Admins will be upgrading ORNL GitLab Servers on Saturday, 16 May 2026, from 7 AM until 11 AM EST. Repositories will experience intermittent outages during this time.
Create a Docker image that sets up an environment similar to that of running `nix-shell` on a derivation.
When run in Docker, this environment somewhat resembles the Nix sandbox typically used by `nix-build`, with a major difference being that access to the internet is allowed.
It additionally also behaves like an interactive `nix-shell`, running things like `shellHook` and setting an interactive prompt.
If the derivation is fully buildable (i.e. `nix-build` can be used on it), running `buildDerivation` inside such a Docker image will build the derivation, with all its outputs being available in the correct `/nix/store` paths, pointed to by the respective environment variables like `$out`, etc.
`buildNixShellImage` uses [`streamNixShellImage`](#ssec-pkgs-dockerTools-streamNixShellImage) underneath to build a compressed Docker-compatible repository tarball of an image that sets up an environment similar to that of running `nix-shell` on a derivation.
Basically, `buildNixShellImage` runs the script created by `streamNixShellImage` to save the compressed image in the Nix store.
::: {.warning}
The behavior doesn't match `nix-shell` or `nix-build` exactly and this function is known not to work correctly for e.g. fixed-output derivations, content-addressed derivations, impure derivations and other special types of derivations.
`buildNixShellImage` supports the same options as `streamNixShellImage`, see [`streamNixShellImage`](#ssec-pkgs-dockerTools-streamNixShellImage) for details.
`streamNixShellImage` builds a **script** which, when run, will stream to stdout a Docker-compatible repository tarball of an image that sets up an environment similar to that of running `nix-shell` on a derivation.
This means that `streamNixShellImage` does not output an image into the Nix store, but only a script that builds the image, saving on IO and disk/cache space, particularly with large images.
See [](#ex-dockerTools-streamNixShellImage-hello) to understand how to load in Docker the image generated by this script.
`tag` _optional_
The environment set up by `streamNixShellImage` somewhat resembles the Nix sandbox typically used by `nix-build`, with a major difference being that access to the internet is allowed.
It also behaves like an interactive `nix-shell`, running things like `shellHook` (see [](#ex-dockerTools-streamNixShellImage-addingShellHook)) and setting an interactive prompt.
If the derivation is buildable (i.e. `nix-build` can be used on it), running `buildDerivation` in the container will build the derivation, with all its outputs being available in the correct `/nix/store` paths, pointed to by the respective environment variables (e.g. `$out`).
::: {.caution}
The environment in the image doesn't match `nix-shell` or `nix-build` exactly, and this function is known not to work correctly for fixed-output derivations, content-addressed derivations, impure derivations and other special types of derivations.
`streamNixShellImage` expects one argument with the following attributes:
`drv` (Attribute Set)
: The derivation for which the environment in the image will be set up.
Adding packages to the Docker image is possible by extending the list of `nativeBuildInputs` of this derivation.
See [](#ex-dockerTools-streamNixShellImage-extendingBuildInputs) for how to do that.
Similarly, you can extend the image initialization script by extending `shellHook`.
[](#ex-dockerTools-streamNixShellImage-addingShellHook) shows how to do that.
`name` (String; _optional_)
: The name of the generated image.
_Default value:_ the value of `drv.name + "-env"`.
`tag` (String or Null; _optional_)
: Tag of the generated image.
If `null`, the hash of the nix derivation that builds the Docker image will be used as the tag.
*Default:* the resulting image derivation output path's hash
_Default value:_ `null`.
`uid`/`gid` _optional_
`uid` (Number; _optional_)
: The user/group ID to run the container as. This is like a `nixbld` build user.
: The user ID to run the container as.
This can be seen as a `nixbld` build user.
*Default:* 1000/1000
_Default value:_ 1000.
`homeDirectory` _optional_
`gid` (Number; _optional_)
: The home directory of the user the container is running as
: The group ID to run the container as.
This can be seen as a `nixbld` build group.
*Default:* `/build`
_Default value:_ 1000.
`shell` _optional_
`homeDirectory` (String; _optional_)
: The path to the `bash` binary to use as the shell. This shell is started when running the image.
: The home directory of the user the container is running as.
*Default:* `pkgs.bashInteractive + "/bin/bash"`
_Default value:_ `/build`.
`command` _optional_
`shell` (String; _optional_)
: Run this command in the environment of the derivation, in an interactive shell. See the `--command` option in the [`nix-shell` documentation](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html?highlight=nix-shell#options).
: The path to the `bash` binary to use as the shell.
This shell is started when running the image.
This can be seen as an equivalent of the `NIX_BUILD_SHELL`[environment variable](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html#environment-variables) for {manpage}`nix-shell(1)`.
*Default:* (none)
_Default value:_ the `bash` binary from the `bashInteractive` package.
`run` _optional_
`command` (String or Null; _optional_)
: Same as `command`, but runs the command in a non-interactive shell instead. See the `--run` option in the [`nix-shell` documentation](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html?highlight=nix-shell#options).
: If specified, this command will be run in the environment of the derivation in an interactive shell.
A call to `exit` will be added after the command if it is specified, so the shell will exit after it's finished running.
This can be seen as an equivalent of the `--command` option in {manpage}`nix-shell(1)`.
*Default:* (none)
_Default value:_ `null`.
### Example {#ssec-pkgs-dockerTools-buildNixShellImage-example}
`run` (String or Null; _optional_)
The following shows how to build the `pkgs.hello` package inside a Docker container built with `buildNixShellImage`.
: Similar to the `command` attribute, but runs the command in a non-interactive shell instead.
A call to `exit` will be added after the command if it is specified, so the shell will exit after it's finished running.
This can be seen as an equivalent of the `--run` option in {manpage}`nix-shell(1)`.
