dockerTools ca-certificates.crt helper #170906
Conversation
github-actions
bot
added
the
8.has: documentation
Sohalt
changed the title
ofborg
bot
added
10.rebuild-darwin: 0
| @@ -773,6 +773,11 @@ rec { | |||
| ln -s ${bashInteractive}/bin/bash $out/bin/sh | |||
| ''; | |||
|
|
|||
| # This provides /etc/ssl/certs/ca-certificates.crt | |||
| caCertificates = runCommand "ca-certificates" { } '' | |||
| ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt | |||
There was a problem hiding this comment.
I thought the cacert package already provided the extra symlink. Wouldn't it be simpler to add it there?
There was a problem hiding this comment.
The symlinks are setup by the nixos ca module. If the package provided the symlinks itself, it wouldn't be of much help, since they would still be under the full store path, wouldn't they? It would work with the docker specific use case, since the image builders create the symlinks at the root directory, but eg for NixOS you'd still need the extra logic outside the package to provide the links.
There was a problem hiding this comment.
The whole premise of this is that non-store paths are created at the container root from the paths below store paths, but you're right. What I was suggesting would run the risk of duplicating store paths. There's too many ways to add stuff and we should probably use the module system to take care of this stuff anyway. (poc: #148456). Your derivation will be helpful in the meanwhile.
There was a problem hiding this comment.
Shouldn't this provide both names, like NixOS does? ca-bundle.crt and ca-certificates.crt.
There was a problem hiding this comment.
ca-bundle.crt is the name of the bundle in $out of cacert, so it's already set up by the dockerTools symlink. We might want to add the other symlink from the ca module for Fedora compatibility though.
There was a problem hiding this comment.
Wait it isn't. Nvm. We should add it.
| @@ -773,6 +773,11 @@ rec { | |||
| ln -s ${bashInteractive}/bin/bash $out/bin/sh | |||
| ''; | |||
|
|
|||
| # This provides /etc/ssl/certs/ca-certificates.crt | |||
| caCertificates = runCommand "ca-certificates" { } '' | |||
| ln -s ${cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt | |||
There was a problem hiding this comment.
Shouldn't this provide both names, like NixOS does? ca-bundle.crt and ca-certificates.crt.
Various tools (e.g. wget) expect the ca bundle to be available at /etc/ssl/certs/ca-certificates.crt
Sohalt
force-pushed
the
dockerTools.ca-certificates.crt
branch
from
5c17f7c to
f93491a
Compare
|
Anything left to do here? @roberth |
| Some packages expect certain files to be available globally. | ||
| When building an image from scratch (i.e. without `fromImage`), these files are missing. | ||
| `pkgs.dockerTools` provides some helpers to set up an environment with the necessary files. | ||
| You can include them in the `contents` like this: |
There was a problem hiding this comment.
contents has changed to copyToRoot. Otherwise lgtm.
Sohalt
force-pushed
the
dockerTools.ca-certificates.crt
branch
from
d7bcb84 to
c9d8e34
Compare
|
What's missing to get this merged? |
Description of changes
Add a helper to install
ca-bundle.crtin containers built withdockerToolsat/etc/ssl/certs/ca-certificates.crt, where different programs such aswgetlook for them.Add documentation.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes