Difference between revisions of "Workgroup:Container"

Latest revision as of 10:56, 6 April 2024

We are interested in directly building (minimal) OCI containers from the nixpkgs ecosystem.

People

Tooling

opencontainers.org
- runc: spawn and run OCI containers (nixpkgs: runc)
- image-spec: container image specification
- runtime-spec: container runtime specification
- image-tools: tools for working with the image-spec
- runtime-tools: tools for working with the runtime-spec
- umoci: intends to be a complete manipulation tool for OCI images with a rootless mode
projectatomic.io
- skopeo: modify and inspect images on registries (nixpkgs: skopeo)
- buildah: build/generate OCI images (nixpkgs: buildah)
containers Github project: golang libraries for interacting with containers
- image: library used by skopeo
- oci-fetch: CLI tool for fetching OCI containers over various transports
awakesecurity
- hocker: fetch from docker (v2) registry and generate nix derivations

Nix images

There are a few images that contain Nix with various trade-offs:

nixos/nix (source) - 77 MB - Official images based on alpine using a Dockerfile. Not updated automatically.
nixorg/nix (source) - 84 MB - Batteries included by the Nix Community group also based on a Dockerfile but only using Nixpkgs dependencies. Images are automatically built from master.
lnl7/nix/ (source) - 57 MB - Images built out of a Nix derivation.

Interesting threads

https://github.com/projectatomic/buildah/issues/386: about rootless support

Work In Progress

Improve image storage in the Nix store

https://github.com/projectatomic/skopeo/issues/481

Projects

Self-Hosted, Minimal Docker/OSI Images

For our platform at Techcultivation we want to generate docker images for all parts of our system. Those images should come in two flavors, development (to quickly spin up local test services, with mock data) and deployment (secure/production-ready). We chose to generate these images purely out of nixpkgs code, so no binary (base) images have to be included.

The current version of the deployment code can be found on our Gitlab.

A basic (pretty messy) postgres image is already done, complete with in-build setup of a mock database. The resulting image is smaller than the “official” one in the docker registry, only uses nixpkgs-native dependencies and only contains the most minimal filetree needed to run the postgres binary.

Still to do: rabbitmq, frontend code, api, refactor, various others.

— Profpatsch (talk) 02:47, 10 February 2018 (UTC)

@@ Line 5: / Line 5: @@
 * [[User:Profpatsch|Profpatsch]]
 * [[User:nlewo|Lewo]]
+* [[User:moretea|MoreTea]]
 == Tooling ==
@@ Line 14: / Line 15: @@
 ** [https://github.com/opencontainers/image-tools image-tools]: tools for working with the image-spec
 ** [https://github.com/opencontainers/runtime-tools runtime-tools]: tools for working with the runtime-spec
+** [https://github.com/openSUSE/umoci umoci]: intends to be a complete manipulation tool for OCI images with a rootless mode
 * [https://www.projectatomic.io/ projectatomic.io]
 ** [https://github.com/projectatomic/skopeo skopeo]: modify and inspect images on registries (nixpkgs: [https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/skopeo/default.nix skopeo])
@@ Line 23: / Line 25: @@
 ** [https://github.com/awakesecurity/hocker hocker]: fetch from docker (v2) registry and generate nix derivations
-== Work In Progress ==
+== Nix images ==
+There are a few images that contain Nix with various trade-offs:
+* [https://hub.docker.com/r/nixos/nix/ nixos/nix] ([https://github.com/NixOS/nix/tree/master/misc/docker source]) - 77 MB - Official images based on alpine using a Dockerfile. Not updated automatically.
+* [https://hub.docker.com/r/nixorg/nix/ nixorg/nix] ([https://github.com/nix-community/docker-nix source]) - 84 MB - Batteries included by the Nix Community group also based on a Dockerfile but only using Nixpkgs dependencies. Images are automatically built from master.
+* [https://hub.docker.com/r/lnl7/nix/ lnl7/nix/] ([https://github.com/LnL7/nix-docker source]) - 57 MB - Images built out of a Nix derivation.
+== Interesting threads ==
-* Add legacy Docker image support in Skopeo
+* https://github.com/projectatomic/buildah/issues/386: about rootless support
-nixpkgs.dockerTools.pullImage boots a VM to pull the image by using the Docker daemon. Skopeo could do this but it produces images that are not compatible with the Docker legacy format. The consequence is some NixOS tests are failing and it breaks some NixOS user scripts [https://github.com/containers/image/pull/370 skopeo PR].
+== Work In Progress ==
-* Use DigestID instead of image tag to pull images (tag is mutable)
+* Improve image storage in the Nix store
+https://github.com/projectatomic/skopeo/issues/481
-Will be implemented when Skopeo is used to pull images
 == Projects ==
@@ Line 43: / Line 53: @@
 A basic (pretty messy) [https://gitlab.techcultivation.org/sangha/sangha-deployment/blob/2f3877e71ea7a9a2c3cf03d4fc88931b90cad6b7/containers/postgres.nix postgres] image is already done, complete with in-build setup of a mock database. The resulting image is smaller than the “official” one in the docker registry, only uses nixpkgs-native dependencies and only contains the most minimal filetree needed to run the postgres binary.
-Still to do: rabbitmq, frontend code, api, refactor, various others.
+Still to do: [https://gitlab.techcultivation.org/sangha/sangha-deployment/blob/master/containers/rabbitmq.nix rabbitmq], frontend code, api, refactor, various others.
 — [[User:Profpatsch|Profpatsch]] ([[User talk:Profpatsch|talk]]) 02:47, 10 February 2018 (UTC)

Navigation menu