
Write a tutorial

Open ixmatus opened this issue 8 years ago • 17 comments

ixmatus avatar Sep 24 '17 21:09 ixmatus

Are there any other resources than the following? I've read the README and produced a fetchdocker derivation but now I'm a bit lost.

  • http://ixmatus.net/articles/docker-without-docker.html
  • http://ixmatus.net/articles/hocker-nixos-docker.html

paulyoung avatar Jun 04 '19 22:06 paulyoung

I've also looked at https://github.com/NixOS/nixpkgs/pull/32248 but I'm still missing something fundamental, I think.

paulyoung avatar Jun 04 '19 22:06 paulyoung

@paulyoung what are you lost on?

Also, if you're on a newer version of Nix, there was a lot of work done to upgrade the stock dockerTools to support V2 registries: https://nixos.org/nixpkgs/manual/#ssec-pkgs-dockerTools-fetchFromRegistry. Though, I don't know if that works with credential-protected private registries (hocker will, however).

ixmatus avatar Jun 04 '19 22:06 ixmatus

I'm trying to depend on something that invokes docker run --rm ... and figured the first step was to fetch the image using hocker/fetchdocker.

I've done the equivalent of hocker-manifest library/debian jessie | docker2nix library/debian jessie > container.nix from the README and am not sure where to go from there.

paulyoung avatar Jun 04 '19 22:06 paulyoung

Ah okay. Next you need to load it into a running docker daemon instance by:

$(nix-build --no-out-link container.nix)/compositeImage.sh | docker load

ixmatus avatar Jun 04 '19 22:06 ixmatus

We do that as part of the preStart script of a systemd unit responsible for "running" a container, e.g.

preStart = ''
  ${importedContainerDerivation}/compositeImage.sh | ${docker}/bin/docker load
'';
script = ''
  ${docker}/bin/docker run ${importedContainerDerivation}.name ...
'';

(very roughly)

ixmatus avatar Jun 04 '19 22:06 ixmatus

Very helpful. Thanks.

paulyoung avatar Jun 04 '19 22:06 paulyoung

Note, to avoid running docker load every time (because docker load isn't very smart) we also check if the image already exists, à la

if [[ "$(${docker}/bin/docker images -q ${importedContainerDerivation.image} 2>/dev/null)" == "" ]]; then
  # docker load
fi

ixmatus avatar Jun 04 '19 22:06 ixmatus
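
An added example, not part of the thread or of hocker itself: the same "load only if missing" check as a standalone shell function. Because `docker images -q` with stderr discarded prints nothing both when the image is absent and when the daemon cannot be reached, this version probes the daemon first and re-checks the image after the load. The function names, arguments and return codes are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: idempotent load of an image built with hocker/fetchdocker.
# All function names and return codes below are hypothetical.

# Return 0 if the docker daemon answers, non-zero otherwise.
daemon_reachable() {
    docker info >/dev/null 2>&1
}

# Return 0 if an image matching "$1" (repository:tag) is already loaded.
image_present() {
    [ -n "$(docker images -q "$1" 2>/dev/null)" ]
}

# ensure_image_loaded IMAGE LOADER
#   IMAGE  - repository:tag to look for, e.g. library/debian:jessie
#   LOADER - path to the compositeImage.sh produced by nix-build
# Returns: 0 image present (already or after load),
#          2 daemon unreachable, 3 loader script unusable,
#          4 load ran but the image is still not present.
ensure_image_loaded() {
    image=$1
    loader=$2
    if ! daemon_reachable; then
        echo "docker daemon not reachable; not attempting docker load" >&2
        return 2
    fi
    if image_present "$image"; then
        return 0    # nothing to do, skip the expensive docker load
    fi
    if [ ! -x "$loader" ]; then
        echo "loader script missing or not executable: $loader" >&2
        return 3
    fi
    # Stream the composite image into the daemon, then verify the result
    # instead of trusting the pipeline's exit status alone.
    "$loader" | docker load >/dev/null || return 4
    image_present "$image" || return 4
}
```

In a systemd preStart it would be called as `ensure_image_loaded library/debian:jessie "$drv/compositeImage.sh"`, where `$drv` stands for the nix-build output path.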

@paulyoung no problem!

ixmatus avatar Jun 04 '19 22:06 ixmatus

For posterity, I'm now running into this and gather that there's a virtualisation.docker.enable = true; config setting for NixOS, but I'm on macOS.

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

paulyoung avatar Jun 04 '19 23:06 paulyoung

@paulyoung correct. You need to download the official Docker app for MacOS which includes tooling to run the docker daemon in a VM (but it makes it transparent to the docker client utility).

ixmatus avatar Jun 04 '19 23:06 ixmatus

Success :) Thanks Parnell!

paulyoung avatar Jun 04 '19 23:06 paulyoung

@paulyoung no problem!

ixmatus avatar Jun 04 '19 23:06 ixmatus

I don't mean to hijack this thread but figured it might help someone else if all of this was in the same place.

Apparently there is a Nix sandbox restriction that prevents access to the docker daemon, resulting in Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Is there a recommended way to address this?

paulyoung avatar Jun 07 '19 18:06 paulyoung

Investigating extra-sandbox-paths.

paulyoung avatar Jun 07 '19 18:06 paulyoung

This has also been suggested: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/docker-preloader.nix

paulyoung avatar Jun 07 '19 19:06 paulyoung

Specifically pkgs.vmTools.runInLinuxVM

paulyoung avatar Jun 07 '19 19:06 paulyoung