Container workgroup: Difference between revisions

Latest revision as of 17:58, 8 June 2025

✖︎︎

This article is a deletion candidate. This workgroup may no longer be active; last page edit was before import. Further information may be found on the related discussion page.

⏲︎︎

This article or section is outdated. Other than site-wide fixes, this page has not seen recent updates. Further information might be found in the corresponding discussion. Please remove this notice once the information has been updated.

We are interested in directly building (minimal) OCI containers from the nixpkgs ecosystem.

People

Tooling

opencontainers.org
- runc: spawn and run OCI containers (nixpkgs: runc)
- image-spec: container image specification
- runtime-spec: container runtime specification
- image-tools: tools for working with the image-spec
- runtime-tools: tools for working with the runtime-spec
- umoci: intends to be a complete manipulation tool for OCI images with a rootless mode
projectatomic.io
- skopeo: modify and inspect images on registries (nixpkgs: skopeo)
- buildah: build/generate OCI images (nixpkgs: buildah)
containers Github project: golang libraries for interacting with containers
- image: library used by skopeo
- oci-fetch: CLI tool for fetching OCI containers over various transports
awakesecurity
- hocker: fetch from docker (v2) registry and generate nix derivations

Nix images

There are a few images that contain Nix with various trade-offs:

nixos/nix (source) - 200 MB - Official images based on pkgs.dockerTools, updated automatically.
u/nixpkgs - (source) - various docker images from nixpkgs, updated daily.
lnl7/nix/ (source) - 57 MB - Images built out of a Nix derivation.

Interesting threads

https://github.com/projectatomic/buildah/issues/386: about rootless support

Work In Progress

Improve image storage in the Nix store

https://github.com/projectatomic/skopeo/issues/481

Projects

Self-Hosted, Minimal Docker/OSI Images

For our platform at Techcultivation we want to generate docker images for all parts of our system. Those images should come in two flavors, development (to quickly spin up local test services, with mock data) and deployment (secure/production-ready). We chose to generate these images purely out of nixpkgs code, so no binary (base) images have to be included.

The current version of the deployment code can be found on our Gitlab.

A basic (pretty messy) postgres image is already done, complete with in-build setup of a mock database. The resulting image is smaller than the “official” one in the docker registry, only uses nixpkgs-native dependencies and only contains the most minimal filetree needed to run the postgres binary.

Still to do: rabbitmq, frontend code, api, refactor, various others.

— Profpatsch (talk) 02:47, 10 February 2018 (UTC)

@@ Line 1: / Line 1: @@
+{{delete|reason=This workgroup may no longer be active; last page edit was before import.}}
+{{outdated|Other than site-wide fixes, this page has not seen recent updates.}}
 We are interested in directly building (minimal) OCI containers from the nixpkgs ecosystem.
@@ Line 24: / Line 26: @@
 * awakesecurity
 ** [https://github.com/awakesecurity/hocker hocker]: fetch from docker (v2) registry and generate nix derivations
+== Nix images ==
+There are a few images that contain Nix with various trade-offs:
+* [https://hub.docker.com/r/nixos/nix/ nixos/nix] ([https://github.com/NixOS/nix/blob/master/docker.nix source]) - 200 MB - Official images based on <code>pkgs.dockerTools</code>, updated automatically.
+* [https://hub.docker.com/u/nixpkgs u/nixpkgs] - ([https://github.com/nix-community/docker-nixpkgs source]) - [https://github.com/nix-community/docker-nixpkgs#list-of-images various] docker images from nixpkgs, updated daily.
+* [https://hub.docker.com/r/lnl7/nix/ lnl7/nix/] ([https://github.com/LnL7/nix-docker source]) - 57 MB - Images built out of a Nix derivation.
 == Interesting threads ==
@@ Line 30: / Line 40: @@
 == Work In Progress ==
-* Add legacy Docker image support in Skopeo
-nixpkgs.dockerTools.pullImage boots a VM to pull the image by using the Docker daemon. Skopeo could do this but it produces images that are not compatible with the Docker legacy format. The consequence is some NixOS tests are failing and it breaks some NixOS user scripts [https://github.com/containers/image/pull/370 skopeo PR].
-* Use DigestID instead of image tag to pull images (tag is mutable)
-Will be implemented when Skopeo is used to pull images
 * Improve image storage in the Nix store
@@ Line 56: / Line 58: @@
 — [[User:Profpatsch|Profpatsch]] ([[User talk:Profpatsch|talk]]) 02:47, 10 February 2018 (UTC)
+[[Category:Container]]