dockerTools.buildImage: Fix incorrect layer unpack order before executing runAsRoot script

[agbrooks]

Motivation for this change

When dockerTools.buildImage is provided both a multi-layer fromImage and a runAsRoot script, it incorrectly unpacks the layers specified in the parent image's manifest.json in reverse order before the runAsRoot script is executed in a VM.

This is particularly problematic when the fromImage and one of its ancestors' layers both contain the same path with different contents: the ancestor's "version" of that file incorrectly overwrites its descendants' in the VM where the runAsRoot script executes (it should be the other way around).

The image used for our existing layer ordering test doesn't catch this problem (the test image only uses extraCommands, and therefore can't test whether the layers get unpacked in the correct order in the VM when executing the runAsRoot script). I've added an additional test that is able to detect this problem and confirms that this fix is able to address it.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[roberth]

@ofborg test docker-tools

[roberth]

Thanks for the well executed fix!

[github-actions]

Backport failed for release-21.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-21.05
git worktree add -d .worktree/backport-151150-to-release-21.05 origin/release-21.05
cd .worktree/backport-151150-to-release-21.05
git checkout -b backport-151150-to-release-21.05
ancref=$(git merge-base f020f2bf2f0c03093e9644cf7b5cbdc8e6377967 57718902e34486288f63760faddda49ce2eecbdb)
git cherry-pick -x $ancref..57718902e34486288f63760faddda49ce2eecbdb

[github-actions]

Successfully created backport PR #151172 for release-21.11.

[roberth]

Backport failed for release-21.05,

This backport I will skip because this release is very close to end of life.