# Helpers for assembling Docker images as plain tarballs: layers are built by
# ordinary derivations, and only the steps that must run as root (runAsRoot)
# are executed inside a vmTools virtual machine. `docker` is needed solely
# for its source tree (the tarsum helper); no daemon is involved.
{
  callPackage,
  coreutils,
  # Only docker.src is used, to build the tarsum helper.
  docker,
  e2fsprogs,
  findutils,
  go,
  jshon,
  jq,
  lib,
  pkgs,
  pigz,
  nixUnstable,
  perl,
  runCommand,
  rsync,
  shadow,
  stdenv,
  # Store path of the evaluating Nix. mkRootLayer bind-mounts it into the
  # VM and buildImage lists it in every layer's file set.
  storeDir ? builtins.storeDir,
  utillinux,
  vmTools,
  writeReferencesToFile,
  writeScript,
  writeText,
}:
# WARNING: this API is unstable and may be subject to backwards-incompatible changes in the future.
rec {
# Example images; ./examples.nix receives the builders defined in this set
# plus the full package set.
examples =
  let
    exampleArgs = {
      pkgs = pkgs;
      buildImage = buildImage;
      pullImage = pullImage;
      shadowSetup = shadowSetup;
      buildImageWithNixDb = buildImageWithNixDb;
    };
  in import ./examples.nix exampleArgs;
# Fetch an image from a registry with skopeo and store it as a docker-archive
# tarball. This is a fixed-output derivation: `outputHashMode = "flat"` hashes
# the archive itself and Nix rejects the result unless it matches `sha256`.
# The default `imageId` is a `name:tag` reference, which a registry may move;
# the pinned hash then makes the build fail loudly instead of silently picking
# up different content.
pullImage =
  let
    # Registry references contain '/' and ':', neither of which may appear in
    # a store path name.
    storeSafe = s: builtins.replaceStrings [ "/" ":" ] [ "-" "-" ] s;
  in
  # For simplicity we only support sha256.
  { imageName
  , imageTag ? "latest"
  , imageId ? "${imageName}:${imageTag}"
  , sha256
  , name ? (storeSafe "docker-image-${imageName}-${imageTag}.tar")
  }:
  let
    fixedOutputAttrs = {
      # Lets the proxy-related environment variables through the sandbox
      # (that is what the name of the helper says; verify against lib.fetchers).
      impureEnvVars = pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
      outputHashMode = "flat";
      outputHashAlgo = "sha256";
      outputHash = sha256;
    };
  in
  runCommand name fixedOutputAttrs
    "${pkgs.skopeo}/bin/skopeo copy docker://${imageId} docker-archive://$out:${imageId}";
|
2016-09-28 01:42:05 +02:00
|
|
|
|
2015-11-19 13:11:17 +01:00
|
|
|
# We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
# And we cannot untar it, because then we cannot preserve permissions etc.
#
# Builds the `tarsum` binary from ./tarsum.go against docker's own tarsum
# package (symlinked out of docker.src). mkPureLayer and mkRootLayer pipe
# layer.tar into it and store the result as the `checksum` field of the
# layer's json.
tarsum = runCommand "tarsum" {
  buildInputs = [ go ];
} ''
  mkdir tarsum
  cd tarsum

  cp ${./tarsum.go} tarsum.go
  export GOPATH=$(pwd)
  mkdir src
  ln -sT ${docker.src}/components/engine/pkg/tarsum src/tarsum
  go build

  cp tarsum $out
'';
|
2016-09-28 01:42:05 +02:00
|
|
|
|
2015-11-19 13:11:17 +01:00
|
|
|
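# buildEnv creates symlinks to dirs, which is hard to edit inside the overlay VM
#
# Copy the contents of every path in `derivations` into a single output
# tree. Directories are copied (modes preserved); anything else is treated
# as a tarball and extracted. With `onlyDeps` set, $out is instead a file
# listing the derivations. `onlyDeps` is a Nix boolean; in the script it
# shows up as an empty string for false, hence the `-n` test.
#
# Fix: the tar branch read `$drv`, a variable that is never set, so every
# non-directory derivation was skipped and the `|| true` hid the error.
mergeDrvs = {
  derivations,
  onlyDeps ? false
}:
  runCommand "merge-drvs" {
    inherit derivations onlyDeps;
  } ''
    if [[ -n "$onlyDeps" ]]; then
      echo $derivations > $out
      exit 0
    fi

    mkdir $out
    for derivation in $derivations; do
      echo "Merging $derivation..."
      if [[ -d "$derivation" ]]; then
        # If it's a directory, copy all of its contents into $out.
        cp -drf --preserve=mode -f $derivation/* $out/
      else
        # Otherwise treat the derivation as a tarball and extract it
        # into $out. Extraction stays best-effort: an archive tar
        # cannot read is skipped rather than aborting the merge.
        tar -C $out -xpf "$derivation" || true
      fi
    done
  '';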
# Helper for setting up the base files for managing users and
# groups, only if such files don't exist already. It is suitable for
# being used in a runAsRoot script.
#
# What it creates (never overwriting an existing file):
#  - /etc/passwd and /etc/shadow with a single root entry; the shadow
#    password field starts with '!', i.e. the root password is locked.
#  - /etc/group and /etc/gshadow with the root group.
#  - /etc/pam.d/other, the fallback PAM service: `auth` is satisfied by
#    pam_rootok.so, so uid 0 needs no password; account/password/session
#    go through pam_unix.so.
#  - an empty /etc/login.defs.
# The shadow tools are put first on PATH for the rest of the script.
shadowSetup = ''
  export PATH=${shadow}/bin:$PATH
  mkdir -p /etc/pam.d
  if [[ ! -f /etc/passwd ]]; then
    echo "root:x:0:0::/root:${stdenv.shell}" > /etc/passwd
    echo "root:!x:::::::" > /etc/shadow
  fi
  if [[ ! -f /etc/group ]]; then
    echo "root:x:0:" > /etc/group
    echo "root:x::" > /etc/gshadow
  fi
  if [[ ! -f /etc/pam.d/other ]]; then
    cat > /etc/pam.d/other <<EOF
  account sufficient pam_unix.so
  auth sufficient pam_rootok.so
  password requisite pam_unix.so nullok sha512
  session required pam_unix.so
  EOF
  fi
  if [[ ! -f /etc/login.defs ]]; then
    touch /etc/login.defs
  fi
'';
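# Run commands in a virtual machine.
#
# Inside a vmTools VM, format a fresh disk, unpack every layer of `fromImage`
# (if given) and stack them with overlayfs under mnt/, with `layer/` as the
# writable upper directory. Hooks run at three points:
#   preMount   - before mnt/ is mounted (layer/ exists, nothing is mounted);
#   postMount  - with the merged filesystem mounted on mnt/;
#   postUmount - after unmount, when layer/ holds exactly the changes made.
# Whiteouts: Docker marks deletions as `.wh.<name>` files in a layer tarball;
# they are converted to 0/0 character devices (the overlayfs whiteout form)
# before mounting, and any character device left in layer/ afterwards is
# turned back into a `.wh.<name>` file so the result is a valid Docker layer.
#
# Fixes in this revision:
#  - the whiteout conversion spliced the found path into a `bash -c` script
#    via `{}`, so any quote, `$` or backtick in a file name from the layer
#    tarball would have been interpreted by bash; the path is now passed as
#    an argument and referenced as "$1";
#  - `lowerdir` was built by appending. overlayfs treats the leftmost entry
#    as the top-most lower layer, and `$layers` is base-first, so with more
#    than one layer the base image shadowed the newer layers. Newer layers
#    are now prepended.
runWithOverlay = {
  name,
  fromImage ? null,
  fromImageName ? null,
  fromImageTag ? null,
  # Size of the scratch disk, in MiB as used by vmTools.createEmptyImage.
  diskSize ? 1024,
  preMount ? "",
  postMount ? "",
  postUmount ? ""
}:
  vmTools.runInLinuxVM (
    runCommand name {
      preVM = vmTools.createEmptyImage {
        size = diskSize;
        fullName = "docker-run-disk";
      };
      inherit fromImage fromImageName fromImageTag;

      buildInputs = [ utillinux e2fsprogs jshon rsync jq ];
    } ''
      rm -rf $out

      mkdir disk
      mkfs /dev/${vmTools.hd}
      mount /dev/${vmTools.hd} disk
      cd disk

      layers=""
      if [[ -n "$fromImage" ]]; then
        echo "Unpacking base image..."
        mkdir image
        tar -C image -xpf "$fromImage"
        layers=$(jq -r '.[0].Layers | join(" ")' image/manifest.json)
      fi

      # Unpack all of the layers into the image.
      # Layer list is ordered starting from the base image
      lowerdir=""
      for layer in $layers; do
        echo "Unpacking layer $layer"
        layerDir=image/$(echo $layer | cut -d':' -f2)"_unpacked"
        mkdir -p $layerDir
        tar -C $layerDir -xpf image/$layer
        chmod a+w image/$layer
        rm image/$layer

        # Turn Docker whiteout files into overlayfs whiteouts. The path
        # is passed as $1 so that file names are never parsed by bash.
        find $layerDir -name ".wh.*" -exec bash -c 'name="$(basename "$1" | sed "s/^.wh.//")"; mknod "$(dirname "$1")/$name" c 0 0; rm "$1"' _ {} \;

        # Prepend: overlayfs puts the leftmost lowerdir on top, and
        # $layers is base-first, so each newer layer goes to the left.
        lowerdir=$layerDir''${lowerdir:+:}$lowerdir
      done

      mkdir work
      mkdir layer
      mkdir mnt

      ${lib.optionalString (preMount != "") ''
        # Execute pre-mount steps
        echo "Executing pre-mount steps..."
        ${preMount}
      ''}

      if [ -n "$lowerdir" ]; then
        mount -t overlay overlay -olowerdir=$lowerdir,workdir=work,upperdir=layer mnt
      else
        mount --bind layer mnt
      fi

      ${lib.optionalString (postMount != "") ''
        # Execute post-mount steps
        echo "Executing post-mount steps..."
        ${postMount}
      ''}

      umount mnt

      # Convert overlayfs whiteouts in the upper dir back into Docker's
      # .wh.<name> files, again passing the path as an argument.
      (
        cd layer
        cmd='name="$(basename "$1")"; touch "$(dirname "$1")/.wh.$name"; rm "$1"'
        find . -type c -exec bash -c "$cmd" _ {} \;
      )

      ${postUmount}
    '');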
# Flatten `fromImage` into one tarball of its merged root filesystem: the
# image's layers are stacked by runWithOverlay and the mounted tree is packed
# as $out, with mtimes normalised to SOURCE_DATE_EPOCH. No manifest or layer
# metadata is produced.
exportImage = { name ? fromImage.name, fromImage, fromImageName ? null, fromImageTag ? null, diskSize ? 1024 }:
  let
    packRootfs = ''
      echo "Packing raw image..."
      tar -C mnt --mtime="@$SOURCE_DATE_EPOCH" -cf $out .
    '';
  in
  runWithOverlay {
    name = name;
    fromImage = fromImage;
    fromImageName = fromImageName;
    fromImageTag = fromImageTag;
    diskSize = diskSize;
    postMount = packRootfs;
  };
|
2016-09-28 01:42:05 +02:00
|
|
|
|
|
|
|
|
|
|
|
# Create an executable shell script which has the coreutils in its
# PATH. Since root scripts are executed in a blank environment, even
# things like `ls` or `echo` will be missing.
#
# The script is `set -e`, so the first failing command in `text` aborts it.
# The trailing "" yields the final newline after `text`.
shellScript = name: text:
  writeScript name (lib.concatStringsSep "\n" [
    "#!${stdenv.shell}"
    "set -e"
    "export PATH=${coreutils}/bin:/bin"
    text
    ""
  ]);
# Produce the Nix database dump ($out/db.dump) and the list of store paths
# ($out/storePaths) for the closure of `contents`, which may be a single
# path or a list of paths. buildImageWithNixDb loads these into the image.
nixRegistration = contents:
  let
    paths = lib.toList contents;
    # One closure-<name> graph file per root, written by exportReferencesGraph.
    graphs = map (p: [ "closure-${baseNameOf p}" p ]) paths;
  in
  runCommand "nix-registration" {
    buildInputs = [ nixUnstable perl ];
    # For obtaining the closure of `contents'.
    exportReferencesGraph = graphs;
  } ''
    mkdir $out
    printRegistration=1 perl ${pkgs.pathsFromGraph} closure-* > $out/db.dump
    perl ${pkgs.pathsFromGraph} closure-* > $out/storePaths
  '';
# Create a "layer" (set of files).
#
# Runs as an ordinary derivation (no VM, no root). Output:
#   $out/layer.tar  - `contents` rsync'ed into layer/ (owned 0:0), with
#                     `extraCommands` eval'ed in that directory first;
#   $out/json       - `baseJson` plus a `checksum` field from tarsum;
#   $out/VERSION    - "1.0".
# `extraCommands` comes from the Nix expression that builds the image, not
# from the image contents; it is passed through the environment and eval'ed
# verbatim.
mkPureLayer = {
  # Name of the layer
  name,
  # JSON containing configuration and metadata for this layer.
  baseJson,
  # Files to add to the layer.
  contents ? null,
  # Additional commands to run on the layer before it is tar'd up.
  # uid/gid are the owner and group recorded for every entry of layer.tar.
  extraCommands ? "", uid ? 0, gid ? 0
}:
  runCommand "docker-layer-${name}" {
    inherit baseJson contents extraCommands;
    buildInputs = [ jshon rsync ];
  }
  ''
    mkdir layer
    if [[ -n "$contents" ]]; then
      echo "Adding contents..."
      for item in $contents; do
        echo "Adding $item"
        rsync -ak --chown=0:0 $item/ layer/
      done
    else
      echo "No contents to add to layer."
    fi

    chmod ug+w layer

    if [[ -n $extraCommands ]]; then
      (cd layer; eval "$extraCommands")
    fi

    # Tar up the layer and throw it into 'layer.tar'.
    echo "Packing layer..."
    mkdir $out
    tar -C layer --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf $out/layer.tar .

    # Compute a checksum of the tarball.
    echo "Computing layer checksum..."
    tarsum=$(${tarsum} < $out/layer.tar)

    # Add a 'checksum' field to the JSON, with the value set to the
    # checksum of the tarball.
    cat ${baseJson} | jshon -s "$tarsum" -i checksum > $out/json

    # Indicate to docker that we're using schema version 1.0.
    echo -n "1.0" > $out/VERSION

    echo "Finished building layer '${name}'"
  '';
# Make a "root" layer; required if we need to execute commands as a
# privileged user on the image. The commands themselves will be
# performed in a virtual machine sandbox.
#
# Built on top of runWithOverlay: `contents` are copied into layer/ before
# the overlay is mounted, `runAsRoot` runs against the mounted image, and
# the upper directory is packed afterwards. Output layout matches
# mkPureLayer (layer.tar, json with `checksum`, VERSION).
# Differences from mkPureLayer worth knowing:
#  - there are no uid/gid parameters; tar records the owners the files
#    have inside the VM;
#  - `extraCommands` is interpolated into the script at Nix level rather
#    than read from the environment, so a double quote inside it would
#    break the `eval "..."` quoting.
mkRootLayer = {
  # Name of the image.
  name,
  # Script to run as root. Bash.
  runAsRoot,
  # Files to add to the layer. If null, an empty layer will be created.
  contents ? null,
  # JSON containing configuration and metadata for this layer.
  baseJson,
  # Existing image onto which to append the new layer.
  fromImage ? null,
  # Name of the image we're appending onto.
  fromImageName ? null,
  # Tag of the image we're appending onto.
  fromImageTag ? null,
  # How much disk to allocate for the temporary virtual machine.
  diskSize ? 1024,
  # Commands (bash) to run on the layer; these do not require sudo.
  extraCommands ? ""
}:
  # Generate an executable script from the `runAsRoot` text.
  let runAsRootScript = shellScript "run-as-root.sh" runAsRoot;
  in runWithOverlay {
    name = "docker-layer-${name}";

    inherit fromImage fromImageName fromImageTag diskSize;

    preMount = lib.optionalString (contents != null && contents != []) ''
      echo "Adding contents..."
      for item in ${toString contents}; do
        echo "Adding $item..."
        rsync -ak --chown=0:0 $item/ layer/
      done

      chmod ug+w layer
    '';

    # The VM's /dev, /sys and store are bind-mounted into the image so the
    # script can reach store paths; the script itself runs via chroot in
    # fresh ipc/mount/net/pid/uts namespaces (unshare -imnpu) with its own
    # /proc. NOTE(review): the store bind mount is not made read-only here,
    # so the script can write to the VM's view of the store - confirm
    # whether runInLinuxVM already mounts it read-only.
    postMount = ''
      mkdir -p mnt/{dev,proc,sys} mnt${storeDir}

      # Mount /dev, /sys and the nix store as shared folders.
      mount --rbind /dev mnt/dev
      mount --rbind /sys mnt/sys
      mount --rbind ${storeDir} mnt${storeDir}

      # Execute the run as root script. See 'man unshare' for
      # details on what's going on here; basically this command
      # means that the runAsRootScript will be executed in a nearly
      # completely isolated environment.
      unshare -imnpuf --mount-proc chroot mnt ${runAsRootScript}

      # Unmount directories and remove them.
      umount -R mnt/dev mnt/sys mnt${storeDir}
      rmdir --ignore-fail-on-non-empty \
        mnt/dev mnt/proc mnt/sys mnt${storeDir} \
        mnt$(dirname ${storeDir})
    '';

    # layer/ now holds only what runAsRoot changed (plus `contents`).
    postUmount = ''
      (cd layer; eval "${extraCommands}")

      echo "Packing layer..."
      mkdir $out
      tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .

      # Compute the tar checksum and add it to the output json.
      echo "Computing checksum..."
      ts=$(${tarsum} < $out/layer.tar)
      cat ${baseJson} | jshon -s "$ts" -i checksum > $out/json
      # Indicate to docker that we're using schema version 1.0.
      echo -n "1.0" > $out/VERSION

      echo "Finished building layer '${name}'"
    '';
  };
# 1. extract the base image
# 2. create the layer
# 3. add layer deps to the layer itself, diffing with the base image
# 4. compute the layer id
# 5. put the layer in the image
# 6. repack the image
#
# Produces a gzipped docker-archive (`docker load`-able) at $out. The new
# layer is mkPureLayer unless `runAsRoot` is given, in which case it is
# mkRootLayer. Step 3 appends the runtime closure of the layer (from
# writeReferencesToFile) to layer.tar, minus whatever the base image's
# layers already contain. The layer is addressed by the sha256 of its
# gzipped tarball and the config by the sha256 of its json.
#
# NOTE(review), points to confirm rather than facts established here:
#  - ls_tar relies on word splitting of `tar -tf` output, so member names
#    containing whitespace would be split into several entries;
#  - `comm` expects its inputs in collation order, but they are sorted
#    with `sort -n`; the diff may be wrong when the two orders differ;
#  - the loop over `$layers` prepends to history/diff_ids/Layers while
#    `$layers` is base-first, so the emitted arrays end up newest-first.
buildImage = args@{
  # Image name.
  name,
  # Image tag.
  tag ? "latest",
  # Parent image, to append to.
  fromImage ? null,
  # Name of the parent image; will be read from the image otherwise.
  fromImageName ? null,
  # Tag of the parent image; will be read from the image otherwise.
  fromImageTag ? null,
  # Files to put on the image (a nix store path or list of paths).
  contents ? null,
  # Docker config; e.g. what command to run on the container.
  config ? null,
  # Optional bash script to run on the files prior to fixturizing the layer.
  # uid/gid only apply to the mkPureLayer path (see the `layer` binding).
  extraCommands ? "", uid ? 0, gid ? 0,
  # Optional bash script to run as root on the image when provisioning.
  runAsRoot ? null,
  # Size of the virtual machine disk to provision when building the image.
  diskSize ? 1024,
  # Time of creation of the image.
  created ? "1970-01-01T00:00:01Z",
}:

  let
    baseName = baseNameOf name;

    # Create a JSON blob of the configuration. Set the date to unix zero.
    baseJson = writeText "${baseName}-config.json" (builtins.toJSON {
      inherit created config;
      architecture = "amd64";
      os = "linux";
    });

    layer =
      if runAsRoot == null
      then mkPureLayer {
        name = baseName;
        inherit baseJson contents extraCommands uid gid;
      } else mkRootLayer {
        name = baseName;
        inherit baseJson fromImage fromImageName fromImageTag
                contents runAsRoot diskSize extraCommands;
      };
    result = runCommand "docker-image-${baseName}.tar.gz" {
      buildInputs = [ jshon pigz coreutils findutils jq ];
      # Image name and tag must be lowercase
      imageName = lib.toLower name;
      imageTag = lib.toLower tag;
      inherit fromImage baseJson;
      # File listing the runtime closure of the layer; every path in it is
      # added to the layer unless the base image already provides it.
      layerClosure = writeReferencesToFile layer;
      passthru.buildArgs = args;
      passthru.layer = layer;
    } ''
      # Print tar contents:
      # 1: Interpreted as relative to the root directory
      # 2: With no trailing slashes on directories
      # This is useful for ensuring that the output matches the
      # values generated by the "find" command
      ls_tar() {
        for f in $(tar -tf $1 | xargs realpath -ms --relative-to=.); do
          if [[ "$f" != "." ]]; then
            echo "/$f"
          fi
        done
      }

      mkdir image
      touch baseFiles
      layers=""
      if [[ -n "$fromImage" ]]; then
        echo "Unpacking base image..."
        tar -C image -xpf "$fromImage"
        config=$(jq -r '.[0].Config' image/manifest.json)
        layers=$(jq -r '.[0].Layers | join(" ")' image/manifest.json)
        for l in $layers; do
          ls_tar image/$l >> baseFiles
        done
        chmod u+w image image/$config
        rm image/$config
      fi

      chmod -R ug+rw image

      mkdir temp
      cp ${layer}/* temp/
      chmod ug+w temp/*

      echo "$(dirname ${storeDir})" >> layerFiles
      echo '${storeDir}' >> layerFiles
      for dep in $(cat $layerClosure); do
        find $dep >> layerFiles
      done

      echo "Adding layer..."
      # Record the contents of the tarball with ls_tar.
      ls_tar temp/layer.tar >> baseFiles

      # Get the files in the new layer which were *not* present in
      # the old layer, and record them as newFiles.
      comm <(sort -n baseFiles|uniq) \
           <(sort -n layerFiles|uniq|grep -v ${layer}) -1 -3 > newFiles
      # Append the new files to the layer.
      tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --no-recursion --files-from newFiles

      gzip temp/layer.tar
      layerID="sha256:$(sha256sum temp/layer.tar.gz | cut -d ' ' -f 1)"
      mv temp/layer.tar.gz image/$layerID

      echo "Generating image configuration and manifest..."
      imageJson=$(cat ${baseJson} | jq ". + {\"rootfs\": {\"diff_ids\": [], \"type\": \"layers\"}}")
      manifestJson=$(jq -n "[{\"RepoTags\":[\"$imageName:$imageTag\"]}]")

      # The layer list is ordered starting from the base image
      layers=$(echo $layers $layerID)
      for i in $(echo $layers); do
        imageJson=$(echo "$imageJson" | jq ".history |= [{\"created\": \"${created}\"}] + .")
        diffId=$(gzip -dc image/$i | sha256sum | cut -d" " -f1)
        imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= [\"sha256:$diffId\"] + .")
        manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= [\"$i\"] + .")
      done

      imageJsonChecksum=$(echo "$imageJson" | sha256sum | cut -d ' ' -f1)
      echo "$imageJson" > "image/sha256:$imageJsonChecksum"
      manifestJson=$(echo "$manifestJson" | jq ".[0].Config = \"sha256:$imageJsonChecksum\"")
      echo "$manifestJson" > image/manifest.json

      # Make the image read-only.
      chmod -R a-w image

      echo "Cooking the image..."
      tar -C image --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --xform s:'./':: -c . | pigz -nT > $out

      echo "Finished."
    '';
  in
  result;
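# Build an image and populate its nix database with the provided
# contents. The main purpose is to be able to use nix commands in
# the container.
# Be careful since this doesn't work well with multilayer.
#
# `contents` may be a single store path or a list of them, as buildImage
# documents; it is required in practice because nixRegistration cannot
# work on null. The generated commands run in the layer directory (see
# mkPureLayer/mkRootLayer) ahead of the caller's own `extraCommands`.
#
# Fix: the gcroots loop called lib.concatStringsSep directly on `contents`,
# which fails at evaluation time for a single path; it now normalises with
# lib.toList exactly as nixRegistration does.
buildImageWithNixDb = args@{ contents ? null, extraCommands ? "", ... }:
  let
    contentsList = lib.toList contents;
    # db.dump and storePaths for the closure of `contents`.
    registration = nixRegistration contents;
    nixDbCommands = ''
      echo "Generating the nix database..."
      echo "Warning: only the database of the deepest Nix layer is loaded."
      echo " If you want to use nix commands in the container, it would"
      echo " be better to only have one layer that contains a nix store."
      # This requires Nix 1.12 or higher
      export NIX_REMOTE=local?root=$PWD
      ${nixUnstable}/bin/nix-store --load-db < ${registration}/db.dump

      # We fill the store in order to run the 'verify' command that
      # generates hash and size of output paths.
      # Note when Nix 1.12 is be the stable one, the database dump
      # generated by the exportReferencesGraph function will
      # contains sha and size. See
      # https://github.com/NixOS/nix/commit/c2b0d8749f7e77afc1c4b3e8dd36b7ee9720af4a
      storePaths=$(cat ${registration}/storePaths)
      echo "Copying everything to /nix/store (will take a while)..."
      cp -prd $storePaths nix/store/
      ${nixUnstable}/bin/nix-store --verify --check-contents

      # Register each root so a gc inside the container keeps it.
      mkdir -p nix/var/nix/gcroots/docker/
      for i in ${lib.concatStringsSep " " contentsList}; do
        ln -s $i nix/var/nix/gcroots/docker/$(basename $i)
      done;
    '';
  in
  buildImage (args // {
    extraCommands = nixDbCommands + extraCommands;
  });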
}