Merge pull request #170906 from Sohalt/dockerTools.ca-certificates.crt
dockerTools ca-certificates.crt helper
commit
62b25a28fe
@ -308,7 +308,44 @@ The parameters relative to the base image have the same synopsis as described in
|
||||
|
||||
The `name` argument is the name of the derivation output, which defaults to `fromImage.name`.
|
||||
|
||||
## shadowSetup {#ssec-pkgs-dockerTools-shadowSetup}
|
||||
## Environment Helpers {#ssec-pkgs-dockerTools-helpers}
|
||||
|
||||
Some packages expect certain files to be available globally.
|
||||
When building an image from scratch (i.e. without `fromImage`), these files are missing.
|
||||
`pkgs.dockerTools` provides some helpers to set up an environment with the necessary files.
|
||||
You can include them in `copyToRoot` like this:
|
||||
|
||||
```nix
|
||||
buildImage {
|
||||
name = "environment-example";
|
||||
copyToRoot = with pkgs.dockerTools; [
|
||||
usrBinEnv
|
||||
binSh
|
||||
caCertificates
|
||||
fakeNss
|
||||
];
|
||||
}
|
||||
```
|
||||
|
||||
### usrBinEnv {#sssec-pkgs-dockerTools-helpers-usrBinEnv}
|
||||
|
||||
This provides the `env` utility at `/usr/bin/env`.
|
||||
|
||||
### binSh {#sssec-pkgs-dockerTools-helpers-binSh}
|
||||
|
||||
This provides `bashInteractive` at `/bin/sh`.
|
||||
|
||||
### caCertificates {#sssec-pkgs-dockerTools-helpers-caCertificates}
|
||||
|
||||
This sets up `/etc/ssl/certs/ca-certificates.crt`.
|
||||
|
||||
### fakeNss {#sssec-pkgs-dockerTools-helpers-fakeNss}
|
||||
|
||||
Provides `/etc/passwd` and `/etc/group` that contain root and nobody.
|
||||
Useful when packaging binaries that insist on using nss to look up
|
||||
username/groups (like nginx).
|
||||
|
||||
### shadowSetup {#ssec-pkgs-dockerTools-shadowSetup}
|
||||
|
||||
This constant string is a helper for setting up the base files for managing users and groups, only if such files don't exist already. It is suitable for being used in a [`buildImage` `runAsRoot`](#ex-dockerTools-buildImage-runAsRoot) script for cases like in the example below:
|
||||
|
||||
|
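Review bot: The `caCertificates` entry documents only `/etc/ssl/certs/ca-certificates.crt`, but the helper added in this same commit also links the bundle at `/etc/ssl/certs/ca-bundle.crt` and `/etc/pki/tls/certs/ca-bundle.crt`. List all three paths, and say that they are symlinks to the `cacert` bundle, so readers know which trust store the image ends up with and where TLS clients will find it. Separately, `shadowSetup` is demoted to a `###` heading under Environment Helpers but keeps its `ssec-` anchor while its new siblings use `sssec-`. If that is deliberate to keep existing links working, a short comment saying so would prevent a later "cleanup" from breaking them.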
@ -792,6 +792,16 @@ rec {
|
||||
ln -s ${bashInteractive}/bin/bash $out/bin/sh
|
||||
'';
|
||||
|
||||
# This provides the ca bundle in common locations
|
||||
caCertificates = runCommand "ca-certificates" { } ''
|
||||
# Old NixOS compatibility.
|
||||
ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-bundle.crt
|
||||
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
|
||||
ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt
|
||||
# CentOS/Fedora compatibility.
|
||||
ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/pki/tls/certs/ca-bundle.crt
|
||||
'';
|
||||
|
||||
# Build an image and populate its nix database with the provided
|
||||
# contents. The main purpose is to be able to use nix commands in
|
||||
# the container.
|
||||
|
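Review bot: Missing directory creation in `caCertificates`: the three `ln -s` calls write into `$out/etc/ssl/certs` and `$out/etc/pki/tls/certs`, but nothing in the visible script body creates those directories. `runCommand` does not create `$out` for you, so the first `ln -s` will fail with "No such file or directory". Add `mkdir -p $out/etc/ssl/certs $out/etc/pki/tls/certs` as the first line of the script. A smaller point: the comment above the definition says "common locations", and the per-line comments name the distributions, which is good; consider also noting that every path points at the same `${cacert}` bundle, so the image's trusted roots are fixed at build time by the `cacert` version in use.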