devconfig,shellgen: option to patch ELF binaries with newer glibc

Add an optional `patch_glibc` boolean field to packages in devbox.json.
When true, devbox will patch any ELF binaries in a package to link
against the latest `nixpkgs#glibc` at runtime. This is a workaround for
dynamic linking issues that can arise when using older packages.

For example, an old Python interpreter that's linked against glibc 2.35
might run a script that loads a native library that requires glibc
2.37. Because the linker only loads a library into a process once
(regardless of version), linking will fail when the script references a
2.37 symbol.

The following devbox.json will reproduce a glibc version bug when the
`virtenv` and `crash` scripts are run on x86-64-linux (aarch64 will not
work). Setting the `patch_glibc` field to true will fix it:

```json
{
  "packages": {
    "binutils": "latest",
    "libpqxx": "latest",
    "libxcrypt": "latest",
    "libz": "latest",
    "python37Packages.pip": "latest",
    "python": {
      "version": "3.7",
      "patch_glibc": false
    }
  },
  "shell": {
    "scripts": {
      "crash": "python3 -c 'import psycopg2'",
      "virtenv": [
        "rm -rf \"$VENV_DIR\"",
        "echo \"python3 path: $(readlink -f $(command -v python3))\"",
        "python3 -m venv \"$VENV_DIR\"",
        ". \"$VENV_DIR/bin/activate\"",
        "echo \"pip3 path: $(readlink -f $(command -v pip3))\"",
        "pip3 install psycopg2==2.9.5"
      ]
    }
  }
}
```

This field is intended to be a "last resort" for when a package cannot
be updated to a newer version. Upgrading to a newer version of Python
in the example above is preferable.

Author: gcurtis

internal/devconfig/packages.go

@@ -214,6 +214,10 @@ type Package struct {
 
 	Platforms         []string `json:"platforms,omitempty"`
 	ExcludedPlatforms []string `json:"excluded_platforms,omitempty"`
+
+	// PatchGlibc applies a function to the package's derivation that
+	// patches any ELF binaries to use the latest version of nixpkgs#glibc.
+	PatchGlibc bool `json:"patch_glibc,omitempty"`
 }
 
 func NewVersionOnlyPackage(name, version string) Package {

internal/devpkg/package.go

@@ -47,6 +47,10 @@ type Package struct {
 	//    example: github:nixos/nixpkgs/5233fd2ba76a3accb5aaa999c00509a11fd0793c#hello
 	Raw string
 
+	// PatchGlibc applies a function to the package's derivation that
+	// patches any ELF binaries to use the latest version of nixpkgs#glibc.
+	PatchGlibc bool
+
 	// isInstallable is true if the package may be enabled on the current platform.
 	isInstallable bool
 
@@ -65,8 +69,10 @@ func PackageFromStrings(rawNames []string, l lock.Locker) []*Package {
 
 func PackagesFromConfig(config *devconfig.Config, l lock.Locker) []*Package {
 	result := []*Package{}
-	for _, pkg := range config.Packages.Collection {
-		result = append(result, newPackage(pkg.VersionedName(), pkg.IsEnabledOnPlatform(), l))
+	for _, cfgPkg := range config.Packages.Collection {
+		pkg := newPackage(cfgPkg.VersionedName(), cfgPkg.IsEnabledOnPlatform(), l)
+		pkg.PatchGlibc = cfgPkg.PatchGlibc
+		result = append(result, pkg)
 	}
 	return result
 }

internal/shellgen/flake_input.go

@@ -47,28 +47,33 @@ func (f *flakeInput) PkgImportName() string {
 	return f.Name + "-pkgs"
 }
 
-func (f *flakeInput) BuildInputs() ([]string, error) {
-	var err error
-	attributePaths := lo.Map(f.Packages, func(pkg *devpkg.Package, _ int) string {
-		attributePath, attributePathErr := pkg.FullPackageAttributePath()
-		if attributePathErr != nil {
-			err = attributePathErr
-		}
-		return attributePath
-	})
-	if err != nil {
-		return nil, err
+type buildInput struct {
+	AttrPath   string
+	PatchGlibc bool
+}
+
+func (f *flakeInput) BuildInputs() ([]buildInput, error) {
+	inputs := make([]buildInput, len(f.Packages))
+	prefix := f.Name
+	if f.IsNixpkgs() {
+		prefix = f.PkgImportName()
 	}
-	if !f.IsNixpkgs() {
-		return lo.Map(attributePaths, func(pkg string, _ int) string {
-			return f.Name + "." + pkg
-		}), nil
+	prefix += "."
+	for i, pkg := range f.Packages {
+		attrPath, err := pkg.FullPackageAttributePath()
+		if err != nil {
+			return nil, err
+		}
+		if f.IsNixpkgs() {
+			// Remove the legacyPackages.<system> prefix.
+			attrPath = strings.SplitN(attrPath, ".", 3)[2]
+		}
+		inputs[i] = buildInput{
+			AttrPath:   prefix + attrPath,
+			PatchGlibc: pkg.PatchGlibc,
+		}
 	}
-	return lo.Map(attributePaths, func(pkg string, _ int) string {
-		parts := strings.Split(pkg, ".")
-		// Ugh, not sure if this is reliable?
-		return f.PkgImportName() + "." + strings.Join(parts[2:], ".")
-	}), nil
+	return inputs, nil
 }
 
 // flakeInputs returns a list of flake inputs for the top level flake.nix

internal/shellgen/flake_plan.go

@@ -3,6 +3,7 @@ package shellgen
 import (
 	"context"
 	"runtime/trace"
+	"slices"
 
 	"go.jetpack.io/devbox/internal/devpkg"
 	"go.jetpack.io/devbox/internal/nix"
@@ -65,3 +66,9 @@ func newFlakePlan(ctx context.Context, devbox devboxer) (*flakePlan, error) {
 		System:      nix.System(),
 	}, nil
 }
+
+func (f flakePlan) PatchGlibc() bool {
+	return slices.ContainsFunc(f.Packages, func(p *devpkg.Package) bool {
+		return p.PatchGlibc
+	})
+}

internal/shellgen/generate.go

@@ -4,10 +4,10 @@
 package shellgen
 
 import (
+	"bufio"
 	"bytes"
 	"context"
 	"embed"
-	"io"
 	"io/fs"
 	"os"
 	"os/exec"
@@ -20,6 +20,7 @@ import (
 	"go.jetpack.io/devbox/internal/boxcli/featureflag"
 	"go.jetpack.io/devbox/internal/cuecfg"
 	"go.jetpack.io/devbox/internal/debug"
+	"go.jetpack.io/devbox/internal/redact"
 )
 
 //go:embed tmpl/*
@@ -61,10 +62,7 @@ func GenerateForPrintEnv(ctx context.Context, devbox devboxer) error {
 // Cache and buffers for generating templated files.
 var (
 	tmplCache = map[string]*template.Template{}
-
-	// Most generated files are < 4KiB.
-	tmplNewBuf = bytes.NewBuffer(make([]byte, 0, 4096))
-	tmplOldBuf = bytes.NewBuffer(make([]byte, 0, 4096))
+	tmplBuf   bytes.Buffer
 )
 
 func writeFromTemplate(path string, plan any, tmplName, generatedName string) error {
@@ -75,61 +73,92 @@ func writeFromTemplate(path string, plan any, tmplName, generatedName string) er
 		tmpl.Funcs(templateFuncs)
 
 		var err error
-		tmpl, err = tmpl.ParseFS(tmplFS, "tmpl/"+tmplKey)
+		glob := "tmpl/" + tmplKey
+		tmpl, err = tmpl.ParseFS(tmplFS, glob)
 		if err != nil {
-			return errors.WithStack(err)
+			return redact.Errorf("parse embedded tmplFS glob %q: %v", redact.Safe(glob), redact.Safe(err))
 		}
 		tmplCache[tmplKey] = tmpl
 	}
-	tmplNewBuf.Reset()
-	if err := tmpl.Execute(tmplNewBuf, plan); err != nil {
-		return errors.WithStack(err)
+	tmplBuf.Reset()
+	if err := tmpl.Execute(&tmplBuf, plan); err != nil {
+		return redact.Errorf("execute template %s: %v", redact.Safe(tmplKey), err)
 	}
 
 	// In some circumstances, Nix looks at the mod time of a file when
 	// caching, so we only want to update the file if something has
 	// changed. Blindly overwriting the file could invalidate Nix's cache
 	// every time, slowing down evaluation considerably.
-	var (
-		outPath = filepath.Join(path, generatedName)
-		flag    = os.O_RDWR | os.O_CREATE
-		perm    = fs.FileMode(0o644)
-	)
-	outFile, err := os.OpenFile(outPath, flag, perm)
-	if errors.Is(err, fs.ErrNotExist) {
-		if err := os.MkdirAll(path, 0o755); err != nil {
-			return errors.WithStack(err)
-		}
-		outFile, err = os.OpenFile(outPath, flag, perm)
+	err := overwriteFileIfChanged(filepath.Join(path, generatedName), tmplBuf.Bytes(), 0o644)
+	if err != nil {
+		return redact.Errorf("write %s to file: %v", redact.Safe(tmplName), err)
 	}
+	return nil
+}
+
+// writeGlibcPatchScript writes the embedded glibc patching script to disk so
+// that a generated flake can use it.
+func writeGlibcPatchScript(path string) error {
+	script, err := fs.ReadFile(tmplFS, "tmpl/glibc-patch.bash")
 	if err != nil {
-		return errors.WithStack(err)
+		return redact.Errorf("read embedded glibc-patch.bash: %v", redact.Safe(err))
+	}
+	err = overwriteFileIfChanged(path, script, 0o755)
+	if err != nil {
+		return redact.Errorf("write glibc-patch.bash to file: %v", err)
 	}
-	defer outFile.Close()
+	return nil
+}
+
+// overwriteFileIfChanged checks that the contents of f == data, and overwrites
+// f if they differ. It also ensures that f's permissions are set to perm.
+func overwriteFileIfChanged(path string, data []byte, perm os.FileMode) error {
+	flag := os.O_RDWR | os.O_CREATE
+	file, err := os.OpenFile(path, flag, perm)
+	if errors.Is(err, os.ErrNotExist) {
+		if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+			return err
+		}
 
-	// Only read len(tmplWriteBuf) + 1 from the existing file so we can
-	// check if the lengths are different without reading the whole thing.
-	tmplOldBuf.Reset()
-	tmplOldBuf.Grow(tmplNewBuf.Len() + 1)
-	_, err = io.Copy(tmplOldBuf, io.LimitReader(outFile, int64(tmplNewBuf.Len())+1))
+		// Definitely a new file if we had to make the directory.
+		return os.WriteFile(path, data, perm)
+	}
 	if err != nil {
-		return errors.WithStack(err)
+		return err
 	}
-	if bytes.Equal(tmplNewBuf.Bytes(), tmplOldBuf.Bytes()) {
-		return nil
+	defer file.Close()
+
+	fi, err := file.Stat()
+	if err != nil || fi.Mode().Perm() != perm {
+		if err := file.Chmod(perm); err != nil {
+			return err
+		}
 	}
 
-	// Replace the existing file contents.
-	if _, err := outFile.Seek(0, io.SeekStart); err != nil {
-		return errors.WithStack(err)
+	// Fast path - check if the lengths differ.
+	if err == nil && fi.Size() != int64(len(data)) {
+		return overwriteFile(file, data, 0)
 	}
-	if err := outFile.Truncate(int64(tmplNewBuf.Len())); err != nil {
-		return errors.WithStack(err)
+
+	r := bufio.NewReader(file)
+	for offset := range data {
+		b, err := r.ReadByte()
+		if err != nil || b != data[offset] {
+			return overwriteFile(file, data, offset)
+		}
 	}
-	if _, err := io.Copy(outFile, tmplNewBuf); err != nil {
-		return errors.WithStack(err)
+	return nil
+}
+
+// overwriteFile truncates f to len(data) and writes data[offset:] beginning at
+// the same offset in f.
+func overwriteFile(f *os.File, data []byte, offset int) error {
+	err := f.Truncate(int64(len(data)))
+	if err != nil {
+		return err
 	}
-	return errors.WithStack(outFile.Close())
+	_, err = f.WriteAt(data[offset:], int64(offset))
+	return err
 }
 
 func toJSON(a any) string {
@@ -157,6 +186,13 @@ func makeFlakeFile(d devboxer, outPath string, plan *flakePlan) error {
 		return errors.WithStack(err)
 	}
 
+	if plan.PatchGlibc() {
+		err := writeGlibcPatchScript(filepath.Join(flakeDir, "glibc-patch.bash"))
+		if err != nil {
+			return err
+		}
+	}
+
 	if !isProjectInGitRepo(outPath) {
 		// if we are not in a git repository, then carry on
 		return nil
@@ -178,8 +214,9 @@ func makeFlakeFile(d devboxer, outPath string, plan *flakePlan) error {
 		return errors.WithStack(err)
 	}
 
-	// add the flake.nix file to git
-	cmd = exec.Command("git", "-C", flakeDir, "add", "flake.nix")
+	// Any files that flake.nix needs at build time must be in git.
+	// Otherwise, Nix won't copy it into the flake's build environment.
+	cmd = exec.Command("git", "-C", flakeDir, "add", ".")
 	if debug.IsEnabled() {
 		cmd.Stdin = os.Stdin
 		cmd.Stdout = os.Stdout

internal/shellgen/tmpl/flake_remove_nixpkgs.nix.tmpl

@@ -3,9 +3,14 @@
 
    inputs = {
      nixpkgs.url = "{{ .NixpkgsInfo.URL }}";
+
      {{- range .FlakeInputs }}
      {{.Name}}.url = "{{.URLWithCaching}}";
      {{- end }}
+
+     {{- if .PatchGlibc }}
+     nixpkgs-unstable.url = "nixpkgs";
+     {{- end }}
    };
 
    outputs = {
@@ -14,6 +19,9 @@
      {{- range .FlakeInputs }}
      {{.Name}},
      {{- end }}
+     {{- if .PatchGlibc }}
+     nixpkgs-unstable,
+     {{- end }}
    }:
       let
         pkgs = nixpkgs.legacyPackages.{{ .System }};
@@ -29,25 +37,59 @@
             {{- end }}
             {{- end }}
           ];
+
+          overlays = [
+            {{- range $flake.Packages }}
+            {{- if .PatchGlibc }}
+            (final: prev: {
+              {{.PackageAttributePath}} = prev.{{.PackageAttributePath}};
+            })
+            {{- end }}
+            {{- end }}
+          ];
         });
         {{- end }}
         {{- end }}
+
+	{{ if .PatchGlibc -}}
+        patchGlibc = pkg: derivation {
+          name = "devbox-patched-glibc";
+          system = "{{.System}}";
+
+          # Set these attributes so that glibc-patch.bash has access to their
+          # paths via environment variables of the same name.
+          inherit pkg;
+          glibc = nixpkgs.legacyPackages."{{.System}}".glibc;
+          coreutils = nixpkgs.legacyPackages."{{.System}}".coreutils;
+          file = nixpkgs.legacyPackages."{{.System}}".file;
+          findutils = nixpkgs.legacyPackages."{{.System}}".findutils;
+          patchelf = nixpkgs.legacyPackages."{{.System}}".patchelf;
+          ripgrep = nixpkgs.legacyPackages."{{.System}}".ripgrep;
+
+          builder = "${nixpkgs-unstable.legacyPackages.{{.System}}.bash}/bin/bash";
+          args = [ ./glibc-patch.bash ];
+        };
+        {{ end }}
       in
       {
         devShells.{{ .System }}.default = pkgs.mkShell {
           buildInputs = [
             {{- range .Packages }}
-            {{- if .IsInBinaryCache }}
-            (builtins.fetchClosure{
+            {{ if .IsInBinaryCache -}}
+            {{ if .PatchGlibc -}} (patchGlibc {{ end -}}
+            (builtins.fetchClosure {
               fromStore = "{{ $.BinaryCache }}";
               fromPath = "{{ .InputAddressedPath }}";
               inputAddressed = true;
             })
+            {{- if .PatchGlibc -}} ) {{- end -}}
             {{- end }}
             {{- end }}
             {{- range .FlakeInputs }}
             {{- range .BuildInputs }}
-            {{.}}
+            {{ if .PatchGlibc -}} (patchGlibc {{ end -}}
+            {{.AttrPath}}
+            {{- if .PatchGlibc -}} ) {{- end -}}
             {{- end }}
             {{- end }}
           ];