Merge pull request #26 from hercules-ci/images-with-dockertools

Images with dockertools
2019-03-12 09:41:16 +01:00 · 2019-03-12 09:41:16 +01:00 · 15386e5145
commit 15386e5145
parent 6fd435c38e 4ce69bbfba
11 changed files with 259 additions and 14 deletions
--- a/doc/manual/default.nix
+++ b/doc/manual/default.nix
@ -20,7 +20,15 @@ let
      } ''
        export NIX_LOG_DIR=$PWD
        export NIX_STATE_DIR=$PWD
-        nix-instantiate --option sandbox false --readonly-mode --eval --expr "$optionsExpr" --xml --strict >$out
+        nix-instantiate \
+          --option sandbox false \
+          --readonly-mode \
+          --eval \
+          --expr "$optionsExpr" \
+          --xml \
+          --strict \
+          --show-trace \
+          >$out
      '';

    optionsDocBook = runCommand "options-db.xml" {} ''
@ -61,7 +69,7 @@ let
            declarations = map (d: "src/nix" + (lib.strings.removePrefix (toString ${src}) (toString d))) opt.declarations;
          };
          inherit (pkgs) lib;
-          composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; };
+          composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; name = abort "The manual's service options section must not depend on the service name."; };
      in map fixPaths (lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList composition.options))
    '';
  };
--- a/src/arion
+++ b/src/arion
@ -163,6 +163,32 @@ do_build() {
    --show-trace \
    --attr 'config.build.dockerComposeYaml' \
    >/dev/null ;
+
+  echo 1>&2 "Ensuring required images are loaded..."
+  jq -r <"$docker_compose_yaml" \
+    '.["x-arion"].images | map("  - " + .imageName + ":" + .imageTag) | join("\n")'
+  eval "$(
+    jq -r '.["docker-compose"]["x-arion"].images as $images
+         | .["existing-images"] as $loaded
+         | $images
+         | map(
+             if $loaded[.imageName + ":" + .imageTag]
+             then ""
+             else "docker load <" + .image + ";" end
+           )
+         | join("\n")
+     ' <<EOF
+{
+  "docker-compose": $(cat $docker_compose_yaml),
+  "existing-images": {
+    $(docker images \
+        --filter "dangling=false" \
+        --format '"{{.Repository}}:{{.Tag}}": true,')
+    "": false
+  }
+}
+EOF
+      )"
 }


@ -184,7 +210,7 @@ To get started:
 To see deployment-wide configuration
  type config. and hit TAB
 To see the services
-  type config.docker-compose.services TAB or ENTER
+  type config.docker-compose.evaluatedServices TAB or ENTER
 To bring the top-level Nixpkgs attributes into scope
  type :a (config._module.args.pkgs) // { inherit config; }

--- a/src/nix/eval-composition.nix
+++ b/src/nix/eval-composition.nix
@ -20,6 +20,7 @@ let
    argsModule
    ./modules/composition/docker-compose.nix
    ./modules/composition/host-environment.nix
+    ./modules/composition/images.nix
  ];

  argsModule = {
--- a/src/nix/eval-service.nix
+++ b/src/nix/eval-service.nix
@ -1,6 +1,6 @@
 { lib, pkgs, ... }:

-{ modules, host }:
+{ modules, host, name }:
 let
  composite = lib.evalModules {
    check = true;
@ -12,6 +12,7 @@ let
    ./modules/service/docker-compose-service.nix
    ./modules/service/host-store.nix
    ./modules/service/host.nix
+    ./modules/service/image.nix
    ./modules/service/nixos.nix
    ./modules/service/nixos-init.nix
  ];
@ -21,6 +22,7 @@ let
    key = ./docker-compose.nix;
    config._module.args.pkgs = lib.mkForce pkgs;
    config.host = host;
+    config.service.name = name;
  };

 in
--- a/src/nix/modules/composition/docker-compose.nix
+++ b/src/nix/modules/composition/docker-compose.nix
@ -11,7 +11,7 @@
 */
 { pkgs, lib, config, ... }:
 let
-evalService = name: modules: (pkgs.callPackage ../../eval-service.nix {} { inherit modules; inherit (config) host; }).config.build.service;
+  evalService = name: modules: pkgs.callPackage ../../eval-service.nix {} { inherit name modules; inherit (config) host; };

 in
 {
@ -33,14 +33,20 @@ in
      type = with lib.types; attrsOf (coercedTo unspecified (a: [a]) (listOf unspecified));
      description = "A attribute set of service configurations. A service specifies how to run an image. Each of these service configurations is specified using modules whose options are described in the Service Options section.";
    };
+    docker-compose.evaluatedServices = lib.mkOption {
+      type = lib.types.attrsOf lib.types.attrs;
+      description = "Attribute set of evaluated service configurations.";
+      readOnly = true;
+    };
  };
  config = {
    build.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.build.dockerComposeYamlText;
    build.dockerComposeYamlText = builtins.toJSON (config.docker-compose.raw);

+    docker-compose.evaluatedServices = lib.mapAttrs evalService config.docker-compose.services;
    docker-compose.raw = {
-      version = "3";
-      services = lib.mapAttrs evalService config.docker-compose.services;
+      version = "3.4";
+      services = lib.mapAttrs (k: c: c.config.build.service) config.docker-compose.evaluatedServices;
    };
  };
 }
--- a/src/nix/modules/composition/images.nix
+++ b/src/nix/modules/composition/images.nix
@ -0,0 +1,36 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (lib.types) listOf package unspecified;
+
+  serviceImages =
+    lib.mapAttrs addDetails (
+      lib.filterAttrs filterFunction config.docker-compose.evaluatedServices
+    );
+
+  filterFunction = _serviceName: service:
+    service.config.image.nixBuild;
+
+  addDetails = _serviceName: service:
+    let
+      inherit (service.config) build;
+    in {
+      image = build.image.outPath;
+      imageName = build.imageName or service.image.name;
+      imageTag =
+                 if build.image.imageTag != ""
+                 then build.image.imageTag
+                 else lib.head (lib.strings.splitString "-" (baseNameOf build.image.outPath));
+    };
+in
+{
+  options = {
+    build.imagesToLoad = lib.mkOption {
+      type = listOf unspecified;
+      description = "List of dockerTools image derivations.";
+    };
+  };
+  config = {
+    build.imagesToLoad = lib.attrValues serviceImages;
+    docker-compose.raw.x-arion.images = config.build.imagesToLoad;
+  };
+}
--- a/src/nix/modules/nixos/container-systemd.nix
+++ b/src/nix/modules/nixos/container-systemd.nix
@ -19,6 +19,6 @@
  systemd.services.systemd-logind.enable = false;
  systemd.services.console-getty.enable = false;

-  systemd.sockets.nix-daemon.enable = false;
-  systemd.services.nix-daemon.enable = false;
+  systemd.sockets.nix-daemon.enable = lib.mkDefault false;
+  systemd.services.nix-daemon.enable = lib.mkDefault false;
 }
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@ -10,13 +10,19 @@ let
  inherit (lib) mkOption types;
  inherit (types) listOf nullOr attrsOf str either int bool;

+  link = url: text:
+    ''<link xlink:href="${url}">${text}</link>'';
  dockerComposeRef = fragment:
-  ''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
+    ''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
  dockerComposeKitchenSink = ''
    Analogous to the <code>docker run</code> counterpart.

    ${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
  '';
+
+  cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
+  cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
+
 in
 {
  options = {
@ -33,6 +39,14 @@ in
      '';
    };

+    service.name = mkOption {
+      type = str;
+      description = ''
+        The name of the service - <code>&lt;name></code> in the composition-level <code>docker-compose.services.&lt;name></code>
+      '';
+      readOnly = true;
+    };
+
    service.volumes = mkOption {
      type = listOf types.unspecified;
      default = [];
@ -81,6 +95,16 @@ in
      default = [];
      description = dockerComposeRef "depends_on";
    };
+    service.devices = mkOption {
+      type = listOf str;
+      default = [];
+      description = ''
+        See ${link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
+        "<code>docker run --device</code> documentation"}
+
+        ${dockerComposeRef "devices"}
+      '';
+    };
    service.links = mkOption {
      type = listOf str;
      default = [];
@ -145,6 +169,24 @@ in
      default = null;
      description = dockerComposeRef "stop_signal";
    };
+    service.capabilities = mkOption {
+      type = attrsOf (nullOr bool);
+      default = {};
+      example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
+      description = ''
+        Enable/disable linux capabilities, or pick Docker's default.
+
+        Setting a capability to <code>true</code> means that it will be
+        "added". Setting it to <code>false</code> means that it will be "dropped".
+        ${dockerComposeRef "cap_add-cap_drop"}
+
+        Omitted and <code>null</code> capabilities will therefore be set
+        according to Docker's ${
+          link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
+               "default list of capabilities."
+        }
+      '';
+    };
  };

  config.build.service = {
@ -155,10 +197,16 @@ in
      ;
  } // lib.optionalAttrs (config.service.build.context != null) {
    inherit (config.service) build;
+  } // lib.optionalAttrs (cap_add != []) {
+    inherit cap_add;
+  } // lib.optionalAttrs (cap_drop != []) {
+    inherit cap_drop;
  } // lib.optionalAttrs (config.service.command != null) {
    inherit (config.service) command;
  } // lib.optionalAttrs (config.service.depends_on != []) {
    inherit (config.service) depends_on;
+  } // lib.optionalAttrs (config.service.devices != []) {
+    inherit (config.service) devices;
  } // lib.optionalAttrs (config.service.entrypoint != null) {
    inherit (config.service) entrypoint;
  } // lib.optionalAttrs (config.service.env_file != []) {
--- a/src/nix/modules/service/host-store.nix
+++ b/src/nix/modules/service/host-store.nix
@ -8,6 +8,7 @@

 let
  inherit (lib) mkOption types mkIf;
+  escape = s: lib.replaceStrings ["$"] ["$$"] s;
 in
 {
  options = {
@ -23,11 +24,13 @@ in
    };
  };
  config = mkIf config.service.useHostStore {
+    image.nixBuild = false; # no need to build and load
    service.image = "arion-base";
    service.build.context = "${../../../arion-image}";
    service.volumes = [
      "${config.host.nixStorePrefix}/nix/store:/nix/store"
      "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
      ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
+    service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
  };
 }
--- a/src/nix/modules/service/image.nix
+++ b/src/nix/modules/service/image.nix
@ -0,0 +1,115 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (lib) types mkOption;
+  inherit (types) attrsOf listOf nullOr package str unspecified bool;
+
+  # TODO: dummy-config is a useless layer. Nix 2.3 will let us inspect
+  #       the string context instead, so we can avoid this.
+  contentsList = config.image.contents ++ [
+    (pkgs.writeText "dummy-config.json" (builtins.toJSON config.image.rawConfig))
+  ];
+
+  builtImage = pkgs.dockerTools.buildLayeredImage {
+    inherit (config.image)
+      name
+      contents
+      ;
+    config = config.image.rawConfig;
+    maxLayers = 100;
+
+    # TODO: allow use of image's Nix package instead
+    # TODO: option to disable db generation
+    extraCommands = ''
+        echo "Generating the nix database..."
+        echo "Warning: only the database of the deepest Nix layer is loaded."
+        echo "         If you want to use nix commands in the container, it would"
+        echo "         be better to only have one layer that contains a nix store."
+        export NIX_REMOTE=local?root=$PWD
+        ${pkgs.nix}/bin/nix-store --load-db < ${pkgs.closureInfo {rootPaths = contentsList;}}/registration
+        mkdir -p nix/var/nix/gcroots/docker/
+        for i in ${lib.concatStringsSep " " contentsList}; do
+          ln -s $i nix/var/nix/gcroots/docker/$(basename $i)
+        done;
+      '';
+  };
+in
+{
+  options = {
+    build.image = mkOption {
+      type = nullOr package;
+      description = ''
+        Docker image derivation to be <code>docker load</code>ed.
+      '';
+      internal = true;
+    };
+    build.imageName = mkOption {
+      type = str;
+      description = "Derived from build.image";
+      internal = true;
+    };
+    build.imageTag = mkOption {
+      type = str;
+      description = "Derived from build.image";
+      internal = true;
+    };
+    image.nixBuild = mkOption {
+      type = bool;
+      description = ''
+        Whether to build this image with Nixpkgs'
+        <code>dockerTools.buildLayeredImage</code>
+        and then load it with <code>docker load</code>.
+      '';
+      default = true;
+    };
+    image.name = mkOption {
+      type = str;
+      default = config.service.name;
+      defaultText = lib.literalExample "config.service.name";
+      description = ''
+        A human readable name for the docker image.
+
+        Shows up in the <code>docker ps</code> output in the
+        <code>IMAGE</code> column, among other places.
+      '';
+    };
+    image.contents = mkOption {
+      type = listOf package;
+      default = [];
+      description = ''
+         Top level paths in the container.
+      '';
+    };
+    image.rawConfig = mkOption {
+      type = attrsOf unspecified;
+      default = {};
+      description = ''
+        This is a low-level fallback for when a container option has not
+        been modeled in the Arion module system.
+
+        This attribute set does not have an appropriate merge function.
+        Please use the specific <code>image</code> options instead.
+
+        Run-time configuration of the container. A full list of the
+        options are available at in the <link xlink:href="https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions">Docker Image Specification
+        v1.2.0</link>.
+      '';
+    };
+    image.command = mkOption {
+      type = listOf str;
+      default = [];
+      description = ''
+      '';
+    };
+  };
+  config = {
+    build.image = builtImage;
+    build.imageName = config.build.image.imageName;
+    build.imageTag =
+                 if config.build.image.imageTag != ""
+                 then config.build.image.imageTag
+                 else lib.head (lib.strings.splitString "-" (baseNameOf config.build.image.outPath));
+
+    service.image = lib.mkDefault "${config.build.imageName}:${config.build.imageTag}";
+    image.rawConfig.Cmd = config.image.command;
+  };
+}
--- a/src/nix/modules/service/nixos-init.nix
+++ b/src/nix/modules/service/nixos-init.nix
@ -23,15 +23,15 @@ in
      ../nixos/container-systemd.nix
      (pkgs.path + "/nixos/modules/profiles/minimal.nix")
    ];
-    service.command = [ "${config.nixos.build.toplevel}/init" ];
+    image.command = [ "${config.nixos.build.toplevel}/init" ];
    service.environment.container = "docker";
    service.volumes = [
      "/sys/fs/cgroup:/sys/fs/cgroup:ro"
    ];
    service.tmpfs = [
-      "/tmp"
-      "/run"
-      "/run/wrappers"
+      "/tmp:exec,mode=777"
+      "/run"          # noexec is fine because exes should be symlinked from elsewhere anyway
+      "/run/wrappers" # noexec breaks this intentionally
    ];
    service.stop_signal = "SIGRTMIN+3";
    service.tty = true;