nixpkgs/pkgs/build-support/docker/nix-prefetch-docker

#! /usr/bin/env bash

set -e -o pipefail

os=
arch=
imageName=
imageTag=
imageDigest=
finalImageName=
finalImageTag=
hashType=$NIX_HASH_ALGO
hashFormat=$hashFormat
format=nix

usage(){
    echo  >&2 "syntax: nix-prefetch-docker [options] [IMAGE_NAME [IMAGE_TAG|IMAGE_DIGEST]]

Options:
      --os os                   OS to fetch image for
      --arch linux              Arch to fetch image for
      --image-name name         Name of the image to fetch
      --image-tag tag           Image tag
      --image-digest digest     Image digest
      --final-image-name name   Desired name of the image
      --final-image-tag tag     Desired image tag
      --json                    Output result in json format instead of nix
      --quiet                   Only print the final result
"
    exit 1
}

get_image_digest(){
    local imageName=$1
    local imageTag=$2

    if test -z "$imageTag"; then
        imageTag="latest"
    fi

    skopeo --override-os "${os}" --override-arch "${arch}" --insecure-policy --tmpdir=$TMPDIR inspect "docker://$imageName:$imageTag" | jq '.Digest' -r
}

get_name() {
    local imageName=$1
    local imageTag=$2

    echo "docker-image-$(echo "$imageName:$imageTag" | tr '/:' '-').tar"
}

argi=0
argfun=""
for arg; do
    if test -z "$argfun"; then
        case $arg in
            --os) argfun=set_os;;
            --arch) argfun=set_arch;;
            --image-name) argfun=set_imageName;;
            --image-tag) argfun=set_imageTag;;
            --image-digest) argfun=set_imageDigest;;
            --final-image-name) argfun=set_finalImageName;;
            --final-image-tag) argfun=set_finalImageTag;;
            --quiet) QUIET=true;;
            --json) format=json;;
            --help) usage; exit;;
            *)
                : $((++argi))
                case $argi in
                    1) imageName=$arg;;
                    2) [[ $arg == *"sha256"*  ]] && imageDigest=$arg || imageTag=$arg;;
                    *) exit 1;;
                esac
                ;;
        esac
    else
        case $argfun in
            set_*)
                var=${argfun#set_}
                eval $var=$arg
                ;;
        esac
        argfun=""
    fi
done

if test -z "$imageName"; then
    usage
fi

if test -z "$os"; then
    os=linux
fi

if test -z "$arch"; then
    arch=amd64
fi

if test -z "$hashType"; then
    hashType=sha256
fi

if test -z "$hashFormat"; then
    hashFormat=base32
fi

if test -z "$finalImageName"; then
    finalImageName="$imageName"
fi

if test -z "$finalImageTag"; then
    if test -z "$imageTag"; then
        finalImageTag="latest"
    else
        finalImageTag="$imageTag"
    fi
fi

if test -z "$imageDigest"; then
    imageDigest=$(get_image_digest $imageName $imageTag)
fi

sourceUrl="docker://$imageName@$imageDigest"

# nix>=2.20 rejects adding symlinked paths to the store, so use realpath
# to resolve to a physical path. https://github.com/NixOS/nix/issues/11941
tmpPath="$(realpath "$(mktemp -d --tmpdir skopeo-copy-tmp-XXXXXXXX)")"
trap "rm -rf \"$tmpPath\"" EXIT

tmpFile="$tmpPath/$(get_name $finalImageName $finalImageTag)"

if test -z "$QUIET"; then
    skopeo --insecure-policy --tmpdir=$TMPDIR --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" >&2
else
    skopeo --insecure-policy --tmpdir=$TMPDIR --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" > /dev/null
fi

# Compute the hash.
imageHash=$(nix-hash --flat --type $hashType --sri "$tmpFile")

# Add the downloaded file to Nix store.
finalPath=$(nix-store --add-fixed "$hashType" "$tmpFile")

if test -z "$QUIET"; then
    echo "-> ImageName: $imageName" >&2
    echo "-> ImageDigest: $imageDigest" >&2
    echo "-> FinalImageName: $finalImageName" >&2
    echo "-> FinalImageTag: $finalImageTag" >&2
    echo "-> ImagePath: $finalPath" >&2
    echo "-> ImageHash: $imageHash" >&2
fi

if [ "$format" == "nix" ]; then
cat <<EOF
{
  imageName = "$imageName";
  imageDigest = "$imageDigest";
  hash = "$imageHash";
  finalImageName = "$finalImageName";
  finalImageTag = "$finalImageTag";
}
EOF

else

cat <<EOF
{
  "imageName": "$imageName",
  "imageDigest": "$imageDigest",
  "hash": "$imageHash",
  "finalImageName": "$finalImageName",
  "finalImageTag": "$finalImageTag"
}
EOF

fi
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`#! /usr/bin/env bash`

			`set -e -o pipefail`

			`os=`
			`arch=`
			`imageName=`
			`imageTag=`
			`imageDigest=`
			`finalImageName=`
			`finalImageTag=`
			`hashType=$NIX_HASH_ALGO`
			`hashFormat=$hashFormat`
			`format=nix`

			`usage(){`
			`echo >&2 "syntax: nix-prefetch-docker [options] [IMAGE_NAME [IMAGE_TAG\|IMAGE_DIGEST]]`

			`Options:`
			`--os os OS to fetch image for`
			`--arch linux Arch to fetch image for`
			`--image-name name Name of the image to fetch`
			`--image-tag tag Image tag`
			`--image-digest digest Image digest`
			`--final-image-name name Desired name of the image`
			`--final-image-tag tag Desired image tag`
			`--json Output result in json format instead of nix`
			`--quiet Only print the final result`
			`"`
			`exit 1`
			`}`

			`get_image_digest(){`
			`local imageName=$1`
			`local imageTag=$2`

			`if test -z "$imageTag"; then`
			`imageTag="latest"`
			`fi`

nix-prefetch-docker: handle overrides correctly Without this change, the `--os` and `--arch` switches are disregarded for operations involving `skopeo inspect` invocations. This means that, for example, one cannot fetch Linux images while on macOS. 2023-04-03 18:12:13 +00:00			`skopeo --override-os "${os}" --override-arch "${arch}" --insecure-policy --tmpdir=$TMPDIR inspect "docker://$imageName:$imageTag" \| jq '.Digest' -r`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`}`

			`get_name() {`
			`local imageName=$1`
			`local imageTag=$2`

			`echo "docker-image-$(echo "$imageName:$imageTag" \| tr '/:' '-').tar"`
			`}`

			`argi=0`
			`argfun=""`
			`for arg; do`
			`if test -z "$argfun"; then`
			`case $arg in`
			`--os) argfun=set_os;;`
			`--arch) argfun=set_arch;;`
			`--image-name) argfun=set_imageName;;`
			`--image-tag) argfun=set_imageTag;;`
			`--image-digest) argfun=set_imageDigest;;`
			`--final-image-name) argfun=set_finalImageName;;`
			`--final-image-tag) argfun=set_finalImageTag;;`
			`--quiet) QUIET=true;;`
			`--json) format=json;;`
			`--help) usage; exit;;`
			`*)`
			`: $((++argi))`
			`case $argi in`
			`1) imageName=$arg;;`
			`2) [[ $arg == "sha256" ]] && imageDigest=$arg \|\| imageTag=$arg;;`
			`*) exit 1;;`
			`esac`
			`;;`
			`esac`
			`else`
			`case $argfun in`
			`set_*)`
			`var=${argfun#set_}`
			`eval $var=$arg`
			`;;`
			`esac`
			`argfun=""`
			`fi`
			`done`

			`if test -z "$imageName"; then`
			`usage`
			`fi`

			`if test -z "$os"; then`
			`os=linux`
			`fi`

			`if test -z "$arch"; then`
			`arch=amd64`
			`fi`

			`if test -z "$hashType"; then`
			`hashType=sha256`
			`fi`

			`if test -z "$hashFormat"; then`
			`hashFormat=base32`
			`fi`

			`if test -z "$finalImageName"; then`
			`finalImageName="$imageName"`
			`fi`

			`if test -z "$finalImageTag"; then`
			`if test -z "$imageTag"; then`
			`finalImageTag="latest"`
			`else`
			`finalImageTag="$imageTag"`
			`fi`
			`fi`

			`if test -z "$imageDigest"; then`
			`imageDigest=$(get_image_digest $imageName $imageTag)`
			`fi`

			`sourceUrl="docker://$imageName@$imageDigest"`

build-support: fix nix-prefetch-* on macOS Since nix 2.20, `nix-store --add-fixed` doesn't accept paths where the parent directory is a symlink. On macOS, /tmp is a symlink to /private/tmp, which causes a "'/tmp' is a symlink" error: ``` $ nix run github:nixos/nixpkgs/24.11-beta#nix-prefetch-git -- --url https://github.com/IFTTT/polo.git --rev 316aa2ac210a45a7fc400ab921831493d5dd21b8 --hash sha256 Initialized empty Git repository in /private/tmp/git-checkout-tmp-1Bf9bIv7/polo-316aa2a/.git/ remote: Enumerating objects: 51, done. remote: Counting objects: 100% (51/51), done. remote: Compressing objects: 100% (42/42), done. remote: Total 51 (delta 8), reused 19 (delta 5), pack-reused 0 (from 0) Unpacking objects: 100% (51/51), 19.57 KiB \| 541.00 KiB/s, done. From https://github.com/IFTTT/polo * branch HEAD -> FETCH_HEAD Switched to a new branch 'fetchgit' removing `.git'... error: path '/tmp' is a symlink ``` Avoid this by resolving /tmp to a real directory in all the prefetch scripts 2024-11-24 11:32:46 +00:00			`# nix>=2.20 rejects adding symlinked paths to the store, so use realpath`
			`# to resolve to a physical path. https://github.com/NixOS/nix/issues/11941`
build-support: Simplify tmpdir creation with coreutils macOS 10.12 doesn't have a usable --tmpdir flag on the builtin mktemp, but we can make use of coreutil's mktemp instead. 2024-11-25 09:22:09 +00:00			`tmpPath="$(realpath "$(mktemp -d --tmpdir skopeo-copy-tmp-XXXXXXXX)")"`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`trap "rm -rf \"$tmpPath\"" EXIT`

			`tmpFile="$tmpPath/$(get_name $finalImageName $finalImageTag)"`

			`if test -z "$QUIET"; then`
nix-prefetch-docker: output informational messages to stderr Informational messages belong on stderr, not on stdout and intermixed with structured output for programmatic use. Change-Id: I34d094d04460494e9ec8953db7490f4e2292d959 2020-12-01 16:48:29 +00:00			`skopeo --insecure-policy --tmpdir=$TMPDIR --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" >&2`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`else`
dockerTools: fix skopeo commands 2020-05-25 04:29:54 +00:00			`skopeo --insecure-policy --tmpdir=$TMPDIR --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" > /dev/null`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`fi`

			`# Compute the hash.`
nix-prefetch-docker: provide `hash` in SRI format 2024-09-16 20:48:16 +00:00			`imageHash=$(nix-hash --flat --type $hashType --sri "$tmpFile")`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00
			`# Add the downloaded file to Nix store.`
			`finalPath=$(nix-store --add-fixed "$hashType" "$tmpFile")`

			`if test -z "$QUIET"; then`
nix-prefetch-docker: output informational messages to stderr Informational messages belong on stderr, not on stdout and intermixed with structured output for programmatic use. Change-Id: I34d094d04460494e9ec8953db7490f4e2292d959 2020-12-01 16:48:29 +00:00			`echo "-> ImageName: $imageName" >&2`
			`echo "-> ImageDigest: $imageDigest" >&2`
			`echo "-> FinalImageName: $finalImageName" >&2`
			`echo "-> FinalImageTag: $finalImageTag" >&2`
			`echo "-> ImagePath: $finalPath" >&2`
			`echo "-> ImageHash: $imageHash" >&2`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`fi`

			`if [ "$format" == "nix" ]; then`
			`cat <<EOF`
			`{`
			`imageName = "$imageName";`
			`imageDigest = "$imageDigest";`
nix-prefetch-docker: provide `hash` in SRI format 2024-09-16 20:48:16 +00:00			`hash = "$imageHash";`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`finalImageName = "$finalImageName";`
			`finalImageTag = "$finalImageTag";`
			`}`
			`EOF`

			`else`

			`cat <<EOF`
			`{`
			`"imageName": "$imageName",`
			`"imageDigest": "$imageDigest",`
nix-prefetch-docker: provide `hash` in SRI format 2024-09-16 20:48:16 +00:00			`"hash": "$imageHash",`
dockerTools: add nix-prefetch-docker script 2019-03-26 11:33:43 +00:00			`"finalImageName": "$finalImageName",`
			`"finalImageTag": "$finalImageTag"`
			`}`
			`EOF`

			`fi`