dockerTools: Verify nix-store contents on buildLayeredImage test

nixos/tests/docker-tools.nix

@@ -179,10 +179,11 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         docker.succeed("docker run --rm no-store-paths ls /")
         docker.fail("docker run --rm no-store-paths ls /nix/store")
 
-    with subtest("Ensure buildLayeredImage supports files directly under /nix/store"):
+    with subtest("Ensure buildLayeredImage does not change store path contents."):
         docker.succeed(
             "docker load --input='${pkgs.dockerTools.examples.filesInStore}'",
-            "docker run file-in-store |& grep 'some data'",
+            "docker run --rm file-in-store nix-store --verify --check-contents",
+            "docker run --rm file-in-store |& grep 'some data'",
         )
   '';
 })

pkgs/build-support/docker/examples.nix

@@ -337,12 +337,21 @@ rec {
 
   # 19. Support files in the store on buildLayeredImage
   # See: https://github.com/NixOS/nixpkgs/pull/91084#issuecomment-653496223
-  filesInStore = pkgs.dockerTools.buildLayeredImage {
+  filesInStore = pkgs.dockerTools.buildLayeredImageWithNixDb {
     name = "file-in-store";
     tag = "latest";
-    config.Cmd = [
+    contents = [
-      "${pkgs.coreutils}/bin/cat"
+      pkgs.coreutils
-      (pkgs.writeText "somefile" "some data")
+      pkgs.nix
+      (pkgs.writeScriptBin "myscript" ''
+        #!${pkgs.runtimeShell}
+        cat ${pkgs.writeText "somefile" "some data"}
+      '')
     ];
+    config = {
+      Cmd = [ "myscript" ];
+      # For some reason 'nix-store --verify' requires this environment variable
+      Env = [ "USER=root" ];
+    };
   };
 }