Docker: Difference between revisions

From NixOS Wiki
← Older editNewer edit →
VisualWikitext
imported>Nix
m category: cookbook
imported>Vater
Line 2: Line 2:


== Enabling the docker service ==
== Enabling the docker service ==
Inside your <code>configuration.nix</code>:
Inside your <code>configuration.nix</code>:


<syntaxHighlight lang="nix">
<syntaxHighlight lang=nix>
{
{
   ...
   ...
   virtualisation.docker.enable = true;
   virtualisation.docker.enable = true;
  ...
}
}
</syntaxHighlight>
</syntaxHighlight>
Line 14: Line 16:


Adding users to the <code>docker</code> group will provide them access to the socket:
Adding users to the <code>docker</code> group will provide them access to the socket:
<syntaxHighlight lang="nix">
<syntaxHighlight lang=nix>
{
{
   users.users.<myuser>.extraGroups = [ "docker" ];
   users.users.<myuser>.extraGroups = [ "docker" ];
Line 24: Line 26:


== Building a docker image with nixpkgs ==
== Building a docker image with nixpkgs ==
There is [https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools an entry for dockerTools in the nixpkgs manual ] for reference.
 
There is [https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools an entry for dockerTools in the nixpkgs manual] for reference.
In the nixpkgs repo some [https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/docker/examples.nix examples] can be found.
In the nixpkgs repo some [https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/docker/examples.nix examples] can be found.


Line 32: Line 35:


The <code>sha256</code> argument of the <code>dockerTools.pullImage</code> function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the <code>dockerTools.pullImage</code> function.
The <code>sha256</code> argument of the <code>dockerTools.pullImage</code> function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the <code>dockerTools.pullImage</code> function.
For instance, the sha of the following image
For instance, the sha of the following image
<syntaxHighlight lang="nix">
<syntaxHighlight lang=nix>
pkgs.dockerTools.pullImage{
pkgs.dockerTools.pullImage{
   imageName = "lnl7/nix";
   imageName = "lnl7/nix";
Line 43: Line 47:


can be manually generated with the following shell commands
can be manually generated with the following shell commands
<syntaxHighlight>
 
$ skopeo copy docker://lnl7/nix@sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f docker-archive:///tmp/image.tgz:lnl7/nix:2.0
<syntaxHighlight lang=bash>
$ nix-hash --base32 --flat --type sha256 /tmp/image.tgz  
skopeo copy docker://lnl7/nix@sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f docker-archive:///tmp/image.tgz:lnl7/nix:2.0
</syntaxHighlight>
 
<syntaxHighlight lang=bash>
nix-hash --base32 --flat --type sha256 /tmp/image.tgz  
</syntaxHighlight>
<syntaxHighlight lang=shell>
1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd
1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd
</syntaxHighlight>
</syntaxHighlight>

Revision as of 15:16, 9 January 2022

Enabling the docker service

Inside your configuration.nix: 

{
  ...
  virtualisation.docker.enable = true;
  ...
}

More options are available.

Adding users to the docker group will provide them access to the socket: 

{
  users.users.<myuser>.extraGroups = [ "docker" ];
}
Note:

BEWARE that the docker group membership is effectively equivalent to being root!

Building a docker image with nixpkgs

There is an entry for dockerTools in the nixpkgs manual for reference. In the nixpkgs repo some examples can be found.

Also check out the excellent article by lethalman about building minimal docker images with nix.

How to calculate the sha256 of a pulled image

The sha256 argument of the dockerTools.pullImage function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the dockerTools.pullImage function.

For instance, the sha of the following image 

pkgs.dockerTools.pullImage{
  imageName = "lnl7/nix";
  finalImageTag = "2.0";
  imageDigest = "sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f";
  sha256 = "1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd";
};

can be manually generated with the following shell commands 

skopeo copy docker://lnl7/nix@sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f docker-archive:///tmp/image.tgz:lnl7/nix:2.0

nix-hash --base32 --flat --type sha256 /tmp/image.tgz

1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd

Container images with nix

While dockerTools allows to build lightweight containers, it requires nix to be installed on the host system. An alternative are docker images with nix preinstalled, maintained by LnL7.

Docker Compose with Nix

Arion is optimized for running Nix-based projects in Docker Compose. It uses the NixOS module system for configuration, it can bypass docker build and lets you use dockerTools or use the store directly in the containers. The images/containers can be typical dockerTools style images or full NixOS configs.

See also

Workgroup:Container

For rootless docker containers : https://nixos.wiki/wiki/Podman

Retrieved from "https://wiki.nixos.org/w/index.php?title=Docker&oldid=3654"