dockerTools: only add "/nix" if it exists

The /nix path in 4d200538 of the layer tar didn't exist for some
packages, such as cacert. This is because cacert just creates an /etc
directory and doesn't depend on any other /nix paths. If we tried
putting this directory in the tar and using overlayfs with it, we'd get
"Invalid argument" when trying to remove the directory.

We now check whether the closure is non-empty before telling tar to
store the /nix directory.

Fixes #14710.

pkgs/build-support/docker/default.nix

@@ -286,17 +286,20 @@ EOF
         cp ${layer}/* temp/
         chmod ug+w temp/*
 
+        for dep in $(cat $layerClosure); do
+          find $dep -path "${layer}" -prune -o -print >> layerFiles
+        done
+
+        if [ -s layerFiles ]; then
           # FIXME: might not be /nix/store
           echo '/nix' >> layerFiles
           echo '/nix/store' >> layerFiles
-        for dep in $(cat $layerClosure); do
+        fi
-          find $dep >> layerFiles
-        done
 
         echo Adding layer
         tar -tf temp/layer.tar >> baseFiles
         sed 's/^\.//' -i baseFiles
-        comm <(sort -n baseFiles|uniq) <(sort -n layerFiles|uniq|grep -v ${layer}) -1 -3 > newFiles
+        comm <(sort -u baseFiles) <(sort -u layerFiles) -1 -3 > newFiles
         tar -rpf temp/layer.tar --mtime=0 --no-recursion --files-from newFiles 2>/dev/null || true
 
         echo Adding meta