build-support/docker: pass tlsVerify to support http registries #125211

Merged Jun 1, 2021 (1 commit)

edwtjo (Member) commented Jun 1, 2021

Disable TLS fetch for skopeo. The default is unchanged and is to use TLS.

Motivation for this change

Sometimes you have to deal with internal registries which do not have TLS (gasp). In such cases this option should be useful.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Added a release notes entry if the change is major or breaking
  • Fits CONTRIBUTING.md.
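
One way to keep `tlsVerify = false` confined to the internal registries it is meant for, as an added example that is not part of this PR or of nixpkgs: a wrapper around `dockerTools.pullImage` that fails evaluation when the setting is requested for a registry outside an allowlist. `pullImageGuarded`, `plainHttpRegistries`, the registry host, and the digest and hash values are hypothetical placeholders.

```nix
# Added example: a guard around dockerTools.pullImage, not nixpkgs code.
{ pkgs ? import <nixpkgs> { } }:
let
  inherit (pkgs) lib;

  # Assumption: the only registries that may be fetched without TLS.
  plainHttpRegistries = [ "registry.internal.example:5000" ];

  # Treat everything before the first "/" of imageName as the registry.
  registryOf = imageName: builtins.head (lib.splitString "/" imageName);

  # Hypothetical wrapper: forwards its arguments to pullImage unchanged, but
  # evaluation fails when tlsVerify = false targets a non-allowlisted registry.
  pullImageGuarded = args@{ imageName, tlsVerify ? true, ... }:
    assert lib.assertMsg
      (tlsVerify || builtins.elem (registryOf imageName) plainHttpRegistries)
      ("tlsVerify = false is not allowed for ${imageName}; permitted registries: "
        + lib.concatStringsSep ", " plainHttpRegistries);
    pkgs.dockerTools.pullImage args;
in
{
  # Accepted: allowlisted internal registry. The fixed-output sha256 still
  # pins the image content; plain HTTP drops server authentication and
  # transport confidentiality. Digest and hash below are placeholders.
  internalBase = pullImageGuarded {
    imageName = "registry.internal.example:5000/team/base";
    imageDigest = "sha256:0000000000000000000000000000000000000000000000000000000000000000";
    sha256 = lib.fakeSha256;
    tlsVerify = false;
  };

  # Rejected at evaluation time: "nixos" is not in plainHttpRegistries,
  # so the assertion above throws before skopeo is ever invoked.
  dockerHubPlain = pullImageGuarded {
    imageName = "nixos/nix";
    imageDigest = "sha256:0000000000000000000000000000000000000000000000000000000000000000";
    sha256 = lib.fakeSha256;
    tlsVerify = false;
  };
}
```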

roberth merged commit 7f6a395 into NixOS:master Jun 1, 2021

roberth (Member) commented Jun 1, 2021

Thanks!

roberth added a commit to hercules-ci/nixpkgs that referenced this pull request Jun 1, 2021
For NixOS#125211 I tried to test
the fetcher with

    nix-build -A dockerTools.examples.nixFromDockerHub --option substitute false

But it failed. I haven't figured out the cause, but the outputs
match, so it's probably the hashing method (flat/recursive) that
changed at some point. (The names did match.)

teto (Member) commented Aug 10, 2021

I've just tried to update one of my images with:

    let
      pkgs = import ./nixpkgs.nix { };

      # To enable sandboxing the container has to be started with the --privileged flag and sandbox = true set in /etc/nix/nix.conf.
      nixBase = pkgs.dockerTools.pullImage {
        imageName = "nixos/nix";
        imageDigest = "sha256:d9bb3b85b846eb0b6c5204e0d76639dff72c7871fb68f5d4edcfbb727f8a5653";
        sha256 = "sha256-+ZEWyHjZ65P8Fl0rhFY5e5tGBogHDy3gHhv+lqJaHWs=";
        finalImageTag = "2.3.12";
        finalImageName = "nix";
      };

      haskellBase = pkgs.dockerTools.buildImage {
        name = "jinko-base-layer";
        # depending on nix-base brings certificate support etc.
        fromImage = nixBase;
        contents = with pkgs; [
          bashInteractive
          coreutils
          llvm_8.lib
          libxml2
          postgresql.lib # for libpq
          sundials
          liblapack
          gmp
          xz
          openblas
          nlopt
          curl
        ];
      };
    in
    {
      inherit haskellBase;
      inherit nixBase;

      uncompressedImage = pkgs.runCommand "base-image" { } ''
        mkdir -p $out
        gunzip -c ${haskellBase} > $out/image
      '';
    }

but I got (on nixos-unstable):

       last 1 log lines:
       > FATA[0000] unknown flag: --src-tls-verify

NB: the image hash is wrong but that shouldn't matter

roberth (Member) commented Aug 13, 2021

To prevent this, we need something like #133739 and use it to define skopeo.passthru.tests.dockerTools-pullImage
