From 8353fad13da8983b95c47426a355e044099cee91 Mon Sep 17 00:00:00 2001 From: "Robert K. Bell" Date: Mon, 4 Dec 2023 14:39:18 +1100 Subject: [PATCH 1/2] nixos/dockerTools: fix includeStorePaths when enableFakechroot After #268458, when setting `enableFakechroot = true` and `includeStorePaths = false`, some of the store paths were getting included into the image anyway, thru `bind-paths`. This resulted in unexpectedly large images. Now, the images will not contain any store paths under those circumstances. --- nixos/tests/docker-tools.nix | 2 ++ pkgs/build-support/docker/default.nix | 1 + pkgs/build-support/docker/examples.nix | 1 + 3 files changed, 4 insertions(+) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index fcdfa586fd55..9ff286af4c26 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -75,6 +75,8 @@ in { docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.fail("docker run --rm hello | grep -i hello") docker.succeed("docker image rm hello:latest") + with subtest("Ensure ZERO paths are added to the store"): + docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") with subtest("includeStorePath = false; works with mounted store"): docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix index 7218d67062e7..8cdfd7cddb28 100644 --- a/pkgs/build-support/docker/default.nix +++ b/pkgs/build-support/docker/default.nix @@ -922,6 +922,7 @@ rec { --sort name \ --exclude=./proc \ --exclude=./sys \ + --exclude=.${builtins.storeDir} \ --numeric-owner --mtime "@$SOURCE_DATE_EPOCH" \ --hard-dereference \ -cf $out/layer.tar . 
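Review bot: The added `docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")` is satisfied by any non-zero exit of the pipeline, so a streaming script that errors out, a crane export that fails, or a tar that rejects the stream all read as "zero store paths" and the subtest passes vacuously. I would split it so that producing the listing has to succeed and only the absence of store paths is asserted negatively: `docker.succeed("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t > /tmp/no-store.list")` followed by `docker.fail("grep 'nix/store/' /tmp/no-store.list")`. The test driver appears to run commands under `pipefail`, which would make the succeed step catch a failing upstream stage; if it does not, prefix the first command with `set -o pipefail;`. A positive assertion that the listing contains the example's own `bin/hello` entry would additionally guard against an empty export (the exact member naming depends on how crane writes the rootfs, so confirm it once by hand). The enclosing testScript starts and ends outside the hunk.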
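Review bot: The new `--exclude=.${builtins.storeDir}` carries no comment, so a reader of this tar invocation cannot tell it apart from the `./proc` and `./sys` excludes, while the reason lives only in the commit message (store paths leaking into this layer through fakechroot's bind-paths and bloating the image). I would add `# Keep the store out of this layer: under fakechroot the bind-paths would otherwise pull store paths in, which bloats the image and defeats includeStorePaths = false.` on the line above the `tar \` invocation, which sits just outside the hunk; it must not go between the backslash-continued arguments, because a `#` line there would swallow every remaining argument into the comment. The exclusion is unconditional, so anything `fakeRootCommands` itself writes under the store dir in this layer is presumably dropped as well; if that is intended it belongs in the dockerTools documentation, otherwise the exclude needs to be scoped. GNU tar treats `--exclude` patterns as shell globs, unanchored by default, so this also relies on the store dir containing no glob metacharacters and on the archive being rooted at `.`, which the `-cf $out/layer.tar .` line does ensure. The surrounding build script continues outside the hunk.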
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index 5784e650dc2e..109bea54ec0c 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -637,6 +637,7 @@ rec {
 ];
 config.Cmd = [ "hello" ];
 includeStorePaths = false;
+ enableFakechroot = true;
 };

 etc =
From 1f9e86f31462b395d77151469a53543a94e46c36 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Wed, 17 Jan 2024 13:46:41 +0100
Subject: [PATCH 2/2] nixosTests.docker-tools: Use both code paths in includeStorePath test

---
 nixos/tests/docker-tools.nix | 13 +++++++++++++
 pkgs/build-support/docker/examples.nix | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix
index 9ff286af4c26..0987e1920b00 100644
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -71,16 +71,29 @@ in {
 docker.succeed("${examples.helloOnRoot} | docker load")
 docker.succeed("docker run --rm hello | grep -i hello")
 docker.succeed("docker image rm hello:latest")
+
 with subtest("includeStorePath = false; breaks example"):
 docker.succeed("${examples.helloOnRootNoStore} | docker load")
 docker.fail("docker run --rm hello | grep -i hello")
 docker.succeed("docker image rm hello:latest")
+ with subtest("includeStorePath = false; breaks example (fakechroot)"):
+ docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load")
+ docker.fail("docker run --rm hello | grep -i hello")
+ docker.succeed("docker image rm hello:latest")
+
 with subtest("Ensure ZERO paths are added to the store"):
 docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")
+ with subtest("Ensure ZERO paths are added to the store (fakechroot)"):
+ docker.fail("${examples.helloOnRootNoStoreFakechroot} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")
+
 with subtest("includeStorePath = false; works with mounted store"):
 docker.succeed("${examples.helloOnRootNoStore} | docker load")
 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
 docker.succeed("docker image rm hello:latest")
+ with subtest("includeStorePath = false; works with mounted store (fakechroot)"):
+ docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load")
+ docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
+ docker.succeed("docker image rm hello:latest")

 with subtest("Ensure Docker images use a stable date by default"):
 docker.succeed(
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index 109bea54ec0c..88f36d337f25 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
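Review bot: The three new `(fakechroot)` subtests are line-for-line copies of the subtests directly above them, differing only in the example derivation and the title suffix, which is exactly the duplication that lets a future assertion land in one code path and not the other. Since the testScript is Python, both examples can be driven from a single loop so the assertions and titles stay in lockstep; inside the Nix string, `${…}` remains Nix interpolation while `{image}` and `{suffix}` are Python f-string placeholders, so the two do not collide. The `docker.fail(... | tar t | grep 'nix/store/')` shape is inherited from the existing subtest and is left as is here. The enclosing testScript starts and ends outside the hunk.
```python
for suffix, image in [
    ("", "${examples.helloOnRootNoStore}"),
    (" (fakechroot)", "${examples.helloOnRootNoStoreFakechroot}"),
]:
    with subtest(f"includeStorePath = false; breaks example{suffix}"):
        docker.succeed(f"{image} | docker load")
        docker.fail("docker run --rm hello | grep -i hello")
        docker.succeed("docker image rm hello:latest")

    with subtest(f"Ensure ZERO paths are added to the store{suffix}"):
        docker.fail(f"{image} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")

    with subtest(f"includeStorePath = false; works with mounted store{suffix}"):
        docker.succeed(f"{image} | docker load")
        docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
        docker.succeed("docker image rm hello:latest")
# … unchanged: helloOnRoot subtest above, "stable date" subtest below …
```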
@@ -637,6 +637,19 @@ rec {
 ];
 config.Cmd = [ "hello" ];
 includeStorePaths = false;
+ };
+
+ helloOnRootNoStoreFakechroot = pkgs.dockerTools.streamLayeredImage {
+ name = "hello";
+ tag = "latest";
+ contents = [
+ (pkgs.buildEnv {
+ name = "hello-root";
+ paths = [ pkgs.hello ];
+ })
+ ];
+ config.Cmd = [ "hello" ];
+ includeStorePaths = false;
 enableFakechroot = true;
 };