tvl-depot/tools/nixery/README.md

100 lines
3.7 KiB
Markdown
Raw Normal View History

# Nixery
This package implements a Docker-compatible container registry that is capable
of transparently building and serving container images using [Nix][].
The project started out with the intention of becoming a Kubernetes controller
that can serve declarative image specifications specified in CRDs as container
images. The design for this is outlined in [a public gist][gist].
Currently it focuses on the ad-hoc creation of container images as outlined
below with an example instance available at
[nixery.appspot.com](https://nixery.appspot.com).
This is not an officially supported Google project.
## Ad-hoc container images
Nixery supports building images on-demand based on the *image name*. Every
package that the user intends to include in the image is specified as a path
component of the image name.
The path components refer to top-level keys in `nixpkgs` and are used to build a
container image using Nix's [buildLayeredImage][] functionality.
The special meta-package `shell` provides an image base with many core
components (such as `bash` and `coreutils`) that users commonly expect in
interactive images.
## Usage example
Using the publicly available Nixery instance at `nixery.appspot.com`, one could
retrieve a container image containing `curl` and an interactive shell like this:
```shell
tazjin@tazbox:~$ sudo docker run -ti nixery.appspot.com/shell/curl bash
Unable to find image 'nixery.appspot.com/shell/curl:latest' locally
latest: Pulling from shell/curl
7734b79e1ba1: Already exists
b0d2008d18cd: Pull complete
< ... some layers omitted ...>
Digest: sha256:178270bfe84f74548b6a43347d73524e5c2636875b673675db1547ec427cf302
Status: Downloaded newer image for nixery.appspot.com/shell/curl:latest
bash-4.4# curl --version
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.0.2q zlib/1.2.11 libssh2/1.8.0 nghttp2/1.35.1
```
## Known issues
* Initial build times for an image can be somewhat slow while Nixery retrieves
the required derivations from the Nix cache under-the-hood.
Due to how the Docker Registry API works, there is no way to provide
feedback to the user during this period - hence the UX (in interactive mode)
is currently that "nothing is happening" for a while after the `Unable to
find image` message is printed.
* For some reason these images do not currently work in GKE clusters.
Launching a Kubernetes pod that uses a Nixery image results in an error
stating `unable to convert a nil pointer to a runtime API image:
ImageInspectError`.
This error comes from
[here](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockershim/convert.go#L35)
and it occurs *after* the Kubernetes node has retrieved the image from
Nixery (as per the Nixery logs).
## Kubernetes integration (in the future)
**Note**: The Kubernetes integration is not yet implemented.
The basic idea of the Kubernetes integration is to provide a way for users to
specify the contents of a container image as an API object in Kubernetes which
will be transparently built by Nix when the container is started up.
For example, given a resource that looks like this:
```yaml
---
apiVersion: k8s.nixos.org/v1alpha
kind: NixImage
metadata:
name: curl-and-jq
data:
tag: v1
contents:
- curl
- jq
- bash
```
One could create a container that references the `curl-and-jq` image, which will
then be created by Nix when the container image is pulled.
The controller itself runs as a daemonset on every node in the cluster,
providing a host-mounted `/nix/store`-folder for caching purposes.
[Nix]: https://nixos.org/
[gist]: https://gist.github.com/tazjin/08f3d37073b3590aacac424303e6f745
[buildLayeredImage]: https://grahamc.com/blog/nix-and-layered-docker-images