docker-nixpkgs
Image errors for GitHub Actions
Trying to use these images in GitHub Actions gives an error, see e.g. https://github.com/Infinisil/github-actions-docker/runs/1271863329:
/usr/bin/docker exec de645264c246e9831bfdda7ede83a62ed2d14583037ddb6b317acabd8fdfb1fa sh -c "cat /etc/*release | grep ^ID"
OCI runtime exec failed: exec failed: container_linux.go:370: starting container process caused: no such file or directory: unknown
This has already been reported in https://github.com/actions/checkout/issues/334, but it doesn't really have anything to do with the checkout action (that's just the first action that tries to run the container).
Most likely it's some file missing in the image, but the error really doesn't help a lot to figure out which file.
A possible way to figure this out is to do a long-winded bisection with e.g. an alpine image, because that one works, and the image contents can be inspected with https://stackoverflow.com/a/53481010. So by incrementally copying files from that image to the docker-nixpkgs one, it should start working at some point.
$ drun nixpkgs/nix:nixos-unstable sh -c "cat /etc/*release | grep ^ID"
sh: grep: command not found
cat: '/etc/*release': No such file or directory
The nix image is fairly minimal right now but it could be extended.
It's a bit misleading, but the error happens before the command is actually started and has nothing to do with either grep or /etc/*release.
For https://github.com/niteoweb/nix-docker-base, which uses the same nixpkgs Docker builders as this repo, both grep and /etc/os-release exist:
docker run -it niteo/nixpkgs-nixos-20.03:925ae0dee63cf2c59533a6258340812e5643428a sh -c "cat /etc/*release | grep ^ID"
ID=nix
Yet on GitHub Actions, it fails in the very same way: https://github.com/Infinisil/github-actions-docker/runs/1271712451?check_suite_focus=true
It's possible that GitHub Actions sets a custom entry point for the container. That would explain the error.
To test that I would create an image with tons of wrappers in /bin that echo $0. And then symlink /bin to /usr/bin.
Looks like somebody figured it out! https://github.com/actions/checkout/issues/334#issuecomment-713845806 With nixpkgs' Docker builders, these dynamic libraries could be added relatively easily, though this will sacrifice a bit of purity. I'll certainly give that a try soonish.
Was able to fix it for https://github.com/niteoweb/nix-docker-base with https://github.com/niteoweb/nix-docker-base/commit/0a5ceed0441a32b25a33b6904a47e007231b58c6, turns out it's a bit different for Nix. See also https://github.com/actions/checkout/issues/334#issuecomment-716068696. Feel free to reuse this fix for docker-nixpkgs.
I am a bit torn. It allows running programs that didn't go through patchelf, which is both a bad and good thing, depending on whether the binary was packaged by Nix or not.
I do a similar trick in the devcontainer image because VSCode injects their own binary as well: https://github.com/nix-community/docker-nixpkgs/blob/a720d8ee4f8665b3a4516d1453a09446bf8f3e9c/images/devcontainer/default.nix#L98-L99
Hi, could we do this for other images? I would love to use the nixpkgs nix-unstable image in our CI, instead of devcontainer.
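The comments above trace the error to dynamic libraries missing from the image and to injected binaries that never went through patchelf. As an added example (not code from this thread or from either repository), the check below reads a binary's ELF PT_INTERP entry and reports the loader path when an unpacked image root filesystem lacks it. It assumes the injected binary is a dynamically linked ELF; the function names are hypothetical and the sample ELF is constructed.

```python
import os
import struct

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF file, or None (static or not ELF)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    word = "Q" if is64 else "I"
    # Offsets of e_phoff, e_phentsize, p_offset, p_filesz for each ELF class.
    o_phoff, o_phent, o_off, o_fsz = (32, 54, 8, 32) if is64 else (28, 42, 4, 16)
    phoff, = struct.unpack_from(end + word, data, o_phoff)
    phentsize, phnum = struct.unpack_from(end + "HH", data, o_phent)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_INTERP:
            offset, = struct.unpack_from(end + word, data, base + o_off)
            filesz, = struct.unpack_from(end + word, data, base + o_fsz)
            return data[offset:offset + filesz].rstrip(b"\0").decode()
    return None

def missing_interpreter(data: bytes, rootfs: str):
    """Return the loader path if the binary needs one that rootfs lacks."""
    interp = elf_interpreter(data)
    if interp is None:
        return None
    # lexists: an absolute symlink inside an unpacked rootfs counts as present.
    present = os.path.lexists(os.path.join(rootfs, interp.lstrip("/")))
    return None if present else interp

def sample_elf(interp: bytes) -> bytes:
    """Constructed sample: minimal ELF64 little-endian file with one PT_INTERP."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(interp), len(interp), 1)
    return ehdr + phdr + interp

if __name__ == "__main__":
    import sys
    # Usage: script.py <binary> <unpacked-image-rootfs>
    with open(sys.argv[1], "rb") as fh:
        lost = missing_interpreter(fh.read(), sys.argv[2])
    print(f"missing loader: {lost}" if lost else "loader present or not needed")
```

When the loader named in PT_INTERP is absent, exec fails with "no such file or directory" even though the binary itself exists, which is why the error message does not point at the missing file.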