Use imageName, supply included getManifest script.

2024-09-11 16:36:39 +03:00 · 2023-05-29 12:28:57 -04:00 · 2023-05-29 12:28:57 -04:00 · 7e0f38c51b
commit 7e0f38c51b
parent 1304a8b90e
4 changed files with 37 additions and 26 deletions
--- a/default.nix
+++ b/default.nix
@ -130,19 +130,29 @@ let
    '';

  pullImageByManifest =
-    { imagePath
+    { imageName
    , imageManifest
+    # The manifest dictates what is pulled; these three are only used for
+    # the supplied manifest-updating scripts.
+    , imageTag ? "latest"
+    , os ? "linux"
+    , arch ? pkgs.go.GOARCH
    , tlsVerify ? true
    , registryApiUrl ? "registry.hub.docker.com/v2"
+    , meta ? {}
    }: let
      manifest = l.fromJSON (l.readFile imageManifest);

      buildImageBlob = digest:
        let
-          blobUrl = "https://${registryApiUrl}/${imagePath}/blobs/${digest}";
+          blobUrl = "https://${registryApiUrl}/${imageName}/blobs/${digest}";
          plainDigest = l.replaceStrings ["sha256:"] [""] digest;
          insecureFlag = l.strings.optionalString (!tlsVerify) "--insecure";
-        in (pkgs.runCommand plainDigest {} ''
+        in pkgs.runCommand plainDigest {
+          outputHash = plainDigest;
+          outputHashMode = "flat";
+          outputHashAlgo = "sha256";
+        } ''
          SSL_CERT_FILE="${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";

          # This initial access is expected to fail as we don't have a token.
@ -155,11 +165,7 @@ let

          echo "Blob URL: ${blobUrl}"
          ${pkgs.curl}/bin/curl ${insecureFlag} --fail -H "Authorization: Bearer $token" "${blobUrl}" --location --output $out
-        '').overrideAttrs(_: {
-          outputHash = plainDigest;
-          outputHashMode = "flat";
-          outputHashAlgo = "sha256";
-        });
+        '';

      # Pull the blobs (archives) for all layers, as well as the one for the image's config JSON.
      layerBlobs = map (layerManifest: buildImageBlob layerManifest.digest) manifest.layers;
@ -167,8 +173,24 @@ let

      # Write the blob map out to a JSON file for the GO executable to consume.
      blobMap = l.listToAttrs(map (drv: { name = drv.name; value = drv; }) (layerBlobs ++ [configBlob]));
-      blobMapFile = pkgs.writeText "${imagePath}-blobs.json" (l.toJSON blobMap);
-    in pkgs.runCommand "nix2container-${imagePath}.json" { } ''
+      blobMapFile = pkgs.writeText "${imageName}-blobs.json" (l.toJSON blobMap);
+
+      # Convenience scripts for manifest-updating.
+      filter = ''.manifests[] | select((.platform.os=="${os}") and (.platform.architecture=="${arch}")) | .digest'';
+      getManifest = pkgs.writeShellApplication {
+        name = "get-manifest";
+        runtimeInputs = [ pkgs.jq skopeo-nix2container ];
+        text = ''
+          set -e
+          hash=$(skopeo inspect docker://${imageName} --raw | jq -r '${filter}')
+          skopeo inspect "docker://${imageName}@$hash" --raw | jq
+        '';
+      };
+      updateManifest = pkgs.writeShellScriptBin "update-manifest" ''
+        ${getManifest}/bin/get-manifest > ?????
+      '';
+
+    in pkgs.runCommand "nix2container-${imageName}.json" { inherit getManifest updateManifest; } ''
      ${nix2container-bin}/bin/nix2container image-from-manifest $out ${imageManifest} ${blobMapFile}
    '';

@ -373,7 +395,7 @@ let
      {
        inherit imageName meta;
        passthru = {
-          inherit imageTag;
+          inherit fromImage imageTag;
          # provide a cheap to evaluate image reference for use with external tools like docker
          # DO NOT use as an input to other derivations, as there is no guarantee that the image
          # reference will exist in the store.
--- a/examples/default.nix
+++ b/examples/default.nix
@ -1,4 +1,4 @@
-{ pkgs, nix2container, skopeo-nix2container }: {
+{ pkgs, nix2container }: {
  hello = pkgs.callPackage ./hello.nix { inherit nix2container; };
  nginx = pkgs.callPackage ./nginx.nix { inherit nix2container; };
  bash = pkgs.callPackage ./bash.nix { inherit nix2container; };
@ -13,15 +13,4 @@
  nix = pkgs.callPackage ./nix.nix { inherit nix2container; };
  nix-user = pkgs.callPackage ./nix-user.nix { inherit nix2container; };
  ownership = pkgs.callPackage ./ownership.nix { inherit nix2container; };
-
-  update-manifests = let
-    image = "library/alpine";
-    skopeo = "${skopeo-nix2container}/bin/skopeo";
-    jq = "${pkgs.jq}/bin/jq";
-    filter = ''.manifests[] | select((.platform.os=="linux") and (.platform.architecture=="amd64")) | .digest'';
-  in pkgs.writeShellScriptBin "update-manifests" ''
-    set -e
-    hash=$(${skopeo} inspect docker://${image} --raw | ${jq} -r '${filter}')
-    ${skopeo} inspect docker://${image}@$hash --raw | ${jq} > examples/alpine-manifest.json
-  '';
 }
--- a/examples/from-image-manifest.nix
+++ b/examples/from-image-manifest.nix
@ -1,7 +1,7 @@
 { pkgs, nix2container }: let
  alpine = nix2container.pullImageByManifest {
-    imagePath = "library/alpine";
-    # nix run .#examples.update-manifests to update this to the latest.
+    imageName = "library/alpine";
+    # nix run .#examples.fromImageManifest.fromImage.getManifest > examples/alpine-manifest.json
    imageManifest = ./alpine-manifest.json;
  };
 in
--- a/flake.nix
+++ b/flake.nix
@ -13,7 +13,7 @@
        };
        examples = import ./examples {
          inherit pkgs;
-          inherit (nix2container) nix2container skopeo-nix2container;
+          inherit (nix2container) nix2container;
        };
        tests = import ./tests {
          inherit pkgs examples;