dockerTools: Fix changing compression method for `buildLayeredImage`
|
|
dockerTools: discard closure reference in imageTag
|
|
dockerTools: add streamed image as passthru to buildLayeredImage
|
|
This is convenient for debugging the underlying streamed image used by
`dockerTools.buildLayeredImage`.
Here's an example of how you might use this:
```console
$ nix repl ./.
nix-repl> dockerTools.examples.nginx.passthru.stream
«derivation /nix/store/9zczmlp2kraszx4ssmh6fawnlnsa5a4n-stream-nginx-container.drv»
```
|
|
trivial-builders: replace writeReferencesToFile with writeClosure
|
|
The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these were automatically added
to their package definitions wherever possible.
|
|
dockerTools: set NIX_SSL_CERT_FILE in image
|
|
Make `dockerTools.buildImageWithNixDb` reproducible
|
|
The proper place to describe them is the documentation, where they are
described thoroughly.
|
|
The change is insignificant when the owner is root. However, when it
is not root, this change is needed to allow using Nix (as an
unprivileged user) inside the container.
|
|
This opens the way towards building images where Nix can be used as an
unprivileged user (in single-user mode).
|
|
dockerTools: configurable compression schema
|
|
The loaded database contains timestamps of when the nix paths were
registered. Depending on the host store, these can differ between runs.
Resetting them to well-known values ensures that the produced image is
reproducible.
|
|
This commit adds support for swapping out the compression algorithm
used in all major docker-tools commands that generate images. The
default algorithm remains unchanged (gzip).
|
|
nixos/dockerTools: fix includeStorePaths when enableFakechroot
|
|
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
|
|
Resolves #275705
|
|
After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.
Now, the images will not contain any store paths under those
circumstances.
|
|
Not sure how this ever worked but tar was trying to archive /proc and /sys, which failed to work.
Since this is never useful for containers to do, we exclude this now in the proot case.
Also fakeroot is not needed when proot is used as it provides the same feature.
We now cleanly separate those cases as both are kind of hacks and it's more likely
that the combination will just trigger new bugs.
|
|
this allows nix users to modify existing images without having
to rely on container image inheritance mechanisms via fromImage
|
|
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
|
|
Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit
code when the destination files exist. Using `--update=none` will now
reproduce the old behavior of `--no-clobber`.
However, the `--update=none` flag was introduced in coreutils v9.3 and
thus `mergeImages` will fail if you have an older version than v9.3 in
stdenv after applying this commit.
[coreutils v9.3 changelog](https://github.com/coreutils/coreutils/blob/f386722dc0d996d5379f12b4a8d4dd15ca7df4b5/NEWS#L48)
|
|
Without this change, the `--os` and `--arch` switches are disregarded
for operations involving `skopeo inspect` invocations. This means that,
for example, one cannot fetch Linux images while on macOS.
|
|
This ensures `passwd` will default to yescrypt for newly generated
passwords.
|
|
This PR addresses issue #214434 by preventing
dockerTools.buildImage from deleting rootfs diffs until after
they've been unpacked.
|
|
This passes --rsyncable / -R to pigz for input-determined block
locations, to improve rsync-ability.
|
|
> has to fit its domain, which is the OCI spec, which uses
> `architecture`. The `defaultArch` and `GOARCH` names are irrelevant.
|
|
... for buildImage, buildLayeredImage and streamLayeredImage,
adding docs and tests.
|
|
This is a regression from PR #172736
|
|
To the user running the docker image. If a Nix binary is available in
the resulting derivation, this then behaves like a single-user Nix
installation, except that already-written /nix/store paths can't be
changed. Most notably it makes Nix work not have to rely on a chroot
store in the image
|
|
build-support: Fix error when building images with many layers
|
|
When building a docker image using `dockerTools.buildLayeredImage`, the
resulting image layers are passed to `jq` through the command line. When
building an image with too many layers this would exceed the maximum
command line argument length.
Hence, we store the list of layers in the Nix store and pass them to
`jq` as a file argument using `--slurpfile`.
Fixes #140908.