Skip to content
This repository has been archived by the owner on Apr 29, 2024. It is now read-only.

Commit

Permalink
Sam/nix2container (#45)
Browse files Browse the repository at this point in the history 
* feat: nix2container

* WIP stash

* feat: refactor docker image build to use nix2container for image builds
  • Loading branch information
@samrose
samrose authored Feb 22, 2024
1 parent 8c679b7 commit 72cddc5
Show file tree
Hide file tree
Showing 4 changed files with 171 additions and 35 deletions.
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,4 @@ result*

# shell history
.history
container.sh
7 changes: 3 additions & 4 deletions docker/init.sh.in
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
#!/bin/bash
# shellcheck shell=bash

sudo -u postgres /bin/initdb --locale=C -D /data
sudo -u postgres ln -s /etc/postgresql.conf /data/postgresql.conf
sudo -u postgres /bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data
/bin/initdb --locale=C -D /data/postgresql
ln -s /etc/postgresql.conf /data/postgresql/postgresql.conf
/bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data/postgresql
70 changes: 69 additions & 1 deletion flake.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

128 changes: 98 additions & 30 deletions flake.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils";
nix2container.url = "github:nlewo/nix2container";
};

nixConfig = {
Expand All @@ -16,7 +17,7 @@
];
};

outputs = { self, nixpkgs, flake-utils }: let
outputs = { self, nixpkgs, flake-utils, nix2container }: let
gitRev = "vcs=${self.shortRev or "dirty"}+${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}";

ourSystems = with flake-utils.lib; [
Expand All @@ -26,6 +27,7 @@
let
pgsqlDefaultPort = "5435";
pgsqlSuperuser = "postgres";
nix2img = nix2container.packages.${system}.nix2container;

# The 'pkgs' variable holds all the upstream packages in nixpkgs, which
# we can use to build our own images; it is the common name to refer to
Expand Down Expand Up @@ -177,8 +179,9 @@
};

# Make a Docker Image from a given PostgreSQL version and binary package.
makePostgresDocker = version: binPackage:
let
# updated to use https://github.com/nlewo/nix2container (samrose)
makePostgresDocker = version: binPackage:
let
initScript = pkgs.runCommand "docker-init.sh" {} ''
mkdir -p $out/bin
substitute ${./docker/init.sh.in} $out/bin/init.sh \
Expand All @@ -194,37 +197,102 @@
--subst-var-by PGSODIUM_GETKEY_SCRIPT "${./tests/util/pgsodium_getkey.sh}"
'';

in pkgs.dockerTools.buildImage {
name = "postgresql-${version}";
tag = "latest";

runAsRoot = ''
#!${pkgs.runtimeShell}
${pkgs.dockerTools.shadowSetup}
groupadd -r postgres
useradd -r -g postgres postgres
mkdir -p /data /run/postgresql
chown postgres:postgres /data /run/postgresql
'';
l = pkgs.lib // builtins;

user = "postgres";
group = "postgres";
uid = "1001";
gid = "1001";

mkUser = pkgs.runCommand "mkUser" { } ''
mkdir -p $out/etc/pam.d
echo "${user}:x:${uid}:${gid}::" > $out/etc/passwd
echo "${user}:!x:::::::" > $out/etc/shadow
echo "${group}:x:${gid}:" > $out/etc/group
echo "${group}:x::" > $out/etc/gshadow
cat > $out/etc/pam.d/other <<EOF
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
session required pam_unix.so
EOF
touch $out/etc/login.defs
'';
run = pkgs.runCommand "run" { } ''
mkdir -p $out/run/postgresql
'';
data = pkgs.runCommand "data" { } ''
mkdir -p $out/data/postgresql
'';
pgconf = pkgs.runCommand "pgconf" { } ''
mkdir -p $out/data/pgconf
'';
in
nix2img.buildImage {
name = "postgresql-${version}";
tag = "latest";

nixUid = l.toInt uid;
nixGid = l.toInt gid;

copyToRoot = [
(pkgs.buildEnv {
name = "image-root";
paths = [ data run pkgs.coreutils pkgs.which pkgs.bash pkgs.nix pkgs.less initScript binPackage postgresqlConfig pkgs.dockerTools.binSh pkgs.sudo ];
pathsToLink = [ "/bin" "/etc" "/var" "/share" "/data" "/run" ];
})
mkUser
];

copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = with pkgs; [
initScript coreutils bash binPackage
dockerTools.binSh sudo postgresqlConfig
perms = [
{
path = data;
regex = "";
mode = "0744";
uid = l.toInt uid;
gid = l.toInt gid;
uname = user;
gname = group;
}
{
path = pgconf;
regex = "";
mode = "0744";
uid = l.toInt uid;
gid = l.toInt gid;
uname = user;
gname = group;
}
{
path = run;
regex = "";
mode = "0744";
uid = l.toInt uid;
gid = l.toInt gid;
uname = user;
gname = group;
}
];
pathsToLink = [ "/bin" "/etc" "/var" "/share" ];
buildInputs = [ pkgs.qemu ];
};

config = {
Cmd = [ "/bin/init.sh" ];
ExposedPorts = { "${pgsqlDefaultPort}/tcp" = {}; };
WorkingDir = "/data";
Volumes = { "/data" = { }; };
config = {
Entrypoint = ["/bin/init.sh"];
User = "postgres";
WorkingDir = "/data";
Env = [
"NIX_PAGER=cat"
"USER=postgres"
"PGDATA=/data/postgresql"
"PGHOST=/run/postgresql"
];
ExposedPorts = { "${pgsqlDefaultPort}/tcp" = {}; };
Volumes = { "/data" = { }; };
};
};
};


# Create an attribute set, containing all the relevant packages for a
# PostgreSQL install, wrapped up with a bow on top. There are three
# packages:
Expand Down

0 comments on commit 72cddc5

Please sign in to comment.