Unverified Commit dcf98538 authored by Robert Hensing's avatar Robert Hensing Committed by GitHub

Merge pull request #271976 from r-k-b/fix-dockerTools-includeStorePaths

nixos/dockerTools: fix includeStorePaths when enableFakechroot
parents 8affaaf9 1f9e86f3
+15 −0
@@ -71,14 +71,29 @@ in {
            docker.succeed("${examples.helloOnRoot} | docker load")
            docker.succeed("docker run --rm hello | grep -i hello")
            docker.succeed("docker image rm hello:latest")

        with subtest("includeStorePath = false; breaks example"):
            docker.succeed("${examples.helloOnRootNoStore} | docker load")
            docker.fail("docker run --rm hello | grep -i hello")
            docker.succeed("docker image rm hello:latest")
        with subtest("includeStorePath = false; breaks example (fakechroot)"):
            docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load")
            docker.fail("docker run --rm hello | grep -i hello")
            docker.succeed("docker image rm hello:latest")

        with subtest("Ensure ZERO paths are added to the store"):
            docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")
        with subtest("Ensure ZERO paths are added to the store (fakechroot)"):
            docker.fail("${examples.helloOnRootNoStoreFakechroot} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'")

        with subtest("includeStorePath = false; works with mounted store"):
            docker.succeed("${examples.helloOnRootNoStore} | docker load")
            docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
            docker.succeed("docker image rm hello:latest")
        with subtest("includeStorePath = false; works with mounted store (fakechroot)"):
            docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load")
            docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
            docker.succeed("docker image rm hello:latest")

    with subtest("Ensure Docker images use a stable date by default"):
        docker.succeed(
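Review bot: The "Ensure ZERO paths are added to the store" subtests assert with `docker.fail(...)` on a whole pipeline, so they also pass when the image stream script, `crane export` or `tar t` fails and grep never sees a listing. The fakechroot variant is the case this commit is meant to pin, so its negative check should not be able to pass vacuously. One way is to require the export to succeed and assert on the output: `listing = docker.succeed("${examples.helloOnRootNoStoreFakechroot} | ${pkgs.crane}/bin/crane export - - | tar t")` followed by `assert "nix/store/" not in listing`. The same applies to the non-fakechroot subtest directly above it.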
+1 −0
@@ -923,6 +923,7 @@ rec {
                  --sort name \
                  --exclude=./proc \
                  --exclude=./sys \
                  --exclude=.${builtins.storeDir} \
                  --numeric-owner --mtime "@$SOURCE_DATE_EPOCH" \
                  --hard-dereference \
                  -cf $out/layer.tar .
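Review bot: The `--exclude=.${builtins.storeDir}` entry in this tar invocation has no explanation next to it, and unlike `./proc` and `./sys` its reason is not obvious. Presumably the store is visible inside the fakechroot root only so the commands can run, and archiving it would copy build-host store contents into this layer regardless of `includeStorePaths`. A comment before the `tar` command would record that, e.g. `# The store is only visible here for the fakechroot environment; store paths belong in their own layers, never in this one.` As shown, the exclusion is unconditional, so anything `fakeRootCommands` creates under the store directory would be dropped silently; if that is intended, the comment should say so. The enclosing command starts and ends outside the hunk.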
+14 −0
@@ -639,6 +639,20 @@ rec {
    includeStorePaths = false;
  };

  helloOnRootNoStoreFakechroot = pkgs.dockerTools.streamLayeredImage {
    name = "hello";
    tag = "latest";
    contents = [
      (pkgs.buildEnv {
        name = "hello-root";
        paths = [ pkgs.hello ];
      })
    ];
    config.Cmd = [ "hello" ];
    includeStorePaths = false;
    enableFakechroot = true;
  };

  etc =
    let
      inherit (pkgs) lib;
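Review bot: Nothing on `helloOnRootNoStoreFakechroot` says why the variant exists, and it appears to differ from the preceding example only by `enableFakechroot = true;` (that example's body is mostly outside the hunk). A one-line comment above the attribute would make the intent clear to whoever edits the examples next, e.g. `# helloOnRootNoStore built with enableFakechroot; regression check that includeStorePaths = false is honoured on that code path.`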