After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.
Now, the images will not contain any store paths under those
circumstances.
Not sure how this ever worked but tar was trying to archive /proc and /sys, which failed to work.
Since this is never useful for containers to do, we exclude this now in the proot case.
Also fakeroot is not needed when proot is used as it provideds the same feature.
We now cleanly seperate those cases as both are kind of hacks and it's more likely
that the combination will just trigger new bugs.
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit
code when the destination files exist. Using `--update=none` will now
reproduce the old behavior of `--no-clobber`.
However, the `--update=none` flag was introduced in coreutils v9.3 and
thus `mergeImages` will fail if you have an older version than v9.3 in
stdenv after applying this commit.
[coreutils v9.3 changelog](f386722dc0/NEWS (L48))
Without this change, the `--os` and `--arch` switches are disregarded
for operations involving `skopeo inspect` invocations. This means that,
for example, one cannot fetch Linux images while on macOS.
To the user running the docker image. If a Nix binary is available in
the resulting derivation, this then behaves like a single-user Nix
installation, except that already-written /nix/store paths can't be
changed. Most notably it makes Nix work not have to rely on a chroot
store in the image
When building a docker image using `dockertools.buildLayeredImage`, the
resulting image layers are passed to `jq` through the command line. When
building an image with too many layers this would exceed the maximum
command line argument length.
Hence, we store the list of layers in the Nix store and pass them to
`jq` as a file argument using `--slurpfile`.
Fixes#140908.
Fixes#186752. This adds buildVMMemorySize (defaults to 512 MiB) to
buildImage, which is passed to vm.runInLinuxVM. This is needed for
larger base images, which may otherwise cause container build failures
due to OOM in the VM.
This is useful for a use-case we have with a Nix-based CI system that
specifies things like deploy steps as passthru attributes[0].
Previously the only way to do this would have been to concatenate
attributes onto the resulting derivation, but passing them in and
actually treating them as proper passthru attributes is cleaner.
[0]: https://cs.tvl.fyi/depot@f7d7da6aceb407b719cf4683a75878fd3aca319e/-/blob/nix/buildkite/default.nix?L222-226