feat: add and install nix as tool #35
Signed-off-by: matttrach <matt.trachier@suse.com>
Overall looks okay, it's a solid idea for an area we should cover too. I will need to take a deeper look tomorrow to provide more complete review. My first feedback is around:
I would prefer we ensure that the

Like maybe a Nix template? Maybe we should have an "install-template" attribute in the deps.yaml to specify a template to insert into the dockerfile?

I was thinking that but then I started thinking about tool "before hooks" of some sort. I'm playing with something tonight and should have a PR this could be based on tomorrow.
Here is a new hooks feature to accommodate this PR's needs: #36. I think that this will be more flexible for all tools' needs than some Nix-specific solution here. Additionally it will consolidate all the "extra tool specific logic" into these new hook files. After that PR the tool config will look different, use:

Then you will want to make:

```dockerfile
# Create unprivileged user for Nix installation
RUN useradd -m suse && \
    if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi && \
    echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
# Add suse user to runner group and create /etc/nix directory and configuration
RUN usermod -a -G runner suse && \
    sudo mkdir -p /etc/nix && \
    printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \
    sudo chown -R suse:runner /etc/nix && \
    sudo mkdir -p /nix && \
    sudo chown -R suse:runner /nix && \
    echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh && \
    echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local
```

And

```dockerfile
# Fix ownership and run Nix installer from the extracted archive
RUN set -e; \
    sudo chown -R suse:runner /var/ci-tools/nix
# Switch to unprivileged user for installation
USER suse
WORKDIR /home/suse
ENV USER=suse
RUN set -e; \
    case "${ARCH}" in \
      amd64) extract="nix-2.34.5-x86_64-linux/install" ;; \
      arm64) extract="nix-2.34.5-aarch64-linux/install" ;; \
      *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \
    esac; \
    cd /var/ci-tools/nix && \
    ./${extract} --no-daemon
# Restore root user for remaining Dockerfile operations
USER root
ENV USER=root
```
@matttrach can you please rebase your PR and update it to the new config of hooks made by @mallardduck in #36?
Signed-off-by: matttrach <matt.trachier@suse.com>
Signed-off-by: matttrach <matt.trachier@suse.com>
Signed-off-by: matttrach <matt.trachier@suse.com>
The version variable allows further templates to know the version selected in the deps.yaml. Without this the deps.yaml won't be the single source of truth for the version information.
```go
	u := urlExt(url)
	return strings.HasSuffix(u, ".gz") && !strings.HasSuffix(u, ".tar.gz")
}
```
```shell
chmod 2755 /var/ci-tools
```
```dockerfile
{{range .Tools}}# {{.Name}} {{.Version}}
ENV {{.Name}}_version="{{.Version}}"
```
I saw your comment about this line, but sorry, I didn't exactly get why it is needed.
These are supposed to be in the project root as hooks/nix-pre.tmpl
🤔 Ok - I see where you might want to add the version env. However I think that I see this as highlighting a different gap in the hook mechanism. Think this should be pretty easy to extend so that the hook templates have context of and access to variables related to their package.

OK - 2 things: I see a super simple fix that is pretty obvious in hindsight. Gist being that even
To save us some cycles I also prepared a branch to validate this produces expected results: main...fix-test I don't use nix but the dockerfile fully builds for me now so I think that's a good sign.

The other part is "Hook Variables" which could allow Hook files to be more complex if needed. However the first fix will make it moot - so this becomes a future "nice to have".
@matttrach #39 is merged and will require a new rebase and re-run to update your code, please.
@mallardduck I think that we should be good to merge this one, wdyt?
```dockerfile
{{range .Tools}}# {{.Name}} {{.Version}}
ENV {{.Name}}_version="{{.Version}}"
```
Regarding `ENV {{.Name}}_version="{{.Version}}"`:
I don't think we need this any more - a design goal of this system is to not need to know the specific version number of a tool. The changes I made to the other PR should allow things to work without this.
```
@@ -0,0 +1,21 @@
# Fix ownership and run Nix installer from the extracted archive
```
This whole file needs to move to hooks/nix-post.tmpl per my example: main...fix-test
Same as other one - this whole file should live at: hooks/ per example main...fix-test
```yaml
helm: helmv4
go_version: 1.26.2
description: CI image with Go 1.26 toolchain
nix:
```
Because the hooks are not in the expected path the lock file does not track them as it should.
@matttrach can you please check Dan's comment so we can merge this PR?
This adds and installs Nix into a new Nix image.
It also adds a new build type, `archive_script`, which downloads an archive matching the checksum, extracts the install script and runs the installer. Nix has some specific install needs, so I added them into the `archive_script` template, making sure to switch on tool name. The normal case for `archive_script` will download the script from the URL, extract the installer and run it. For Nix we need to add sudo and a new user; I added the user suse since that is standard on SLES.
Closes #34
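The `archive_script` flow described above (fetch an archive, check it against the pinned checksum, pull the installer out, run it) as an added Go example; this is not the project's own code. It refuses to open an archive whose SHA-256 does not match the digest recorded for it and rejects tar members whose path would escape the archive root, so a tampered archive cannot substitute a different "installer". The sample archive, its member name and its digest are constructed inside the block.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"strings"
)

// makeArchive builds a constructed sample tar.gz with one regular-file member.
func makeArchive(name, body string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o755, Size: int64(len(body))})
	tw.Write([]byte(body))
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// extractScript only opens the archive when its SHA-256 equals the pinned hex digest,
// then returns the member named script; member names that escape the root are rejected.
func extractScript(archive []byte, wantSHA256, script string) ([]byte, error) {
	sum := sha256.Sum256(archive)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), wantSHA256) {
		return nil, fmt.Errorf("checksum mismatch: got %x", sum)
	}
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err != nil { // io.EOF here means the script was never found
			return nil, fmt.Errorf("member %q not found: %w", script, err)
		}
		name := path.Clean(hdr.Name)
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("unsafe member path %q", hdr.Name)
		}
		if name == script && hdr.Typeflag == tar.TypeReg {
			return io.ReadAll(io.LimitReader(tr, 1<<20)) // cap installer size at 1 MiB
		}
	}
}
```

The digest would normally come from the tool's entry in deps.yaml and the member name from the per-architecture `case` in the template; here both are derived from the constructed archive.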