Add 05-static-container

[?]
Mar 22, 2023, 4:29 PM
X3HISPCS4DYF7L5FA6WA2L2SJNO2FAALGFYFLFUQNPNQQENX3CVAC

Dependencies

  • [2] ZFMPQAFV Fix and extend cross compilation with static builds
  • [*] 7AUC4NKI Initial commit
  • [*] 52F4Q6CJ Update README

Change contents

  • edit in README.md at line 27
    [2.450]
    [5.473]
    * [05-static-container](05-static-container/demo.sh): Build a container with only a static binary, combining 03 and 04.
  • file addition: 05-static-container (d--r------)
    [4.2]
  • file addition: wttr-delft.nix (----------)
    [0.133]
    # This file looks very similar to what official packages in nixpkgs look like
    { stdenv
    , cmake
    , pkgconfig
    , curl
    }:
    stdenv.mkDerivation rec {
    name = "wttr-delft";
    src = builtins.path { path = ../src; name = name; };
    # Build-time dependencies
    # Since we include CMake, Nix will automatically do all the right things:
    # We don't need a custom 'buildPhase' or 'installPhase' anymore.
    nativeBuildInputs = [ cmake pkgconfig ];
    # Dependencies
    buildInputs = [ curl.dev ];
    # Strict separation of
    # nativeBuildInputs (needed at build time only) and
    # buildInputs (needed at runtime as well)
    strictDeps = true;
    }
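Review bot: `pkgconfig` on lines 26 and 35 is the deprecated nixpkgs alias for `pkg-config`; `callPackage` still resolves it here, but evaluation fails under `allowAliases = false`, so both the function argument and the `nativeBuildInputs` entry should read `pkg-config`. The derivation also uses a bare `name = "wttr-delft"` where the nixpkgs convention the header comment invites comparison with is a `pname` plus `version` pair, which also gives the cross/static builds a versioned store path. Since the flake's overlay keys on the attribute name and `src` reuses `name` via `rec`, switching to `pname` only requires `src = builtins.path { path = ../src; name = pname; };`.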
  • file addition: podman-setup-script.nix (----------)
    [0.133]
    { pkgs }:
    let
    registriesConf = pkgs.writeText "registries.conf" ''
    [registries.search]
    registries = ['docker.io']
    [registries.block]
    registries = []
    '';
    storageConf = pkgs.writeText "storage.conf" ''
    [storage]
    driver = "overlay"
    # rootless_storage_path="$XDG_DATA_HOME/containers/storage"
    '';
    in pkgs.writeShellScript "podman-setup" ''
    # Dont overwrite customised configuration
    if ! test -f ~/.config/containers/policy.json; then
    echo "Installing missing ~/.config/containers/policy.json"
    install -Dm644 ${pkgs.skopeo.src}/default-policy.json ~/.config/containers/policy.json
    fi
    if ! test -f ~/.config/containers/registries.conf; then
    echo "Installing missing ~/.config/containers/registries.conf"
    install -Dm644 ${registriesConf} ~/.config/containers/registries.conf
    fi
    if ! test -f ~/.config/containers/storage.conf; then
    echo "Installing missing ~/.config/containers/storage.conf"
    install -Dm644 ${storageConf} ~/.config/containers/storage.conf
    fi
    if ! grep -q "^''${USER}:" /etc/subuid; then
    echo "No subuid range defined for user, consider running 'sudo usermod --add-subuids 10000-75535 ''${USER}' to allow rootless podman to work"
    fi
    ''
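Review bot: The file installed on lines 60-63 is skopeo's shipped `default-policy.json`, which as far as I can tell consists of `insecureAcceptAnything`, so nothing in this shell verifies image signatures on `load`, `pull` or `run`; the script should say so, e.g. `# NOTE: skopeo's default policy accepts unsigned images from any source; edit ~/.config/containers/policy.json to require signatures` above the first `install`. The `registries.conf` written on lines 47-52 uses the deprecated v1 `[registries.search]` table; the v2 form is the single line `unqualified-search-registries = ["docker.io"]`. Unless `writeShellScript` adds one, the generated script has no `set -e`, so a failed `install` (for instance an unwritable home directory) is printed but does not stop the shell from opening, which may be intended for a demo but deserves a comment.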
  • file addition: podman-devshell.nix (----------)
    [0.133]
    { pkgs }:
    # Development shell for interacting with containers
    # Based on https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947
    let
    # Provides a script that copies/creates files that are required for rootless podman
    podmanSetupScript = import ./podman-setup-script.nix { inherit pkgs; };
    # Provides a fake "docker" binary mapping to podman
    dockerCompat = pkgs.runCommandNoCC "docker-podman-compat" {} ''
    mkdir -p $out/bin
    ln -s ${pkgs.podman}/bin/podman $out/bin/docker
    '';
    in pkgs.mkShell {
    name = "podman";
    buildInputs = with pkgs; [
    podman # Manage pods, containers and images
    runc # Container runtime
    conmon # Container runtime monitor
    skopeo # Interact with container registry
    slirp4netns # User-mode networking for unprivileged namespaces
    fuse-overlayfs # CoW for images, much faster than default vfs
    dockerCompat # Aliases for docker / podman
    ];
    shellHook = ''
    # Install configuration required for rootless podman
    ${podmanSetupScript}
    '';
    }
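Review bot: `pkgs.runCommandNoCC` on line 85 is a deprecated alias; `runCommand` has used `stdenvNoCC` for some time, so `pkgs.runCommand "docker-podman-compat" {} ''…''` produces the same symlink without the alias. `mkShell` also accepts `packages = [ … ];`, the intended attribute for tools that only need to be on `PATH`, where `buildInputs` on line 91 is the older spelling. The `shellHook` runs the setup script on every `nix develop` and writes into `~/.config/containers`; the comment on line 101 could state that it only creates missing files and never overwrites existing ones, since that is the property a user wants to know before a dev shell touches their home directory.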
  • file addition: flake.nix (----------)
    [0.133]
    {
    description = "Simple flake for simple libcurl example";
    inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "github:NixOS/nixpkgs";
    };
    outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
    let
    pkgs = import nixpkgs {
    inherit system;
    overlays = [
    (final: prev: {
    wttr-delft = prev.callPackage ./wttr-delft.nix {};
    })
    ];
    };
    # We copy only the static binary to avoid pulling in any unwanted dependencies
    wttr-delft-only-binary = pkgs.runCommand "wttr-delft-only-binary" {} ''
    mkdir $out
    cp ${pkgs.pkgsCross.musl64.pkgsStatic.wttr-delft}/bin/wttr-delft $out
    '';
    # Docker image containing only the wttr-delft static binary
    wttr-delft-container = pkgs.dockerTools.buildImage {
    name = "wttr-delft";
    tag = "nix";
    # created = "now";
    config = {
    Cmd = [ "${wttr-delft-only-binary}/wttr-delft" ];
    Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
    };
    };
    in
    {
    packages.default = wttr-delft-container;
    devShells.default = import ./podman-devshell.nix { inherit pkgs; };
    }
    );
    }
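Review bot: The image `config` on lines 134-137 sets no `User`, so the container process runs as uid 0 by default; under the rootless podman this demo uses that maps to the invoking user, but anywhere else the same tarball runs as container root. For a program that only needs outbound HTTPS, adding `User = "65534:65534";` next to `Cmd` (numeric, because the image carries no `/etc/passwd`) is cheap hardening, and the choice deserves a comment either way. Separately, `nixpkgs.url = "github:NixOS/nixpkgs"` on line 111 carries no ref, so `nix flake update` follows nixpkgs' default branch rather than a Hydra-tested channel such as `github:NixOS/nixpkgs/nixos-unstable`; the lock file pins it today, but the intent should be explicit in the input.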
  • file addition: flake.lock (----------)
    [0.133]
    {
    "nodes": {
    "flake-utils": {
    "locked": {
    "lastModified": 1678901627,
    "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
    "owner": "numtide",
    "repo": "flake-utils",
    "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
    "type": "github"
    },
    "original": {
    "owner": "numtide",
    "repo": "flake-utils",
    "type": "github"
    }
    },
    "nixpkgs": {
    "locked": {
    "lastModified": 1679396235,
    "narHash": "sha256-RjmNVFuZQ2e6u35B98JcY9IzVDtZb3d4QcbtfLtNWkE=",
    "owner": "NixOS",
    "repo": "nixpkgs",
    "rev": "008ce261a7e3c532e792cb8e39482f2cc1b192f5",
    "type": "github"
    },
    "original": {
    "owner": "NixOS",
    "repo": "nixpkgs",
    "type": "github"
    }
    },
    "root": {
    "inputs": {
    "flake-utils": "flake-utils",
    "nixpkgs": "nixpkgs"
    }
    }
    },
    "root": "root",
    "version": 7
    }
  • file addition: demo.sh (---r------)
    [0.133]
    #!/usr/bin/env bash
    # shellcheck disable=SC1010,SC2288
    set -Eeuo pipefail
    dir="$(dirname "${BASH_SOURCE[0]}")"
    source "${dir}/../libdemo/libdemo.sh"
    h Putting wttr-delft into a container as a small static binary
    , We now combine our knowledge of making OCI containers with our knowledge of making static binaries
    x pygmentize "${dir}/flake.nix"
    h We now choose the \'container\' package we defined:
    x nix build "${dir}" -L
    x ls -lhH "${dir}/result"
    x nix develop "${dir}" --command "${dir}/demo-inside-nix-develop.sh"
  • file addition: demo-inside-nix-develop.sh (---r------)
    [0.133]
    #!/usr/bin/env bash
    # shellcheck disable=SC2288
    set -Eeuo pipefail
    dir="$(dirname "${BASH_SOURCE[0]}")"
    source "${dir}/../libdemo/libdemo.sh"
    h Now we are inside a development shell that has rootless podman again.
    h So we start by loading the container we just made into the registry:
    x docker load -i "${dir}/result"
    h We can see it\'s there:
    x "docker image ls | grep 'wttr-delft\|^REPOSITORY'"
    h And now we can run it:
    x docker run -it localhost/wttr-delft:nix
    h The image is very minimal, e.g. there is no interactive shell:
    f podman run --entrypoint sh -it localhost/wttr-delft:nix
    h We have running containers:
    x "podman ps --all --storage | grep 'wttr-delft\|^CONTAINER ID'"
    h Let\'s kill them and remove them:
    x "podman ps --all --storage | tail -n +2 | grep wttr-delft | awk '{print \$1}' | xargs podman rm"
    x "podman image ls | tail -n +2 | grep wttr-delft | awk '{print \$3}' | xargs podman image rm -f"
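Review bot: The cleanup pipelines on lines 223-224 are fragile when nothing matches: under the `set -Eeuo pipefail` on line 208 a non-matching `grep` exits 1 and fails the pipeline, and an empty match still invokes `podman rm` with no arguments through `xargs`; `xargs -r podman rm` and `xargs -r podman image rm -f` (GNU `--no-run-if-empty`) fix the second, and `grep wttr-delft || true` the first. How much of this matters depends on how `x` from libdemo.sh, which is outside this change, evaluates its argument. The narration on line 212 says the image is loaded `into the registry`, but `docker load` imports it into local container storage, not a registry; `into local storage` is the accurate wording.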