1 files changed, 336 insertions, 0 deletions
diff --git a/doc/functions.xml b/doc/functions.xml
index 7f40ba33cd4..5a350a23e0a 100644
--- a/doc/functions.xml
+++ b/doc/functions.xml
@@ -291,4 +291,340 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
   </para>
 </section>
 
+<section xml:id="sec-pkgs-dockerTools">
+ <title>pkgs.dockerTools</title>
+
+ <para>
+  <varname>pkgs.dockerTools</varname> is a set of functions for creating and
+  manipulating Docker images according to the
+  <link xlink:href="https://github.com/docker/docker/blob/master/image/spec/v1.md#docker-image-specification-v100">
+   Docker Image Specification v1.0.0
+  </link>. Docker itself is not used to perform any of the operations done by these
+  functions.
+ </para>
+
+ <warning>
+  <para>
+   The <varname>dockerTools</varname> API is unstable and may be subject to
+   backwards-incompatible changes in the future.
+  </para>
+ </warning>
+
+ <section xml:id="ssec-pkgs-dockerTools-buildImage">
+  <title>buildImage</title>
+
+  <para>
+   This function is analogous to the <command>docker build</command> command,
+   in that can used to build a Docker-compatible repository tarball containing
+   a single image with one or multiple layers. As such, the result
+   is suitable for being loaded in Docker with <command>docker load</command>.
+  </para>
+
+  <para>
+   The parameters of <varname>buildImage</varname> with relative example values are
+   described below:
+  </para>
+
+  <example xml:id='ex-dockerTools-buildImage'><title>Docker build</title>
+  <programlisting>
+  buildImage {
+    name = "redis"; <co xml:id='ex-dockerTools-buildImage-1' />
+    tag = "latest"; <co xml:id='ex-dockerTools-buildImage-2' />
+    
+    fromImage = someBaseImage; <co xml:id='ex-dockerTools-buildImage-3' />
+    fromImageName = null; <co xml:id='ex-dockerTools-buildImage-4' />
+    fromImageTag = "latest"; <co xml:id='ex-dockerTools-buildImage-5' />
+    
+    contents = pkgs.redis; <co xml:id='ex-dockerTools-buildImage-6' />
+    runAsRoot = '' <co xml:id='ex-dockerTools-buildImage-runAsRoot' />
+      #!${stdenv.shell}
+      mkdir -p /data
+    '';
+
+    config = { <co xml:id='ex-dockerTools-buildImage-8' />
+      Cmd = [ "/bin/redis-server" ];
+      WorkingDir = "/data";
+      Volumes = {
+        "/data" = {};
+      };
+    };
+  }
+  </programlisting>
+  </example>
+
+  <para>The above example will build a Docker image <literal>redis/latest</literal>
+   from the given base image. Loading and running this image in Docker results in
+   <literal>redis-server</literal> being started automatically.
+  </para>
+
+  <calloutlist>
+   <callout arearefs='ex-dockerTools-buildImage-1'>
+    <para>
+     <varname>name</varname> specifies the name of the resulting image.
+     This is the only required argument for <varname>buildImage</varname>.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-2'>
+    <para>
+     <varname>tag</varname> specifies the tag of the resulting image.
+     By default it's <literal>latest</literal>.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-3'>
+    <para>
+     <varname>fromImage</varname> is the repository tarball containing the base image.
+     It must be a valid Docker image, such as exported by <command>docker save</command>.
+     By default it's <literal>null</literal>, which can be seen as equivalent
+     to <literal>FROM scratch</literal> of a <filename>Dockerfile</filename>.
+    </para>
+   </callout>
+   
+   <callout arearefs='ex-dockerTools-buildImage-4'>
+    <para>
+     <varname>fromImageName</varname> can be used to further specify
+     the base image within the repository, in case it contains multiple images.
+     By default it's <literal>null</literal>, in which case
+     <varname>buildImage</varname> will peek the first image available
+     in the repository.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-5'>
+    <para>
+     <varname>fromImageTag</varname> can be used to further specify the tag
+     of the base image within the repository, in case an image contains multiple tags.
+     By default it's <literal>null</literal>, in which case
+     <varname>buildImage</varname> will peek the first tag available for the base image.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-6'>
+    <para>
+     <varname>contents</varname> is a derivation that will be copied in the new
+     layer of the resulting image. This can be similarly seen as
+     <command>ADD contents/ /</command> in a <filename>Dockerfile</filename>.
+     By default it's <literal>null</literal>.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-runAsRoot'>
+    <para>
+     <varname>runAsRoot</varname> is a bash script that will run as root
+     in an environment that overlays the existing layers of the base image with
+     the new resulting layer, including the previously copied
+     <varname>contents</varname> derivation.
+     This can be similarly seen as
+     <command>RUN ...</command> in a <filename>Dockerfile</filename>.
+     
+     <note>
+      <para>
+       Using this parameter requires the <literal>kvm</literal>
+       device to be available.
+      </para>
+     </note>
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-buildImage-8'>
+    <para>
+     <varname>config</varname> is used to specify the configuration of the
+     containers that will be started off the built image in Docker.
+     The available options are listed in the
+     <link xlink:href="https://github.com/docker/docker/blob/master/image/spec/v1.md#container-runconfig-field-descriptions">
+      Docker Image Specification v1.0.0
+     </link>.
+    </para>
+   </callout>
+
+  </calloutlist>
+
+  <para>
+   After the new layer has been created, its closure
+   (to which <varname>contents</varname>, <varname>config</varname> and
+   <varname>runAsRoot</varname> contribute) will be copied in the layer itself.
+   Only new dependencies that are not already in the existing layers will be copied.
+  </para>
+
+  <para>
+   At the end of the process, only one new single layer will be produced and
+   added to the resulting image.
+  </para>
+
+  <para>
+   The resulting repository will only list the single image
+   <varname>image/tag</varname>. In the case of <xref linkend='ex-dockerTools-buildImage'/>
+   it would be <varname>redis/latest</varname>.
+  </para>
+
+  <para>
+   It is possible to inspect the arguments with which an image was built
+   using its <varname>buildArgs</varname> attribute.
+  </para>
+
+ </section>
+
+ <section xml:id="ssec-pkgs-dockerTools-fetchFromRegistry">
+  <title>pullImage</title>
+
+  <para>
+   This function is analogous to the <command>docker pull</command> command,
+   in that can be used to fetch a Docker image from a Docker registry.
+   Currently only registry <literal>v1</literal> is supported.
+   By default <link xlink:href="https://hub.docker.com/">Docker Hub</link>
+   is used to pull images.
+  </para>
+
+  <para>
+   Its parameters are described in the example below:
+  </para>
+
+  <example xml:id='ex-dockerTools-pullImage'><title>Docker pull</title>
+  <programlisting>
+  pullImage {
+    imageName = "debian"; <co xml:id='ex-dockerTools-pullImage-1' />
+    imageTag = "jessie"; <co xml:id='ex-dockerTools-pullImage-2' />
+    imageId = null; <co xml:id='ex-dockerTools-pullImage-3' />
+    sha256 = "1bhw5hkz6chrnrih0ymjbmn69hyfriza2lr550xyvpdrnbzr4gk2"; <co xml:id='ex-dockerTools-pullImage-4' />
+
+    indexUrl = "https://index.docker.io"; <co xml:id='ex-dockerTools-pullImage-5' />
+    registryUrl = "https://registry-1.docker.io";
+    registryVersion = "v1";
+  }
+  </programlisting>
+  </example>
+
+  <calloutlist>
+   <callout arearefs='ex-dockerTools-pullImage-1'>
+    <para>
+     <varname>imageName</varname> specifies the name of the image to be downloaded,
+     which can also include the registry namespace (e.g. <literal>library/debian</literal>).
+     This argument is required.
+    </para>
+   </callout>
+   
+   <callout arearefs='ex-dockerTools-pullImage-2'>
+    <para>
+     <varname>imageTag</varname> specifies the tag of the image to be downloaded.
+     By default it's <literal>latest</literal>.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-pullImage-3'>
+    <para>
+     <varname>imageId</varname>, if specified this exact image will be fetched, instead
+     of <varname>imageName/imageTag</varname>. However, the resulting repository
+     will still be named <varname>imageName/imageTag</varname>.
+     By default it's <literal>null</literal>.
+    </para>
+   </callout>
+
+   <callout arearefs='ex-dockerTools-pullImage-4'>
+    <para>
+     <varname>sha256</varname> is the checksum of the whole fetched image.
+     This argument is required.
+    </para>
+
+    <note>
+     <para>The checksum is computed on the unpacked directory, not on the final tarball.</para>
+    </note>
+
+   </callout>
+
+   <callout arearefs='ex-dockerTools-pullImage-5'>
+    <para>
+     In the above example the default values are shown for the variables <varname>indexUrl</varname>,
+     <varname>registryUrl</varname> and <varname>registryVersion</varname>.
+     Hence by default the Docker.io registry is used to pull the images.
+    </para>
+   </callout>
+  </calloutlist>
+   
+ </section>
+  
+ <section xml:id="ssec-pkgs-dockerTools-exportImage">
+  <title>exportImage</title>
+
+  <para>
+   This function is analogous to the <command>docker export</command> command,
+   in that can used to flatten a Docker image that contains multiple layers.
+   It is in fact the result of the merge of all the layers of the image.
+   As such, the result is suitable for being imported in Docker
+   with <command>docker import</command>.
+  </para>
+
+  <note>
+   <para>
+    Using this function requires the <literal>kvm</literal>
+    device to be available.
+   </para>
+  </note>
+
+  <para>
+   The parameters of <varname>exportImage</varname> are the following:
+  </para>
+
+  <example xml:id='ex-dockerTools-exportImage'><title>Docker export</title>
+  <programlisting>
+  exportImage {
+    fromImage = someLayeredImage;
+    fromImageName = null;
+    fromImageTag = null;
+    
+    name = someLayeredImage.name;
+  }
+  </programlisting>
+  </example>
+
+  <para>
+   The parameters relative to the base image have the same synopsis as
+   described in <xref linkend='ssec-pkgs-dockerTools-buildImage'/>, except that
+   <varname>fromImage</varname> is the only required argument in this case.
+  </para>
+
+  <para>
+   The <varname>name</varname> argument is the name of the derivation output,
+   which defaults to <varname>fromImage.name</varname>.
+  </para>
+ </section>
+
+ <section xml:id="ssec-pkgs-dockerTools-shadowSetup">
+  <title>shadowSetup</title>
+
+  <para>
+   This constant string is a helper for setting up the base files for managing
+   users and groups, only if such files don't exist already.
+   It is suitable for being used in a
+   <varname>runAsRoot</varname> <xref linkend='ex-dockerTools-buildImage-runAsRoot'/> script for cases like
+   in the example below:
+  </para>
+  
+  <example xml:id='ex-dockerTools-shadowSetup'><title>Shadow base files</title>
+  <programlisting>
+  buildImage {
+    name = "shadow-basic";
+
+    runAsRoot = ''
+      #!${stdenv.shell}
+      ${shadowSetup}
+      groupadd -r redis
+      useradd -r -g redis redis
+      mkdir /data
+      chown redis:redis /data
+    '';
+  }
+  </programlisting>
+  </example>
+
+  <para>
+   Creating base files like <literal>/etc/passwd</literal> or
+   <literal>/etc/login.defs</literal> are necessary for shadow-utils to
+   manipulate users and groups.
+  </para>
+  
+ </section>
+ 
+</section>
+
 </chapter>