| Commit message | Author | Age |
this allows nix users to modify existing images without having
to rely on container image inheritance mechanisms via fromImage
|
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
|
Since coreutils v9.2 the `--no-clobber` flag results in a non-zero exit
code when the destination files exist. Using `--update=none` will now
reproduce the old behavior of `--no-clobber`.
However, the `--update=none` flag was introduced in coreutils v9.3 and
thus `mergeImages` will fail if you have an older version than v9.3 in
stdenv after applying this commit.
[coreutils v9.3 changelog](https://github.com/coreutils/coreutils/blob/f386722dc0d996d5379f12b4a8d4dd15ca7df4b5/NEWS#L48)
|
This ensures `passwd` will default to yescrypt for newly generated
passwords.
|
This PR addresses issue #214434 by preventing
dockerTools.buildImage from deleting rootfs diffs until after
they've been unpacked.
|
This passes --rsyncable / -R to pigz for input-determined block
locations, to improve rsync-ability.
|
> has to fit its domain, which is the OCI spec, which uses
> `architecture`. The `defaultArch` and `GOARCH` names are irrelevant.
|
... for buildImage, buildLayeredImage and streamLayeredImage,
adding docs and tests.
|
This is a regression from PR #172736
|
To the user running the docker image. If a Nix binary is available in
the resulting derivation, this then behaves like a single-user Nix
installation, except that already-written /nix/store paths can't be
changed. Most notably it makes Nix work not have to rely on a chroot
store in the image
|
build-support: Fix error when building images with many layers
|
When building a docker image using `dockertools.buildLayeredImage`, the
resulting image layers are passed to `jq` through the command line. When
building an image with too many layers this would exceed the maximum
command line argument length.
Hence, we store the list of layers in the Nix store and pass them to
`jq` as a file argument using `--slurpfile`.
Fixes #140908.
|
dockerTools ca-certificates.crt helper
|
Various tools (e.g. wget) expect the ca bundle to be available at
/etc/ssl/certs/ca-certificates.crt
|
Fixes #186752. This adds buildVMMemorySize (defaults to 512 MiB) to
buildImage, which is passed to vm.runInLinuxVM. This is needed for
larger base images, which may otherwise cause container build failures
due to OOM in the VM.
|
- add nixosTests to `dockerTools.tests`
- don't use `pkgs` or `lib.singleton`
|
Make this reachable from pkgs.fakeNss. This is useful outside docker
contexts, too.
https://github.com/NixOS/nixpkgs/pull/164943#discussion_r833220769
|
This is useful for a use-case we have with a Nix-based CI system that
specifies things like deploy steps as passthru attributes[0].
Previously the only way to do this would have been to concatenate
attributes onto the resulting derivation, but passing them in and
actually treating them as proper passthru attributes is cleaner.
[0]: https://cs.tvl.fyi/depot@f7d7da6aceb407b719cf4683a75878fd3aca319e/-/blob/nix/buildkite/default.nix?L222-226
|
Avoid risk of breaking existing images by making it opt-in.
|
hercules-ci/add-dockerTools-customization-layer-dependencies
dockerTools: Add store dependencies of the customization layer
|
https://www.gnu.org/software/tar/manual/html_node/files.html
files starting with - can be treated as command line options, which isn't desirable here
|
This provides a /usr/bin/env, for shell scripts using the
"/usr/bin/env executable" shebang.
|
Apparently, a non-existent nsswitch.conf causes a very misleading host
resolution, differing from the defaults people are used to.
According to
https://github.com/golang/go/issues/22846#issuecomment-346377144, glibc
says the default is "dns [!UNAVAIL=return] files".
This means, `/etc/hosts` isn't really honored, causing all sorts of
unexpected behaviour.
Let's prevent this, and first ask `/etc/hosts` before querying DNS, like
we do on NixOS too.
|
skopeo 1.4.x doesn't accept --src-tls-verify as a flag to the *program*,
only as a flag to copy; we must pass it after the "copy" verb, or it
will fail with:
> FATA[0000] unknown flag: --src-tls-verify
|
tarsum: init
|
- move from dockerTools.tarsum
- remove go from runtime closure
|
Indeed Docker can not run darwin exes, but darwin can build
Docker images, as some users already do with buildLayeredImage.
|
skopeo will disable the progress bar if it detects that stdout isn't a
TTY - in order to make it think that stdout _isn't_ a TTY and therefore
avoid it printing a lot of "…" on separate lines, we pipe the output
through cat.
This changes the output from:
    …
    …
    …
    …
    …
    …
to the eminently more useful and less spammy:
    Getting image source signatures
    Copying blob sha256:[snip]
    Copying blob sha256:[snip]
    Copying blob sha256:[snip]
    Copying config sha256:[snip]
    Writing manifest to image destination
    Storing signatures
|
dockerTools: Fix passthru image tag
|