From caf47063b4b5d82a61753ea437f97e5642eedd03 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Thu, 18 Jun 2020 17:29:21 +0200 Subject: [PATCH 1/2] dockerTools: test that tar keeps nix binary symlinks intact --- nixos/tests/docker-tools.nix | 14 ++++++++++++++ pkgs/build-support/docker/examples.nix | 22 ++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 2375d15b3813..c48e5b079762 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -42,6 +42,20 @@ import ./make-test-python.nix ({ pkgs, ... }: { "docker rmi ${examples.nix.imageName}", ) + with subtest("The nix binary symlinks are intact"): + docker.succeed( + "docker load --input='${examples.nix}'", + "docker run --rm ${examples.nix.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", + "docker rmi ${examples.nix.imageName}", + ) + + with subtest("The nix binary symlinks are intact when the image is layered"): + docker.succeed( + "docker load --input='${examples.nixLayered}'", + "docker run --rm ${examples.nixLayered.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", + "docker rmi ${examples.nixLayered.imageName}", + ) + with subtest("The pullImage tool works"): docker.succeed( "docker load --input='${examples.nixFromDockerHub}'", diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix index d533e3abd03b..b040d830b31c 100644 --- a/pkgs/build-support/docker/examples.nix +++ b/pkgs/build-support/docker/examples.nix @@ -121,6 +121,7 @@ rec { # the image env variable NIX_PAGER. pkgs.coreutils pkgs.nix + pkgs.bash ]; config = { Env = [ @@ -313,4 +314,25 @@ rec { ) ]; }; + + nixLayered = pkgs.dockerTools.buildLayeredImageWithNixDb { + name = "nix-layered"; + tag = "latest"; + contents = [ + # nix-store uses cat program to display results as specified by + # the image env variable NIX_PAGER. + pkgs.coreutils + pkgs.nix + pkgs.bash + ]; + config = { + Env = [ + "NIX_PAGER=cat" + # A user is required by nix + # https://github.com/NixOS/nix/blob/9348f9291e5d9e4ba3c4347ea1b235640f54fd79/src/libutil/util.cc#L478 + "USER=nobody" + ]; + }; + }; + } From 2dd94af18650aee1b53c9509832068b60c1b1225 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Fri, 19 Jun 2020 09:02:17 +0200 Subject: [PATCH 2/2] dockerTools: keep symlinks to nix intact --- pkgs/build-support/docker/store-path-to-layer.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/docker/store-path-to-layer.sh b/pkgs/build-support/docker/store-path-to-layer.sh index 7437da51cc4a..3a1fcd0c27a1 100755 --- a/pkgs/build-support/docker/store-path-to-layer.sh +++ b/pkgs/build-support/docker/store-path-to-layer.sh @@ -16,7 +16,11 @@ mkdir -p "$layerPath" # when there are other things being added to the # nix store, tar could fail, saying, # "tar: /nix/store: file changed as we read it" -mkdir -p nix/store +# +# In addition, we use `__Nix__` instead of `nix` to avoid renaming +# relative symlink destinations like +# /nix/store/...-nix-2.3.4/bin/nix-daemon -> nix +mkdir -p __Nix__/store # Then we change into the /nix/store in order to # avoid a similar "file changed as we read it" error @@ -35,8 +39,8 @@ tarhash=$( --hard-dereference --sort=name \ --mtime="@$SOURCE_DATE_EPOCH" \ --owner=0 --group=0 \ - --transform 's,^nix$,/\0,' \ - --transform 's,^nix/store$,/\0,' \ + --transform 's,^__Nix__$,/nix,' \ + --transform 's,^__Nix__/store$,/nix/store,' \ --transform 's,^[^/],/nix/store/\0,rS' | tee "$layerPath/layer.tar" | tarsum