pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #282886 from WxNzEMof/docker-tools-uid

Allow streaming layered containers with non-root Nix store

Robert Hensing 57c11082 f5622df4

options
unified split
Changed files
+76 -46
doc
build-helpers
images
dockertools.section.md
nixos
tests
docker-tools.nix
pkgs
build-support
docker
default.nix
stream_layered_image.py
+10
doc/build-helpers/images/dockertools.section.md 
···

       
507

       
507

       
 

       



     

       
508

       
508

       
 

       
  _Default value:_ `"1970-01-01T00:00:01Z"`.


     

       
509

       
509

       
 

       



     

       

       
510

       
+

       
`uid` (Number; _optional_) []{#dockerTools-buildLayeredImage-arg-uid}


     

       

       
511

       
+

       
`gid` (Number; _optional_) []{#dockerTools-buildLayeredImage-arg-gid}


     

       

       
512

       
+

       
`uname` (String; _optional_) []{#dockerTools-buildLayeredImage-arg-uname}


     

       

       
513

       
+

       
`gname` (String; _optional_) []{#dockerTools-buildLayeredImage-arg-gname}


     

       

       
514

       
+

       



     

       

       
515

       
+

       
: Credentials for Nix store ownership.


     

       

       
516

       
+

       
  Can be overridden to e.g. `1000` / `1000` / `"user"` / `"user"` to enable building a container where Nix can be used as an unprivileged user in single-user mode.


     

       

       
517

       
+

       



     

       

       
518

       
+

       
  _Default value:_ `0` / `0` / `"root"` / `"root"`


     

       

       
519

       
+

       



     

       
510

       
520

       
 

       
`maxLayers` (Number; _optional_) []{#dockerTools-buildLayeredImage-arg-maxLayers}


     

       
511

       
521

       
 

       



     

       
512

       
522

       
 

       
: The maximum number of layers that will be used by the generated image.
+21 -1
nixos/tests/docker-tools.nix 
···

       
58

       
58

       
 

       
      '';


     

       
59

       
59

       
 

       
      config.Cmd = [ "${pkgs.coreutils}/bin/stat" "-c" "%u:%g" "/testfile" ];


     

       
60

       
60

       
 

       
    };


     

       

       
61

       
+

       



     

       

       
62

       
+

       
  nonRootTestImage =


     

       

       
63

       
+

       
    pkgs.dockerTools.streamLayeredImage rec {


     

       

       
64

       
+

       
      name = "non-root-test";


     

       

       
65

       
+

       
      tag = "latest";


     

       

       
66

       
+

       
      uid = 1000;


     

       

       
67

       
+

       
      gid = 1000;


     

       

       
68

       
+

       
      uname = "user";


     

       

       
69

       
+

       
      gname = "user";


     

       

       
70

       
+

       
      config = {


     

       

       
71

       
+

       
        User = "user";


     

       

       
72

       
+

       
        Cmd = [ "${pkgs.coreutils}/bin/stat" "-c" "%u:%g" "${pkgs.coreutils}/bin/stat" ];


     

       

       
73

       
+

       
      };


     

       

       
74

       
+

       
    };


     

       
61

       
75

       
 

       
in {


     

       
62

       
76

       
 

       
  name = "docker-tools";


     

       
63

       
77

       
 

       
  meta = with pkgs.lib.maintainers; {


     
···

       
181

       
195

       
 

       
    ):


     

       
182

       
196

       
 

       
        docker.succeed(


     

       
183

       
197

       
 

       
            "docker load --input='${examples.bashLayeredWithUser}'",


     

       
184

       

       
-

       
            "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'",


     

       

       
198

       
+

       
            "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 755 == $(stat --format=%a /nix) && test 755 == $(stat --format=%a /nix/store)'",


     

       
185

       
199

       
 

       
            "docker rmi ${examples.bashLayeredWithUser.imageName}",


     

       
186

       
200

       
 

       
        )


     

       
187

       
201

       
 

       



     
···

       
602

       
616

       
 

       
    with subtest("streamLayeredImage: chown is persistent in fakeRootCommands"):


     

       
603

       
617

       
 

       
        docker.succeed(


     

       
604

       
618

       
 

       
            "${chownTestImage} | docker load",


     

       

       
619

       
+

       
            "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"


     

       

       
620

       
+

       
        )


     

       

       
621

       
+

       



     

       

       
622

       
+

       
    with subtest("streamLayeredImage: with non-root user"):


     

       

       
623

       
+

       
        docker.succeed(


     

       

       
624

       
+

       
            "${nonRootTestImage} | docker load",


     

       
605

       
625

       
 

       
            "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"


     

       
606

       
626

       
 

       
        )


     

       
607

       
627

       
 

       
  '';
+28 -35
pkgs/build-support/docker/default.nix 
···

       
890

       
890

       
 

       
    })


     

       
891

       
891

       
 

       
  );


     

       
892

       
892

       
 

       



     

       

       
893

       
+

       
  # Arguments are documented in ../../../doc/build-helpers/images/dockertools.section.md


     

       
893

       
894

       
 

       
  streamLayeredImage = lib.makeOverridable (


     

       
894

       
895

       
 

       
    {


     

       
895

       

       
-

       
      # Image Name


     

       
896

       
896

       
 

       
      name


     

       
897

       

       
-

       
    , # Image tag, the Nix's output hash will be used if null


     

       
898

       

       
-

       
      tag ? null


     

       
899

       

       
-

       
    , # Parent image, to append to.


     

       
900

       

       
-

       
      fromImage ? null


     

       
901

       

       
-

       
    , # Files to put on the image (a nix store path or list of paths).


     

       
902

       

       
-

       
      contents ? [ ]


     

       
903

       

       
-

       
    , # Docker config; e.g. what command to run on the container.


     

       
904

       

       
-

       
      config ? { }


     

       
905

       

       
-

       
    , # Image architecture, defaults to the architecture of the `hostPlatform` when unset


     

       
906

       

       
-

       
      architecture ? defaultArchitecture


     

       
907

       

       
-

       
    , # Time of creation of the image. Passing "now" will make the


     

       
908

       

       
-

       
      # created date be the time of building.


     

       
909

       

       
-

       
      created ? "1970-01-01T00:00:01Z"


     

       
910

       

       
-

       
    , # Optional bash script to run on the files prior to fixturizing the layer.


     

       
911

       

       
-

       
      extraCommands ? ""


     

       
912

       

       
-

       
    , # Optional bash script to run inside fakeroot environment.


     

       
913

       

       
-

       
      # Could be used for changing ownership of files in customisation layer.


     

       
914

       

       
-

       
      fakeRootCommands ? ""


     

       
915

       

       
-

       
    , # Whether to run fakeRootCommands in fakechroot as well, so that they


     

       
916

       

       
-

       
      # appear to run inside the image, but have access to the normal Nix store.


     

       
917

       

       
-

       
      # Perhaps this could be enabled on by default on pkgs.stdenv.buildPlatform.isLinux


     

       
918

       

       
-

       
      enableFakechroot ? false


     

       
919

       

       
-

       
    , # We pick 100 to ensure there is plenty of room for extension. I


     

       
920

       

       
-

       
      # believe the actual maximum is 128.


     

       
921

       

       
-

       
      maxLayers ? 100


     

       
922

       

       
-

       
    , # Whether to include store paths in the image. You generally want to leave


     

       
923

       

       
-

       
      # this on, but tooling may disable this to insert the store paths more


     

       
924

       

       
-

       
      # efficiently via other means, such as bind mounting the host store.


     

       
925

       

       
-

       
      includeStorePaths ? true


     

       
926

       

       
-

       
    , # Passthru arguments for the underlying derivation.


     

       
927

       

       
-

       
      passthru ? {}


     

       

       
897

       
+

       
    , tag ? null


     

       

       
898

       
+

       
    , fromImage ? null


     

       

       
899

       
+

       
    , contents ? [ ]


     

       

       
900

       
+

       
    , config ? { }


     

       

       
901

       
+

       
    , architecture ? defaultArchitecture


     

       

       
902

       
+

       
    , created ? "1970-01-01T00:00:01Z"


     

       

       
903

       
+

       
    , uid ? 0


     

       

       
904

       
+

       
    , gid ? 0


     

       

       
905

       
+

       
    , uname ? "root"


     

       

       
906

       
+

       
    , gname ? "root"


     

       

       
907

       
+

       
    , maxLayers ? 100


     

       

       
908

       
+

       
    , extraCommands ? ""


     

       

       
909

       
+

       
    , fakeRootCommands ? ""


     

       

       
910

       
+

       
    , enableFakechroot ? false


     

       

       
911

       
+

       
    , includeStorePaths ? true


     

       

       
912

       
+

       
    , passthru ? {}


     

       
928

       
913

       
 

       
    ,


     

       
929

       
914

       
 

       
    }:


     

       
930

       
915

       
 

       
      assert


     
···

       
1007

       
992

       
 

       



     

       
1008

       
993

       
 

       
        conf = runCommand "${baseName}-conf.json"


     

       
1009

       
994

       
 

       
          {


     

       
1010

       

       
-

       
            inherit fromImage maxLayers created;


     

       

       
995

       
+

       
            inherit fromImage maxLayers created uid gid uname gname;


     

       
1011

       
996

       
 

       
            imageName = lib.toLower name;


     

       
1012

       
997

       
 

       
            preferLocalBuild = true;


     

       
1013

       
998

       
 

       
            passthru.imageTag =


     
···

       
1086

       
1071

       
 

       
              "store_layers": $store_layers[0],


     

       
1087

       
1072

       
 

       
              "customisation_layer", $customisation_layer,


     

       
1088

       
1073

       
 

       
              "repo_tag": $repo_tag,


     

       
1089

       

       
-

       
              "created": $created


     

       

       
1074

       
+

       
              "created": $created,


     

       

       
1075

       
+

       
              "uid": $uid,


     

       

       
1076

       
+

       
              "gid": $gid,


     

       

       
1077

       
+

       
              "uname": $uname,


     

       

       
1078

       
+

       
              "gname": $gname


     

       
1090

       
1079

       
 

       
            }


     

       
1091

       
1080

       
 

       
            ' --arg store_dir "${storeDir}" \


     

       
1092

       
1081

       
 

       
              --argjson from_image ${if fromImage == null then "null" else "'\"${fromImage}\"'"} \


     

       
1093

       
1082

       
 

       
              --slurpfile store_layers store_layers.json \


     

       
1094

       
1083

       
 

       
              --arg customisation_layer ${customisationLayer} \


     

       
1095

       
1084

       
 

       
              --arg repo_tag "$imageName:$imageTag" \


     

       
1096

       

       
-

       
              --arg created "$created" |


     

       

       
1085

       
+

       
              --arg created "$created" \


     

       

       
1086

       
+

       
              --arg uid "$uid" \


     

       

       
1087

       
+

       
              --arg gid "$gid" \


     

       

       
1088

       
+

       
              --arg uname "$uname" \


     

       

       
1089

       
+

       
              --arg gname "$gname" |


     

       
1097

       
1090

       
 

       
            tee $out


     

       
1098

       
1091

       
 

       
        '';


     

       
1099

       
1092
+17 -10
pkgs/build-support/docker/stream_layered_image.py 
···

       
9

       
9

       
 

       
  the fields with the same name on the image spec [2].


     

       
10

       
10

       
 

       
* "created" can be "now".


     

       
11

       
11

       
 

       
* "created" is also used as mtime for files added to the image.


     

       

       
12

       
+

       
* "uid", "gid", "uname", "gname" is the file ownership, for example,


     

       

       
13

       
+

       
  0, 0, "root", "root".


     

       
12

       
14

       
 

       
* "store_layers" is a list of layers in ascending order, where each


     

       
13

       
15

       
 

       
  layer is the list of store paths to include in that layer.


     

       
14

       
16

       
 

       



     
···

       
45

       
47

       
 

       
from collections import namedtuple


     

       
46

       
48

       
 

       



     

       
47

       
49

       
 

       



     

       
48

       

       
-

       
def archive_paths_to(obj, paths, mtime):


     

       

       
50

       
+

       
def archive_paths_to(obj, paths, mtime, uid, gid, uname, gname):


     

       
49

       
51

       
 

       
    """


     

       
50

       
52

       
 

       
    Writes the given store paths as a tar file to the given stream.


     

       
51

       
53

       
 

       



     
···

       
61

       
63

       
 

       



     

       
62

       
64

       
 

       
    def apply_filters(ti):


     

       
63

       
65

       
 

       
        ti.mtime = mtime


     

       
64

       

       
-

       
        ti.uid = 0


     

       
65

       

       
-

       
        ti.gid = 0


     

       
66

       

       
-

       
        ti.uname = "root"


     

       
67

       

       
-

       
        ti.gname = "root"


     

       

       
66

       
+

       
        ti.uid = uid


     

       

       
67

       
+

       
        ti.gid = gid


     

       

       
68

       
+

       
        ti.uname = uname


     

       

       
69

       
+

       
        ti.gname = gname


     

       
68

       
70

       
 

       
        return ti


     

       
69

       
71

       
 

       



     

       
70

       
72

       
 

       
    def nix_root(ti):


     

       
71

       

       
-

       
        ti.mode = 0o0555  # r-xr-xr-x


     

       

       
73

       
+

       
        ti.mode = 0o0755  # rwxr-xr-x


     

       
72

       
74

       
 

       
        return ti


     

       
73

       
75

       
 

       



     

       
74

       
76

       
 

       
    def dir(path):


     
···

       
208

       
210

       
 

       
    return final_config


     

       
209

       
211

       
 

       



     

       
210

       
212

       
 

       



     

       
211

       

       
-

       
def add_layer_dir(tar, paths, store_dir, mtime):


     

       

       
213

       
+

       
def add_layer_dir(tar, paths, store_dir, mtime, uid, gid, uname, gname):


     

       
212

       
214

       
 

       
    """


     

       
213

       
215

       
 

       
    Appends given store paths to a TarFile object as a new layer.


     

       
214

       
216

       
 

       



     
···

       
231

       
233

       
 

       
    archive_paths_to(


     

       
232

       
234

       
 

       
        extract_checksum,


     

       
233

       
235

       
 

       
        paths,


     

       
234

       

       
-

       
        mtime=mtime,


     

       

       
236

       
+

       
        mtime, uid, gid, uname, gname


     

       
235

       
237

       
 

       
    )


     

       
236

       
238

       
 

       
    (checksum, size) = extract_checksum.extract()


     

       
237

       
239

       
 

       



     
···

       
247

       
249

       
 

       
            archive_paths_to(


     

       
248

       
250

       
 

       
                write,


     

       
249

       
251

       
 

       
                paths,


     

       
250

       

       
-

       
                mtime=mtime,


     

       

       
252

       
+

       
                mtime, uid, gid, uname, gname


     

       
251

       
253

       
 

       
            )


     

       
252

       
254

       
 

       
            write.close()


     

       
253

       
255

       
 

       



     
···

       
324

       
326

       
 

       
      else datetime.fromisoformat(conf["created"])


     

       
325

       
327

       
 

       
    )


     

       
326

       
328

       
 

       
    mtime = int(created.timestamp())


     

       

       
329

       
+

       
    uid = int(conf["uid"])


     

       

       
330

       
+

       
    gid = int(conf["gid"])


     

       

       
331

       
+

       
    uname = conf["uname"]


     

       

       
332

       
+

       
    gname = conf["gname"]


     

       
327

       
333

       
 

       
    store_dir = conf["store_dir"]


     

       
328

       
334

       
 

       



     

       
329

       
335

       
 

       
    from_image = load_from_image(conf["from_image"])


     
···

       
336

       
342

       
 

       
        for num, store_layer in enumerate(conf["store_layers"], start=start):


     

       
337

       
343

       
 

       
            print("Creating layer", num, "from paths:", store_layer,


     

       
338

       
344

       
 

       
                  file=sys.stderr)


     

       
339

       

       
-

       
            info = add_layer_dir(tar, store_layer, store_dir, mtime=mtime)


     

       

       
345

       
+

       
            info = add_layer_dir(tar, store_layer, store_dir,


     

       

       
346

       
+

       
                                 mtime, uid, gid, uname, gname)


     

       
340

       
347

       
 

       
            layers.append(info)


     

       
341

       
348

       
 

       



     

       
342

       
349

       
 

       
        print("Creating layer", len(layers) + 1, "with customisation...",