commit 2c2b366c592054b67824665272ba5cd4fbae3db1 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #283106 from DanielSidhion/update-dockertools-pullimage

doc: update dockerTools.pullImage content and use doc conventions

authored by Silvan Mosberger and committed by GitHub 2 years ago 2c2b366c c02e516a

+143 -31

1 changed file

expand all

unified split

doc

build-helpers

images

dockertools.section.md

+143 -31

doc/build-helpers/images/dockertools.section.md

··· 715 715 ``` 716 716 ::: 717 717 718 - ## pullImage {#ssec-pkgs-dockerTools-fetchFromRegistry} 718 + []{#ssec-pkgs-dockerTools-fetchFromRegistry} 719 + ## pullImage {#ssec-pkgs-dockerTools-pullImage} 720 + 721 + This function is similar to the `docker pull` command, which means it can be used to pull a Docker image from a registry that implements the [Docker Registry HTTP API V2](https://distribution.github.io/distribution/spec/api/). 722 + By default, the `docker.io` registry is used. 723 + 724 + The image will be downloaded as an uncompressed Docker-compatible repository tarball, which is suitable for use with other `dockerTools` functions such as [`buildImage`](#ssec-pkgs-dockerTools-buildImage), [`buildLayeredImage`](#ssec-pkgs-dockerTools-buildLayeredImage), and [`streamLayeredImage`](#ssec-pkgs-dockerTools-streamLayeredImage). 725 + 726 + This function requires two different types of hashes/digests to be specified: 727 + 728 + - One of them is used to identify a unique image within the registry (see the documentation for the `imageDigest` attribute). 729 + - The other is used by Nix to ensure the contents of the output haven't changed (see the documentation for the `sha256` attribute). 730 + 731 + Both hashes are required because they must uniquely identify some content in two completely different systems (the Docker registry and the Nix store), but their values will not be the same. 732 + See [](#ex-dockerTools-pullImage-nixprefetchdocker) for a tool that can help gather these values. 733 + 734 + ### Inputs {#ssec-pkgs-dockerTools-pullImage-inputs} 735 + 736 + `pullImage` expects a single argument with the following attributes: 737 + 738 + `imageName` (String) 719 739 720 - This function is analogous to the `docker pull` command, in that it can be used to pull a Docker image from a Docker registry. By default [Docker Hub](https://hub.docker.com/) is used to pull images. 740 + : Specifies the name of the image to be downloaded, as well as the registry endpoint. 741 + By default, the `docker.io` registry is used. 742 + To specify a different registry, prepend the endpoint to `imageName`, separated by a slash (`/`). 743 + See [](#ex-dockerTools-pullImage-differentregistry) for how to do that. 744 + 745 + `imageDigest` (String) 746 + 747 + : Specifies the digest of the image to be downloaded. 748 + 749 + :::{.tip} 750 + **Why can't I specify a tag to pull from, and have to use a digest instead?** 751 + 752 + Tags are often updated to point to different image contents. 753 + The most common example is the `latest` tag, which is usually updated whenever a newer image version is available. 754 + 755 + An image tag isn't enough to guarantee the contents of an image won't change, but a digest guarantees this. 756 + Providing a digest helps ensure that you will still be able to build the same Nix code and get the same output even if newer versions of an image are released. 757 + ::: 758 + 759 + `sha256` (String) 760 + 761 + : The hash of the image after it is downloaded. 762 + Internally, this is passed to the [`outputHash`](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-outputHash) attribute of the resulting derivation. 763 + This is needed to provide a guarantee to Nix that the contents of the image haven't changed, because Nix doesn't support the value in `imageDigest`. 721 764 722 - Its parameters are described in the example below: 765 + `finalImageName` (String; _optional_) 723 766 724 - ```nix 725 - pullImage { 726 - imageName = "nixos/nix"; 727 - imageDigest = 728 - "sha256:473a2b527958665554806aea24d0131bacec46d23af09fef4598eeab331850fa"; 729 - finalImageName = "nix"; 730 - finalImageTag = "2.11.1"; 731 - sha256 = "sha256-qvhj+Hlmviz+KEBVmsyPIzTB3QlVAFzwAY1zDPIBGxc="; 732 - os = "linux"; 733 - arch = "x86_64"; 734 - } 735 - ``` 767 + : Specifies the name that will be used for the image after it has been downloaded. 768 + This only applies after the image is downloaded, and is not used to identify the image to be downloaded in the registry. 769 + Use `imageName` for that instead. 736 770 737 - - `imageName` specifies the name of the image to be downloaded, which can also include the registry namespace (e.g. `nixos`). This argument is required. 771 + _Default value:_ the same value specified in `imageName`. 738 772 739 - - `imageDigest` specifies the digest of the image to be downloaded. This argument is required. 773 + `finalImageTag` (String; _optional_) 740 774 741 - - `finalImageName`, if specified, this is the name of the image to be created. Note it is never used to fetch the image since we prefer to rely on the immutable digest ID. By default it's equal to `imageName`. 775 + : Specifies the tag that will be used for the image after it has been downloaded. 776 + This only applies after the image is downloaded, and is not used to identify the image to be downloaded in the registry. 742 777 743 - - `finalImageTag`, if specified, this is the tag of the image to be created. Note it is never used to fetch the image since we prefer to rely on the immutable digest ID. By default it's `latest`. 778 + _Default value:_ `"latest"`. 744 779 745 - - `sha256` is the checksum of the whole fetched image. This argument is required. 780 + `os` (String; _optional_) 746 781 747 - - `os`, if specified, is the operating system of the fetched image. By default it's `linux`. 782 + : Specifies the operating system of the image to pull. 783 + If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties), which should still be compatible with Docker. 784 + According to the linked specification, all possible values for `$GOOS` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `darwin` or `linux`. 748 785 749 - - `arch`, if specified, is the cpu architecture of the fetched image. By default it's `x86_64`. 786 + _Default value:_ `"linux"`. 750 787 751 - `nix-prefetch-docker` command can be used to get required image parameters: 788 + `arch` (String; _optional_) 752 789 753 - ```ShellSession 754 - $ nix run nixpkgs#nix-prefetch-docker -- --image-name mysql --image-tag 5 790 + : Specifies the architecture of the image to pull. 791 + If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties), which should still be compatible with Docker. 792 + According to the linked specification, all possible values for `$GOARCH` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `386`, `amd64`, `arm`, or `arm64`. 793 + 794 + _Default value:_ the same value from `pkgs.go.GOARCH`. 795 + 796 + `tlsVerify` (Boolean; _optional_) 797 + 798 + : Used to enable or disable HTTPS and TLS certificate verification when communicating with the chosen Docker registry. 799 + Setting this to `false` will make `pullImage` connect to the registry through HTTP. 800 + 801 + _Default value:_ `true`. 802 + 803 + `name` (String; _optional_) 804 + 805 + : The name used for the output in the Nix store path. 806 + 807 + _Default value:_ a value derived from `finalImageName` and `finalImageTag`, with some symbols replaced. 808 + It is recommended to treat the default as an opaque value. 809 + 810 + ### Examples {#ssec-pkgs-dockerTools-pullImage-examples} 811 + 812 + ::: {.example #ex-dockerTools-pullImage-niximage} 813 + # Pulling the nixos/nix Docker image from the default registry 814 + 815 + This example pulls the [`nixos/nix` image](https://hub.docker.com/r/nixos/nix) and saves it in the Nix store. 816 + 817 + ```nix 818 + { dockerTools }: 819 + dockerTools.pullImage { 820 + imageName = "nixos/nix"; 821 + imageDigest = "sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598"; 822 + finalImageName = "nix"; 823 + finalImageTag = "2.19.3"; 824 + sha256 = "zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA="; 825 + } 755 826 ``` 827 + ::: 756 828 757 - Since a given `imageName` may transparently refer to a manifest list of images which support multiple architectures and/or operating systems, you can supply the `--os` and `--arch` arguments to specify exactly which image you want. By default it will match the OS and architecture of the host the command is run on. 829 + ::: {.example #ex-dockerTools-pullImage-differentregistry} 830 + # Pulling the nixos/nix Docker image from a specific registry 831 + 832 + This example pulls the [`coreos/etcd` image](https://quay.io/repository/coreos/etcd) from the `quay.io` registry. 833 + 834 + ```nix 835 + { dockerTools }: 836 + dockerTools.pullImage { 837 + imageName = "quay.io/coreos/etcd"; 838 + imageDigest = "sha256:24a23053f29266fb2731ebea27f915bb0fb2ae1ea87d42d890fe4e44f2e27c5d"; 839 + finalImageName = "etcd"; 840 + finalImageTag = "v3.5.11"; 841 + sha256 = "Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU="; 842 + } 843 + ``` 844 + ::: 845 + 846 + ::: {.example #ex-dockerTools-pullImage-nixprefetchdocker} 847 + # Finding the digest and hash values to use for `dockerTools.pullImage` 758 848 759 - ```ShellSession 760 - $ nix-prefetch-docker --image-name mysql --image-tag 5 --arch x86_64 --os linux 849 + Since [`dockerTools.pullImage`](#ssec-pkgs-dockerTools-pullImage) requires two different hashes, one can run the `nix-prefetch-docker` tool to find out the values for the hashes. 850 + The tool outputs some text for an attribute set which you can pass directly to `pullImage`. 851 + 852 + ```shell 853 + $ nix run nixpkgs#nix-prefetch-docker -- --image-name nixos/nix --image-tag 2.19.3 --arch amd64 --os linux 854 + (some output removed for clarity) 855 + Writing manifest to image destination 856 + -> ImageName: nixos/nix 857 + -> ImageDigest: sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634 858 + -> FinalImageName: nixos/nix 859 + -> FinalImageTag: latest 860 + -> ImagePath: /nix/store/4mxy9mn6978zkvlc670g5703nijsqc95-docker-image-nixos-nix-latest.tar 861 + -> ImageHash: 1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q 862 + { 863 + imageName = "nixos/nix"; 864 + imageDigest = "sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634"; 865 + sha256 = "1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q"; 866 + finalImageName = "nixos/nix"; 867 + finalImageTag = "latest"; 868 + } 761 869 ``` 762 870 763 - Desired image name and tag can be set using `--final-image-name` and `--final-image-tag` arguments: 871 + It is important to supply the `--arch` and `--os` arguments to `nix-prefetch-docker` to filter to a single image, in case there are multiple architectures and/or operating systems supported by the image name and tags specified. 872 + By default, `nix-prefetch-docker` will set `os` to `linux` and `arch` to `amd64`. 764 873 765 - ```ShellSession 766 - $ nix-prefetch-docker --image-name mysql --image-tag 5 --final-image-name eu.gcr.io/my-project/mysql --final-image-tag prod 874 + Run `nix-prefetch-docker --help` for a list of all supported arguments: 875 + ```shell 876 + $ nix run nixpkgs#nix-prefetch-docker -- --help 877 + (output removed for clarity) 767 878 ``` 879 + ::: 768 880 769 881 ## exportImage {#ssec-pkgs-dockerTools-exportImage} 770 882