feat(build/oci): make sandbox shell configurable via query parameter

Previously, the sandbox shell path was hardcoded at compile time using
the SNIX_BUILD_SANDBOX_SHELL environment variable. This change allows
configuring the sandbox shell path at runtime via a query parameter in
the OCI build service URL.

The sandbox_shell can now be specified as: oci:///path/to/bundle?sandbox_shell=/path/to/shell
If not specified, it defaults to /bin/sh.

This makes the build service more flexible and removes the need for
compile-time configuration.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Change-Id: Idf14ad2d1ddf111fb3173d6aa13b4049a2a89070

Author: domenkozar

snix/build/src/buildservice/from_addr.rs

@@ -1,10 +1,57 @@
 use super::{BuildService, DummyBuildService, grpc::GRPCBuildService};
+use serde::Deserialize;
 use snix_castore::{blobservice::BlobService, directoryservice::DirectoryService};
+use std::path::PathBuf;
 use url::Url;
 
 #[cfg(target_os = "linux")]
 use super::oci::OCIBuildService;
 
+/// Configuration for OCIBuildService
+#[cfg(target_os = "linux")]
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct OCIBuildServiceConfig {
+    /// Root path in which all bundles are created
+    pub bundle_root: PathBuf,
+
+    /// Path to the sandbox shell to use.
+    /// This needs to be a statically linked binary, or you must ensure all
+    /// dependencies are part of the build (which they usually are not).
+    #[serde(default = "default_sandbox_shell")]
+    pub sandbox_shell: PathBuf,
+    // TODO: make rootless_uid_gid configurable
+}
+
+#[cfg(target_os = "linux")]
+fn default_sandbox_shell() -> PathBuf {
+    PathBuf::from("/bin/sh")
+}
+
+#[cfg(target_os = "linux")]
+impl TryFrom<Url> for OCIBuildServiceConfig {
+    type Error = Box<dyn std::error::Error + Send + Sync>;
+
+    fn try_from(url: Url) -> Result<Self, Self::Error> {
+        // oci wants a path in which it creates bundles
+        if url.path().is_empty() {
+            return Err("oci needs a bundle dir as path".into());
+        }
+
+        // Parse sandbox_shell from query parameters
+        let query_pairs: std::collections::HashMap<_, _> = url.query_pairs().collect();
+        let sandbox_shell = query_pairs
+            .get("sandbox_shell")
+            .map(|s| PathBuf::from(s.as_ref()))
+            .unwrap_or_else(default_sandbox_shell);
+
+        Ok(OCIBuildServiceConfig {
+            bundle_root: url.path().into(),
+            sandbox_shell,
+        })
+    }
+}
+
 /// Constructs a new instance of a [BuildService] from an URI.
 ///
 /// The following schemes are supported by the following services:
@@ -32,17 +79,14 @@ where
         "dummy" => Box::<DummyBuildService>::default(),
         #[cfg(target_os = "linux")]
         "oci" => {
-            // oci wants a path in which it creates bundles.
-            if url.path().is_empty() {
-                Err(std::io::Error::other("oci needs a bundle dir as path"))?
-            }
-
-            // TODO: make sandbox shell and rootless_uid_gid
+            let config = OCIBuildServiceConfig::try_from(url)
+                .map_err(|e| std::io::Error::other(format!("invalid oci config: {}", e)))?;
 
             Box::new(OCIBuildService::new(
-                url.path().into(),
+                config.bundle_root,
                 blob_service,
                 directory_service,
+                config.sandbox_shell,
             ))
         }
         scheme => {

snix/build/src/buildservice/oci.rs

@@ -18,7 +18,6 @@ use std::{ffi::OsStr, path::PathBuf, process::Stdio};
 
 use super::BuildService;
 
-const SANDBOX_SHELL: &str = env!("SNIX_BUILD_SANDBOX_SHELL");
 const MAX_CONCURRENT_BUILDS: usize = 2; // TODO: make configurable
 
 pub struct OCIBuildService<BS, DS> {
@@ -30,13 +29,21 @@ pub struct OCIBuildService<BS, DS> {
     /// Handle to a [DirectoryService], used by filesystems spawned during builds.
     directory_service: DS,
 
+    /// Path to the sandbox shell to use
+    sandbox_shell: PathBuf,
+
     // semaphore to track number of concurrently running builds.
     // this is necessary, as otherwise we very quickly run out of open file handles.
     concurrent_builds: tokio::sync::Semaphore,
 }
 
 impl<BS, DS> OCIBuildService<BS, DS> {
-    pub fn new(bundle_root: PathBuf, blob_service: BS, directory_service: DS) -> Self {
+    pub fn new(
+        bundle_root: PathBuf,
+        blob_service: BS,
+        directory_service: DS,
+        sandbox_shell: PathBuf,
+    ) -> Self {
         // We map root inside the container to the uid/gid this is running at,
         // and allocate one for uid 1000 into the container from the range we
         // got in /etc/sub{u,g}id.
@@ -45,6 +52,7 @@ impl<BS, DS> OCIBuildService<BS, DS> {
             bundle_root,
             blob_service,
             directory_service,
+            sandbox_shell,
             concurrent_builds: tokio::sync::Semaphore::new(MAX_CONCURRENT_BUILDS),
         }
     }
@@ -66,7 +74,7 @@ where
         let span = Span::current();
         span.record("bundle_name", bundle_name.to_string());
 
-        let mut runtime_spec = make_spec(&request, true, SANDBOX_SHELL)
+        let mut runtime_spec = make_spec(&request, true, self.sandbox_shell.to_str().unwrap())
             .context("failed to create spec")
             .map_err(std::io::Error::other)?;
 

snix/default.nix

@@ -67,7 +67,6 @@ in
     inherit cargoDeps src;
     name = "snix-rust-docs";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
 
     nativeBuildInputs = with pkgs; [
       cargo
@@ -93,7 +92,6 @@ in
     inherit cargoDeps src;
     name = "snix-clippy";
     PROTO_ROOT = protos;
-    SNIX_BUILD_SANDBOX_SHELL = "/homeless-shelter";
 
     buildInputs = [
       pkgs.fuse

snix/shell.nix

@@ -51,7 +51,6 @@ pkgs.mkShell {
   # should also benchmark with a more static nixpkgs checkout, so nixpkgs
   # refactorings are not observed as eval perf changes.
   shellHook = ''
-    export SNIX_BUILD_SANDBOX_SHELL=${if pkgs.stdenv.isLinux then pkgs.busybox-sandbox-shell + "/bin/busybox" else "/bin/sh"}
     export SNIX_BENCH_NIX_PATH=nixpkgs=${pkgs.path}
   '';
 }

snix/utils.nix

@@ -80,7 +80,6 @@ in
         };
         PROTO_ROOT = depot.snix.build.protos.protos;
         nativeBuildInputs = [ pkgs.protobuf ];
-        SNIX_BUILD_SANDBOX_SHELL = if pkgs.stdenv.isLinux then pkgs.pkgsStatic.busybox + "/bin/sh" else "/bin/sh";
       };
 
       snix-castore = prev: {