init project

Signed-off-by: Kevin Cui <[email protected]>

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+
+[*.{json,yml,yaml}]
+indent_style = space
+indent_size = 2

.github/workflows/release.yml

@@ -0,0 +1,65 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - name: Configure R2 Credentials
+        run: |
+          aws configure set aws_access_key_id ${{ secrets.R2_OOMOL_STATIC_S3_AK }}
+          aws configure set aws_secret_access_key ${{ secrets.R2_OOMOL_STATIC_S3_SK }}
+          aws configure set region auto
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Set up Goenv
+        run: |
+          brew install goenv
+
+      - name: Exec
+        run: |
+          ./main.sh
+        env:
+          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Hash
+        run: sha256sums ./out/* > sha256.txt
+
+      - name: Get Tag Name
+        shell: bash
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Upload To R2
+        shell: bash
+        run: |
+          aws s3 cp \
+            --endpoint-url ${{ secrets.R2_OOMOL_STATIC_S3_ENDPOINT }} \
+            ./out \
+            s3://oomol-static/ovm-resources/libexec/$RELEASE_VERSION \
+            --recursive --exclude "*" --include "*.tar.gz"
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            ./*.tar.gz
+            ./out/*
+            ./sha256.txt
+          body_path: ./sha256.txt
+          draft: false
+          prerelease: false
+          fail_on_unmatched_files: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,11 @@
+.idea
+.vscode
+out
+Thumbs.db
+[Dd]esktop.ini
+$RECYCLE.BIN/
+.DS_Store
+
+gvisor-tap-vsock
+krunkit
+*.tar.gz

README.md

@@ -0,0 +1,3 @@
+# ovm-libexec
+
+OVM needs some third-party binary files, but some binary are either unsigned or universal. This project exists to address these issues.

krunkit.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hypervisor</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validationr</key>
+	<true/>
+</dict>
+</plist>

main.sh

@@ -0,0 +1,47 @@
+#/bin/sh
+
+set -e
+
+export WORK=`pwd`
+
+rm -rf ./out
+mkdir -p ./out
+export GOARCH=arm64
+export GOOS=darwin
+
+# Gvp
+echo "Building gvp..."
+rm -rf gvisor-tap-vsock
+git clone https://github.com/containers/gvisor-tap-vsock.git
+cd gvisor-tap-vsock
+git checkout v0.7.5
+eval "$(goenv init -)"
+goenv install 1.22.0 -s
+goenv shell 1.22.0
+make gvproxy
+mv ./bin/gvproxy $WORK/out/gvproxy
+
+# krun
+echo "Dwonloading krun..."
+cd $WORK
+rm -rf ./krunkit
+mkdir -p krunkit
+cd krunkit
+gh release download v0.1.3 -R containers/krunkit --pattern "krunkit-*" --clobber
+tar -zxvf krunkit-*.tgz -C ./
+mv bin/krunkit $WORK/out/krunkit
+mv lib/* $WORK/out/
+
+cd $WORK
+
+# codesign
+echo "Signing gvproxy..."
+codesign --force --sign $CODESIGN_IDENTITY --timestamp $WORK/out/gvproxy
+
+echo "Signing krunkit..."
+codesign --force --sign $CODESIGN_IDENTITY --timestamp --entitlements krunkit.entitlements $WORK/out/krunkit
+
+find $WORK/out -name "*.dylib" -type f -exec sh -c "echo 'Signing {}...'; codesign --force --sign $CODESIGN_IDENTITY --timestamp {}" ';'
+
+# pack
+tar -czvf ./libexec-$GOOS-$GOARCH.tar.gz -C ./out/ .