nixos/dockerTools: fix includeStorePaths when enableFakechroot

After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.

Now, the images will not contain any store paths under those
circumstances.

nixos/tests/docker-tools.nix

@@ -75,6 +75,8 @@ in {
             docker.succeed("${examples.helloOnRootNoStore} | docker load")
             docker.fail("docker run --rm hello | grep -i hello")
             docker.succeed("docker image rm hello:latest")
+        with subtest("Ensure ZERO paths are added to the store"):
+            docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")
         with subtest("includeStorePath = false; works with mounted store"):
             docker.succeed("${examples.helloOnRootNoStore} | docker load")
             docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")

pkgs/build-support/docker/default.nix

@@ -922,6 +922,7 @@ rec {
                   --sort name \
                   --exclude=./proc \
                   --exclude=./sys \
+                  --exclude=.${builtins.storeDir} \
                   --numeric-owner --mtime "@$SOURCE_DATE_EPOCH" \
                   --hard-dereference \
                   -cf $out/layer.tar .

pkgs/build-support/docker/examples.nix

@@ -637,6 +637,7 @@ rec {
     ];
     config.Cmd = [ "hello" ];
     includeStorePaths = false;
+    enableFakechroot = true;
   };
 
   etc =