Merge pull request #26 from hercules-ci/images-with-dockertools

Images with dockertools
This commit is contained in:
Robert Hensing 2019-03-12 09:41:16 +01:00 committed by GitHub
commit 15386e5145
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 259 additions and 14 deletions

View file

@ -20,7 +20,15 @@ let
} '' } ''
export NIX_LOG_DIR=$PWD export NIX_LOG_DIR=$PWD
export NIX_STATE_DIR=$PWD export NIX_STATE_DIR=$PWD
nix-instantiate --option sandbox false --readonly-mode --eval --expr "$optionsExpr" --xml --strict >$out nix-instantiate \
--option sandbox false \
--readonly-mode \
--eval \
--expr "$optionsExpr" \
--xml \
--strict \
--show-trace \
>$out
''; '';
optionsDocBook = runCommand "options-db.xml" {} '' optionsDocBook = runCommand "options-db.xml" {} ''
@ -61,7 +69,7 @@ let
declarations = map (d: "src/nix" + (lib.strings.removePrefix (toString ${src}) (toString d))) opt.declarations; declarations = map (d: "src/nix" + (lib.strings.removePrefix (toString ${src}) (toString d))) opt.declarations;
}; };
inherit (pkgs) lib; inherit (pkgs) lib;
composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; }; composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; name = abort "The manual's service options section must not depend on the service name."; };
in map fixPaths (lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList composition.options)) in map fixPaths (lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList composition.options))
''; '';
}; };

View file

@ -163,6 +163,32 @@ do_build() {
--show-trace \ --show-trace \
--attr 'config.build.dockerComposeYaml' \ --attr 'config.build.dockerComposeYaml' \
>/dev/null ; >/dev/null ;
echo 1>&2 "Ensuring required images are loaded..."
jq -r <"$docker_compose_yaml" \
'.["x-arion"].images | map(" - " + .imageName + ":" + .imageTag) | join("\n")'
eval "$(
jq -r '.["docker-compose"]["x-arion"].images as $images
| .["existing-images"] as $loaded
| $images
| map(
if $loaded[.imageName + ":" + .imageTag]
then ""
else "docker load <" + .image + ";" end
)
| join("\n")
' <<EOF
{
"docker-compose": $(cat $docker_compose_yaml),
"existing-images": {
$(docker images \
--filter "dangling=false" \
--format '"{{.Repository}}:{{.Tag}}": true,')
"": false
}
}
EOF
)"
} }
@ -184,7 +210,7 @@ To get started:
To see deployment-wide configuration To see deployment-wide configuration
type config. and hit TAB type config. and hit TAB
To see the services To see the services
type config.docker-compose.services TAB or ENTER type config.docker-compose.evaluatedServices TAB or ENTER
To bring the top-level Nixpkgs attributes into scope To bring the top-level Nixpkgs attributes into scope
type :a (config._module.args.pkgs) // { inherit config; } type :a (config._module.args.pkgs) // { inherit config; }

View file

@ -20,6 +20,7 @@ let
argsModule argsModule
./modules/composition/docker-compose.nix ./modules/composition/docker-compose.nix
./modules/composition/host-environment.nix ./modules/composition/host-environment.nix
./modules/composition/images.nix
]; ];
argsModule = { argsModule = {

View file

@ -1,6 +1,6 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
{ modules, host }: { modules, host, name }:
let let
composite = lib.evalModules { composite = lib.evalModules {
check = true; check = true;
@ -12,6 +12,7 @@ let
./modules/service/docker-compose-service.nix ./modules/service/docker-compose-service.nix
./modules/service/host-store.nix ./modules/service/host-store.nix
./modules/service/host.nix ./modules/service/host.nix
./modules/service/image.nix
./modules/service/nixos.nix ./modules/service/nixos.nix
./modules/service/nixos-init.nix ./modules/service/nixos-init.nix
]; ];
@ -21,6 +22,7 @@ let
key = ./docker-compose.nix; key = ./docker-compose.nix;
config._module.args.pkgs = lib.mkForce pkgs; config._module.args.pkgs = lib.mkForce pkgs;
config.host = host; config.host = host;
config.service.name = name;
}; };
in in

View file

@ -11,7 +11,7 @@
*/ */
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
evalService = name: modules: (pkgs.callPackage ../../eval-service.nix {} { inherit modules; inherit (config) host; }).config.build.service; evalService = name: modules: pkgs.callPackage ../../eval-service.nix {} { inherit name modules; inherit (config) host; };
in in
{ {
@ -33,14 +33,20 @@ in
type = with lib.types; attrsOf (coercedTo unspecified (a: [a]) (listOf unspecified)); type = with lib.types; attrsOf (coercedTo unspecified (a: [a]) (listOf unspecified));
description = "A attribute set of service configurations. A service specifies how to run an image. Each of these service configurations is specified using modules whose options are described in the Service Options section."; description = "A attribute set of service configurations. A service specifies how to run an image. Each of these service configurations is specified using modules whose options are described in the Service Options section.";
}; };
docker-compose.evaluatedServices = lib.mkOption {
type = lib.types.attrsOf lib.types.attrs;
description = "Attribute set of evaluated service configurations.";
readOnly = true;
};
}; };
config = { config = {
build.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.build.dockerComposeYamlText; build.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.build.dockerComposeYamlText;
build.dockerComposeYamlText = builtins.toJSON (config.docker-compose.raw); build.dockerComposeYamlText = builtins.toJSON (config.docker-compose.raw);
docker-compose.evaluatedServices = lib.mapAttrs evalService config.docker-compose.services;
docker-compose.raw = { docker-compose.raw = {
version = "3"; version = "3.4";
services = lib.mapAttrs evalService config.docker-compose.services; services = lib.mapAttrs (k: c: c.config.build.service) config.docker-compose.evaluatedServices;
}; };
}; };
} }

View file

@ -0,0 +1,36 @@
{ pkgs, lib, config, ... }:
let
inherit (lib.types) listOf package unspecified;
serviceImages =
lib.mapAttrs addDetails (
lib.filterAttrs filterFunction config.docker-compose.evaluatedServices
);
filterFunction = _serviceName: service:
service.config.image.nixBuild;
addDetails = _serviceName: service:
let
inherit (service.config) build;
in {
image = build.image.outPath;
imageName = build.imageName or service.image.name;
imageTag =
if build.image.imageTag != ""
then build.image.imageTag
else lib.head (lib.strings.splitString "-" (baseNameOf build.image.outPath));
};
in
{
options = {
build.imagesToLoad = lib.mkOption {
type = listOf unspecified;
description = "List of dockerTools image derivations.";
};
};
config = {
build.imagesToLoad = lib.attrValues serviceImages;
docker-compose.raw.x-arion.images = config.build.imagesToLoad;
};
}

View file

@ -19,6 +19,6 @@
systemd.services.systemd-logind.enable = false; systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false; systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false; systemd.sockets.nix-daemon.enable = lib.mkDefault false;
systemd.services.nix-daemon.enable = false; systemd.services.nix-daemon.enable = lib.mkDefault false;
} }

View file

@ -10,13 +10,19 @@ let
inherit (lib) mkOption types; inherit (lib) mkOption types;
inherit (types) listOf nullOr attrsOf str either int bool; inherit (types) listOf nullOr attrsOf str either int bool;
link = url: text:
''<link xlink:href="${url}">${text}</link>'';
dockerComposeRef = fragment: dockerComposeRef = fragment:
''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>''; ''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
dockerComposeKitchenSink = '' dockerComposeKitchenSink = ''
Analogous to the <code>docker run</code> counterpart. Analogous to the <code>docker run</code> counterpart.
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"} ${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
''; '';
cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
in in
{ {
options = { options = {
@ -33,6 +39,14 @@ in
''; '';
}; };
service.name = mkOption {
type = str;
description = ''
The name of the service - <code>&lt;name></code> in the composition-level <code>docker-compose.services.&lt;name></code>
'';
readOnly = true;
};
service.volumes = mkOption { service.volumes = mkOption {
type = listOf types.unspecified; type = listOf types.unspecified;
default = []; default = [];
@ -81,6 +95,16 @@ in
default = []; default = [];
description = dockerComposeRef "depends_on"; description = dockerComposeRef "depends_on";
}; };
service.devices = mkOption {
type = listOf str;
default = [];
description = ''
See ${link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
"<code>docker run --device</code> documentation"}
${dockerComposeRef "devices"}
'';
};
service.links = mkOption { service.links = mkOption {
type = listOf str; type = listOf str;
default = []; default = [];
@ -145,6 +169,24 @@ in
default = null; default = null;
description = dockerComposeRef "stop_signal"; description = dockerComposeRef "stop_signal";
}; };
service.capabilities = mkOption {
type = attrsOf (nullOr bool);
default = {};
example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
description = ''
Enable/disable linux capabilities, or pick Docker's default.
Setting a capability to <code>true</code> means that it will be
"added". Setting it to <code>false</code> means that it will be "dropped".
${dockerComposeRef "cap_add-cap_drop"}
Omitted and <code>null</code> capabilities will therefore be set
according to Docker's ${
link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
"default list of capabilities."
}
'';
};
}; };
config.build.service = { config.build.service = {
@ -155,10 +197,16 @@ in
; ;
} // lib.optionalAttrs (config.service.build.context != null) { } // lib.optionalAttrs (config.service.build.context != null) {
inherit (config.service) build; inherit (config.service) build;
} // lib.optionalAttrs (cap_add != []) {
inherit cap_add;
} // lib.optionalAttrs (cap_drop != []) {
inherit cap_drop;
} // lib.optionalAttrs (config.service.command != null) { } // lib.optionalAttrs (config.service.command != null) {
inherit (config.service) command; inherit (config.service) command;
} // lib.optionalAttrs (config.service.depends_on != []) { } // lib.optionalAttrs (config.service.depends_on != []) {
inherit (config.service) depends_on; inherit (config.service) depends_on;
} // lib.optionalAttrs (config.service.devices != []) {
inherit (config.service) devices;
} // lib.optionalAttrs (config.service.entrypoint != null) { } // lib.optionalAttrs (config.service.entrypoint != null) {
inherit (config.service) entrypoint; inherit (config.service) entrypoint;
} // lib.optionalAttrs (config.service.env_file != []) { } // lib.optionalAttrs (config.service.env_file != []) {

View file

@ -8,6 +8,7 @@
let let
inherit (lib) mkOption types mkIf; inherit (lib) mkOption types mkIf;
escape = s: lib.replaceStrings ["$"] ["$$"] s;
in in
{ {
options = { options = {
@ -23,11 +24,13 @@ in
}; };
}; };
config = mkIf config.service.useHostStore { config = mkIf config.service.useHostStore {
image.nixBuild = false; # no need to build and load
service.image = "arion-base"; service.image = "arion-base";
service.build.context = "${../../../arion-image}"; service.build.context = "${../../../arion-image}";
service.volumes = [ service.volumes = [
"${config.host.nixStorePrefix}/nix/store:/nix/store" "${config.host.nixStorePrefix}/nix/store:/nix/store"
"${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system" "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket"; ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
}; };
} }

View file

@ -0,0 +1,115 @@
{ pkgs, lib, config, ... }:
let
inherit (lib) types mkOption;
inherit (types) attrsOf listOf nullOr package str unspecified bool;
# TODO: dummy-config is a useless layer. Nix 2.3 will let us inspect
# the string context instead, so we can avoid this.
contentsList = config.image.contents ++ [
(pkgs.writeText "dummy-config.json" (builtins.toJSON config.image.rawConfig))
];
builtImage = pkgs.dockerTools.buildLayeredImage {
inherit (config.image)
name
contents
;
config = config.image.rawConfig;
maxLayers = 100;
# TODO: allow use of image's Nix package instead
# TODO: option to disable db generation
extraCommands = ''
echo "Generating the nix database..."
echo "Warning: only the database of the deepest Nix layer is loaded."
echo " If you want to use nix commands in the container, it would"
echo " be better to only have one layer that contains a nix store."
export NIX_REMOTE=local?root=$PWD
${pkgs.nix}/bin/nix-store --load-db < ${pkgs.closureInfo {rootPaths = contentsList;}}/registration
mkdir -p nix/var/nix/gcroots/docker/
for i in ${lib.concatStringsSep " " contentsList}; do
ln -s $i nix/var/nix/gcroots/docker/$(basename $i)
done;
'';
};
in
{
options = {
build.image = mkOption {
type = nullOr package;
description = ''
Docker image derivation to be <code>docker load</code>ed.
'';
internal = true;
};
build.imageName = mkOption {
type = str;
description = "Derived from build.image";
internal = true;
};
build.imageTag = mkOption {
type = str;
description = "Derived from build.image";
internal = true;
};
image.nixBuild = mkOption {
type = bool;
description = ''
Whether to build this image with Nixpkgs'
<code>dockerTools.buildLayeredImage</code>
and then load it with <code>docker load</code>.
'';
default = true;
};
image.name = mkOption {
type = str;
default = config.service.name;
defaultText = lib.literalExample "config.service.name";
description = ''
A human readable name for the docker image.
Shows up in the <code>docker ps</code> output in the
<code>IMAGE</code> column, among other places.
'';
};
image.contents = mkOption {
type = listOf package;
default = [];
description = ''
Top level paths in the container.
'';
};
image.rawConfig = mkOption {
type = attrsOf unspecified;
default = {};
description = ''
This is a low-level fallback for when a container option has not
been modeled in the Arion module system.
This attribute set does not have an appropriate merge function.
Please use the specific <code>image</code> options instead.
Run-time configuration of the container. A full list of the
options are available at in the <link xlink:href="https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions">Docker Image Specification
v1.2.0</link>.
'';
};
image.command = mkOption {
type = listOf str;
default = [];
description = ''
'';
};
};
config = {
build.image = builtImage;
build.imageName = config.build.image.imageName;
build.imageTag =
if config.build.image.imageTag != ""
then config.build.image.imageTag
else lib.head (lib.strings.splitString "-" (baseNameOf config.build.image.outPath));
service.image = lib.mkDefault "${config.build.imageName}:${config.build.imageTag}";
image.rawConfig.Cmd = config.image.command;
};
}

View file

@ -23,15 +23,15 @@ in
../nixos/container-systemd.nix ../nixos/container-systemd.nix
(pkgs.path + "/nixos/modules/profiles/minimal.nix") (pkgs.path + "/nixos/modules/profiles/minimal.nix")
]; ];
service.command = [ "${config.nixos.build.toplevel}/init" ]; image.command = [ "${config.nixos.build.toplevel}/init" ];
service.environment.container = "docker"; service.environment.container = "docker";
service.volumes = [ service.volumes = [
"/sys/fs/cgroup:/sys/fs/cgroup:ro" "/sys/fs/cgroup:/sys/fs/cgroup:ro"
]; ];
service.tmpfs = [ service.tmpfs = [
"/tmp" "/tmp:exec,mode=777"
"/run" "/run" # noexec is fine because exes should be symlinked from elsewhere anyway
"/run/wrappers" "/run/wrappers" # noexec breaks this intentionally
]; ];
service.stop_signal = "SIGRTMIN+3"; service.stop_signal = "SIGRTMIN+3";
service.tty = true; service.tty = true;