From b35440bfcf536d1043dc04356c9f021bddc68256 Mon Sep 17 00:00:00 2001
From: Viktor Kronvall
Date: Sun, 13 Aug 2023 00:25:29 +0900
Subject: [PATCH 1/2] dockerTools: replace --no-clobber with --update=none

Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit code when the destination files exist. Using `--update=none` will now reproduce the old behavior of `--no-clobber`. However, the `--update=none` flag was introduced in coreutils v9.3 and thus `mergeImages` will fail if you have an older version than v9.3 in stdenv after applying this commit. [coreutils v9.3 changelog](https://github.com/coreutils/coreutils/blob/f386722dc0d996d5379f12b4a8d4dd15ca7df4b5/NEWS#L48)
---
 pkgs/build-support/docker/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index b74d7885d54a..f6416c81cc0a 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -777,7 +777,7 @@ rec {
 fi
 done
 # Copy all layers from input images to output image directory
-cp -R --no-clobber inputs/*/* image/
+cp -R --update=none inputs/*/* image/
 # Merge repositories objects and manifests
 jq -s add "''${repos[@]}" > repositories
 jq -s add "''${manifests[@]}" > manifest.json

From ca072c08a2543b4a7a107ebbfbb03ab23426f6ed Mon Sep 17 00:00:00 2001
From: Viktor Kronvall
Date: Thu, 17 Aug 2023 00:50:10 +0900
Subject: [PATCH 2/2] dockerTools: replace fakechroot with proot

The command `fakechroot` errored with buffer overflows. The `proot` command doesn't seem to suffer from the same problem. The tar command creating the layer errors with "permission denied" on a bunch of paths in /proc but the layer seems to get built anyway.
---
 pkgs/build-support/docker/default.nix | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
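Review bot: The coreutils requirement the commit message explains — `--update=none` exists only from coreutils v9.3, and `--no-clobber` has exited non-zero on an existing destination since v9.2 — is invisible at the `cp -R --update=none inputs/*/* image/` line, so whoever hits the failure on an older stdenv has nothing to go on. A comment above the line keeps that knowledge with the code: `# --update=none (coreutils >= 9.3) silently keeps existing files; --no-clobber exits non-zero on skip since coreutils 9.2`. The skip is silent either way, so if two input images carry a same-named layer directory with differing content, the first one expanded by the glob wins without any diagnostic; that is worth a second sentence in the same comment because the merged image's integrity rests on it. The mergeImages script this line belongs to starts and ends outside the hunk.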
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index f6416c81cc0a..9f57804e957d 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -5,7 +5,7 @@
 , closureInfo
 , coreutils
 , e2fsprogs
-, fakechroot
+, proot
 , fakeNss
 , fakeroot
 , go
@@ -887,6 +887,13 @@ rec {
 });
 
 contentsList = if builtins.isList contents then contents else [ contents ];
+bind-paths = builtins.toString (builtins.map (path: "--bind=${path}:${path}!") [
+"/dev/"
+"/proc/"
+"/sys/"
+"${builtins.storeDir}/"
+"$out/layer.tar"
+]);
 
 # We store the customisation layer as a tarball, to make sure that
 # things like permissions set on 'extraCommands' are not overridden
@@ -898,21 +905,14 @@ rec {
 nativeBuildInputs = [
 fakeroot
 ] ++ optionals enableFakechroot [
-fakechroot
-# for chroot
-coreutils
-# fakechroot needs getopt, which is provided by util-linux
-util-linux
+proot
 ];
 postBuild = ''
 mv $out old_out
 (cd old_out; eval "$extraCommands" )
 
 mkdir $out
-${optionalString enableFakechroot ''
-export FAKECHROOT_EXCLUDE_PATH=/dev:/proc:/sys:${builtins.storeDir}:$out/layer.tar
-''}
-${optionalString enableFakechroot ''fakechroot chroot $PWD/old_out ''}fakeroot bash -c '
+${optionalString enableFakechroot ''proot -r $PWD/old_out ${bind-paths} --pwd=/ ''}fakeroot bash -c '
 source $stdenv/setup
 ${optionalString (!enableFakechroot) ''cd old_out''}
 eval "$fakeRootCommands"
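Review bot: The trailing `!` in `--bind=${path}:${path}!` is the one non-obvious token in this hunk and nothing says what it asks proot to do, so a comment above `bind-paths` naming the effect of that suffix (with a pointer to proot's binding option documentation) is needed; the same comment should state that this list replaces the former FAKECHROOT_EXCLUDE_PATH entries one for one, i.e. it is what keeps the sandbox's /dev, /proc, /sys, the store and `$out/layer.tar` reachable from inside the rerooted tree. `builtins.toString` joins the list with single spaces and the result is interpolated unquoted into the proot command line in the postBuild hunk, so no entry may contain whitespace; `builtins.storeDir` and `$out` are builder-controlled, so that is a constraint to document rather than a defect. The attribute set or let block enclosing `bind-paths` lies outside the hunk.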
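Review bot: The commit message reports that tar now fails with "permission denied" under /proc while the layer is still produced, and the new `proot -r $PWD/old_out ${bind-paths} --pwd=/` line is what makes that possible: the rerooted tree now has /proc and /sys bound into it and the tar step that follows (outside this hunk) runs from `/`, so a tar error that does not stop the build means the layer archive can be incomplete without anyone noticing. Before merging, either confirm that the tar invocation excludes the bound pseudo-filesystems — if it already does, the reported errors show the exclusion is not taking effect under proot — or restrict the binds to what fakeRootCommands actually needs, and make a non-zero tar exit fatal rather than tolerated. The option keeps its `enableFakechroot` name while the tool is now proot, which is right for callers but deserves a line above the invocation: `# enableFakechroot is kept for API compatibility; the reroot is done by proot since fakechroot overflowed its buffers`. The postBuild script continues past the end of the hunk.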