Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to create a docker image with nix2container that can be used to build nix2container images? #123

Open
terlar opened this issue Mar 16, 2024 · 0 comments
Open

How to create a docker image with nix2container that can be used to build nix2container images? #123

terlar opened this issue Mar 16, 2024 · 0 comments

Comments

@terlar
Copy link

terlar commented Mar 16, 2024
edited
Loading

Hello, thank you very much for this project. It looks quite promising.

I want to use nix2container to automate building of container images, and doing that on my CI requires to be executed within a container image. What better way than to build that container image with nix2container?

Currently I have this:

{
  # Build support
  buildEnv,
  nix2container,
  writeShellApplication,
  # Runtime
  curl,
  gnugrep,
  jaq,
}:

let
  get-access-token-from-metadata-server = writeShellApplication {
    name = "get-access-token-from-metadata-server";
    runtimeInputs = [
      curl
      jaq
    ];
    text = ''
      curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
        --silent \
        -H "Metadata-Flavor: Google" |
        jaq --raw-output .access_token
    '';
  };

  root = buildEnv {
    name = "container-builder-root";
    paths = [
      get-access-token-from-metadata-server
      gnugrep
    ];
    pathsToLink = "/bin";
  };

  nix-flakes = nix2container.pullImage {
    imageName = "nixpkgs/nix-flakes";
    imageDigest = "sha256:89c86767d32fb27675f7bcb4f5f3a1f9f481b0fd9a4c4a4e08b283fde265e4c5";
    sha256 = "sha256-r6rGUpJZDY11NdC6ToxCegybkdZsq1vmK6rVdytsk8k=";
  };
in
nix2container.buildImage {
  name = "europe-docker.pkg.dev/seb-k8s-ci-cd-junxa/seb-k8s-ci-cd/container-builder";

  fromImage = nix-flakes;

  copyToRoot = [ root ];

  config = {
    entrypoint = [ "/bin/bash" ];
    env = [ "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" ];
  };
}

This is working, but then the image has to build (or pull from cache I guess, haven't enabled yet):

  • /nix/store/y7pja4n2b04j45sknwmivkl27mg3dgg1-skopeo-1.14.2.drv
  • /nix/store/p387dfxsh9myf2bc6lbdpngp8idilvrg-nix2container-1.0.0-go-modules.drv
  • /nix/store/699r95xr9zxdd013z06h7i3y954li8w0-nix2container-1.0.0.drv

But I wanted these derivations to be part of the image, I thought I could achieve this with:

  layers = [
    (nix2container.buildLayer {
      deps = [
        nix2container-bin
        skopeo-nix2container
      ];
    })
  ];

However, that just added a bunch of stuff, but it still built those derivations. I guess it is due to the drv files not being copied, but just the resulting outpath?

Is there a way to add "nix cache" to the image itself?

PS. I'm also using the nixpkgs nix-flakes docker image as base as it seemed quite difficult to get a working nix image otherwise. First it complained about build users not working and when I got that working it refused to build the same image I built within that image, seems those derivations were "locked" and caused issues.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@terlar