author Robert Hensing <roberth@users.noreply.github.com> 2022-08-31 14:08:02 +0200
committer GitHub <noreply@github.com> 2022-08-31 14:08:02 +0200
commit 62b25a28fe64cfdcd8bfe8c50d9d03257733d172 (patch)
tree 3b8cb16326662e2a15f51a85067a5e1c6a767dfa
parent 4415574d237c6b6b8d239d32d499c897e5e60597 (diff)
parent c9d8e34fc44c103f402275e13d010ed3febd2424 (diff)
Merge pull request #170906 from Sohalt/dockerTools.ca-certificates.crt
dockerTools ca-certificates.crt helper
-rw-r--r-- doc/builders/images/dockertools.section.md | 39
-rw-r--r-- pkgs/build-support/docker/default.nix | 10
2 files changed, 48 insertions, 1 deletions
diff --git a/doc/builders/images/dockertools.section.md b/doc/builders/images/dockertools.section.md
index 6fdd4b5cadd..db1a2a214d1 100644
--- a/doc/builders/images/dockertools.section.md
+++ b/doc/builders/images/dockertools.section.md
@@ -308,7 +308,44 @@ The parameters relative to the base image have the same synopsis as described in
 
 The `name` argument is the name of the derivation output, which defaults to `fromImage.name`.
 
-## shadowSetup {#ssec-pkgs-dockerTools-shadowSetup}
+## Environment Helpers {#ssec-pkgs-dockerTools-helpers}
+
+Some packages expect certain files to be available globally.
+When building an image from scratch (i.e. without `fromImage`), these files are missing.
+`pkgs.dockerTools` provides some helpers to set up an environment with the necessary files.
+You can include them in `copyToRoot` like this:
+
+```nix
+buildImage {
+  name = "environment-example";
+  copyToRoot = with pkgs.dockerTools; [
+    usrBinEnv
+    binSh
+    caCertificates
+    fakeNss
+  ];
+}
+```
+
+### usrBinEnv {#sssec-pkgs-dockerTools-helpers-usrBinEnv}
+
+This provides the `env` utility at `/usr/bin/env`.
+
+### binSh {#sssec-pkgs-dockerTools-helpers-binSh}
+
+This provides `bashInteractive` at `/bin/sh`.
+
+### caCertificates {#sssec-pkgs-dockerTools-helpers-caCertificates}
+
+This sets up `/etc/ssl/certs/ca-certificates.crt`.
+
+### fakeNss {#sssec-pkgs-dockerTools-helpers-fakeNss}
+
+Provides `/etc/passwd` and `/etc/group` that contain root and nobody.
+Useful when packaging binaries that insist on using nss to look up
+username/groups (like nginx).
+
+### shadowSetup {#ssec-pkgs-dockerTools-shadowSetup}
 
 This constant string is a helper for setting up the base files for managing users and groups, only if such files don't exist already. It is suitable for being used in a [`buildImage` `runAsRoot`](#ex-dockerTools-buildImage-runAsRoot) script for cases like in the example below:
 
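Review bot: the new `caCertificates` subsection in this hunk documents only `/etc/ssl/certs/ca-certificates.crt`, while the matching `default.nix` change in this commit also links the bundle at `/etc/ssl/certs/ca-bundle.crt` and `/etc/pki/tls/certs/ca-bundle.crt`; list all three paths here (the nix-side comments already name the consumers: old NixOS, Debian/Ubuntu/Arch/Gentoo, CentOS/Fedora) so a reader building a from-scratch image can tell whether the trust-store path their TLS client expects is covered. Minor: `shadowSetup` is demoted from `##` to `###` but keeps the `{#ssec-pkgs-dockerTools-shadowSetup}` id while its new siblings use the `sssec-` prefix; keeping the old id preserves existing links, so either say so in a comment or rename it deliberately rather than leaving the inconsistency unexplained.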
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 7468f056005..6876e9e7358 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -792,6 +792,16 @@ rec {
     ln -s ${bashInteractive}/bin/bash $out/bin/sh
   '';
 
+  # This provides the ca bundle in common locations
+  caCertificates = runCommand "ca-certificates" { } ''
+    # Old NixOS compatibility.
+    ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-bundle.crt
+    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
+    ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt
+    # CentOS/Fedora compatibility.
+    ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/pki/tls/certs/ca-bundle.crt
+  '';
+
   # Build an image and populate its nix database with the provided
   # contents. The main purpose is to be able to use nix commands in
   # the container.
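Review bot: the `caCertificates` derivation in this hunk never creates its target directories before symlinking; with `runCommand`, `$out` does not exist until the builder creates it, so the first `ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-bundle.crt` fails with "No such file or directory" and the build aborts. Add `mkdir -p $out/etc/ssl/certs $out/etc/pki/tls/certs` as the first line of the script. Two smaller points: confirm `cacert` is bound in this file's scope (the hunk only shows its use via `${cacert}`), and consider extending the leading comment to say that all three links resolve into the pinned `cacert` store path, so the trust store inside the image is exactly the bundle nixpkgs evaluated rather than whatever the host or base image happens to carry.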