dockerTools: Eliminate layer creation copypasta #51587
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Docker images used to be, essentially, a linked list of layers. Each
layer would have a tarball and a json document pointing to its parent,
and the image pointed to the top layer:
imageA ----> layerA
|
v
layerB
|
v
layerC
The current image spec changed this format to where the Image defined
the order and set of layers:
imageA ---> layerA
|--> layerB
`--> layerC
For backwards compatibility, docker produces images which follow both
specs: layers point to parents, and images also point to the entire
list:
imageA ---> layerA
| |
| v
|--> layerB
| |
| v
`--> layerC
This is nice for tooling which supported the older version and never
updated to support the newer format.
Our `buildImage` code only supported the old version, so in order for
`buildImage` to properly generate an image based on another image
with `fromImage`, the parent image's layers must fully support the old
mechanism.
This is not a problem in general, but is a problem with
`buildLayeredImage`.
`buildLayeredImage` creates images with newer image spec, because
individual store paths don't have a guaranteed parent layer. Including
a specific parent ID in the layer's json makes the output less likely
to cache hit when published or pulled.
This means until now, `buildLayeredImage` could not be the input to
`buildImage`.
The changes in this PR change `buildImage` to only use the layer's
manifest when locating parent IDs. This does break buildImage on
extremely old Docker images, though I do wonder how many of these
exist.
This work has been sponsored by Target.
Extract the layer creation code in to make-layer.sh and update each layer creation function to use it.
|
@GrahamcOfBorg build nixosTests.docker-tools |
puffnfresh
approved these changes
Dec 7, 2018
Mic92
reviewed
Dec 7, 2018
| tar -C image/$parentID/layer -xpf image/$parentID/layer.tar | ||
| rm image/$parentID/layer.tar | ||
| extractionID=0 | ||
| for layerTar in $(cat layer-list); do |
There was a problem hiding this comment.
while IFS= read layerTar; do
# ...
done <layer-list| while [[ -n "$currentID" ]]; do | ||
| layerChecksum=$(sha256sum image/$currentID/layer.tar | cut -d ' ' -f1) | ||
|
|
||
| for layerTar in $(cat ./layer-list); do |
Mic92
reviewed
Dec 7, 2018
| # would fail if layer-list was completely empty. | ||
| echo "$layerID/layer.tar" | ||
| cat layer-list | ||
| ) | ${pkgs.moreutils}/bin/sponge layer-list |
There was a problem hiding this comment.
That would break in the cross-compiling case.
Better to use:
(
echo "$layerID/layer.tar"
cat layer-list
) > layer-list-new
mv layer-list-new layer-listThis also removes the dependency on moreutils while having the same amount of external commands.
There was a problem hiding this comment.
Speaking of cross-compiling: All buildInputs above should become nativeBuildInputs
Mic92
reviewed
Dec 7, 2018
| @@ -673,6 +646,9 @@ rec { | |||
| if [[ -n "$fromImage" ]]; then | |||
| echo "Unpacking base image..." | |||
| tar -C image -xpf "$fromImage" | |||
|
|
|||
| cat ./image/manifest.json | jq -r '.[0].Layers | .[]' > layer-list | |||
There was a problem hiding this comment.
There are several cases of cat file | over the whole file, that could become:
Suggested change
| cat ./image/manifest.json | jq -r '.[0].Layers | .[]' > layer-list | |
| jq < ./image/manifest.json -r '.[0].Layers | .[]' > layer-list |
There was a problem hiding this comment.
I know that cat is useless, but I find it much more readable.
There was a problem hiding this comment.
There is also jq -r '.[0].Layers | .[]' ./image/manifest.json > layer-list :)
There was a problem hiding this comment.
This is an improvement, but if performance is a concern, this should probably be rewritten in a 'real' language that doesn't need to start processes to perform non-trivial operations.
GrahamcOfBorg
requested review from
disassembler
and removed request for
globin and
disassembler
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
See the second commit, as the first commit is in #51528.
Essentially, there were several places which ran the same exact commands to build a docker layer, and now there is only one copy of that code :)
I experimented with deduplicating the image creation code, but boy howdy that is for another day.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)