4.6 KiB
pkgs.ociTools
pkgs.ociTools is a set of functions for creating runtime container bundles according to the OCI runtime specification v1.0.0.
It makes no assumptions about the container runner you choose to use to run the created container.
The set of functions in pkgs.ociTools currently does not handle the OCI image specification.
At a high-level an OCI implementation would download an OCI Image then unpack that image into an OCI Runtime filesystem bundle.
At this point the OCI Runtime Bundle would be run by an OCI Runtime.
pkgs.ociTools provides utilities to create OCI Runtime bundles.
buildContainer
This function creates an OCI runtime container (consisting of a config.json and a root filesystem directory) that runs a single command inside of it.
The nix store of the container will contain all referenced dependencies of the given command.
This function has an assumption that the container will run on POSIX platforms, and sets configurations (such as the user running the process or certain mounts) according to this assumption.
Because of this, a container built with buildContainer will not work on Windows or other non-POSIX platforms without modifications to the container configuration.
These modifications aren't supported by buildContainer.
For linux platforms, buildContainer also configures the following namespaces (see {manpage}unshare(1)) to isolate the OCI container from the global namespace:
PID, network, mount, IPC, and UTS.
Note that no user namespace is created, which means that you won't be able to run the container unless you are the root user.
Inputs
buildContainer expects an argument with the following attributes:
args(List of String)-
Specifies a set of arguments to run inside the container. Any packages referenced by
argswill be made available inside the container. mounts(Attribute Set; optional)-
Would specify additional mounts that the runtime must make available to the container.
:::{.warning} As explained in issue #290879, this attribute is currently ignored. :::
:::{.note}
buildContainerincludes a minimal set of necessary filesystems to be mounted into the container, and this set can't be changed with themountsattribute. :::Default value:
{}. readonly(Boolean; optional)-
If
true, sets the container's root filesystem as read-only.Default value:
false. osDEPRECATED-
Specifies the operating system on which the container filesystem is based on. If specified, its value should follow the OCI Image Configuration Specification. According to the linked specification, all possible values for
$GOOSin the Go docs should be valid, but will commonly be one ofdarwinorlinux.Default value:
"linux". archDEPRECATED-
Used to specify the architecture for which the binaries in the container filesystem have been compiled. If specified, its value should follow the OCI Image Configuration Specification. According to the linked specification, all possible values for
$GOARCHin the Go docs should be valid, but will commonly be one of386,amd64,arm, orarm64.Default value:
x86_64.
Examples
::: {.example #ex-ociTools-buildContainer-bash}
Creating an OCI runtime container that runs bash
This example uses ociTools.buildContainer to create a simple container that runs bash.
{ ociTools, lib, bash }:
ociTools.buildContainer {
args = [
(lib.getExe bash)
];
readonly = false;
}
As an example of how to run the container generated by this package, we'll use runc to start the container.
Any other tool that supports OCI containers could be used instead.
$ nix-build
(some output removed for clarity)
/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
$ cd /nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
$ nix-shell -p runc
[nix-shell:/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join]$ sudo runc run ocitools-example
help
GNU bash, version 5.2.26(1)-release (x86_64-pc-linux-gnu)
(some output removed for clarity)
:::