dockerTools.pullImage: Fix build with sandboxing

Regression introduced in 736848723e. This commit most certainly hasn't been tested with sandboxing enabled and breaks not only pullImage but also the docker-tools NixOS VM test because it doesn't find it's certificate path and also relies on /var/tmp being there. Fixing the certificate path is the easiest one because it can be done via environment variable. I've used overrideAttrs for changing the hardcoded path to /tmp (which is available in sandboxed builds and even hardcoded in Nix), so that whenever someone uses Skopeo from all-packages.nix the path is still /var/tmp. The reason why this is hardcoded to /var/tmp can be seen in a comment in vendor/github.com/containers/image/storage/storage_image.go: Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs. With sandboxed builds this isn't the case, however for using Nix without NixOS this could turn into a problem if this indeed is the case. So in the long term this needs to have a proper solution. In addition to that, I cleaned up the expression a bit. Tested by building dockerTools.examples.nixFromDockerHub and the docker-tools NixOS VM test. Signed-off-by: aszlig <aszlig@nix.build> Cc: @nlewo, @Mic92, @Profpatsch, @globin, @LnL7
2024-11-16 06:45:16 +01:00 · 2018-05-06 04:38:47 +02:00 · 2018-05-06 04:38:47 +02:00 · 42a0b11450
commit 42a0b11450
parent cd960b965f
1 changed files with 32 additions and 18 deletions
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@ -32,28 +32,42 @@ rec {
    inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
  };

-  pullImage =
-    let
-      fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
-    in {
-      imageName,
+  pullImage = let
+    fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
+  in
+    { imageName
      # To find the digest of an image, you can use skopeo:
      # skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
      # sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
-      imageDigest,
-      sha256,
+    , imageDigest
+    , sha256
      # This used to set a tag to the pulled image
-      finalImageTag ? "latest",
-      name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
-      runCommand name {
-        impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
-        outputHashMode="flat";
-        outputHashAlgo="sha256";
-        outputHash=sha256;
-      }
-      ''
-        ${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
-      '';
+    , finalImageTag ? "latest"
+    , name ? fixName "docker-image-${imageName}-${finalImageTag}.tar"
+    }:
+
+    runCommand name {
+      impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
+      outputHashMode = "flat";
+      outputHashAlgo = "sha256";
+      outputHash = sha256;
+
+      # One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
+      # big image files, which is not available in sandboxed builds.
+      nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
+        postPatch = (drv.postPatch or "") + ''
+          sed -i -e 's!/var/tmp!/tmp!g' \
+            vendor/github.com/containers/image/storage/storage_image.go \
+            vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
+        '';
+      }));
+      SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
+
+      sourceURL = "docker://${imageName}@${imageDigest}";
+      destNameTag = "${imageName}:${finalImageTag}";
+    } ''
+      skopeo copy "$sourceURL" "docker-archive://$out:$destNameTag"
+    '';

  # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
  # And we cannot untar it, because then we cannot preserve permissions ecc.