Commit Graph

134 Commits

Author SHA1 Message Date
Louis Blin
aae8588182 dockerTools.buildLayeredImage: support fromImage
It is now possible to pass a `fromImage` to `buildLayeredImage` and
`streamLayeredImage`, similar to what `buildImage` currently supports.

This will prepend the layers of the given base image to the resulting
image, while ensuring that at most `maxLayers` are used. It will also
ensure that environment variables from the base image are propagated
to the final image.
2021-03-23 14:50:42 +00:00
Benjamin Hipple
17a9f368e3
Merge pull request #115793 from lbpdt/feature/docker-tools-layered-image-name-slashes
dockerTools.buildLayeredImage: image names with registry/ prefix
2021-03-11 14:58:26 -05:00
Louis Blin
419a4fa596 dockerTools.buildLayeredImage: image names with registry/ prefix
When using `buildLayeredImage`, it is not possible to specify an image
name of the form `<registry>/my/image`, although it is a valid name.

This is due to derivations under `buildLayeredImage` using that image
name as their derivation name, but slashes are not permitted in that
context.

A while ago, #13099 fixed that exact same problem in `buildImage` by
using `baseNameOf name` in derivation names instead of `name`. This
change does the same thing for `buildLayeredImage`.
2021-03-10 17:44:24 +00:00
Louis Blin
bf56388c92 dockerTools.buildLayeredImage: configurable store root
`stream_layered_image.py` currently assumes that the store root will be
at `/nix/store`, although the user might have configured this
differently. This makes `buildLayeredImage` unusable with stores having
a different root, as they will fail an assertion in the python script.

This change updates that assertion to use `builtins.storeDir` as the
source of truth about where the store lives, instead of assuming
`/nix/store`.
2021-03-10 16:44:53 +00:00
Chris Roberts
00996b5e03 dockerTools: Do not lowercase image tag in buildImage
Closes #115455
2021-03-09 09:06:04 +00:00
Robert Hensing
f3d006c1d4
Merge pull request #115083 from osener/fix-dockertools-on-darwin
dockerTools: fix build on Darwin
2021-03-04 16:50:26 +01:00
Ozan Sener
78f322f2d0 dockerTools: fix build on Darwin
Fixes #110665

Introduced by #109420
2021-03-04 16:17:48 +01:00
Ben Siraphob
98f26993f2 treewide: remove stdenv where not needed 2021-03-04 19:54:50 +07:00
Johan Thomsen
793e77d4e2 dockertools: sort tar-members by name for reproducibility 2021-02-18 09:51:41 +01:00
Pavol Rusnak
90f7338112
treewide: stdenv.lib -> lib 2021-01-24 01:49:49 +01:00
Robert Hensing
9797139cbb dockerTools: typo
Italian.
2021-01-15 14:23:51 +01:00
Milan
0d724ba2fc
dockerTools: fix build (#109420) 2021-01-15 03:56:38 +01:00
Robert Hensing
a31607f904 dockerTools: Don't apologize
Warning about future breaking changes is wrong.

 - It suggests that the maintainers don't value backwards compatibility.
   They do.
 - It implies that other parts of Nixpkgs won't ever break. They will.
 - It implies that a well-defined "public" interface exists. It doesn't.
 - If the reasons above didn't apply, it should have been in the manual
   instead.

Breaking changes will come, especially to the interface. That can be the
only way we can make progress without breaking the image _contents_.

I don't think dockerTools is any different from most of Nixpkgs in
these regards.
2021-01-06 13:02:19 +01:00
Robert Hensing
5cacf0fcec dockerTools: use go.GOARCH as default arch 2020-12-15 02:15:35 -08:00
Terin Stock
8f66dc94a7 dockerTools: normalize arch to GOARCH
Docker (via containerd) and the the OCI Image Configuration imply and
suggest, respectfully, that the architecture set in images matches those
of GOARCH in the Go Language document.

This changeset updates the implimentation of getArch in dockerTools to
return GOARCH values, to satisfy Docker.

Fixes: #106695
2020-12-15 02:14:01 -08:00
Florian Klink
e054694925 dockerTools.binSh: init 2020-12-02 14:57:23 +01:00
Florian Klink
f7ee2706c2 dockerTools.fakeNss: init
This provides a /etc/passwd and /etc/group that contain root and nobody.

Useful when packaging binaries that insist on using nss to look up
username/groups (like nginx).

The current nginx example used the `runAsRoot` parameter to setup
/etc/group and /etc/passwd (which also doesn't exist in
buildLayeredImage), so we can now just use fakeNss there and use
buildLayeredImage.
2020-12-02 14:56:07 +01:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
adisbladis
6847a5c12d
referencesByPopularity: Don't use buildPackages at call-site
It's cleaner to reference buildPackages directly in
build-support/docker directly.
2020-11-24 02:55:40 +01:00
adisbladis
8a3b33baed
dockerTools: Set correct architecture when cross compiling 2020-11-19 18:13:21 +01:00
adisbladis
4313ac6b29
dockerTools.buildLayeredImage: Fix cross compilation 2020-11-19 14:32:22 +01:00
Michael
24c5059468 docker: Fix broken pipe on docker layer creation
Add `-p` to the `tee` command to avoid exiting on breaking pipe due to
tarsum finishing before tar which creating docker layers.
2020-11-03 12:33:11 +01:00
Robert Hensing
11b0106cf9 dockerTools: add isExe to streamLayeredImage result 2020-10-05 10:48:17 +02:00
Utku Demir
ae82f81bfa
dockerTools.streamLayeredImage: Store the customisation layer as a tarball
This fixes as issue described here[1], where permissions set by 'extraCommands'
were ignored by Nix.

[1] https://github.com/NixOS/nixpkgs/pull/91084#issuecomment-669834938
2020-09-04 16:53:23 +12:00
Robert Hensing
8c0459f611 dockerTools: Always set imageTag attribute
The image tag can be specified or generated from the output hash.
Previously, a generated tag could be recovered from the evaluated
image with some string operations.

However, with the introduction of streamLayeredImage, it's not
feasible to compute the generated tag yourself.

With this change, the imageTag attribute is set unconditionally,
for the buildImage, buildLayeredImage, streamLayeredImage functions.
2020-07-11 16:58:25 +02:00
Utku Demir
4bff5b7f3d
dockerTools: Properly quote a shell variable 2020-06-21 12:35:39 +12:00
Utku Demir
307804d97d
dockerTools.streamLayeredImage: comments 2020-06-21 12:35:38 +12:00
Utku Demir
4e0109f873
Set mtime to get more deterministic builds 2020-06-21 12:35:37 +12:00
Utku Demir
560201da66
Implement dockerTools.streamLayeredImage 2020-06-21 12:35:32 +12:00
lewo
a498da343a
Merge pull request #87154 from utdemir/buildimage-optimizations
Some performance optimizations to dockerTools.build{,Layered}Image
2020-05-19 15:39:25 +02:00
zowoq
42232493a3 dockerTools: pass insecure-policy and tmpdir to skopeo 2020-05-16 08:46:13 +10:00
Utku Demir
f5a90a7aab
dockerTools.buildImage: Preserve environment variables from the parent image 2020-05-08 21:49:16 +12:00
Utku Demir
f12346d493
dockerTools: Calculate tarsum's on the fly
Calculating the tarsum after creating a layer is inefficient, since
we have to read the tarball we've just written from the disk.

This commit simultaneously calculates the tarsum while creating the
tarball.
2020-05-07 11:50:07 +12:00
adisbladis
fafb127947
dockertools: Add a buildLayeredImageWithNixDb function
This is analogous to buildImageWithNixDb but instead uses
buildLayeredImage under the hood.
2020-05-02 15:59:39 +01:00
Robert Hensing
6dab1b50a6 buildLayeredImage: Allow empty store, no paths to add
This is useful when buildLayeredImage is called in a generic way
that should allow simple (base) images to be built, which may not
reference any store paths.
2020-02-28 14:59:04 +01:00
Silvan Mosberger
0a351c3f65
dockerTools.*: Assertion against building for Darwin (#77952)
dockerTools.*: Assertion against building for Darwin
2020-01-31 21:17:40 +01:00
Antoine Eiche
01a68479cc dockerTools.buildLayeredImage: assert maxLayers > 1
Since a layer is reserved for "customization", the image can not
contains less than 2 layers.

The user gets the following message at evaluation:

    nix-instantiate nixos/tests/docker-tools.nix
    trace: the maxLayers argument of dockerTools.buildLayeredImage function must be greather than 1 (current value: 1)
2020-01-30 21:09:52 +01:00
Antoine Eiche
283bcc1003 dockerTools.buildLayeredImage: fix image with only 2 layers
A test is also added to ensure an image with 2 layers can be built.
2020-01-30 21:09:44 +01:00
Silvan Mosberger
b6a9211bf4
dockerTools.*: Assertion against building for darwin
Building a docker image with darwin binaries just yields a confusing
error when ran:

  standard_init_linux.go:211: exec user process caused "exec format error"

This change prevents people from building such images in the first place
2020-01-20 19:14:12 +01:00
Antoine Eiche
da261e3631 dockerTools.buildLayeredImage: fix typo in comments 2020-01-11 09:02:30 +01:00
Richard Wallace
3be767593b dockerTools.buildLayeredImage: fix building layered images in parallel
when tar'ing store paths into layered archives when building layered
images, don't use the absolute nix store path so that tar won't complain
if something new is added to the nix store

when building the final docker image, ignore any file changes tar
detects in the layers. they are all immutable and the only thing that
might change is the number of hard links due to store optimization
2019-12-30 14:47:11 -07:00
Graham Christensen
64453c8dbd
Merge pull request #75781 from grahamc/dockertools/remove-implementation-detail-layers
dockertools.buildLayeredImage: remove implementation detail layers
2019-12-17 16:03:11 -05:00
Graham Christensen
9c02760855
dockerTools.buildLayeredImage: update maxlayers from 24 to 100 to match documentation
mkManyPureLayers already was changed, and this function was not updated.
2019-12-16 13:14:21 -05:00
Graham Christensen
12e2416380
dockerTools.buildLayeredImage: Exclude top level implementation detail layers 2019-12-16 13:03:15 -05:00
Graham Christensen
700f4c5388
dockerTools.buildLayeredImage: prepare to exclude some paths
Without changing behavior, since this code is fiddly, make it possible
to add a filtering step before packaging individual paths.
2019-12-16 12:57:04 -05:00
Graham Christensen
aec80dddc0
dockerTools.buildLayeredImage: pass a list of closures to mkManyPureLayers so it can exclude the top-most level
Before, every docker image had three extra layers:

1. A `closure` layer which is an internal implementation detail of
   calculating the closure of the container
2. a `name-config.json` layer which is the images' run-time
   configuration, and has no business being *in* the image as a layer.
3. a "bulk-layers" layer which is again and implementation detail
   around collecting the image's closure.

None of these layers need to be in the final product.
2019-12-16 12:48:05 -05:00
Graham Christensen
f6d75f550e
dockerTools.buildLayeredImage: tweak formatting on contentsEnv 2019-12-16 12:36:45 -05:00
tomberek
81b0a20dfa buildImageWithNixDb: export USER (#74959)
dockerTools.buildImageWithNixDb: export USER

Changes to Nix user detection (./src/nix-channel/nix-channel.cc#L-166)
cause this function to error. Exporting USER fixes this.
2019-12-07 10:06:42 +01:00
Nick Spinale
8166bc934b build-support/docker: set default image arch to host arch
The architecture of an image should default to the architecture for
which that image is being composed or pulled. buildPackages.go.GOARCH is
an easy way to compute that architecture with the correct terminology.
2019-09-16 14:22:30 +00:00
Graham Christensen
8adaae2df2
dockertools.buildLayeredImage: default layer count up to 100 2019-08-12 19:59:40 -04:00