From fa93df0d5a690bcfaf87db921f635e352cd9a837 Mon Sep 17 00:00:00 2001 From: Tristan Cacqueray Date: Wed, 4 Oct 2023 14:58:12 +0000 Subject: [PATCH] nix: use ubi8 as the container base image --- nix/default.nix | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/nix/default.nix b/nix/default.nix index 69589cb47..5b632c9fd 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -462,35 +462,41 @@ in rec { monocle-exe = pkgs.haskell.lib.justStaticExecutables (hsPkgs.monocle.overrideAttrs (_: { MONOCLE_COMMIT = rev; })); + monocle-wrapper = pkgs.writeScriptBin "monocle" '' + #!/usr/bin/sh -e + # Use fakeroot to avoid `No user exists for uid` error + env LD_PRELOAD=${pkgs.fakeroot}/lib/libfakeroot.so ${monocle-exe}/bin/monocle $* + ''; + containerMonocle = let # Container user info user = "monocle"; home = "var/lib/${user}"; # Create a passwd entry so that openssh can find the .ssh config - createPasswd = "echo ${user}:x:0:0:monocle:/${home}:/bin/bash > etc/passwd"; - - # Make ca-bundles.crt available to HSOpenSSL as plain file - # https://hackage.haskell.org/package/HsOpenSSL-x509-system-0.1.0.4/docs/src/OpenSSL.X509.SystemStore.Unix.html#contextLoadSystemCerts - fixCABundle = - "mkdir -p etc/pki/tls/certs/ && cp etc/ssl/certs/ca-bundle.crt etc/pki/tls/certs/ca-bundle.crt"; + createPasswd = + "mkdir etc; echo ${user}:x:0:0:monocle:/${home}:/bin/bash >> etc/passwd"; # Ensure the home directory is r/w for any uid rwHome = "mkdir -p -m 1777 ${home}"; in pkgs.dockerTools.buildLayeredImage { name = "quay.io/change-metrics/monocle-exe"; - contents = [ pkgs.coreutils pkgs.cacert pkgs.bash pkgs.curl monocle-exe ]; - extraCommands = "${createPasswd} && ${fixCABundle} && ${rwHome}"; + contents = [ monocle-wrapper ]; + extraCommands = "${createPasswd} && ${rwHome}"; tag = "latest"; created = "now"; config = { USER = "1000"; - Env = [ - "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" - "HOME=/${home}" - # Use fakeroot to avoid `No user exists for uid` error - "LD_PRELOAD=${pkgs.fakeroot}/lib/libfakeroot.so" - ]; + Env = [ "HOME=/${home}" ]; + }; + # To update, run: nix run github:TristanCacqueray/nixpkgs/skopeo-fix#nix-prefetch-docker -- -c nix-prefetch-docker --image-name registry.access.redhat.com/ubi8/ubi --image-tag 8.8-1067 + fromImage = pkgs.dockerTools.pullImage { + imageName = "registry.access.redhat.com/ubi8/ubi"; + imageDigest = + "sha256:269e9753043a4066af12649e921c6ad3201702fda5b2652f7a4aa010c2ed4c1a"; + sha256 = "0wc566pph59mwn1dyw9h06lmfzc4x2p665lxffplpgqc10cr3w2c"; + finalImageName = "registry.access.redhat.com/ubi8/ubi"; + finalImageTag = "8.8-1067"; }; };