Commit Graph

288 Commits

Author SHA1 Message Date
Robert Hensing
dcf985388c
Merge pull request #271976 from r-k-b/fix-dockerTools-includeStorePaths
nixos/dockerTools: fix includeStorePaths when enableFakechroot
2024-02-14 23:38:44 +01:00
DS
0445c39047 doc: update environment helpers in dockerTools docs, add fakeNss section
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-02-01 01:37:31 -08:00
Matthew Planchard
d538fefb62
Use fakeroot for proot cmd in streamLayeredImage
Resolves #275705
2024-01-23 14:55:08 -05:00
Robert Hensing
1f9e86f314 nixosTests.docker-tools: Use both code paths in includeStorePath test 2024-01-17 13:50:01 +01:00
Robert K. Bell
8353fad13d
nixos/dockerTools: fix includeStorePaths when enableFakechroot
After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.

Now, the images will not contain any store paths under those
circumstances.
2023-12-07 18:06:01 +11:00
Jörg Thalheim
4911915512 nixos/dockerTools: fixup proot/fakeroot code
Not sure how this ever worked but tar was trying to archive /proc and /sys, which failed to work.
Since this is never useful for containers to do, we exclude this now in the proot case.
Also fakeroot is not needed when proot is used as it provideds the same feature.
We now cleanly seperate those cases as both are kind of hacks and it's more likely
that the combination will just trigger new bugs.
2023-11-19 08:30:27 +01:00
Tim Windelschmidt
19c5b4307d dockerTools: create /tmp in rootLayer 2023-10-09 22:15:41 +02:00
Robert Scott
38c1400f67 dockerTools: use makeOverridable for buildImage family of functions
this allows nix users to modify existing images without having
to rely on container image inheritance mechanisms via fromImage
2023-09-11 21:10:37 +01:00
Viktor Kronvall
ca072c08a2 dockerTools: replace fakechroot with proot
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
2023-08-19 23:34:21 +09:00
Viktor Kronvall
b35440bfcf dockerTools: replace --no-clobber with --update=none
Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit
code when the destination files exist. Using `--update=none` will now
reproduce the old behavior of `--no-clobber`.

However, the `--update=none` flag was introduced in coreutils v9.3 and
thus `mergeImages` will fail if you have an older version than v9.3 in
stdenv after applying this commit.

[coreutils v9.3 changelog](f386722dc0/NEWS (L48))
2023-08-17 01:37:07 +09:00
Felix Buehler
f3719756b5 treewide: use optionalString instead of 'then ""' 2023-06-24 20:19:19 +02:00
Robin Bate Boerop
824c9ac5c9 nix-prefetch-docker: handle overrides correctly
Without this change, the `--os` and `--arch` switches are disregarded
for operations involving `skopeo inspect` invocations. This means that,
for example, one cannot fetch Linux images while on macOS.
2023-04-03 21:12:13 +03:00
Martin Weinelt
4472cf44eb
treewide: Make yescrypt the default algorithm for pam_unix.so
This ensures `passwd` will default to yescrypt for newly generated
passwords.
2023-03-13 07:54:27 +01:00
Andrew Brooks
84e04ccf85 dockerTools: Preprocess layers list before unpack to handle repeated layers 2023-02-06 12:19:29 -06:00
Andrew Brooks
f4e4cac0c8 dockerTools: Correctly unpack duplicate rootfs diffs
This PR addresses issue #214434 by preventing
dockerTools.buildImage from deleting rootfs diffs until after
they've been unpacked.
2023-02-03 17:50:36 -06:00
Walter Franzini
d2b0f9a9f6 dockerTools: make gzipped docker images faster to update by rsync
This passes --rsyncable / -R to pigz for input-determined block
locations, to improve rsync-ability.
2022-12-23 13:22:16 +01:00
figsoda
ec8cb34358 treewide: fix typos 2022-12-17 19:39:44 -05:00
Robert Hensing
454d2307ae nixosTests.docker-tools: Fix nginx test 2022-12-08 22:29:10 +01:00
Robert Hensing
3e28f972fc dockerTools: refactor, rename internal variable
> has to fit its domain, which is the OCI spec, which uses
> `architecture`. The `defaultArch` and `GOARCH` names are irrelevant.
2022-12-08 20:29:10 +01:00
Christian Kemper
f6ae4479ea dockerTools: allowing architecture to be specified
... for buildImage, buildLayeredImage and streamLayeredImage,
adding docs and tests.
2022-12-08 20:29:09 +01:00
Izorkin
fc7eef65a2 dockerTools: fix nginx test 2022-11-30 15:23:43 +10:00
Vladimír Čunát
94d6c732d1
dockerTools: fixup evaluation without allowed aliases
This is a regression from PR #172736
2022-11-27 10:37:55 +01:00
Silvan Mosberger
a566d0842e
Merge pull request #172736 from infinisil/docker-nix-shell 2022-11-26 20:21:59 +01:00
mupdt
bb5827a692 dockerTools: prefer local builds 2022-11-18 09:31:53 -05:00
Silvan Mosberger
a1cf249394 dockerTools.buildNixShellImage: Chown nix directories
To the user running the docker image. If a Nix binary is available in
the resulting derivation, this then behaves like a single-user Nix
installation, except that already-written /nix/store paths can't be
changed. Most notably it makes Nix work not have to rely on a chroot
store in the image
2022-11-07 19:38:09 +01:00
Robert Hensing
8fca2fd4bf
Merge pull request #141050 from koenw/dockertools_too_many_arguments
build-support: Fix error when building images with many layers
2022-10-13 21:45:10 +01:00
Koen Wilde
2f5fcda329 build-support: Fix error when building images with many layers
When building a docker image using `dockertools.buildLayeredImage`, the
resulting image layers are passed to `jq` through the command line. When
building an image with too many layers this would exceed the maximum
command line argument length.

Hence, we store the list of layers in the Nix store and pass them to
`jq` as a file argument using `--slurpfile`.

Fixes #140908.
2022-10-13 16:27:13 +02:00
Silvan Mosberger
c36f929dee nixos/tests: Add tests for dockerTools.buildNixShellImage 2022-10-07 22:04:24 +02:00
Silvan Mosberger
8ec0837a72 Introduce dockerTools.buildNixShellImage 2022-10-07 22:04:22 +02:00
Robert Hensing
cbb1f39264 nixosTests.docker-tools: Add image-with-certs 2022-09-21 01:00:04 +01:00
Ross Light
f140b54916 dockerTools: add missing mkdir to caCertificates derivation 2022-09-20 08:07:23 -07:00
Robert Hensing
62b25a28fe
Merge pull request #170906 from Sohalt/dockerTools.ca-certificates.crt
dockerTools ca-certificates.crt helper
2022-08-31 14:08:02 +02:00
Alex James
c9af898255
dockerTools.buildImage: make VM memSize configurable
Fixes #186752. This adds buildVMMemorySize (defaults to 512 MiB) to
buildImage, which is passed to vm.runInLinuxVM. This is needed for
larger base images, which may otherwise cause container build failures
due to OOM in the VM.
2022-08-16 21:47:29 -05:00
olaf
5a6853b3bf use consistently user alice for examples 2022-08-05 13:13:24 +02:00
zowoq
0c98db7b91 dockerTools: use list of strings for configureFlags 2022-07-15 10:23:07 +10:00
Robert Hensing
e007eb480c dockerTools.buildImage: Add copyToRoot to replace contents, explain usage 2022-07-06 07:30:24 +02:00
Robert Hensing
44522c1d59 dockerTools.examples.etc: Make it a reliable test
/etc/hosts is generally also provided by the container runtime.
2022-05-30 14:32:14 +02:00
Robert Hensing
116832edbf dockerTools: Add example of using NixOS' etc
(cherry picked from commit 9b2af8673b)
2022-05-30 14:26:52 +02:00
Robert Hensing
c071530ca5 testers.invalidateFetcherByDrvHash: Move from top-level 2022-05-05 12:08:50 +02:00
sohalt
f238aa9833 dockerTools: add caCertificates helper
Various tools (e.g. wget) expect the ca bundle to be available at
/etc/ssl/certs/ca-certificates.crt
2022-05-03 11:57:25 +02:00
Ben Siraphob
259fa13d53 treewide: remove nativeBuildInputs that are in stdenv 2022-04-16 21:46:46 +03:00
zowoq
e65aba25f8 dockerTools: misc fixes
- add nixosTests to `dockerTools.tests`
- don't use `pkgs` or `lib.singleton`
2022-04-05 17:04:59 +10:00
zowoq
76636e0099 dockerTools: pkgs.system -> pkgs.stdenv.hostPlatform.system
`pkgs.system` is an alias
2022-04-05 10:19:40 +10:00
Florian Klink
76d05dfa62 fakeNss: move to toplevel
Make this reachable from pkgs.fakeNss. This is useful outside docker
contexts, too.

https://github.com/NixOS/nixpkgs/pull/164943#discussion_r833220769
2022-03-24 18:47:30 +01:00
Vincent Ambo
af9f248926 streamLayeredImage: pass through passthru attributes
This is useful for a use-case we have with a Nix-based CI system that
specifies things like deploy steps as passthru attributes[0].

Previously the only way to do this would have been to concatenate
attributes onto the resulting derivation, but passing them in and
actually treating them as proper passthru attributes is cleaner.

[0]: https://cs.tvl.fyi/depot@f7d7da6aceb407b719cf4683a75878fd3aca319e/-/blob/nix/buildkite/default.nix?L222-226
2022-01-31 10:10:10 +03:00
Andrew Brooks
57718902e3 nixos/tests/docker-tools: add test for pre-runAsRoot layer unpack order 2021-12-17 19:26:53 -06:00
Andrew Brooks
69ffb0004a dockerTools.buildImage: unpack base image layers in correct order 2021-12-17 18:28:10 -06:00
Robert Hensing
ddda5f28e1 dockerTools: Keep fakechroot disabled by default
Avoid risk of breaking existing images by making it opt-in.
2021-12-04 13:49:10 +00:00
Robert Hensing
0e9bc9ffd1 dockerTools: Add fakechroot to fakeRootCommands 2021-12-04 13:49:10 +00:00
Robert Hensing
66c19d856b
Merge pull request #148341 from hercules-ci/add-dockerTools-customization-layer-dependencies
dockerTools: Add store dependencies of the customization layer
2021-12-03 00:20:44 +01:00