https://wiki.nixos.org/w/index.php?action=history&feed=atom&title=Docker%2Fzh 2026-05-05T01:38:39Z Revision history for this page on the wiki MediaWiki 1.45.0 https://wiki.nixos.org/w/index.php?title=Docker/zh&diff=29614&oldid=prev 2026-01-30T15:38:15Z

<p>Created page with &quot;==== Shell ====&quot;</p> <p><b>New page</b></p><div>&lt;languages/&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> [https://www.docker.com/ Docker] is a platform for building, packaging, and distributing applications inside containers. Containers bundle an application&#039;s code, configurations, and dependencies into a single object that runs consistently across different computing environments. Docker works well with NixOS through the virtualization module.&lt;ref&gt;https://www.docker.com/resources/what-container/&lt;/ref&gt;<br /> &lt;/div&gt;<br /> <br /> &lt;span id=&quot;Installation&quot;&gt;&lt;/span&gt;<br /> == 安装 ==<br /> <br /> ==== Shell ====<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To temporarily use Docker in a shell environment, you can run:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> nix-shell -p docker<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> This will provide a shell with Docker CLI available, but note that the Docker daemon will not be running. For full functionality, you&#039;ll need a system-level installation.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== System setup ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To install Docker on NixOS, add the virtualization.docker module to your system configuration at &lt;code&gt;/etc/nixos/configuration.nix&lt;/code&gt;:&lt;ref&gt;https://nixos.org/manual/nixos/stable/options#opt-virtualisation.docker.enable&lt;/ref&gt;<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> # In /etc/nixos/configuration.nix<br /> virtualisation.docker = {<br /> enable = true;<br /> };<br /> <br /> # Optional: Add your user to the &quot;docker&quot; group to run docker without sudo<br /> users.users.&lt;username&gt;.extraGroups = [ &quot;docker&quot; ];<br /> &lt;/syntaxhighlight&gt;<br /> {{Security Warning|Beware that the docker group membership is effectively [https://github.com/moby/moby/issues/9976 equivalent to being root]! &lt;br&gt; Consider using [[#Rootless Docker|rootless mode]].}}<br /> <br /> {{evaluate}}<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> For a comprehensive list of configuration options, refer to the {{nixos:option|virtualisation.docker}} module options.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> == Configuration ==<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Basic ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> The basic Docker configuration on NixOS includes several options you can set in your &lt;code&gt;configuration.nix&lt;/code&gt; file:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker = {<br /> enable = true;<br /> # Set up resource limits<br /> daemon.settings = {<br /> experimental = true;<br /> default-address-pools = [<br /> {<br /> base = &quot;172.30.0.0/16&quot;;<br /> size = 24;<br /> }<br /> ];<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Advanced ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> For more advanced configuration, you can customize Docker daemon options and networking:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker = {<br /> enable = true;<br /> # Customize Docker daemon settings using the daemon.settings option<br /> daemon.settings = {<br /> dns = [ &quot;1.1.1.1&quot; &quot;8.8.8.8&quot; ];<br /> log-driver = &quot;journald&quot;;<br /> registry-mirrors = [ &quot;https://mirror.gcr.io&quot; ];<br /> storage-driver = &quot;overlay2&quot;;<br /> };<br /> # Use the rootless mode - run Docker daemon as non-root user<br /> rootless = {<br /> enable = true;<br /> setSocketVariable = true;<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> == Docker Compose ==<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Currently, there are two options to use Docker Compose with NixOS: Arion or Compose2Nix.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> With Arion, you can specify most Docker Compose options in Nix Syntax, and Arion will generate a &lt;code&gt;docker-compose.yml&lt;/code&gt; file internally. The result is a systemd service that starts and stops the container.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Compose2Nix, generates all necessary configs directly from the &lt;code&gt;docker-compose.yml&lt;/code&gt;, which is easier when using an already existing Docker Compose project. The result is similar to that from Arion: a systemd service is created that handles starting and stopping the container.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Arion ===<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> [https://docs.hercules-ci.com/arion/ Arion] is created for running Nix-based projects in Docker Compose. It uses the NixOS module system for configuration, it can bypass &lt;code&gt;docker build&lt;/code&gt; and lets you use dockerTools or use the store directly in the containers. The images/containers can be typical dockerTools style images or full NixOS configs.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To use Arion, you first need to add its module to your NixOS configuration:<br /> &lt;/div&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> modules = [ arion.nixosModules.arion ];<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> After that, you can access its options under<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.arion = {}<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> A config for a simple container could look like this:<br /> &lt;/div&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.arion = {<br /> backend = &quot;docker&quot;;<br /> projects = {<br /> &quot;db&quot;.settings.services.&quot;db&quot;.service = {<br /> image = &quot;&quot;;<br /> restart = &quot;unless-stopped&quot;;<br /> environment = { POSTGRESS_PASSWORD = &quot;password&quot;; };<br /> };<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Compose2Nix ===<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> With [https://github.com/aksiksi/compose2nix compose2nix] you can generate [https://search.nixos.org/options?query=virtualisation.oci-containers oci-containers] config from a &lt;code&gt;docker-compose.yaml&lt;/code&gt;.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Install ====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To use &lt;code&gt;compose2nix&lt;/code&gt; with &lt;code&gt;nix-shell&lt;/code&gt; you can use<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> nix shell github:aksiksi/compose2nix<br /> compose2nix -h<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To install &lt;code&gt;compose2nix&lt;/code&gt; to NixOS, add the repo to your flake inputs<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> compose2nix = {<br /> url = &quot;github:aksiksi/compose2nix&quot;;<br /> inputs.nixpkgs.follows = &quot;nixpkgs&quot;;<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> and add the package to your configuration<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> environment.systemPackages = [<br /> inputs.compose2nix.packages.x86_64-linux.default<br /> ];<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Usage ====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> After you have installed &lt;code&gt;compose2nix&lt;/code&gt;, you can run &lt;code&gt;compose2nix&lt;/code&gt; in the directory with your &lt;code&gt;docker-compose.yml&lt;/code&gt;, which will output a &lt;code&gt;docker-compose.nix&lt;/code&gt;.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Alternatively, you can specify the input and output files with the following flags<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> compose2nix -inputs input.yml -output output.nix -runtime docker<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> The &lt;code&gt;-runtime&lt;/code&gt; flag specifies the runtime. Here, we select &lt;code&gt;docker&lt;/code&gt;. Options are &lt;code&gt;podman&lt;/code&gt; and &lt;code&gt;docker&lt;/code&gt;. The default is &lt;code&gt;podman&lt;/code&gt;<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> == Tips and tricks ==<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Docker on btrfs ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> If you use the [[btrfs]] file system, you might need to set the {{nixos:option|virtualisation.docker.storageDriver|storageDriver}} option:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker.storageDriver = &quot;btrfs&quot;;<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Rootless Docker ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> [https://docs.docker.com/engine/security/rootless/ Rootless Docker] lets you run the Docker daemon as a non-root user for improved security. To do so, enable {{nixos:option|virtualisation.docker.rootless}}. This activates the user-level systemd Docker service. Additionally, the option {{nixos:option|virtualisation.docker.rootless.setSocketVariable|setSocketVariable}} configures the &lt;code&gt;DOCKER_HOST&lt;/code&gt; environment variable to point to the rootless Docker instance.<br /> &lt;/div&gt; <br /> <br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker = {<br /> # Consider disabling the system wide Docker daemon<br /> enable = false;<br /> <br /> rootless = {<br /> enable = true;<br /> setSocketVariable = true;<br /> # Optionally customize rootless Docker daemon settings<br /> daemon.settings = {<br /> dns = [ &quot;1.1.1.1&quot; &quot;8.8.8.8&quot; ];<br /> registry-mirrors = [ &quot;https://mirror.gcr.io&quot; ];<br /> };<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> A system reboot is required for these changes to take effect. Alternatively, the environment variable can be set manually in the current shell session, and the user Docker service can be started with the following commands:<br /> &lt;/div&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> $ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock<br /> $ systemctl --user start docker<br /> &lt;/syntaxhighlight&gt;<br /> <br /> {{note|User services do not persist after logging out by default. This will cause any Docker containers to stop if a user logs out. Set option {{nixos:option|users.users.*.linger|users.users.&lt;name&gt;.linger}} to true for Docker containers to persist. See [[Systemd/User Services#Keeping user services running after logout]] for more details.}}<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> To verify the status of the rootless Docker service:<br /> &lt;/div&gt; <br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> $ systemctl --user status docker<br /> &lt;/syntaxhighlight&gt;<br /> <br /> To confirm that Docker is running in rootless mode:<br /> <br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> $ docker info -f &quot;{{println .SecurityOptions}}&quot; | grep rootless <br /> &lt;/syntaxhighlight&gt;<br /> <br /> === Using Privileged Ports for Rootless Docker ===<br /> Rootless containers are not able to ports from 0 to 1023 as such port can only be used by privileged users. This problem can be solved by using port forwarding.<br /> <br /> Assume you&#039;d like a rootless container to make use of ports 53 (DNS; TPC and UDP) and 80 (web; TCP). We may force the container to use port 8000 while the firewall is instructed for forward traffic from port 80 to 8000. Same logic applies for port 53. Refer to the following example:&lt;syntaxhighlight lang=&quot;nixos&quot;&gt;# Firewall<br /> networking.firewall = {<br /> enable = true;<br /> allowedTCPPorts = [ 80 8000 53 5300 ]; <br /> allowedUDPPorts = [ 53 5300 ];<br /> };<br /> <br /> boot.kernel.sysctl = {<br /> &quot;net.ipv4.conf.eth0.forwarding&quot; = 1; # enable port forwarding<br /> };<br /> <br /> networking = {<br /> firewall.extraCommands = &#039;&#039;<br /> iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000<br /> iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300<br /> iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300<br /> &#039;&#039;;<br /> };&lt;/syntaxhighlight&gt;Whilst the docker-compose.yaml might look like this:&lt;syntaxhighlight lang=&quot;dockerfile&quot;&gt;<br /> services:<br /> myserver:<br /> image: ...<br /> restart: always<br /> ports:<br /> - &quot;5300:53/tcp&quot;<br /> - &quot;5300:53/udp&quot;<br /> - &quot;8000:80&quot;<br /> &lt;/syntaxhighlight&gt;<br /> <br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Creating images with Nix ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Building a docker image with nixpkgs ====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> There is an entry for [https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools dockerTools] in the Nixpkgs manual for reference. In the linked page, they give the following example config:<br /> &lt;/div&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> buildImage {<br /> name = &quot;redis&quot;;<br /> tag = &quot;latest&quot;;<br /> <br /> fromImage = someBaseImage;<br /> fromImageName = null;<br /> fromImageTag = &quot;latest&quot;;<br /> <br /> copyToRoot = pkgs.buildEnv {<br /> name = &quot;image-root&quot;;<br /> paths = [ pkgs.redis ];<br /> pathsToLink = [ &quot;/bin&quot; ];<br /> };<br /> <br /> runAsRoot = &#039;&#039;<br /> #!${pkgs.runtimeShell}<br /> mkdir -p /data<br /> &#039;&#039;;<br /> <br /> config = {<br /> Cmd = [ &quot;/bin/redis-server&quot; ];<br /> WorkingDir = &quot;/data&quot;;<br /> Volumes = { &quot;/data&quot; = { }; };<br /> };<br /> <br /> diskSize = 1024;<br /> buildVMMemorySize = 512;<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> More examples can be found in the [https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/docker/examples.nix nixpkgs] repo.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Also check out the excellent article by [https://lucabrunox.github.io/2016/04/cheap-docker-images-with-nix_15.html lethalman] about building minimal docker images with nix.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Reproducible image dates ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> The manual advises against using &lt;code&gt;created = &quot;now&quot;&lt;/code&gt;, as that prevents images from being reproducible.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> An alternative, if using [[flakes]], is to do &lt;code&gt;created = builtins.substring 0 8 self.lastModifiedDate&lt;/code&gt;, which uses the commit date, and is therefore reproducible.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Calculating the sha256 for a pulled Docker image ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> The &lt;code&gt;sha256&lt;/code&gt; argument of the &lt;code&gt;dockerTools.pullImage&lt;/code&gt; function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the &lt;code&gt;dockerTools.pullImage&lt;/code&gt; function.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> For instance, the SHA of the following image<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> pkgs.dockerTools.pullImage{<br /> imageName = &quot;lnl7/nix&quot;;<br /> finalImageTag = &quot;2.0&quot;;<br /> imageDigest = &quot;sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f&quot;;<br /> sha256 = &quot;1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd&quot;;<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> can be manually generated with the following shell commands<br /> &lt;/div&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> skopeo copy docker://lnl7/nix@sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f docker-archive:///tmp/image.tgz:lnl7/nix:2.0<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> nix-hash --base32 --flat --type sha256 /tmp/image.tgz <br /> &lt;/syntaxhighlight&gt;<br /> &lt;syntaxhighlight lang=&quot;shell&quot;&gt;<br /> 1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Directly Using Nix in Image Layers ====<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Instead of copying Nix packages into Docker image layers, Docker can be configured to directly utilize the &lt;code&gt;nix-store&lt;/code&gt; by integrating with [https://github.com/pdtpartners/nix-snapshotter nix-snapshotter].<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> This will significantly reduce data duplication and the time it takes to pull images.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Using Podman as an alternative ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Podman is a daemonless container engine that can run Docker containers without elevated privileges. It can be used as a drop-in replacement for Docker in many cases:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> # Enable Podman in configuration.nix<br /> virtualisation.podman = {<br /> enable = true;<br /> # Create the default bridge network for podman<br /> defaultNetwork.settings.dns_enabled = true;<br /> };<br /> <br /> # Optionally, create a Docker compatibility alias<br /> programs.zsh.shellAliases = {<br /> docker = &quot;podman&quot;;<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Changing Docker Daemon&#039;s Data Root ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> By default, the Docker daemon stores images, containers, and build context on the root file system. To use a different storage location, specify a new &lt;code&gt;data-root&lt;/code&gt; in your configuration:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker.daemon.settings = {<br /> data-root = &quot;/some-place/to-store-the-docker-data&quot;;<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Docker Containers as systemd Services ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> You can run Docker containers as systemd services using the &lt;code&gt;oci-containers&lt;/code&gt; module:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.oci-containers = {<br /> # backend defaults to &quot;podman&quot;<br /> backend = &quot;docker&quot;;<br /> containers = {<br /> foo = {<br /> # ...<br /> };<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> A more advanced example:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> { config, pkgs, ... }:<br /> <br /> {<br /> config.virtualisation.oci-containers.containers = {<br /> hackagecompare = {<br /> image = &quot;chrissound/hackagecomparestats-webserver:latest&quot;;<br /> ports = [&quot;127.0.0.1:3010:3010&quot;];<br /> volumes = [<br /> &quot;/root/hackagecompare/packageStatistics.json:/root/hackagecompare/packageStatistics.json&quot;<br /> ];<br /> cmd = [<br /> &quot;--base-url&quot;<br /> &quot;\&quot;/hackagecompare\&quot;&quot;<br /> ];<br /> };<br /> };<br /> }<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> See [https://search.nixos.org/options?from=0&amp;size=50&amp;sort=alpha_asc&amp;query=virtualisation.oci-containers oci-containers] for further options.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ==== Usage ====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Unless otherwise specified, NixOS uses Podman to run OCI containers. Note that these are &#039;&#039;&#039;user-specific&#039;&#039;&#039;, so running commands with or without sudo can change your output.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> List containers<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman ps<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Update image<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman restart hackagecompare<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> List images<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman ls<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Remove container<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman rm hackagecompare<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Remove image<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman rmi c0d9a5f58afe<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Update image<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman pull chrissound/hackagecomparestats-webserver:latest<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Run interactive shell in running container<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;console&quot;&gt;<br /> # podman exec -ti $ContainerId /bin/sh<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ===== Exposing ports from the host =====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> If you have a service running on the host that you want to connect to from the container, you could try connecting to the hostname &lt;code&gt;host.containers.internal&lt;/code&gt; (or &lt;code&gt;host.docker.internal&lt;/code&gt; for podman), but this might require additional networking setup<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> ===== Exposing sockets from the host =====<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> If you have a service running on the host that exposes a socket, such as mariadb, you can also expose that socket to the container instead. You&#039;ll want to expose the folder the socket is in as a volume - so:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> volumes = [<br /> &quot;/var/run/mysqld:/mysqld&quot;<br /> ];<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> to provide access to &lt;code&gt;/var/run/mysqld/mysqld.sock&lt;/code&gt;. Sadly, this means you&#039;ll have to restart the container when /var/run/mysqld is replaced, e.g. on an upgrade.<br /> &lt;/div&gt;<br /> <br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Running the docker daemon from nix-the-package-manager - not NixOS ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> This is not supported. You&#039;re better off installing the docker daemon [https://docs.docker.com/engine/install/ &quot;the normal non-nix way&quot;].<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> See the discourse discussion: [https://discourse.nixos.org/t/how-to-run-docker-daemon-from-nix-not-nixos/43413 How to run docker daemon from nix (not NixOS)] for more.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> == Troubleshooting ==<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Cannot connect to the Docker daemon ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> If you encounter errors connecting to the Docker daemon, check that:<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> - The Docker service is running: &lt;code&gt;systemctl status docker&lt;/code&gt;<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> - Your user is in the docker [[User management#Adding User to a group|group]]: &lt;code&gt;groups | grep docker&lt;/code&gt;<br /> &lt;/div&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> - You&#039;ve logged out and back in after adding your user to the docker group<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Storage space issues ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> When Docker uses too much disk space:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;bash&quot;&gt;<br /> # Remove unused containers, networks, images, and volumes<br /> docker system prune -a --volumes<br /> <br /> # Configure Docker daemon to automatically prune in configuration.nix<br /> virtualisation.docker.daemon.settings = {<br /> pruning = {<br /> enabled = true;<br /> interval = &quot;24h&quot;;<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Network conflicts ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Docker&#039;s default subnet (`172.17.0.0/16`) might conflict with your existing network. Configure a different subnet in your `configuration.nix`:<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker.daemon.settings = {<br /> default-address-pools = [<br /> {<br /> base = &quot;192.168.0.0/16&quot;;<br /> size = 24;<br /> }<br /> ];<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> === Cannot connect to public Wi-Fi, when using Docker ===<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> When connecting to a public Wi-Fi, where the login page&#039;s IP-Address is within the Docker network range, accessing the Internet might not be possible. This has been reported when trying to connect to the WIFIonICE of the Deutsche Bahn (DB). They use the &lt;code&gt;172.18.x.x&lt;/code&gt; address range.<br /> &lt;/div&gt;<br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> This can be resolved by changing the default address pool that Docker uses.<br /> &lt;/div&gt;<br /> &lt;syntaxhighlight lang=&quot;nix&quot;&gt;<br /> virtualisation.docker = {<br /> enable = true;<br /> daemon.settings = {<br /> &quot;default-address-pools&quot; = [<br /> { &quot;base&quot; = &quot;172.27.0.0/16&quot;; &quot;size&quot; = 24; }<br /> ];<br /> };<br /> };<br /> &lt;/syntaxhighlight&gt;<br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> Restarting the container or Docker might be required.<br /> &lt;/div&gt;<br /> <br /> <br /> &lt;div lang=&quot;en&quot; dir=&quot;ltr&quot; class=&quot;mw-content-ltr&quot;&gt;<br /> == References ==<br /> &lt;/div&gt;<br /> <br /> &lt;references/&gt;<br /> <br /> [[Category:Applications]]<br /> [[Category:Virtualization]]<br /> [[Category:Cookbook]]<br /> [[Category:Software]]<br /> [[Category:Server]]<br /> [[Category:Container]]</div>

Mosheng