_os = "linux")]
 use super::oci::OCIBuildService;
 
+/// Extract the embedded busybox binary to a temporary location and return its path
+#[cfg(all(target_os = "linux", feature = "embedded-busybox"))]
+fn get_embedded_busybox_path() -> Result<PathBuf, std::io::Error> {
+    use std::fs;
+    use std::os::unix::fs::PermissionsExt;
+
+    static EXTRACTED_BUSYBOX_PATH: OnceLock<PathBuf> = OnceLock::new();
+
+    // The embedded busybox binary (included at compile time)
+    static EMBEDDED_BUSYBOX_BINARY: &[u8] = include_bytes!(env!("SNIX_BUILD_SANDBOX_SHELL"));
+
+    EXTRACTED_BUSYBOX_PATH
+        .get_or_try_init(|| {
+            let temp_dir = std::env::temp_dir();
+            let busybox_path = temp_dir.join(format!("snix-busybox-{}", std::process::id()));
+
+            // Write the binary
+            fs::write(&busybox_path, EMBEDDED_BUSYBOX_BINARY)?;
+
+            // Make it executable
+            let mut perms = fs::metadata(&busybox_path)?.permissions();
+            perms.set_mode(0o755);
+            fs::set_permissions(&busybox_path, perms)?;
+
+            tracing::debug!(?busybox_path, "extracted embedded busybox binary");
+
+            Ok(busybox_path)
+        })
+        .cloned()
+}
+
+/// Configuration for OCIBuildService
+#[cfg(target_os = "linux")]
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct OCIBuildServiceConfig {
+    /// Root path in which all bundles are created
+    pub bundle_root: PathBuf,
+
+    /// Path to the sandbox shell to use.
+    /// This needs to be a statically linked binary, or you must ensure all
+    /// dependencies are part of the build (which they usually are not).
+    #[serde(default = "default_sandbox_shell")]
+    pub sandbox_shell: PathBuf,
+    // TODO: make rootless_uid_gid configurable
+}
+
+#[cfg(target_os = "linux")]
+fn default_sandbox_shell() -> PathBuf {
+    // Priority: embedded busybox -> SNIX_BUILD_SANDBOX_SHELL env var -> /bin/sh
+    #[cfg(feature = "embedded-busybox")]
+    {
+        if let Ok(path) = get_embedded_busybox_path() {
+            return path;
+        }
+        tracing::warn!(
+            "failed to extract embedded busybox, falling back to environment variable or /bin/sh"
+        );
+    }
+
+    // Check environment variable (for backward compatibility when feature is disabled)
+    if let Ok(shell_path) = std::env::var("SNIX_BUILD_SANDBOX_SHELL") {
+        return PathBuf::from(shell_path);
+    }
+
+    PathBuf::from("/bin/sh")
+}
+
+#[cfg(target_os = "linux")]
+impl TryFrom<Url> for OCIBuildServiceConfig {
+    type Error = Box<dyn std::error::Error + Send + Sync>;
+
+    fn try_from(url: Url) -> Result<Self, Self::Error> {
+        // oci wants a path in which it creates bundles
+        if url.path().is_empty() {
+            return Err("oci needs a bundle dir as path".into());
+        }
+
+        // Parse sandbox_shell from query parameters
+        let query_pairs: std::collections::HashMap<_, _> = url.query_pairs().collect();
+        let sandbox_shell = query_pairs
+            .get("sandbox_shell")
+            .map(|s| PathBuf::from(s.as_ref()))
+            .unwrap_or_else(default_sandbox_shell);
+
+        Ok(OCIBuildServiceConfig {
+            bundle_root: url.path().into(),
+            sandbox_shell,
+        })
+    }
+}
+
 /// Constructs a new instance of a [BuildService] from an URI.
 ///
 /// The following schemes are supported by the following services:
@@ -32,17 +127,14 @@ where
         "dummy" => Box::<DummyBuildService>::default(),
         #[cfg(target_os = "linux")]
         "oci" => {
-            // oci wants a path in which it creates bundles.
-            if url.path().is_empty() {
-                Err(std::io::Error::other("oci needs a bundle dir as path"))?
-            }
-
-            // TODO: make sandbox shell and rootless_uid_gid
+            let config = OCIBuildServiceConfig::try_from(url)
+                .map_err(|e| std::io::Error::other(format!("invalid oci config: {}", e)))?;
 
             Box::new(OCIBuildService::new(
-                url.path().into(),
+                config.bundle_root,
                 blob_service,
                 directory_service,
+                config.sandbox_shell,
             ))
         }
         scheme => {

snix/build/src/buildservice/oci.rs

@@ -18,7 +18,6 @@ use std::{ffi::OsStr, path::PathBuf, process::Stdio};
 
 use super::BuildService;
 
-const SANDBOX_SHELL: &str = env!("SNIX_BUILD_SANDBOX_SHELL");
 const MAX_CONCURRENT_BUILDS: usize = 2; // TODO: make configurable
 
 pub struct OCIBuildService<BS, DS> {
@@ -30,13 +29,21 @@ pub struct OCIBuildService<BS, DS> {
     /// Handle to a [DirectoryService], used by filesystems spawned during builds.
     directory_service: DS,
 
+    /// Path to the sandbox shell to use
+    sandbox_shell: PathBuf,
+
     // semaphore to track number of concurrently running builds.
     // this is necessary, as otherwise we very quickly run out of open file handles.
     concurrent_builds: tokio::sync::Semaphore,
 }
 
 impl<BS, DS> OCIBuildService<BS, DS> {
-    pub fn new(bundle_root: PathBuf, blob_service: BS, directory_service: DS) -> Self {
+    pub fn new(
+        bundle_root: PathBuf,
+        blob_service: BS,
+        directory_service: DS,
+        sandbox_shell: PathBuf,
+    ) -> Self {
         // We map root inside the container to the uid/gid this is running at,
         // and allocate one for uid 1000 into the container from the range we
         // got in /etc/sub{u,g}id.
@@ -45,6 +52,7 @@ impl<BS, DS> OCIBuildService<BS, DS> {
             bundle_root,
             blob_service,
             directory_service,
+            sandbox_shell,
             concurrent_builds: tokio::sync::Semaphore::new(MAX_CONCURRENT_BUILDS),
         }
     }
@@ -66,7 +74,7 @@ where
         let span = Span::current();
         span.record("bundle_name", bundle_name.to_string());
 
-        let mut runtime_spec = make_spec(&request, true, SANDBOX_SHELL)
+        let mut runtime_spec = make_spec(&request, true, self.sandbox_shell.to_str().unwrap())
             .context("failed to create spec")
             .map_err(std::io::Error::other)?;
 

snix/default.nix

@@ -67,7 +67,6 @@ in
     inherit cargoDeps src;
     name = "snix-rust-docs";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
 
     nativeBuildInputs = with pkgs; [
       cargo
@@ -93,7 +92,6 @@ in
     inherit cargoDeps src;
     name = "snix-clippy";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
 
     buildInputs = [
       pkgs.fuse

snix/shell.nix

@@ -51,7 +51,6 @@ pkgs.mkShell {
   # should also benchmark with a more static nixpkgs checkout, so nixpkgs
   # refactorings are not observed as eval perf changes.
   shellHook = ''
-    export SNIX_BUILD_SANDBOX_SHELL=${if pkgs.stdenv.isLinux then pkgs.busybox-sandbox-shell + "/bin/busybox" else "/bin/sh"}
     export SNIX_BENCH_NIX_PATH=nixpkgs=${pkgs.path}
   '';
 }

snix/utils.nix

@@ -80,7 +80,6 @@ in
         };
         PROTO_ROOT = depot.snix.build.protos.protos;
         nativeBuildInputs = [ pkgs.protobuf ];
-        SNIX_BUILD_SANDBOX_SHELL = if pkgs.stdenv.isLinux then pkgs.pkgsStatic.busybox + "/bin/sh" else "/bin/sh";
       };
 
       snix-castore = prev: {