Question raised at https://github.com/NixOS/nix/issues/2663
How to reproduce
docker run --privileged --rm --name some-docker docker:stable-dind
cat > /tmp/test.nix << 'EOL'
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
stdenv.mkDerivation {
pname = "test";
version = "0.0.1";
DOCKER_HOST = builtins.getEnv "DOCKER_HOST";
buildInputs = [docker curl nettools];
phases = "installPhase";
installPhase = ''
(ls -al /etc || true)
(cat /etc/nsswitch.conf || true)
(cat /etc/hosts || true)
(cat /etc/resolv.conf || true)
# without --store returns
#
# Kernel IP routing table
# Destination Gateway Genmask Flags MSS Window irtt Iface
# 0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
# 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
#
# with --store returns empty
#
# Kernel IP routing table
# Destination Gateway Genmask Flags MSS Window irtt Iface
netstat --numeric --route
# without --store - returns without error
# with --store - error "Could not resolve host: docker"
curl -v http://docker:2375/v1.39/version
# without --store - returns without error, prints server info
# with --store - error "error during connect: Get http://docker:2375/v1.39/version: dial tcp: lookup docker on [::1]:53: read udp [::1]:39506->[::1]:53: read: connection refused"
docker version
# create dummy package if everything above did work fine
mkdir -p $out
'';
}
EOL
Without --store
Command: docker run -it --rm --link some-docker:docker -v /tmp/test.nix:/tmp/test.nix nixos/nix@sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357 sh -c 'export DOCKER_HOST=tcp://docker:2375/ && (echo "hosts: files dns" > /etc/nsswitch.conf) && nix-build /tmp/test.nix'
Output - https://pastebin.com/DZmXrATR
With --store
Command: docker run -it --rm --link some-docker:docker --privileged -v /tmp/test.nix:/tmp/test.nix nixos/nix@sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357 sh -c 'export DOCKER_HOST=tcp://docker:2375/ && (echo "hosts: files dns" > /etc/nsswitch.conf) && nix-build --store /tmp/store /tmp/test.nix'
Output - https://pastebin.com/Z4DxtLQr
How do I make it work?
Update:
It seems that when --store is used, the /etc/nsswitch.conf file is not mounted. Unfortunately, Nix doesn't let me create it myself (touch /etc/nsswitch.conf throws permission denied).
Update:
I found that I can use extra-sandbox-paths to mount files from the container into the Nix build sandbox. Mounting /etc/nsswitch.conf fixes curl: (6) Could not resolve host: docker, but I can't fix the * Immediate connect fail for 172.17.0.2: Network is unreachable error; I tried mounting all network-related files from /etc, but it doesn't work.
docker run --privileged --rm --name some-docker docker:stable-dind
docker run -it --rm --link some-docker:docker --privileged -v /tmp/test.nix:/tmp/test.nix nixos/nix@sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357 sh
nix-env -i curl nettools
# works
curl -v http://172.17.0.2:2375/v1.39/version
# works
curl -v http://docker:2375/v1.39/version
# lo and eth
ifconfig -a
# not empty
netstat -rn
export DOCKER_HOST=tcp://docker:2375/ && (echo "hosts: files dns" > /etc/nsswitch.conf)
cat > /etc/nix/nix.conf << 'EOL'
sandbox = false
extra-sandbox-paths = /etc/nsswitch.conf=/etc/nsswitch.conf /etc/resolv.conf=/etc/resolv.conf /etc/hosts=/etc/hosts /etc/protocols=/etc/protocols /etc/udhcpd.conf=/etc/udhcpd.conf /etc/modules=/etc/modules
EOL
cat > /tmp/test.nix << 'EOL'
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
stdenv.mkDerivation {
pname = "test";
version = "0.0.1";
DOCKER_HOST = builtins.getEnv "DOCKER_HOST";
buildInputs = [docker curl nettools];
phases = "installPhase";
installPhase = ''
# only lo
ifconfig -a
# empty
netstat --numeric --route
# fails
curl -v http://172.17.0.2:2375/v1.39/version
curl -v http://docker:2375/v1.39/version
docker version
mkdir -p $out
'';
}
EOL
nix-build --store /tmp/store /tmp/test.nix
UPDATE
Current state of the investigation:
https://gitlab.com/gitlab-org/gitlab-ce/issues/31312#note_138576414
If you run curl in your installPhase, you're doing it wrong. Derivations in Nix are supposed to be pure: their output depends only on their declared inputs and on nothing else. A derivation that connects to the network is inherently impure: its result will depend on whatever happens to be behind the given network resource at the moment it is invoked. Therefore Nix's sandbox intentionally (and as documented) does not allow network access from builders.
Consider the following, which is still impure but uses builtins.fetchurl instead and therefore is not prevented from working:
{ pkgs ? import <nixpkgs> {} }:
with pkgs; let
  # WARNING: This is impure; usually, downloads should include an explicit hash.
  # builtins.fetchurl runs at evaluation time, outside the build sandbox,
  # which is why it is not blocked. (The URL is quoted; bare URL literals are deprecated.)
  versionFile = builtins.fetchurl "http://172.17.0.2:2375/v1.39/version";
in stdenv.mkDerivation {
  pname = "test";
  version = "0.0.1";
  DOCKER_HOST = builtins.getEnv "DOCKER_HOST";
  buildInputs = [docker curl nettools];
  phases = "installPhase";
  installPhase = ''
    # versionFile is a store path produced at evaluation time; escapeShellArg lives in lib
    cat ${lib.escapeShellArg versionFile}
    # still needs the network at build time, so the sandbox will block it
    docker version
    mkdir -p "$out"
  '';
}
We strongly recommend using pkgs.dockerTools to build Docker-compatible images with pure Nix code only, instead of trying to run Docker inside a Nix derivation.
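As an added example (not code from the issue thread, from Nix or from nixpkgs), here is the pure approach the reply recommends, carried through: the download becomes a fixed-output fetchurl pinned by a hash, which is the only form of network access the build sandbox permits; an ordinary runCommand derivation then consumes that pinned file with no network; and pkgs.dockerTools.buildImage assembles a Docker-compatible image from store paths, so no Docker daemon is contacted during the build. The URL, the image name and tag, and the file name api-version are assumptions; lib.fakeSha256 is an intentionally wrong placeholder hash.

```nix
# Added example, not code from the issue or from nixpkgs: a pure replacement
# for running curl/docker inside installPhase.
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
let
  # Fixed-output derivation. The sandbox lets this one reach the network
  # because the output is pinned by sha256: Nix checks the download against
  # the hash, so the build is reproducible. lib.fakeSha256 is a deliberately
  # wrong placeholder; the first build fails with "hash mismatch" and prints
  # the real hash to paste in. The URL is hypothetical.
  versionDoc = fetchurl {
    url = "https://example.com/docker-api/v1.39/version.json";
    sha256 = lib.fakeSha256;
  };

  # Ordinary (non fixed-output) derivation: no network access, only the
  # declared input above. It copies the pinned file instead of querying a
  # daemon at build time, which is what the sandbox was blocking in the issue.
  versionReport = runCommand "version-report" {} ''
    mkdir -p $out
    cp ${versionDoc} $out/api-version
  '';

  # Docker-compatible image built from store paths; nothing here contacts a
  # Docker daemon, so it builds inside the sandbox. `contents` is the older
  # attribute name (newer nixpkgs calls it `copyToRoot`); each listed store
  # path is copied to the image root, so $out/api-version becomes /api-version.
  # Image name and tag are arbitrary.
  image = dockerTools.buildImage {
    name = "nix-test";
    tag = "0.0.1";
    contents = [ curl coreutils versionReport ];
    config = {
      Cmd = [ "${coreutils}/bin/cat" "/api-version" ];
      Env = [ "PATH=/bin" ];
    };
  };
in
{
  inherit versionDoc versionReport image;
}
```

Build the image with nix-build example.nix -A image; the result symlink points at an image tarball that docker load < result imports. Because the only network access happens in the hash-pinned versionDoc derivation, the build neither needs nor gets the --privileged, --link or extra-sandbox-paths workarounds tried above.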