dockerTools.pullImage: Fix build with sandboxing

Regression introduced in 736848723e.

This commit most certainly hasn't been tested with sandboxing enabled
and breaks not only pullImage but also the docker-tools NixOS VM test
because it doesn't find it's certificate path and also relies on
/var/tmp being there.

Fixing the certificate path is the easiest one because it can be done
via environment variable.

I've used overrideAttrs for changing the hardcoded path to /tmp (which
is available in sandboxed builds and even hardcoded in Nix), so that
whenever someone uses Skopeo from all-packages.nix the path is still
/var/tmp.

The reason why this is hardcoded to /var/tmp can be seen in a comment in
vendor/github.com/containers/image/storage/storage_image.go:

  Do not use the system default of os.TempDir(), usually /tmp, because
  with systemd it could be a tmpfs.

With sandboxed builds this isn't the case, however for using Nix without
NixOS this could turn into a problem if this indeed is the case.

So in the long term this needs to have a proper solution.

In addition to that, I cleaned up the expression a bit.

Tested by building dockerTools.examples.nixFromDockerHub and the
docker-tools NixOS VM test.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @nlewo, @Mic92, @Profpatsch, @globin, @LnL7

pkgs/build-support/docker/default.nix

@@ -32,28 +32,42 @@ rec {
     inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
   };
 
-  pullImage =
+  pullImage = let
-    let
+    fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
-      fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
+  in
-    in {
+    { imageName
-      imageName,
       # To find the digest of an image, you can use skopeo:
       # skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
       # sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
-      imageDigest,
+    , imageDigest
-      sha256,
+    , sha256
       # This used to set a tag to the pulled image
-      finalImageTag ? "latest",
+    , finalImageTag ? "latest"
-      name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
+    , name ? fixName "docker-image-${imageName}-${finalImageTag}.tar"
-      runCommand name {
+    }:
-        impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
+
-        outputHashMode="flat";
+    runCommand name {
-        outputHashAlgo="sha256";
+      impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
-        outputHash=sha256;
+      outputHashMode = "flat";
-      }
+      outputHashAlgo = "sha256";
-      ''
+      outputHash = sha256;
-        ${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
+
-      '';
+      # One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
+      # big image files, which is not available in sandboxed builds.
+      nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
+        postPatch = (drv.postPatch or "") + ''
+          sed -i -e 's!/var/tmp!/tmp!g' \
+            vendor/github.com/containers/image/storage/storage_image.go \
+            vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
+        '';
+      }));
+      SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
+
+      sourceURL = "docker://${imageName}@${imageDigest}";
+      destNameTag = "${imageName}:${finalImageTag}";
+    } ''
+      skopeo copy "$sourceURL" "docker-archive://$out:$destNameTag"
+    '';
 
   # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
   # And we cannot untar it, because then we cannot preserve permissions ecc.