about summary refs log tree commit diff
path: root/pkgs/build-support
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/docker/default.nix16
-rw-r--r--pkgs/build-support/docker/examples.nix12
2 files changed, 17 insertions, 11 deletions
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 374b71d42a39..0e10ba036a06 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -52,15 +52,7 @@ rec {
       outputHashAlgo = "sha256";
       outputHash = sha256;
 
-      # One of the dependencies of Skopeo uses a hardcoded /var/tmp for storing
-      # big image files, which is not available in sandboxed builds.
-      nativeBuildInputs = lib.singleton (pkgs.skopeo.overrideAttrs (drv: {
-        postPatch = (drv.postPatch or "") + ''
-          sed -i -e 's!/var/tmp!/tmp!g' \
-            vendor/github.com/containers/image/storage/storage_image.go \
-            vendor/github.com/containers/image/internal/tmpdir/tmpdir.go
-        '';
-      }));
+      nativeBuildInputs = lib.singleton (pkgs.skopeo);
       SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
 
       sourceURL = "docker://${imageName}@${imageDigest}";
@@ -360,7 +352,9 @@ rec {
     extraCommands ? ""
   }:
     # Generate an executable script from the `runAsRoot` text.
-    let runAsRootScript = shellScript "run-as-root.sh" runAsRoot;
+    let
+      runAsRootScript = shellScript "run-as-root.sh" runAsRoot;
+      extraCommandsScript = shellScript "extra-commands.sh" extraCommands;
     in runWithOverlay {
       name = "docker-layer-${name}";
 
@@ -398,7 +392,7 @@ rec {
       '';
 
       postUmount = ''
-        (cd layer; eval "${extraCommands}")
+        (cd layer; ${extraCommandsScript})
 
         echo "Packing layer..."
         mkdir $out
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index eb5b9fe36e41..ca7f78093794 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -124,4 +124,16 @@ rec {
     fromImage = nixFromDockerHub;
     contents = [ pkgs.hello ];
   };
+
+  # 8. regression test for erroneous use of eval and string expansion.
+  # See issue #34779 and PR #40947 for details.
+  runAsRootExtraCommands = pkgs.dockerTools.buildImage {
+    name = "runAsRootExtraCommands";
+    contents = [ pkgs.coreutils ];
+    # The parens here are to create problematic bash to embed and eval. In case
+    # this is *embedded* into the script (with nix expansion) the initial quotes
+    # will close the string and the following parens are unexpected
+    runAsRoot = ''echo "(runAsRoot)" > runAsRoot'';
+    extraCommands = ''echo "(extraCommand)" > extraCommands'';
+  };
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-06 21:26:25 +0000