diff options
| author | Robert K. Bell <robert.k.bell@gmail.com> | 2023-12-04 14:39:18 +1100 |
|---|---|---|
| committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2024-02-14 22:39:15 +0000 |
| commit | 630a4058f19f08870ddfc1a568b934e98f0812f4 (patch) | |
| tree | a85a67f774d07afea500fe68fa3cbb0dd89bbd9c | |
| parent | Merge pull request #288868 from NixOS/backport-288858-to-release-23.11 (diff) | |
| download | nixpkgs-630a4058f19f08870ddfc1a568b934e98f0812f4.tar.gz | |
nixos/dockerTools: fix includeStorePaths when enableFakechroot
After #268458, when setting `enableFakechroot = true` and
`includeStorePaths = false`, some of the store paths were getting
included into the image anyway, thru `bind-paths`.
This resulted in unexpectedly large images.
Now, the images will not contain any store paths under those
circumstances.
(cherry picked from commit 8353fad13da8983b95c47426a355e044099cee91)
| -rw-r--r-- | nixos/tests/docker-tools.nix | 2 | ||||
| -rw-r--r-- | pkgs/build-support/docker/default.nix | 1 | ||||
| -rw-r--r-- | pkgs/build-support/docker/examples.nix | 1 |
3 files changed, 4 insertions, 0 deletions
diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index fcdfa586fd55..9ff286af4c26 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -75,6 +75,8 @@ in { docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.fail("docker run --rm hello | grep -i hello") docker.succeed("docker image rm hello:latest") + with subtest("Ensure ZERO paths are added to the store"): + docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") with subtest("includeStorePath = false; works with mounted store"): docker.succeed("${examples.helloOnRootNoStore} | docker load") docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix index 23e439c6c423..99dc59fa4666 100644 --- a/pkgs/build-support/docker/default.nix +++ b/pkgs/build-support/docker/default.nix @@ -922,6 +922,7 @@ rec { --sort name \ --exclude=./proc \ --exclude=./sys \ + --exclude=.${builtins.storeDir} \ --numeric-owner --mtime "@$SOURCE_DATE_EPOCH" \ --hard-dereference \ -cf $out/layer.tar . diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix index 5784e650dc2e..109bea54ec0c 100644 --- a/pkgs/build-support/docker/examples.nix +++ b/pkgs/build-support/docker/examples.nix @@ -637,6 +637,7 @@ rec { ]; config.Cmd = [ "hello" ]; includeStorePaths = false; + enableFakechroot = true; }; etc = |