dockerTools.buildImage: add /nix/store with correct permissions #38837
Conversation
| # image /nix/store has read permissions for non-root users. | ||
| mkdir -p nix/store | ||
| chmod -R 555 nix | ||
| tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 ./nix |
There was a problem hiding this comment.
This introduces code about the Nix store into buildImage, I think it's been agnostic about the content until this. I don't think everything which uses buildImage will necessarily use /nix. I'd prefer to keep references outside of this function.
There was a problem hiding this comment.
I think it was the case before this patch: ce838e5
However I understand your point but looking at the code I'm not sure where to put this elsewhere.
Maybe we could check if some file in newFiles is in /nix/store/. If yes we add /nix/store to the layer.
There was a problem hiding this comment.
Yeah I like that better. Not great, but I think it's better.
There was a problem hiding this comment.
I think you can test if layerClosure is non empty to create /nix and /nix/store. Moreover, we should also test if /nix and /nix/store are not in baseFiles (not already existing in parent layers).
|
I think that I ran into this same problem with LnL7/nix-docker#14 (comment), but didn't really look into it afterwards. I'll do some testing since I've still seen problems on some systems after the workaround. |
eonpatapon
force-pushed
the
fix-38835
branch
2 times, most recently
from
95bb159
to
590caca
Compare
|
With the latest patch I'm checking that there is more than one item in $layerClosure. There is always one item which is the layer definition. More if there is some
|
|
@GrahamcOfBorg test docker-tools |
|
Success on aarch64-linux Attempted: tests.docker-tools No partial log is available. |
|
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: tests.docker-tools Partial log (click to expand)
|
|
Tests failure is not related to this PR. |
|
@GrahamcOfBorg test docker-tools docker-tools-overlay |
|
Success on aarch64-linux Attempted: tests.docker-tools, tests.docker-tools-overlay No partial log is available. |
|
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: tests.docker-tools, tests.docker-tools-overlay Partial log (click to expand)
|
There was a problem hiding this comment.
One of the tests broke (buildImageWithNixDb).
$ nix-build nixos/release.nix -A tests.docker-tools
docker: must succeed: docker load --input='/nix/store/i8m0p37qm8k492n40z9b3fhr7mwxsphs-docker-image-nix.tar.gz'
docker# Error processing tar file(duplicates of file paths not supported):
docker: exit status 1
|
I ran into this as well: Applying this patch seems to fix the problem. We should make sure the tests pass again and add a regression test, though. |
|
Ah, it did fix it for one image, the other has the duplicate error: |
|
@Profpatsch I already added a test in #38933. I looks like overlay2 is basicallly the only storage driver that doesn't suffer from this issue. |
|
@GrahamcOfBorg test docker-tools docker-tools-overlay |
|
@GrahamcOfBorg test docker-tools docker-tools-overlay |
|
Success on aarch64-linux Attempted: tests.docker-tools, tests.docker-tools-overlay No partial log is available. |
1 similar comment
|
Success on aarch64-linux Attempted: tests.docker-tools, tests.docker-tools-overlay No partial log is available. |
|
@Profpatsch @LnL7 I successfully executed |
|
Backported to 18.03 in f3353ff. |
LnL7
added
the
8.has: port to stable
|
Success on x86_64-linux (full log) Attempted: tests.docker-tools, tests.docker-tools-overlay Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: tests.docker-tools, tests.docker-tools-overlay Partial log (click to expand)
|
This adds
/nix/storeto the layer files with correct permissions so that non-root users can use the storeinside the container.
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)Fixes #38835.