dockerTools.pullImage: accept hash parameter (#342400)

2025-04-12 16:07:24 +00:00 · 2024-12-09 15:32:15 +01:00 · 2024-12-09 15:32:15 +01:00 · ff8576f191
commit ff8576f191
parent 20dc18a465 5720f42c32
5 changed files with 52 additions and 49 deletions
--- a/doc/build-helpers/images/dockertools.section.md
+++ b/doc/build-helpers/images/dockertools.section.md
@ -881,7 +881,7 @@ dockerTools.pullImage {
  imageDigest = "sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598";
  finalImageName = "nix";
  finalImageTag = "2.19.3";
-  sha256 = "zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
+  hash = "sha256-zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
 }
 ```
 :::
@ -898,7 +898,7 @@ dockerTools.pullImage {
  imageDigest = "sha256:24a23053f29266fb2731ebea27f915bb0fb2ae1ea87d42d890fe4e44f2e27c5d";
  finalImageName = "etcd";
  finalImageTag = "v3.5.11";
-  sha256 = "Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
+  hash = "sha256-Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
 }
 ```
 :::
@ -922,7 +922,7 @@ Writing manifest to image destination
 {
  imageName = "nixos/nix";
  imageDigest = "sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634";
-  sha256 = "1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q";
+  hash = "sha256-OEgs3uRPMb4Y629FJXAWZW9q9LqHS/A/GUqr3K5wzOA=";
  finalImageName = "nixos/nix";
  finalImageTag = "latest";
 }
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@ -372,7 +372,7 @@ in
          (pkgs.dockerTools.pullImage {
            imageName = "docker.io/bitnami/keycloak";
            imageDigest = "sha256:714dfadc66a8e3adea6609bda350345bd3711657b7ef3cf2e8015b526bac2d6b";
-            sha256 = "0imblp0kw9vkcr7sp962jmj20fpmb3hvd3hmf4cs4x04klnq3k90";
+            hash = "sha256-IM2BLZ0EdKIZcRWOtuFY9TogZJXCpKtPZnMnPsGlq0Y=";
            finalImageTag = "21.1.2-debian-11-r0";
          })

--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@ -129,50 +129,53 @@ rec {
    let
      fixName = name: builtins.replaceStrings [ "/" ":" ] [ "-" "-" ] name;
    in
-    { imageName
-      # To find the digest of an image, you can use skopeo:
-      # see doc/functions.xml
-    , imageDigest
-    , sha256
-    , os ? "linux"
-    , # Image architecture, defaults to the architecture of the `hostPlatform` when unset
-      arch ? defaultArchitecture
-      # This is used to set name to the pulled image
-    , finalImageName ? imageName
-      # This used to set a tag to the pulled image
-    , finalImageTag ? "latest"
-      # This is used to disable TLS certificate verification, allowing access to http registries on (hopefully) trusted networks
-    , tlsVerify ? true
+    lib.fetchers.withNormalizedHash { } (
+      { imageName
+        # To find the digest of an image, you can use skopeo:
+        # see doc/functions.xml
+      , imageDigest
+      , outputHash
+      , outputHashAlgo
+      , os ? "linux"
+      , # Image architecture, defaults to the architecture of the `hostPlatform` when unset
+        arch ? defaultArchitecture
+        # This is used to set name to the pulled image
+      , finalImageName ? imageName
+        # This used to set a tag to the pulled image
+      , finalImageTag ? "latest"
+        # This is used to disable TLS certificate verification, allowing access to http registries on (hopefully) trusted networks
+      , tlsVerify ? true

-    , name ? fixName "docker-image-${finalImageName}-${finalImageTag}.tar"
-    }:
+      , name ? fixName "docker-image-${finalImageName}-${finalImageTag}.tar"
+      }:

-    runCommand name
-      {
-        inherit imageDigest;
-        imageName = finalImageName;
-        imageTag = finalImageTag;
-        impureEnvVars = lib.fetchers.proxyImpureEnvVars;
-        outputHashMode = "flat";
-        outputHashAlgo = "sha256";
-        outputHash = sha256;
+      runCommand name
+        {
+          inherit imageDigest;
+          imageName = finalImageName;
+          imageTag = finalImageTag;
+          impureEnvVars = lib.fetchers.proxyImpureEnvVars;

-        nativeBuildInputs = [ skopeo ];
-        SSL_CERT_FILE = "${cacert.out}/etc/ssl/certs/ca-bundle.crt";
+          inherit outputHash outputHashAlgo;
+          outputHashMode = "flat";

-        sourceURL = "docker://${imageName}@${imageDigest}";
-        destNameTag = "${finalImageName}:${finalImageTag}";
-      } ''
-      skopeo \
-        --insecure-policy \
-        --tmpdir=$TMPDIR \
-        --override-os ${os} \
-        --override-arch ${arch} \
-        copy \
-        --src-tls-verify=${lib.boolToString tlsVerify} \
-        "$sourceURL" "docker-archive://$out:$destNameTag" \
-        | cat  # pipe through cat to force-disable progress bar
-    '';
+          nativeBuildInputs = [ skopeo ];
+          SSL_CERT_FILE = "${cacert.out}/etc/ssl/certs/ca-bundle.crt";
+
+          sourceURL = "docker://${imageName}@${imageDigest}";
+          destNameTag = "${finalImageName}:${finalImageTag}";
+        } ''
+        skopeo \
+          --insecure-policy \
+          --tmpdir=$TMPDIR \
+          --override-os ${os} \
+          --override-arch ${arch} \
+          copy \
+          --src-tls-verify=${lib.boolToString tlsVerify} \
+          "$sourceURL" "docker-archive://$out:$destNameTag" \
+          | cat  # pipe through cat to force-disable progress bar
+      ''
+    );

  # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
  # And we cannot untar it, because then we cannot preserve permissions etc.
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@ -115,7 +115,7 @@ rec {
  nixFromDockerHub = pullImage {
    imageName = "nixos/nix";
    imageDigest = "sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357";
-    sha256 = "19fw0n3wmddahzr20mhdqv6jkjn1kanh6n2mrr08ai53dr8ph5n7";
+    hash = "sha256-xxZ4UW6jRIVAzlVYA62awcopzcYNViDyh6q1yocF3KU=";
    finalImageTag = "2.2.1";
    finalImageName = "nix";
  };
@ -124,7 +124,7 @@ rec {
  testNixFromDockerHub = pkgs.testers.invalidateFetcherByDrvHash pullImage {
    imageName = "nixos/nix";
    imageDigest = "sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357";
-    sha256 = "19fw0n3wmddahzr20mhdqv6jkjn1kanh6n2mrr08ai53dr8ph5n7";
+    hash = "sha256-xxZ4UW6jRIVAzlVYA62awcopzcYNViDyh6q1yocF3KU=";
    finalImageTag = "2.2.1";
    finalImageName = "nix";
  };
--- a/pkgs/build-support/docker/nix-prefetch-docker
+++ b/pkgs/build-support/docker/nix-prefetch-docker
@ -133,7 +133,7 @@ else
 fi

 # Compute the hash.
-imageHash=$(nix-hash --flat --type $hashType --base32 "$tmpFile")
+imageHash=$(nix-hash --flat --type $hashType --sri "$tmpFile")

 # Add the downloaded file to Nix store.
 finalPath=$(nix-store --add-fixed "$hashType" "$tmpFile")
@ -152,7 +152,7 @@ cat <<EOF
 {
  imageName = "$imageName";
  imageDigest = "$imageDigest";
-  sha256 = "$imageHash";
+  hash = "$imageHash";
  finalImageName = "$finalImageName";
  finalImageTag = "$finalImageTag";
 }
@ -164,7 +164,7 @@ cat <<EOF
 {
  "imageName": "$imageName",
  "imageDigest": "$imageDigest",
-  "sha256": "$imageHash",
+  "hash": "$imageHash",
  "finalImageName": "$finalImageName",
  "finalImageTag": "$finalImageTag"
 }