From fb8409427c202e0686fe885251e6871a8a5f8ca8 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Tue, 25 May 2021 15:04:45 +0200 Subject: [PATCH] dockerTools: Allow omitting all store paths Adds includeStorePaths, allowing the omission of the store paths. You generally want to leave it on, but tooling may disable this to insert the store paths more efficiently via other means, such as bind mounting the host store. (cherry picked from commit 5259d66b7487b94233821e28aafb0683ae3f1df6) --- nixos/tests/docker-tools.nix | 14 ++++++++++++++ pkgs/build-support/docker/default.nix | 12 +++++++++++- pkgs/build-support/docker/examples.nix | 25 +++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 39b97b4cb99..831ef2fb77a 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -20,6 +20,20 @@ import ./make-test-python.nix ({ pkgs, ... }: { docker.wait_for_unit("sockets.target") + with subtest("includeStorePath"): + with subtest("assumption"): + docker.succeed("${examples.helloOnRoot} | docker load") + docker.succeed("set -euo pipefail; docker run --rm hello | grep -i hello") + docker.succeed("docker image rm hello:latest") + with subtest("includeStorePath = false; breaks example"): + docker.succeed("${examples.helloOnRootNoStore} | docker load") + docker.fail("set -euo pipefail; docker run --rm hello | grep -i hello") + docker.succeed("docker image rm hello:latest") + with subtest("includeStorePath = false; works with mounted store"): + docker.succeed("${examples.helloOnRootNoStore} | docker load") + docker.succeed("set -euo pipefail; docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") + docker.succeed("docker image rm hello:latest") + with subtest("Ensure Docker images use a stable date by default"): docker.succeed( "docker load --input='${examples.bash}'" diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix index 5e66c81e4ff..5bbf1b63f2b 100644 --- a/pkgs/build-support/docker/default.nix +++ b/pkgs/build-support/docker/default.nix @@ -37,6 +37,10 @@ let + inherit (lib) + optionals + ; + mkDbExtraCommand = contents: let contentsList = if builtins.isList contents then contents else [ contents ]; in '' @@ -787,6 +791,10 @@ rec { # We pick 100 to ensure there is plenty of room for extension. I # believe the actual maximum is 128. maxLayers ? 100, + # Whether to include store paths in the image. You generally want to leave + # this on, but tooling may disable this to insert the store paths more + # efficiently via other means, such as bind mounting the host store. + includeStorePaths ? true, }: assert (lib.assertMsg (maxLayers > 1) @@ -834,7 +842,9 @@ rec { ''; }; - closureRoots = [ baseJson ] ++ contentsList; + closureRoots = optionals includeStorePaths /* normally true */ ( + [ baseJson ] ++ contentsList + ); overallClosure = writeText "closure" (lib.concatStringsSep " " closureRoots); # These derivations are only created as implementation details of docker-tools, diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix index 7dbee38feeb..de90eab3ea1 100644 --- a/pkgs/build-support/docker/examples.nix +++ b/pkgs/build-support/docker/examples.nix @@ -516,4 +516,29 @@ rec { bash layeredImageWithFakeRootCommands ]; + + helloOnRoot = pkgs.dockerTools.streamLayeredImage { + name = "hello"; + tag = "latest"; + contents = [ + (pkgs.buildEnv { + name = "hello-root"; + paths = [ pkgs.hello ]; + }) + ]; + config.Cmd = [ "hello" ]; + }; + + helloOnRootNoStore = pkgs.dockerTools.streamLayeredImage { + name = "hello"; + tag = "latest"; + contents = [ + (pkgs.buildEnv { + name = "hello-root"; + paths = [ pkgs.hello ]; + }) + ]; + config.Cmd = [ "hello" ]; + includeStorePaths = false; + }; }