Skip to content

Reproducible build using Nix (nerdctl build-nix)#582

Closed
AkihiroSuda wants to merge 1 commit intocontainerd:masterfrom
AkihiroSuda:experimental-build-nix
Closed

Reproducible build using Nix (nerdctl build-nix)#582
AkihiroSuda wants to merge 1 commit intocontainerd:masterfrom
AkihiroSuda:experimental-build-nix

Conversation

@AkihiroSuda
Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda commented Dec 1, 2021
edited
Loading

See examples/build-nix/nginx

nerdctl build-nix
nerdctl run -d -p 8080:80 nginx:nix

WIP: still not fully reproducible

$ nerdctl -v
nerdctl version 0.14.0-46-g9022539

$ nerdctl build-nix -f examples/build-nix/nginx/default.nix
WARN[0000] This command is experimental and subject to change.
INFO[0000] Creating a Nix container                      image="ghcr.io/stargz-containers/nixos/nix:2.3.12-org@sha256:d9bb3b85b846eb0b6c5204e0d76639dff72c7871fb68f5d4edcfbb727f8a5653"
INFO[0000] Starting Nix                                 
/nix/store/zc9cc6q6669cy58s2pwjcl8k1hvbl2qd-docker-image-nginx.tar.gz
unpacking docker.io/library/nginx:nix (sha256:e3db533a4440dd8ed1a64e9963ebf2386cc9bfc25b014dd4bd36b1635ec49695)...done
INFO[0002] Tar digest: sha256:0407cfb8e7195c62b58fe5f4b4f8ef92f8fbdaeb7b4b444a9d4da5496f855ec4 
INFO[0002] Image ID: sha256:e3db533a4440dd8ed1a64e9963ebf2386cc9bfc25b014dd4bd36b1635ec49695

Tar digest: sha256:0407cfb8e7195c62b58fe5f4b4f8ef92f8fbdaeb7b4b444a9d4da5496f855ec4 is always reproducible, but ImageID changes after nuking ~/.local/share/containerd

Due to:

@AkihiroSuda AkihiroSuda added the enhancement New feature or request label Dec 1, 2021
@AkihiroSuda AkihiroSuda force-pushed the experimental-build-nix branch 2 times, most recently from a7a7ac2 to 9022539 Compare December 1, 2021 11:48
@AkihiroSuda AkihiroSuda mentioned this pull request Dec 1, 2021
Closed
fahedouch
fahedouch reviewed Dec 1, 2021
View reviewed changes
Comment thread cmd/nerdctl/run_mount_linux_test.go
fahedouch
fahedouch reviewed Dec 1, 2021
View reviewed changes
Comment thread cmd/nerdctl/build_nix_linux.go
"-v", nixutil.CacheVolumeName + ":/nix",
"-w", "/mnt",
nixImage,
"sleep", "infinity",
Copy link
Copy Markdown
Member

@fahedouch fahedouch Dec 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that a non-null entrypoint can cause problems

Copy link
Copy Markdown
Member Author

@AkihiroSuda AkihiroSuda Dec 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why?

Copy link
Copy Markdown
Member

@fahedouch fahedouch Dec 2, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cmd.Flags().String("nix-image", defaults.NixImage, "Nix image")
nix-image can be set by the user and nothing prevents having an image with an entrypoint ["/ bin/sh /," sleep","infinity"] => /bin/sh sleep infinity sleep infinity.

not sure if this should be considered the responsibility of nerdctl user or us

@AkihiroSuda
[WIP] Reproducible build using Nix (nerdctl build-nix)
cc4556a 
See `examples/build-nix/nginx`

```
nerdctl build-nix
nerdctl run -d -p 8080:80 nginx:nix
```

(WIP: still not fully reproducible)

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda AkihiroSuda force-pushed the experimental-build-nix branch from 9022539 to cc4556a Compare December 2, 2021 05:44
ktock
ktock reviewed Dec 2, 2021
View reviewed changes
Comment thread cmd/nerdctl/build_nix_linux.go
if _, err := os.Stat(file); err != nil {
return err
}
dir := filepath.Dir(file)
Copy link
Copy Markdown
Member

@ktock ktock Dec 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nix-build can only refer to files under filepath.Dir(file)? Should be documented somewhere maybe.

And the following doesn't work:

nerdctl build-nix -f /hello.nix
WARN[0000] This command is experimental and subject to change. 
FATA[0004] failed to read link: /proc/12988/fd/3: readlink /proc/12988/fd/3: no such file or directory

nerdctl build-nix -f /tmp/ctx/hello.nix do work though.

ktock
ktock reviewed Dec 2, 2021
View reviewed changes
Comment thread docs/build-nix.md
Comment on lines +9 to +12
```
nerdctl build-nix
nerdctl run -d -p 8080:80 nginx:nix
```
Copy link
Copy Markdown
Member

@ktock ktock Dec 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the expected digest of the result image should be documented so that users can confirm that build-nix is reproducible.

@AkihiroSuda
Copy link
Copy Markdown
Member Author

AkihiroSuda commented Dec 3, 2021

Now I'm experimenting this as a Dockerfile frontend

https://github.com/AkihiroSuda/buildkit-nix

@AkihiroSuda AkihiroSuda closed this Dec 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fahedouch fahedouch fahedouch left review comments

@ktock ktock ktock left review comments

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AkihiroSuda @fahedouch @ktock