dockerTools.pullImage: Fix build with sandboxing
Regression introduced in 736848723e
.
This commit most certainly hasn't been tested with sandboxing enabled
and breaks not only pullImage but also the docker-tools NixOS VM test
because it doesn't find its certificate path and also relies on
/var/tmp being there.
Fixing the certificate path is the easiest one because it can be done
via environment variable.
I've used overrideAttrs for changing the hardcoded path to /tmp (which
is available in sandboxed builds and even hardcoded in Nix), so that
whenever someone uses Skopeo from all-packages.nix the path is still
/var/tmp.
The reason why this is hardcoded to /var/tmp can be seen in a comment in
vendor/github.com/containers/image/storage/storage_image.go:
Do not use the system default of os.TempDir(), usually /tmp, because
with systemd it could be a tmpfs.
With sandboxed builds this isn't the case, however for using Nix without
NixOS this could turn into a problem if this indeed is the case.
So in the long term this needs to have a proper solution.
In addition to that, I cleaned up the expression a bit.
Tested by building dockerTools.examples.nixFromDockerHub and the
docker-tools NixOS VM test.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @nlewo, @Mic92, @Profpatsch, @globin, @LnL7
This commit is contained in:
parent
cd960b965f
commit
42a0b11450
@ -32,28 +32,42 @@ rec {
|
||||
inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
|
||||
};
|
||||
|
||||
pullImage =
|
||||
let
|
||||
fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
|
||||
in {
|
||||
imageName,
|
||||
pullImage = let
|
||||
fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
|
||||
in
|
||||
{ imageName
|
||||
# To find the digest of an image, you can use skopeo:
|
||||
# skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
|
||||
# sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
|
||||
imageDigest,
|
||||
sha256,
|
||||
, imageDigest
|
||||
, sha256
|
||||
# This used to set a tag to the pulled image
|
||||
finalImageTag ? "latest",
|
||||
name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
|
||||
runCommand name {
|
||||
impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
|
||||
outputHashMode="flat";
|
||||
outputHashAlgo="sha256";
|
||||
outputHash=sha256;
|
||||
}
|
||||
''
|
||||
${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
|
||||
'';
|
||||
, finalImageTag ? "latest"
|
||||
, name ? fixName "docker-image-${imageName}-${finalImageTag}.tar"
|
||||
}:
|
||||
|
||||
runCommand name {
|
||||
impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
|
||||
outputHashMode = "flat";
|
||||
outputHashAlgo = "sha256";
|
||||
outputHash = sha256;
|
||||
|
||||
# One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
|
||||
# big image files, which is not available in sandboxed builds.
|
||||
nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
|
||||
postPatch = (drv.postPatch or "") + ''
|
||||
sed -i -e 's!/var/tmp!/tmp!g' \
|
||||
vendor/github.com/containers/image/storage/storage_image.go \
|
||||
vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
|
||||
'';
|
||||
}));
|
||||
SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
|
||||
|
||||
sourceURL = "docker://${imageName}@${imageDigest}";
|
||||
destNameTag = "${imageName}:${finalImageTag}";
|
||||
} ''
|
||||
skopeo copy "$sourceURL" "docker-archive://$out:$destNameTag"
|
||||
'';
|
||||
|
||||
# We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
|
||||
# And we cannot untar it, because then we cannot preserve permissions ecc.
|
||||
|
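Review bot: The comment above `nativeBuildInputs` explains why `/var/tmp` is rewritten to `/tmp` but leaves out the caveat the commit message itself raises, that `/tmp` may be a tmpfs on non-NixOS hosts, so the next maintainer will not see why upstream avoided it; I would extend it with `# NOTE: upstream avoids /tmp because it may be a tmpfs under systemd; in a sandboxed build that is fine, but on non-NixOS hosts pulling a large image into /tmp can exhaust memory.` The `SSL_CERT_FILE` line would also benefit from a why-comment, e.g. `# The build sandbox has no system CA bundle, so point skopeo at the Nix-provided one.`, since a reader may otherwise assume it is optional and drop it, which would make the fetch fail TLS verification in the sandbox. Finally, the override uses bare `lib.singleton` while the line directly above reaches the library through `pkgs.stdenv.lib`; if `lib` is not an argument of this file, `pkgs.stdenv.lib.singleton` keeps the two consistent. The enclosing `rec { … }` attribute set starts and ends outside this hunk.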