From 42a0b11450948fd83b45e1ee60c252f8b9e84e81 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Sun, 6 May 2018 04:38:47 +0200
Subject: [PATCH] dockerTools.pullImage: Fix build with sandboxing

Regression introduced in 736848723e5aefa5d24396c58dc6de603399efde. This commit most certainly hasn't been tested with sandboxing enabled and breaks not only pullImage but also the docker-tools NixOS VM test because it doesn't find it's certificate path and also relies on /var/tmp being there. Fixing the certificate path is the easiest one because it can be done via environment variable. I've used overrideAttrs for changing the hardcoded path to /tmp (which is available in sandboxed builds and even hardcoded in Nix), so that whenever someone uses Skopeo from all-packages.nix the path is still /var/tmp. The reason why this is hardcoded to /var/tmp can be seen in a comment in vendor/github.com/containers/image/storage/storage_image.go: Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs. With sandboxed builds this isn't the case, however for using Nix without NixOS this could turn into a problem if this indeed is the case. So in the long term this needs to have a proper solution. In addition to that, I cleaned up the expression a bit. Tested by building dockerTools.examples.nixFromDockerHub and the docker-tools NixOS VM test.
Signed-off-by: aszlig
Cc: @nlewo, @Mic92, @Profpatsch, @globin, @LnL7
---
 pkgs/build-support/docker/default.nix | 50 +++++++++++++++++----------
 1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 584beb3d89b8..374b71d42a39 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -32,28 +32,42 @@ rec {
 inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
 };
- pullImage =
- let
- fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
- in {
- imageName,
+ pullImage = let
+ fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
+ in
+ { imageName
 # To find the digest of an image, you can use skopeo:
 # skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
 # sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
- imageDigest,
- sha256,
+ , imageDigest
+ , sha256
 # This used to set a tag to the pulled image
- finalImageTag ? "latest",
- name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
- runCommand name {
- impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
- outputHashMode="flat";
- outputHashAlgo="sha256";
- outputHash=sha256;
- }
- ''
- ${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
- '';
+ , finalImageTag ? "latest"
+ , name ? fixName "docker-image-${imageName}-${finalImageTag}.tar"
+ }:
+
+ runCommand name {
+ impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
+ outputHashMode = "flat";
+ outputHashAlgo = "sha256";
+ outputHash = sha256;
+
+ # One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
+ # big image files, which is not available in sandboxed builds.
+ nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
+ postPatch = (drv.postPatch or "") + ''
+ sed -i -e 's!/var/tmp!/tmp!g' \
+ vendor/github.com/containers/image/storage/storage_image.go \
+ vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
+ '';
+ }));
+ SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
+
+ sourceURL = "docker://${imageName}@${imageDigest}";
+ destNameTag = "${imageName}:${finalImageTag}";
+ } ''
+ skopeo copy "$sourceURL" "docker-archive://$out:$destNameTag"
+ '';
 # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
 # And we cannot untar it, because then we cannot preserve permissions ecc.
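Review bot: The `sed -i -e 's!/var/tmp!/tmp!g'` in the new `postPatch` override never verifies that the pattern was actually found, and `sed` exits 0 on zero matches, so the next skopeo bump that moves or renames the hard-coded path inside the vendored `containers/image` tree turns this patch into a silent no-op and sandboxed `pullImage` builds fail again with the original `/var/tmp` error instead of a clear message. I'd make it fail loudly, e.g. by preceding the `sed` with `grep -L '/var/tmp' vendor/github.com/containers/image/storage/storage_image.go vendor/github.com/containers/image/internal/tmpdir/tmpdir.go | grep -q . && { echo 'skopeo /var/tmp override no longer applies' >&2; exit 1; }` (sed already fails on a missing file, so only the moved-string case needs the guard). The two-line comment above `nativeBuildInputs` should also carry the trade-off that currently lives only in the commit message, e.g. `# /tmp may be a tmpfs outside sandboxed builds; the override is scoped to this derivation so pkgs.skopeo keeps /var/tmp`. Presumably the overridden skopeo is a distinct derivation that is not served from the binary cache, which is worth a word in the same comment so nobody "optimises" it back to `pkgs.skopeo`.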