Merge pull request #308822 from yorickvP/yorickvp/streamLayeredImage-overridable

dockerTools.streamLayeredImage: add includeNixDB argument, expose conf and streamScript
2024-07-24 16:02:35 +02:00 · 2024-07-24 16:02:35 +02:00 · c5e5aa7266
commit c5e5aa7266
parent e599ef1514 8891e98f24
4 changed files with 70 additions and 16 deletions
--- a/doc/build-helpers/images/dockertools.section.md
+++ b/doc/build-helpers/images/dockertools.section.md
@ -185,6 +185,19 @@ Similarly, if you encounter errors similar to `Error_Protocol ("certificate has
  _Default value:_ `"gz"`.\
  _Possible values:_ `"none"`, `"gz"`, `"zstd"`.

+`includeNixDB` (Boolean; _optional_)
+
+: Populate the nix database in the image with the dependencies of `copyToRoot`.
+  The main purpose is to be able to use nix commands in the container.
+
+  :::{.caution}
+  Be careful since this doesn't work well in combination with `fromImage`. In particular, in a multi-layered image, only the Nix paths from the lower image will be in the database.
+
+  This also neglects to register the store paths that are pulled into the image as a dependency of one of the other values, but aren't a dependency of `copyToRoot`.
+  :::
+
+  _Default value:_ `false`.
+
 `contents` **DEPRECATED**

 : This attribute is deprecated, and users are encouraged to use `copyToRoot` instead.
@ -574,6 +587,19 @@ This allows the function to produce reproducible images.

  _Default value:_ `true`

+`includeNixDB` (Boolean; _optional_)
+
+: Populate the nix database in the image with the dependencies of `copyToRoot`.
+  The main purpose is to be able to use nix commands in the container.
+
+  :::{.caution}
+  Be careful since this doesn't work well in combination with `fromImage`. In particular, in a multi-layered image, only the Nix paths from the lower image will be in the database.
+
+  This also neglects to register the store paths that are pulled into the image as a dependency of one of the other values, but aren't a dependency of `copyToRoot`.
+  :::
+
+  _Default value:_ `false`.
+
 `passthru` (Attribute Set; _optional_)

 : Use this to pass any attributes as [`passthru`](#chap-passthru) for the resulting derivation.
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@ -567,6 +567,12 @@ in {
        docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt")
        docker.succeed("docker image rm image-with-certs:latest")

+    with subtest("buildImageWithNixDB: Has a nix database"):
+        docker.succeed(
+            "docker load --input='${examples.nix}'",
+            "docker run --rm ${examples.nix.imageName} nix-store -q --references /bin/bash"
+        )
+
    with subtest("buildNixShellImage: Can build a basic derivation"):
        docker.succeed(
            "${examples.nix-shell-basic} | docker load",
@ -632,5 +638,11 @@ in {
            "${nonRootTestImage} | docker load",
            "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"
        )
+
+    with subtest("streamLayeredImage: with nix db"):
+        docker.succeed(
+            "${examples.nix-layered} | docker load",
+            "docker run --rm ${examples.nix-layered.imageName} nix-store -q --references /bin/bash"
+        )
  '';
 })
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@ -576,6 +576,8 @@ rec {
      created ? "1970-01-01T00:00:01Z"
    , # Compressor to use. One of: none, gz, zstd.
      compressor ? "gz"
+      # Populate the nix database in the image with the dependencies of `copyToRoot`.
+    , includeNixDB ? false
    , # Deprecated.
      contents ? null
    ,
@ -613,20 +615,26 @@ rec {

      compress = compressorForImage compressor name;

+      # TODO: add the dependencies of the config json.
+      extraCommandsWithDB =
+        if includeNixDB then (mkDbExtraCommand rootContents) + extraCommands
+        else extraCommands;
+
      layer =
        if runAsRoot == null
        then
          mkPureLayer
            {
              name = baseName;
-              inherit baseJson keepContentsDirlinks extraCommands uid gid;
+              inherit baseJson keepContentsDirlinks uid gid;
+              extraCommands = extraCommandsWithDB;
              copyToRoot = rootContents;
            } else
          mkRootLayer {
            name = baseName;
            inherit baseJson fromImage fromImageName fromImageTag
-              keepContentsDirlinks runAsRoot diskSize buildVMMemorySize
-              extraCommands;
+              keepContentsDirlinks runAsRoot diskSize buildVMMemorySize;
+            extraCommands = extraCommandsWithDB;
            copyToRoot = rootContents;
          };
      result = runCommand "docker-image-${baseName}.tar${compress.ext}"
@ -885,18 +893,9 @@ rec {
  # the container.
  # Be careful since this doesn't work well with multilayer.
  # TODO: add the dependencies of the config json.
-  buildImageWithNixDb = args@{ copyToRoot ? contents, contents ? null, extraCommands ? "", ... }: (
-    buildImage (args // {
-      extraCommands = (mkDbExtraCommand copyToRoot) + extraCommands;
-    })
-  );
+  buildImageWithNixDb = args: buildImage (args // { includeNixDB = true; });

-  # TODO: add the dependencies of the config json.
-  buildLayeredImageWithNixDb = args@{ contents ? null, extraCommands ? "", ... }: (
-    buildLayeredImage (args // {
-      extraCommands = (mkDbExtraCommand contents) + extraCommands;
-    })
-  );
+  buildLayeredImageWithNixDb = args: buildLayeredImage (args // { includeNixDB = true; });

  # Arguments are documented in ../../../doc/build-helpers/images/dockertools.section.md
  streamLayeredImage = lib.makeOverridable (
@ -917,6 +916,7 @@ rec {
    , fakeRootCommands ? ""
    , enableFakechroot ? false
    , includeStorePaths ? true
+    , includeNixDB ? false
    , passthru ? {}
    ,
    }:
@ -954,7 +954,9 @@ rec {
        customisationLayer = symlinkJoin {
          name = "${baseName}-customisation-layer";
          paths = contentsList;
-          inherit extraCommands fakeRootCommands;
+          extraCommands =
+            (lib.optionalString includeNixDB (mkDbExtraCommand contents)) + extraCommands;
+          inherit fakeRootCommands;
          nativeBuildInputs = [
            fakeroot
          ] ++ optionals enableFakechroot [
@ -1107,7 +1109,9 @@ rec {

        result = runCommand "stream-${baseName}"
          {
+            inherit conf;
            inherit (conf) imageName;
+            inherit streamScript;
            preferLocalBuild = true;
            passthru = passthru // {
              inherit (conf) imageTag;
@ -1118,7 +1122,7 @@ rec {
            };
            nativeBuildInputs = [ makeWrapper ];
          } ''
-          makeWrapper ${streamScript} $out --add-flags ${conf}
+          makeWrapper $streamScript $out --add-flags $conf
        '';
      in
      result
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@ -901,4 +901,16 @@ rec {
    '';
  };

+  nix-layered = pkgs.dockerTools.streamLayeredImage  {
+    name = "nix-layered";
+    tag = "latest";
+    contents = [ pkgs.nix pkgs.bash ];
+    includeNixDB = true;
+    config = {
+      Env = [
+        "NIX_PAGER=cat"
+      ];
+    };
+  };
+
 }