Docker: Difference between revisions

From NixOS Wiki
imported>Roberth
m Add docker options link
imported>Cyounkins
m root must also be added to docker group
Line 13: Line 13:
[https://search.nixos.org/options?from=0&size=50&sort=alpha_asc&query=virtualisation.docker More options] are available.
[https://search.nixos.org/options?from=0&size=50&sort=alpha_asc&query=virtualisation.docker More options] are available.


Adding users to the <code>docker</code> group will provide them access to the socket:
Adding users to the <code>docker</code> group will provide them access to the socket. This is required even for <code>root</code>.
<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
{
{

Revision as of 02:20, 7 June 2021

Enabling the docker service

Inside your configuration.nix:

{
  ...
  virtualisation.docker.enable = true;
}

More options are available.

Adding users to the docker group will provide them access to the socket. This is required even for root.

{
  users.users.<myuser>.extraGroups = [ "docker" ];
}
Note:

BEWARE that the docker group membership is effectively equivalent to being root!

Building a docker image with nixpkgs

There is an entry for dockerTools in the nixpkgs manual for reference. In the nixpkgs repo some examples can be found.

Also check out the excellent article by lethalman about building minimal docker images with nix.

How to calculate the sha256 of a pulled image

The sha256 argument of the dockerTools.pullImage function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the dockerTools.pullImage function. For instance, the sha of the following image

pkgs.dockerTools.pullImage{
  imageName = "lnl7/nix";
  finalImageTag = "2.0";
  imageDigest = "sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f";
  sha256 = "1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd";
};

can be manually generated with the following shell commands

$ skopeo copy docker://lnl7/nix@sha256:632268d5fd9ca87169c65353db99be8b4e2eb41833b626e09688f484222e860f docker-archive:///tmp/image.tgz:lnl7/nix:2.0
$ nix-hash --base32 --flat --type sha256 /tmp/image.tgz 
1x00ks05cz89k3wc460i03iyyjr7wlr28krk7znavfy2qx5a0hfd

Container images with nix

While dockerTools allows to build lightweight containers, it requires nix to be installed on the host system. An alternative are docker images with nix preinstalled, maintained by LnL7.

Docker Compose with Nix

Arion is optimized for running Nix-based projects in Docker Compose. It uses the NixOS module system for configuration, it can bypass docker build and lets you use dockerTools or use the store directly in the containers. The images/containers can be typical dockerTools style images or full NixOS configs.

See also

Workgroup:Container

For rootless docker containers : https://nixos.wiki/wiki/Podman