Commit Graph

325 Commits

Author SHA1 Message Date
Adrian Gierakowski
266283bec3 build-support/docker: use runCommand in make-layers.nix 2024-11-29 21:59:36 +00:00
Adrian Gierakowski
6cecfd8ad7 docker-tool: fix maxLayers assert 2024-11-11 18:45:13 +00:00
Adrian Gierakowski
5b4a8db4d9 build-support/docker: customisable layering strategy
Allow customisation of the algorithm used to convert nix references
graph (created from docker image contents) to docker layers.

A collection of building blocks (python functions) is provided, which
users can assemble into a processing pipeline by specifying a list of
operations (and their initial arguments) via a nix list.

The Nix references graph is first converted into a python igraph.Graph
object (with each vertex representing a nix path), which is then fed
into the user defined pipeline. Each stage in the pipeline represents a
function call, with initial arguments specified by the user in nix, and
the last argument being the result of the previous stage in the pipeline
(or the initial Graph object). Each step of the pipeline is expected to
produce a data structure consisting of arbitrarily nested lists/dicts
with Graph objects (representing docker layers) at its leaves. The
result of the last stage in the pipeline is recursively flattened (with
each dict converted into a list of values), until a flat list of Graphs
remains. This is then output as a json array of arrays (each Graph
converted into an array of paths).

This functionality is made available via the new `layeringPipeline` argument
to the `streamLayeredImage`/`buildLayeredImage` functions. The default
value of the argument has been chosen to preserve current layering
behaviour.

Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2024-11-09 16:21:48 +00:00
Tom Bereknyei
d0b3364822 dockerTools: set mtime to epoch by default 2024-09-25 00:31:16 -04:00
WxNzEMof
847b4732e4 dockerTools: Allow separately specifying metadata and filesystem timestamps
Setting the image creation timestamp in the image metadata to a
constant date can cause problems with self-hosted container
registries that need to e.g. prune old images.  This timestamp is
also useful for debugging.

However, it is almost never useful to set the filesystem timestamp to
a constant value.  Doing so not only causes the image to possibly no
longer be reproducible, but also removes any possibility of
deduplicating layers with other images, causing unnecessary storage
space usage.

Therefore, this commit introduces "mtime", a new parameter to
streamLayeredImage, which allows specifying the filesystem timestamps
separately from "created".  For backwards compatibility, "mtime"
defaults to the value of "created".
2024-09-25 00:23:20 -04:00
Artturin
e0464e4788 treewide: replace stdenv.is with stdenv.hostPlatform.is
In preparation for the deprecation of `stdenv.isX`.

These shorthands are not conducive to cross-compilation because they
hide the platforms.

Darwin might get cross-compilation, for which the continued usage of `stdenv.isDarwin` will get in the way.

One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059

There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.

```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
2024-09-25 00:04:37 +03:00
Gabriella Gonzalez
0b6fa5ee40
virtualisation.oci-containers: Add new imageStream option (#335430)
This adds a new `imageStream` option that can be used in conjunction
with `pkgs.dockerTools.streamLayeredImage` so that the image archive
never needs to be materialized in the `/nix/store`.  This greatly
improves the disk utilization for systems that use container images
built using Nix because they only need to store image layers instead of
the full image.  Additionally, when deploying the new system, only
new layers need to be built/copied.
2024-08-24 04:38:27 +02:00
Matthieu Coudron
ca1657217d
streamLayeredImage: add dynamic tagging of docker image (#329425)
* streamLayeredImage: self-document the script

'podman load' doesn't let me override the name/tag from the image.
This name and tag are dynamic in a CI environment, so I would like to
be able to adjust the tag dynamically.
Since the image is streamed by stream_layered_image.py, there is no need
to stick with the nix-hardcoded image name/tag: the python script can
accept another name.

I've added argparse to expose the feature. It has the added benefit of
adding `--help` support to the script, which makes its usage
self-explanatory.

* blackified file
2024-07-29 19:45:58 +02:00
Robert Hensing
412601690e build-support/docker/default.nix: Refer to docs and tests
This removes redundant inline docs, because
- users should consult the better docs in the manual,
- contributors should add to the manual, not the inline comments
2024-07-28 23:19:58 +02:00
Robert Hensing
43df2b50f9 devShellTools.{unstructuredDerivationInputEnv,derivationOutputEnv}: extract 2024-07-28 23:17:18 +02:00
Robert Hensing
c5e5aa7266
Merge pull request #308822 from yorickvP/yorickvp/streamLayeredImage-overridable
dockerTools.streamLayeredImage: add includeNixDB argument, expose conf and streamScript
2024-07-24 16:02:35 +02:00
Florian Nagel
e18d3b4894
Added an error message when using enableFakechroot on Darwin (#327336)
* Added an error message when using enableFakechroot on Darwin

Co-authored-by: Valentin Gagarin <valentin@gagarin.work>
2024-07-17 10:06:42 +02:00
Robert Hensing
3f226f2f9c nixosTests.docker-tools: fix for hello's new versionCheckHook 2024-07-04 21:44:39 +02:00
Robert Hensing
8398e087cd devShellTools.{stringValue -> valueToString} 2024-06-29 17:22:57 +02:00
Robert Hensing
469039098b devShellTools.stringValue: init 2024-06-29 17:21:01 +02:00
Yorick van Pelt
8891e98f24
dockerTools: add nixDB tests 2024-05-06 17:48:49 +02:00
Yorick van Pelt
62e9e0f963
dockerTools: add includeNixDB to buildImage and document 2024-05-06 14:57:08 +02:00
Yorick van Pelt
c055845069
dockerTools.streamLayeredImage: add includeNixDB argument, expose conf and streamScript 2024-05-03 16:40:48 +02:00
Robert Hensing
c740c98fc1
Merge pull request #292760 from PigeonF/dockertools-build-layered-compressor
dockerTools: Fix changing compression method for `buildLayeredImage`
2024-04-08 09:24:18 +02:00
Ryan Lahfa
a199cd1dbd
Merge pull request #297496 from abryko/docker-tag-discard-closure
dockerTools: discard closure reference in imageTag
2024-03-27 09:29:53 -07:00
Pol Dellaiera
6522a75f90
Merge pull request #298239 from cdepillabout/layered-img-passthru
dockerTools: add streamed image as passthru to buildLayeredImage
2024-03-23 22:13:18 +01:00
Dennis Gosnell
2e91dc65e4 dockerTools: add streamed image as passthru to buildLayeredImage
This is convenient for debugging the underlying streamed image used by
`dockerTools.buildLayeredImage`.

Here's an example of how you might use this:

```console
$ nix repl ./.
nix-repl> dockerTools.examples.nginx.passthru.stream
«derivation /nix/store/9zczmlp2kraszx4ssmh6fawnlnsa5a4n-stream-nginx-container.drv»
```
2024-03-23 10:33:22 +09:00
Xavier Maillard
bc40f51d1a
dockerTools: discard closure reference in imageTag 2024-03-20 17:54:09 +01:00
Someone
63709965b7
Merge pull request #178717 from ShamrockLee/write-multiple-references
trivial-builders: replace writeReferencesToFile with writeClosure
2024-03-19 08:57:20 +00:00
stuebinm
ff1a94e523 treewide: add meta.mainProgram to packages with a single binary
The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these automatically added
to their package definitions wherever possible.
2024-03-19 03:14:51 +01:00
Yueh-Shun Li
67ec1a7d7b dockerTools.buildImage: writeReferencesToFile -> writeClosure 2024-03-19 05:30:54 +08:00
Silvan Mosberger
aabd5fbfcf
Merge pull request #292259 from dawidd6/docker-nix-ssl
dockerTools: set NIX_SSL_CERT_FILE in image
2024-03-12 02:01:08 +01:00
Jonas Fierlings
f4871a62d2
dockerTools: Do not pass compressor to streamLayeredImage 2024-03-02 10:18:56 +01:00
Jonas Fierlings
f73a079352
dockerTools: Test changing compression of buildLayeredImage 2024-03-02 10:18:53 +01:00
Pol Dellaiera
2bf7ff4806
Merge pull request #289840 from PigeonF/master
Make `dockerTools.buildImageWithNixDb` reproducible
2024-02-29 13:03:07 +01:00
Dawid Dziurla
de8942e125
dockerTools: set NIX_SSL_CERT_FILE in image 2024-02-29 07:58:55 +01:00
WxNzEMof
b2f19980db Remove the redundant comments from streamLayeredImage parameters
The proper place to describe them is the documentation, where they are
described thoroughly.
2024-02-26 19:29:04 +00:00
WxNzEMof
2697d34603 streamLayeredImage: Change mode of /nix, /nix/store to 755
The change is insignificant when the owner is root.  However, when it
is not root, this change is needed to allow using Nix (as an
unprivileged user) inside the container.
2024-02-26 18:10:51 +00:00
WxNzEMof
0ec13cdb90 streamLayeredImage: Allow customizing ownership
This opens the way towards building images where Nix can be used as an
unprivileged user (in single-user mode).
2024-02-26 18:10:51 +00:00
Robert Hensing
d2dfcfcfad
Merge pull request #289584 from athre0z/docker-zstd
dockerTools: configurable compression schema
2024-02-19 18:06:54 +01:00
pigeon
2cea1dce6d
nixos/dockerTools: make buildImageWithNixDb reproducible
The loaded database contains timestamps of when the nix paths were
registered. Depending on the host store, these can differ between runs.
Resetting them to well-known values ensures that the produced image is
reproducible.
2024-02-18 21:16:35 +01:00
Joel Höner
4b603ad9cd dockerTools: configurable compression schema
This commit adds support for swapping out the compression algorithm
used in all major docker-tools commands that generate images. The
default algorithm remains unchanged (gzip).
2024-02-17 18:52:42 +01:00
Robert Hensing
dcf985388c
Merge pull request #271976 from r-k-b/fix-dockerTools-includeStorePaths
nixos/dockerTools: fix includeStorePaths when enableFakechroot
2024-02-14 23:38:44 +01:00
DS
0445c39047 doc: update environment helpers in dockerTools docs, add fakeNss section
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-02-01 01:37:31 -08:00
Matthew Planchard
d538fefb62
Use fakeroot for proot cmd in streamLayeredImage
Resolves #275705
2024-01-23 14:55:08 -05:00
Robert Hensing
1f9e86f314 nixosTests.docker-tools: Use both code paths in includeStorePath test 2024-01-17 13:50:01 +01:00
Robert K. Bell
8353fad13d
nixos/dockerTools: fix includeStorePaths when enableFakechroot
After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.

Now, the images will not contain any store paths under those
circumstances.
2023-12-07 18:06:01 +11:00
Jörg Thalheim
4911915512 nixos/dockerTools: fixup proot/fakeroot code
Not sure how this ever worked, but tar was trying to archive /proc and /sys, which failed to work.
Since this is never useful for containers to do, we exclude this now in the proot case.
Also, fakeroot is not needed when proot is used, as it provides the same feature.
We now cleanly separate those cases, as both are kind of hacks and it's more likely
that the combination will just trigger new bugs.
2023-11-19 08:30:27 +01:00
Tim Windelschmidt
19c5b4307d dockerTools: create /tmp in rootLayer 2023-10-09 22:15:41 +02:00
Robert Scott
38c1400f67 dockerTools: use makeOverridable for buildImage family of functions
this allows nix users to modify existing images without having
to rely on container image inheritance mechanisms via fromImage
2023-09-11 21:10:37 +01:00
Viktor Kronvall
ca072c08a2 dockerTools: replace fakechroot with proot
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
2023-08-19 23:34:21 +09:00
Viktor Kronvall
b35440bfcf dockerTools: replace --no-clobber with --update=none
Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit
code when the destination files exist. Using `--update=none` will now
reproduce the old behavior of `--no-clobber`.

However, the `--update=none` flag was introduced in coreutils v9.3 and
thus `mergeImages` will fail if you have an older version than v9.3 in
stdenv after applying this commit.

[coreutils v9.3 changelog](f386722dc0/NEWS (L48))
2023-08-17 01:37:07 +09:00
Felix Buehler
f3719756b5 treewide: use optionalString instead of 'then ""' 2023-06-24 20:19:19 +02:00
Robin Bate Boerop
824c9ac5c9 nix-prefetch-docker: handle overrides correctly
Without this change, the `--os` and `--arch` switches are disregarded
for operations involving `skopeo inspect` invocations. This means that,
for example, one cannot fetch Linux images while on macOS.
2023-04-03 21:12:13 +03:00
Martin Weinelt
4472cf44eb
treewide: Make yescrypt the default algorithm for pam_unix.so
This ensures `passwd` will default to yescrypt for newly generated
passwords.
2023-03-13 07:54:27 +01:00