Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/docker/default.nix | 23 | ||||
-rwxr-xr-x | pkgs/build-support/docker/nix-prefetch-docker | 7 | ||||
-rwxr-xr-x | pkgs/build-support/docker/store-path-to-layer.sh | 46 | ||||
-rw-r--r-- | pkgs/build-support/skaware/clean-packaging.nix | 4 |
4 files changed, 34 insertions, 46 deletions
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index f2a1378b8b27..83f4a9e0c01b 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -95,7 +95,7 @@ rec {
 sourceURL = "docker://${imageName}@${imageDigest}";
 destNameTag = "${finalImageName}:${finalImageTag}";
 } ''
- skopeo --override-os ${os} --override-arch ${arch} copy "$sourceURL" "docker-archive://$out:$destNameTag"
+ skopeo --insecure-policy --tmpdir=$TMPDIR --override-os ${os} --override-arch ${arch} copy "$sourceURL" "docker-archive://$out:$destNameTag"
 '';
 # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
@@ -392,14 +392,10 @@ rec {
 (cd layer; eval "$extraCommands")
 fi
- # Tar up the layer and throw it into 'layer.tar'.
+ # Tar up the layer and throw it into 'layer.tar', while calculating its checksum.
 echo "Packing layer..."
 mkdir $out
- tar --transform='s|^\./||' -C layer --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf $out/layer.tar .
-
- # Compute a checksum of the tarball.
- echo "Computing layer checksum..."
- tarhash=$(tarsum < $out/layer.tar)
+ tarhash=$(tar --transform='s|^\./||' -C layer --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf - . | tee $out/layer.tar | tarsum)
 # Add a 'checksum' field to the JSON, with the value set to the
 # checksum of the tarball.
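Review bot: `--insecure-policy` on the new `skopeo … copy` line switches off skopeo's signature-policy evaluation, and nothing in the hunk records why that is acceptable. The source stays pinned as `docker://${imageName}@${imageDigest}`, so the pulled content is still tied to a digest; presumably the derivation's fixed output hash, which is outside the hunk, is the second check. I would add a comment above the command along the lines of `# --insecure-policy: no signature policy is applied here; integrity comes from imageDigest and the output hash` (wording for the author to confirm) and quote the new argument as `--tmpdir="$TMPDIR"`. The enclosing builder block starts and ends outside the hunk.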
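Review bot: The exit status of `tar` is no longer checked on the new `tarhash=$(tar … -cf - . | tee $out/layer.tar | tarsum)` line: without `pipefail` the substitution returns the status of `tarsum`, the last stage, so a failed or truncated archive is written to `layer.tar` and recorded with a checksum that matches the truncated data. Before this change `tar` ran as a standalone command, where a failure under `set -e` stops the build. The builder's shell options are outside the hunk, so this needs confirming; if `pipefail` is not already active, add `set -o pipefail` ahead of the pipeline. The same pipeline shape is introduced in the hunks at -449 and -537 of this file and in the store-path-to-layer.sh hunk.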
@@ -449,11 +445,7 @@ rec {
 # Tar up the layer and throw it into 'layer.tar'.
 echo "Packing layer..."
 mkdir $out
- tar -C layer --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf $out/layer.tar .
-
- # Compute a checksum of the tarball.
- echo "Computing layer checksum..."
- tarhash=$(tarsum < $out/layer.tar)
+ tarhash=$(tar -C layer --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf - . | tee $out/layer.tar | tarsum)
 # Add a 'checksum' field to the JSON, with the value set to the
 # checksum of the tarball.
@@ -537,11 +529,10 @@ rec {
 echo "Packing layer..."
 mkdir -p $out
- tar -C layer --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
+ tarhash=$(tar -C layer --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" -cf - . |
+ tee $out/layer.tar |
+ ${tarsum}/bin/tarsum)
- # Compute the tar checksum and add it to the output json.
- echo "Computing checksum..."
- tarhash=$(${tarsum}/bin/tarsum < $out/layer.tar)
 cat ${baseJson} | jshon -s "$tarhash" -i checksum > $out/json
 # Indicate to docker that we're using schema version 1.0.
 echo -n "1.0" > $out/VERSION
diff --git a/pkgs/build-support/docker/nix-prefetch-docker b/pkgs/build-support/docker/nix-prefetch-docker
index 839dc87487a0..bf01384ccdb4 100755
--- a/pkgs/build-support/docker/nix-prefetch-docker
+++ b/pkgs/build-support/docker/nix-prefetch-docker
@@ -12,6 +12,7 @@ finalImageTag=
 hashType=$NIX_HASH_ALGO
 hashFormat=$hashFormat
 format=nix
+skopeoCmd="skopeo --insecure-policy --tmpdir=$TMPDIR"
 usage(){
 echo >&2 "syntax: nix-prefetch-docker [options] [IMAGE_NAME [IMAGE_TAG|IMAGE_DIGEST]]
@@ -38,7 +39,7 @@ get_image_digest(){
 imageTag="latest"
 fi
- skopeo inspect "docker://$imageName:$imageTag" | jq '.Digest' -r
+ "$skopeoCmd" inspect "docker://$imageName:$imageTag" | jq '.Digest' -r
 }
 get_name() {
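Review bot: `skopeoCmd` is defined in the -12 hunk as one string holding the program name plus two options, but the call sites added in the hunks at -38 and -127 expand it as `"$skopeoCmd"`, which the shell passes as a single word, so it looks up a command literally named `skopeo --insecure-policy --tmpdir=…` and fails. Assuming the script runs under bash (the shebang is outside the hunk), define it as an array, `skopeoCmd=(skopeo --insecure-policy --tmpdir="$TMPDIR")`, and call it as `"${skopeoCmd[@]}" inspect …`. The array form also keeps a `TMPDIR` containing spaces intact. `--insecure-policy` deserves a one-line comment here too, since it turns off skopeo's signature-policy check for every pull this tool makes.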
@@ -127,9 +128,9 @@ trap "rm -rf \"$tmpPath\"" EXIT
 tmpFile="$tmpPath/$(get_name $finalImageName $finalImageTag)"
 if test -z "$QUIET"; then
- skopeo --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag"
+ "$skopeoCmd" --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag"
 else
- skopeo --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" > /dev/null
+ "$skopeoCmd" --override-os ${os} --override-arch ${arch} copy "$sourceUrl" "docker-archive://$tmpFile:$finalImageName:$finalImageTag" > /dev/null
 fi
 # Compute the hash.
diff --git a/pkgs/build-support/docker/store-path-to-layer.sh b/pkgs/build-support/docker/store-path-to-layer.sh
index 7e8efeea1c10..d834716e4b21 100755
--- a/pkgs/build-support/docker/store-path-to-layer.sh
+++ b/pkgs/build-support/docker/store-path-to-layer.sh
@@ -11,39 +11,35 @@ echo "Creating layer #$layerNumber for $@"
 mkdir -p "$layerPath"
 # Make sure /nix and /nix/store appear first in the archive.
+#
 # We create the directories here and use them because
 # when there are other things being added to the
 # nix store, tar could fail, saying,
 # "tar: /nix/store: file changed as we read it"
 mkdir -p nix/store
-tar -cf "$layerPath/layer.tar" \
- --mtime="@$SOURCE_DATE_EPOCH" \
- --owner=0 --group=0 \
- --transform='s,nix,/nix,' \
- nix
-
-# We change into the /nix/store in order to avoid a similar
-# "file changed as we read it" error as above. Namely,
-# if we use the absolute path of /nix/store/123-pkg
-# and something new is added to the nix store while tar
-# is running, it will detect a change to /nix/store and
-# fail. Instead, if we cd into the nix store and copy
-# the relative nix store path, tar will ignore changes
-# to /nix/store. In order to create the correct structure
-# in the tar file, we transform the relative nix store
-# path to the absolute store path.
-for storePath in "$@"; do
- n=$(basename "$storePath")
- tar -C /nix/store -rpf "$layerPath/layer.tar" \
+
+# Then we change into the /nix/store in order to
+# avoid a similar "file changed as we read it" error
+# as above. Namely, if we use the absolute path of
+# /nix/store/123-pkg and something new is added to the nix
+# store while tar is running, it will detect a change to
+# /nix/store and fail. Instead, if we cd into the nix store
+# and copy the relative nix store path, tar will ignore
+# changes to /nix/store. In order to create the correct
+# structure in the tar file, we transform the relative nix
+# store path to the absolute store path.
+tarhash=$(
+ basename -a "$@" |
+ tar -cp nix \
+ -C /nix/store --verbatim-files-from --files-from - \
 --hard-dereference --sort=name \
 --mtime="@$SOURCE_DATE_EPOCH" \
 --owner=0 --group=0 \
- --transform="s,$n,/nix/store/$n," \
- $n
-done
-
-# Compute a checksum of the tarball.
-tarhash=$(tarsum < $layerPath/layer.tar)
+ --transform 's,^nix(/|$),/nix/,' \
+ --transform 's,^[^/],/nix/store/\0,rS' |
+ tee "$layerPath/layer.tar" |
+ tarsum
+)
 # Add a 'checksum' field to the JSON, with the value set to the
 # checksum of the tarball.
diff --git a/pkgs/build-support/skaware/clean-packaging.nix b/pkgs/build-support/skaware/clean-packaging.nix
index 16bae04b21e2..762fe25c0acf 100644
--- a/pkgs/build-support/skaware/clean-packaging.nix
+++ b/pkgs/build-support/skaware/clean-packaging.nix
@@ -26,11 +26,11 @@ let
 writeScript "common-file-actions.sh" ''
 #!${stdenv.shell}
 set -e
- DOCDIR="$1"
+ DOCDIR="''${1?commonFileActions: DOCDIR as argv[1] required}"
 shopt -s globstar extglob nullglob
- ${rmNoise noiseFiles}
 mkdir -p "$DOCDIR"
 ${mvDoc docFiles}
+ ${rmNoise noiseFiles}
 '';
 # Shell script to check whether the build directory is empty. |
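Review bot: The new `tar -cp nix \` invocation in store-path-to-layer.sh names no archive, so the pipeline into `tee` and `tarsum` depends on GNU tar's default archive being standard output; that default is chosen when tar is built and is overridden by the `TAPE` environment variable. If it resolves to anything else, `layer.tar` is written empty and `tarhash` becomes the checksum of no data. Writing `tar -cpf - nix \` makes the destination explicit, as the default.nix hunks do with `-cf -`. It is also worth confirming that `'s,^nix(/|$),/nix/,'` matches as intended: as far as I know GNU tar reads `--transform` patterns as basic regular expressions unless the `x` flag is given, so without that flag `(`, `|` and `)` would be literal characters.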
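Review bot: `''${1?…}` on the new `DOCDIR=` line in clean-packaging.nix only rejects a missing argument; an empty string still passes and is then handed to `mkdir -p "$DOCDIR"` and to whatever `mvDoc` expands to. The colon form, `DOCDIR="''${1:?commonFileActions: DOCDIR as argv[1] required}"`, rejects both cases with the same message. The hunk also moves `${rmNoise noiseFiles}` after `${mvDoc docFiles}`; if the intent is that documentation is moved out before the noise patterns are applied, a comment such as `# move docs first so a noise glob cannot remove them` above those lines would record why the order matters.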