dockerTools.pullImage: Fix build with sandboxing

Regression introduced in 736848723e.

This commit most certainly hasn't been tested with sandboxing enabled
and breaks not only pullImage but also the docker-tools NixOS VM test
because it doesn't find it's certificate path and also relies on
/var/tmp being there.

Fixing the certificate path is the easiest one because it can be done
via environment variable.

I've used overrideAttrs for changing the hardcoded path to /tmp (which
is available in sandboxed builds and even hardcoded in Nix), so that
whenever someone uses Skopeo from all-packages.nix the path is still
/var/tmp.

The reason why this is hardcoded to /var/tmp can be seen in a comment in
vendor/github.com/containers/image/storage/storage_image.go:

  Do not use the system default of os.TempDir(), usually /tmp, because
  with systemd it could be a tmpfs.

With sandboxed builds this isn't the case, however for using Nix without
NixOS this could turn into a problem if this indeed is the case.

So in the long term this needs to have a proper solution.

In addition to that, I cleaned up the expression a bit.

Tested by building dockerTools.examples.nixFromDockerHub and the
docker-tools NixOS VM test.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @nlewo, @Mic92, @Profpatsch, @globin, @LnL7
This commit is contained in:
aszlig 2018-05-06 04:38:47 +02:00
parent cd960b965f
commit 42a0b11450
No known key found for this signature in database
GPG Key ID: 684089CE67EBB691

View File

@ -32,28 +32,42 @@ rec {
inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
};
pullImage =
let
fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
in {
imageName,
pullImage = let
fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
in
{ imageName
# To find the digest of an image, you can use skopeo:
# skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
# sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
imageDigest,
sha256,
, imageDigest
, sha256
# This used to set a tag to the pulled image
finalImageTag ? "latest",
name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
runCommand name {
impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
outputHashMode="flat";
outputHashAlgo="sha256";
outputHash=sha256;
}
''
${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
'';
, finalImageTag ? "latest"
, name ? fixName "docker-image-${imageName}-${finalImageTag}.tar"
}:
runCommand name {
impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
outputHashMode = "flat";
outputHashAlgo = "sha256";
outputHash = sha256;
# One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
# big image files, which is not available in sandboxed builds.
nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
postPatch = (drv.postPatch or "") + ''
sed -i -e 's!/var/tmp!/tmp!g' \
vendor/github.com/containers/image/storage/storage_image.go \
vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
'';
}));
SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
sourceURL = "docker://${imageName}@${imageDigest}";
destNameTag = "${imageName}:${finalImageTag}";
} ''
skopeo copy "$sourceURL" "docker-archive://$out:$destNameTag"
'';
# We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
# And we cannot untar it, because then we cannot preserve permissions ecc.