pkgs/applications/virtualization/docker/default.nix at fix-function-merge

tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
nixpkgs / pkgs / applications / virtualization / docker / default.nix
at fix-function-merge 339 lines 13 kB view raw
wrap content
  1{ lib, callPackage }:
  2
  3rec {
  4  dockerGen = {
  5      version
  6      , cliRev, cliHash
  7      , mobyRev, mobyHash
  8      , runcRev, runcHash
  9      , containerdRev, containerdHash
 10      , tiniRev, tiniHash
 11      , buildxSupport ? true, composeSupport ? true, sbomSupport ? false
 12      # package dependencies
 13      , stdenv, fetchFromGitHub, fetchpatch, buildGoModule
 14      , makeWrapper, installShellFiles, pkg-config, glibc
 15      , go-md2man, go, containerd, runc, tini, libtool
 16      , sqlite, iproute2, docker-buildx, docker-compose, docker-sbom
 17      , iptables, e2fsprogs, xz, util-linux, xfsprogs, git
 18      , procps, rootlesskit, slirp4netns, fuse-overlayfs, nixosTests
 19      , clientOnly ? !stdenv.isLinux, symlinkJoin
 20      , withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd, systemd
 21      , withBtrfs ? stdenv.isLinux, btrfs-progs
 22      , withLvm ? stdenv.isLinux, lvm2
 23      , withSeccomp ? stdenv.isLinux, libseccomp
 24      , knownVulnerabilities ? []
 25    }:
 26  let
 27    docker-runc = runc.overrideAttrs {
 28      pname = "docker-runc";
 29      inherit version;
 30
 31      src = fetchFromGitHub {
 32        owner = "opencontainers";
 33        repo = "runc";
 34        rev = runcRev;
 35        hash = runcHash;
 36      };
 37
 38      # docker/runc already include these patches / are not applicable
 39      patches = [];
 40    };
 41
 42    docker-containerd = containerd.overrideAttrs (oldAttrs: {
 43      pname = "docker-containerd";
 44      inherit version;
 45
 46      src = fetchFromGitHub {
 47        owner = "containerd";
 48        repo = "containerd";
 49        rev = containerdRev;
 50        hash = containerdHash;
 51      };
 52
 53      buildInputs = oldAttrs.buildInputs
 54        ++ lib.optionals withSeccomp [ libseccomp ];
 55    });
 56
 57    docker-tini = tini.overrideAttrs {
 58      pname = "docker-init";
 59      inherit version;
 60
 61      src = fetchFromGitHub {
 62        owner = "krallin";
 63        repo = "tini";
 64        rev = tiniRev;
 65        hash = tiniHash;
 66      };
 67
 68      # Do not remove static from make files as we want a static binary
 69      postPatch = "";
 70
 71      buildInputs = [ glibc glibc.static ];
 72
 73      env.NIX_CFLAGS_COMPILE = "-DMINIMAL=ON";
 74    };
 75
 76    moby-src = fetchFromGitHub {
 77      owner = "moby";
 78      repo = "moby";
 79      rev = mobyRev;
 80      hash = mobyHash;
 81    };
 82
 83    moby = buildGoModule (lib.optionalAttrs stdenv.isLinux rec {
 84      pname = "moby";
 85      inherit version;
 86
 87      src = moby-src;
 88
 89      vendorHash = null;
 90
 91      nativeBuildInputs = [ makeWrapper pkg-config go-md2man go libtool installShellFiles ];
 92      buildInputs = [ sqlite ]
 93        ++ lib.optional withLvm lvm2
 94        ++ lib.optional withBtrfs btrfs-progs
 95        ++ lib.optional withSystemd systemd
 96        ++ lib.optional withSeccomp libseccomp;
 97
 98      extraPath = lib.optionals stdenv.isLinux (lib.makeBinPath [ iproute2 iptables e2fsprogs xz xfsprogs procps util-linux git ]);
 99
100      extraUserPath = lib.optionals (stdenv.isLinux && !clientOnly) (lib.makeBinPath [ rootlesskit slirp4netns fuse-overlayfs ]);
101
102      patches = lib.optionals (lib.versionOlder version "23") [
103        # This patch incorporates code from a PR fixing using buildkit with the ZFS graph driver.
104        # It could be removed when a version incorporating this patch is released.
105        (fetchpatch {
106          name = "buildkit-zfs.patch";
107          url = "https://github.com/moby/moby/pull/43136.patch";
108          hash = "sha256-1WZfpVnnqFwLMYqaHLploOodls0gHF8OCp7MrM26iX8=";
109        })
110      ] ++ lib.optionals (lib.versions.major version == "24") [
111        # docker_24 has LimitNOFILE set to "infinity", which causes a wide variety of issues in containers.
112        # Issues range from higher-than-usual ressource usage, to containers not starting at all.
113        # This patch (part of the release candidates for docker_25) simply removes this unit option
114        # making systemd use its default "1024:524288", which is sane. See commit message and/or the PR for
115        # more details: https://github.com/moby/moby/pull/45534
116        (fetchpatch {
117          name = "LimitNOFILE-systemd-default.patch";
118          url = "https://github.com/moby/moby/pull/45534/commits/c8930105bc9fc3c1a8a90886c23535cc6c41e130.patch";
119          hash = "sha256-nyGLxFrJaD0TrDqsAwOD6Iph0aHcFH9sABj1Fy74sec=";
120        })
121      ];
122
123      postPatch = ''
124        patchShebangs hack/make.sh hack/make/ hack/with-go-mod.sh
125      '';
126
127      buildPhase = ''
128        export GOCACHE="$TMPDIR/go-cache"
129        # build engine
130        export AUTO_GOPATH=1
131        export DOCKER_GITCOMMIT="${cliRev}"
132        export VERSION="${version}"
133        ./hack/make.sh dynbinary
134      '';
135
136      installPhase = ''
137        install -Dm755 ./bundles/dynbinary-daemon/dockerd $out/libexec/docker/dockerd
138        install -Dm755 ./bundles/dynbinary-daemon/docker-proxy $out/libexec/docker/docker-proxy
139
140        makeWrapper $out/libexec/docker/dockerd $out/bin/dockerd \
141          --prefix PATH : "$out/libexec/docker:$extraPath"
142
143        ln -s ${docker-containerd}/bin/containerd $out/libexec/docker/containerd
144        ln -s ${docker-containerd}/bin/containerd-shim $out/libexec/docker/containerd-shim
145        ln -s ${docker-runc}/bin/runc $out/libexec/docker/runc
146        ln -s ${docker-tini}/bin/tini-static $out/libexec/docker/docker-init
147
148        # systemd
149        install -Dm644 ./contrib/init/systemd/docker.service $out/etc/systemd/system/docker.service
150        substituteInPlace $out/etc/systemd/system/docker.service --replace-fail /usr/bin/dockerd $out/bin/dockerd
151        install -Dm644 ./contrib/init/systemd/docker.socket $out/etc/systemd/system/docker.socket
152
153        # rootless Docker
154        install -Dm755 ./contrib/dockerd-rootless.sh $out/libexec/docker/dockerd-rootless.sh
155        makeWrapper $out/libexec/docker/dockerd-rootless.sh $out/bin/dockerd-rootless \
156          --prefix PATH : "$out/libexec/docker:$extraPath:$extraUserPath"
157      '';
158
159      DOCKER_BUILDTAGS = lib.optional withSystemd "journald"
160        ++ lib.optional (!withBtrfs) "exclude_graphdriver_btrfs"
161        ++ lib.optional (!withLvm) "exclude_graphdriver_devicemapper"
162        ++ lib.optional withSeccomp "seccomp";
163    });
164
165    plugins = lib.optional buildxSupport docker-buildx
166      ++ lib.optional composeSupport docker-compose
167      ++ lib.optional sbomSupport docker-sbom;
168    pluginsRef = symlinkJoin { name = "docker-plugins"; paths = plugins; };
169  in
170  buildGoModule (lib.optionalAttrs (!clientOnly) {
171    # allow overrides of docker components
172    # TODO: move packages out of the let...in into top-level to allow proper overrides
173    inherit docker-runc docker-containerd docker-tini moby;
174  } // rec {
175    pname = "docker";
176    inherit version;
177
178    src = fetchFromGitHub {
179      owner = "docker";
180      repo = "cli";
181      rev = cliRev;
182      hash = cliHash;
183    };
184
185    vendorHash = null;
186
187    nativeBuildInputs = [
188      makeWrapper pkg-config go-md2man go libtool installShellFiles
189    ];
190
191    buildInputs = plugins ++ lib.optionals (lib.versionAtLeast version "23" && stdenv.isLinux) [
192      glibc
193      glibc.static
194    ];
195
196    postPatch = ''
197      patchShebangs man scripts/build/
198      substituteInPlace ./scripts/build/.variables --replace-fail "set -eu" ""
199    '' + lib.optionalString (plugins != []) ''
200      substituteInPlace ./cli-plugins/manager/manager_unix.go --replace-fail /usr/libexec/docker/cli-plugins \
201          "${pluginsRef}/libexec/docker/cli-plugins"
202    '';
203
204    # Keep eyes on BUILDTIME format - https://github.com/docker/cli/blob/${version}/scripts/build/.variables
205    buildPhase = ''
206      export GOCACHE="$TMPDIR/go-cache"
207
208      # Mimic AUTO_GOPATH
209      mkdir -p .gopath/src/github.com/docker/
210      ln -sf $PWD .gopath/src/github.com/docker/cli
211      export GOPATH="$PWD/.gopath:$GOPATH"
212      export GITCOMMIT="${cliRev}"
213      export VERSION="${version}"
214      export BUILDTIME="1970-01-01T00:00:00Z"
215      make dynbinary
216
217    '';
218
219    outputs = ["out"] ++ lib.optional (lib.versionOlder version "23") "man";
220
221    installPhase = ''
222      install -Dm755 ./build/docker $out/libexec/docker/docker
223
224      makeWrapper $out/libexec/docker/docker $out/bin/docker \
225        --prefix PATH : "$out/libexec/docker:$extraPath"
226    '' + lib.optionalString (!clientOnly) ''
227      # symlink docker daemon to docker cli derivation
228      ln -s ${moby}/bin/dockerd $out/bin/dockerd
229      ln -s ${moby}/bin/dockerd-rootless $out/bin/dockerd-rootless
230
231      # systemd
232      mkdir -p $out/etc/systemd/system
233      ln -s ${moby}/etc/systemd/system/docker.service $out/etc/systemd/system/docker.service
234      ln -s ${moby}/etc/systemd/system/docker.socket $out/etc/systemd/system/docker.socket
235    '' + ''
236      # completion (cli)
237      installShellCompletion --bash ./contrib/completion/bash/docker
238      installShellCompletion --fish ./contrib/completion/fish/docker.fish
239      installShellCompletion --zsh  ./contrib/completion/zsh/_docker
240    '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform && lib.versionOlder version "23") ''
241      # Generate man pages from cobra commands
242      echo "Generate man pages from cobra"
243      mkdir -p ./man/man1
244      go build -o ./gen-manpages github.com/docker/cli/man
245      ./gen-manpages --root . --target ./man/man1
246    '' + lib.optionalString (lib.versionOlder version "23") ''
247      # Generate legacy pages from markdown
248      echo "Generate legacy manpages"
249      ./man/md2man-all.sh -q
250
251      installManPage man/*/*.[1-9]
252    '';
253
254    passthru = {
255      # Exposed for tarsum build on non-linux systems (build-support/docker/default.nix)
256      inherit moby-src;
257      tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };
258    };
259
260    meta = with lib; {
261      homepage = "https://www.docker.com/";
262      description = "Open source project to pack, ship and run any application as a lightweight container";
263      longDescription = ''
264        Docker is a platform designed to help developers build, share, and run modern applications.
265
266        To enable the docker daemon on NixOS, set the `virtualisation.docker.enable` option to `true`.
267      '';
268      license = licenses.asl20;
269      maintainers = with maintainers; [ offline vdemeester periklis teutat3s ];
270      mainProgram = "docker";
271      inherit knownVulnerabilities;
272    };
273  });
274
275  # Get revisions from
276  # https://github.com/moby/moby/tree/${version}/hack/dockerfile/install/*
277  docker_24 = callPackage dockerGen rec {
278    version = "24.0.9";
279    cliRev = "v${version}";
280    cliHash = "sha256-nXIZtE0X1OoQT908IGuRhVHb0tiLbqQLP0Md3YWt0/Q=";
281    mobyRev = "v${version}";
282    mobyHash = "sha256-KRS99heyMAPBnjjr7If8TOlJf6v6866S7J3YGkOhFiA=";
283    runcRev = "v1.1.12";
284    runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
285    containerdRev = "v1.7.13";
286    containerdHash = "sha256-y3CYDZbA2QjIn1vyq/p1F1pAVxQHi/0a6hGWZCRWzyk=";
287    tiniRev = "v0.19.0";
288    tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
289    knownVulnerabilities = [
290      "CVE-2024-23651"
291      "CVE-2024-23652"
292      "CVE-2024-23653"
293      "CVE-2024-41110"
294    ];
295  };
296
297  docker_25 = callPackage dockerGen rec {
298    version = "25.0.6";
299    cliRev = "v25.0.5";
300    cliHash = "sha256-CACMi3bXUN6oGc2f/Z+lNQqMgQ4llRWPRKgijdpiPGg=";
301    mobyRev = "v${version}";
302    mobyHash = "sha256-+zkhUMeVD3HNq8WrWQmLskq+HykvD5kzSACmf67YbJE=";
303    runcRev = "v1.1.12";
304    runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
305    containerdRev = "v1.7.20";
306    containerdHash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
307    tiniRev = "v0.19.0";
308    tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
309  };
310
311  docker_26 = callPackage dockerGen rec {
312    version = "26.1.5";
313    cliRev = "v${version}";
314    cliHash = "sha256-UlN+Uc0YHhLyu14h5oDBXP4K9y2tYKPOIPTGZCe4PVY=";
315    mobyRev = "v${version}";
316    mobyHash = "sha256-6Hx7GnA7P6HqDlnGoc+HpPHSl69XezwAEGbvWYUVQlE=";
317    runcRev = "v1.1.12";
318    runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
319    containerdRev = "v1.7.18";
320    containerdHash = "sha256-IlK5IwniaBhqMgxQzV8btQcbdJkNEQeUMoh6aOsBOHQ=";
321    tiniRev = "v0.19.0";
322    tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
323  };
324
325  docker_27 = callPackage dockerGen rec {
326    version = "27.1.1";
327    cliRev = "v${version}";
328    cliHash = "sha256-r9figEMYHHSbMYVFiw7GUMzjZBhlF+jyZqKixyCpoQ0=";
329    mobyRev = "v${version}";
330    mobyHash = "sha256-LuCEdQQ3eWt8VyzmWkQTxlxTok9h/UlACTVls5LcI7g=";
331    runcRev = "v1.1.13";
332    runcHash = "sha256-RQsM8Q7HogDVGbNpen3wxXNGR9lfqmNhkXTRoC+LBk8=";
333    containerdRev = "v1.7.20";
334    containerdHash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
335    tiniRev = "v0.19.0";
336    tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
337  };
338
339}