| author | Robert Hensing <roberth@users.noreply.github.com> | 2021-12-18 11:46:55 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-12-18 11:46:55 +0100 |
| commit | cc5ddb53e6d43cb9506a2481b0e593f966c0f06b (patch) | |
| tree | c2c54cd90f1014bda9cbe782c89941b926c11710 | |
| parent | Merge pull request #151170 from NixOS/backport-151160-to-release-21.11 (diff) | |
| parent | nixos/tests/docker-tools: add test for pre-runAsRoot layer unpack order (diff) | |
| download | nixpkgs-cc5ddb53e6d43cb9506a2481b0e593f966c0f06b.tar.gz | |
Merge pull request #151172 from NixOS/backport-151150-to-release-21.11
[Backport release-21.11] dockerTools.buildImage: Fix incorrect layer unpack order before executing runAsRoot script
| -rw-r--r-- | nixos/tests/docker-tools.nix | 6 | ||||
| -rw-r--r-- | pkgs/build-support/docker/default.nix | 2 | ||||
| -rw-r--r-- | pkgs/build-support/docker/examples.nix | 23 |
3 files changed, 30 insertions, 1 deletions
diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 7110187e8d76..ac1555a8847f 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -215,6 +215,12 @@ import ./make-test-python.nix ({ pkgs, ... }: { f"docker run --rm ${examples.layersOrder.imageName} cat /tmp/layer{index}" ) + with subtest("Ensure layers unpacked in correct order before runAsRoot runs"): + assert "abc" in docker.succeed( + "docker load --input='${examples.layersUnpackOrder}'", + "docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order" + ) + with subtest("Ensure environment variables are correctly inherited"): docker.succeed( "docker load --input='${examples.environmentVariables}'" diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix index dcfa5ec593d1..2d8a29366670 100644 --- a/pkgs/build-support/docker/default.nix +++ b/pkgs/build-support/docker/default.nix @@ -235,7 +235,7 @@ rec { # Unpack all of the parent layers into the image. lowerdir="" extractionID=0 - for layerTar in $(tac layer-list); do + for layerTar in $(cat layer-list); do echo "Unpacking layer $layerTar" extractionID=$((extractionID + 1)) diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix index 141c2ba0ea45..01e0ee5225c2 100644 --- a/pkgs/build-support/docker/examples.nix +++ b/pkgs/build-support/docker/examples.nix 
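Review bot: The new subtest's `assert "abc" in docker.succeed(...)` is a substring check over the output of both commands passed to `succeed`, so it would still pass if /layer-order held extra characters around `abc`, for instance a layer name written twice. Running `docker load` in its own `docker.succeed` call and comparing the `docker run` output exactly would pin the unpack order more tightly, e.g. `assert docker.succeed("docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order") == "abc"`. The example writes the file with `echo -n`, so no trailing newline is expected, but that should be confirmed on a test run.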
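Review bot: The loop at `for layerTar in $(cat layer-list); do` now relies on layer-list being written with the bottom-most layer first, and nothing in the hunk records that assumption. A comment above the loop such as `# layer-list is ordered base layer first; unpack in that order so files from later layers override earlier ones before runAsRoot runs` would keep the order from being flipped again. How layer-list is produced is outside the hunk, so the wording should be checked against that code, and the loop body also continues past the hunk. The order matters for what ends up in the image: with the wrong order, runAsRoot presumably sees parent-layer files in place of the versions an upper layer replaced.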
@@ -402,6 +402,29 @@ rec { created = "now"; }; + # 23. Ensure that layers are unpacked in the correct order before the + # runAsRoot script is executed. + layersUnpackOrder = + let + layerOnTopOf = parent: layerName: + pkgs.dockerTools.buildImage { + name = "layers-unpack-order-${layerName}"; + tag = "latest"; + fromImage = parent; + contents = [ pkgs.coreutils ]; + runAsRoot = '' + #!${pkgs.runtimeShell} + echo -n "${layerName}" >> /layer-order + ''; + }; + # When executing the runAsRoot script when building layer C, if layer B is + # not unpacked on top of layer A, the contents of /layer-order will not be + # "ABC". + layerA = layerOnTopOf null "a"; + layerB = layerOnTopOf layerA "b"; + layerC = layerOnTopOf layerB "c"; + in layerC; + # buildImage without explicit tag bashNoTag = pkgs.dockerTools.buildImage { name = "bash-no-tag"; |
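Review bot: The comment above `layerA` says the contents of /layer-order will not be `"ABC"`, but the layers are named `"a"`, `"b"` and `"c"`, and the subtest in nixos/tests/docker-tools.nix checks for `"abc"`; the comment should read `"abc"`. The `# 23.` header could also state that each layer's runAsRoot script appends its own name to /layer-order, so the file's contents record the state each runAsRoot step saw.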
