unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Building container images with nix2container
@ 2024-02-24  9:27 Antoine Eiche
  2024-02-25 10:07 ` Ricardo Wurmus
  0 siblings, 1 reply; 8+ messages in thread
From: Antoine Eiche @ 2024-02-24  9:27 UTC (permalink / raw)
  To: guix-devel

Hello Guix,

Two years ago, i released nix2container [1], a Go library and binary to
build container images from Nix expressions.
However, this Go code is not tightly coupled with Nix and has been
designed to potentially work with Guix [2]!

nix2container offers the following main features:
- It uses a layering algorithm to group storepaths into layers [3]
- It avoids writing an image tarball in your Guix store (reduce IOs and storage)

Basically, to build a container image, nix2container relies on two steps:
1. The nix2container Go binary takes the reference graph [4]
   of the container image closure to generates a JSON file describing
   the image configuration and the layers.
2. This JSON file can then be consumed by a patched Skopeo version[5] to
   build or push an image [8].

In case you would like to try nix2container with Guix, in theory, you
would need to add the support of another input reference graph format
[6] and a write simple Guix derivations [7] calling the nix2container
binary.

Hoping it could be useful,
lewo.

[1] https://github.com/nlewo/nix2container
[2] https://github.com/nlewo/containers-image-nix/blob/e342762cf7274dd7449343f3488723898da63f00/nix/utils.go#L55
[3] https://grahamc.com/blog/nix-and-layered-docker-images/
[4] https://nixos.org/manual/nix/stable/language/advanced-attributes.html?highlight=exportReferencesGraph#adv-attr-exportReferencesGraph
[5] https://github.com/nlewo/containers-image-nix/blob/9d7f33ef0058f4df4c0912025f43c758a3289d76/default.nix#L31
[6] https://github.com/nlewo/containers-image-nix/blob/9d7f33ef0058f4df4c0912025f43c758a3289d76/data/closure-graph.json#L1
[7] https://github.com/nlewo/containers-image-nix/blob/9d7f33ef0058f4df4c0912025f43c758a3289d76/default.nix#L305
[8] https://github.com/nlewo/containers-image-nix/blob/9d7f33ef0058f4df4c0912025f43c758a3289d76/default.nix#L47


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-24  9:27 Building container images with nix2container Antoine Eiche
@ 2024-02-25 10:07 ` Ricardo Wurmus
  2024-02-26 10:09   ` Antoine Eiche
  0 siblings, 1 reply; 8+ messages in thread
From: Ricardo Wurmus @ 2024-02-25 10:07 UTC (permalink / raw)
  To: Antoine Eiche; +Cc: guix-devel


Antoine Eiche <lewo@abesis.fr> writes:

> In case you would like to try nix2container with Guix, in theory, you
> would need to add the support of another input reference graph format
> [6] and a write simple Guix derivations [7] calling the nix2container
> binary.

We have "guix pack" as part of Guix.  It builds Docker or squashfs
images as well as various other formats.  What does nix2container offer
beyond what we have?

-- 
Ricardo


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-25 10:07 ` Ricardo Wurmus
@ 2024-02-26 10:09   ` Antoine Eiche
  2024-02-26 10:24     ` Ricardo Wurmus
  2024-02-26 17:33     ` Simon Tournier
  0 siblings, 2 replies; 8+ messages in thread
From: Antoine Eiche @ 2024-02-26 10:09 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <rekado@elephly.net> writes:

> We have "guix pack" as part of Guix.  It builds Docker or squashfs
> images as well as various other formats.  What does nix2container offer
> beyond what we have?

I acutally don't know how you currently build Docker images. But if
nix2container brings something, i think it would mainly be
optimizations (time and space).

Does your built images contains several layers?

nix2container uses an heuristic to group store paths into layers. The
goal is to share common layers between images and to avoid full image
rebuild when only a storepath differs.

Do you write the image tarball into your store when you build an image?

nix2container is able to build layers on the fly from the Nix store. The
goal is to reduce IOs and storage. Instead of writing an image tarball
into the store, it generates a script which stream layers from store
paths to the destination (a Docker registry, the Docker deamon, Podman
or a file).

nix2container also has more advanced features allowing to control the
layers that are rebuilt. For instance, if you work on a Python
application, nix2container would allow to isolate your application and
the Python libraries into dedicated layers. When you change something in
your application, the layers containing the Python libraries won't have
to be rebuilt and pushed to a registry.

lewo.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-26 10:09   ` Antoine Eiche
@ 2024-02-26 10:24     ` Ricardo Wurmus
  2024-02-26 17:33     ` Simon Tournier
  1 sibling, 0 replies; 8+ messages in thread
From: Ricardo Wurmus @ 2024-02-26 10:24 UTC (permalink / raw)
  To: Antoine Eiche; +Cc: guix-devel


Antoine Eiche <lewo@abesis.fr> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> We have "guix pack" as part of Guix.  It builds Docker or squashfs
>> images as well as various other formats.  What does nix2container offer
>> beyond what we have?
>
> I acutally don't know how you currently build Docker images. But if
> nix2container brings something, i think it would mainly be
> optimizations (time and space).
>
> Does your built images contains several layers?

Yes.  See
https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-pack.html

-- 
Ricardo


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-26 10:09   ` Antoine Eiche
  2024-02-26 10:24     ` Ricardo Wurmus
@ 2024-02-26 17:33     ` Simon Tournier
  2024-03-08 10:31       ` Simon Tournier
  2024-03-17 17:09       ` Antoine Eiche
  1 sibling, 2 replies; 8+ messages in thread
From: Simon Tournier @ 2024-02-26 17:33 UTC (permalink / raw)
  To: Antoine Eiche, Ricardo Wurmus; +Cc: guix-devel

Hi lewo,

On lun., 26 févr. 2024 at 11:09, Antoine Eiche <lewo@abesis.fr> wrote:

> Does your built images contains several layers?

This had recently been introduced.

        0cf75c9b2f23869201144917cea7f6ad49683d3d
        AuthorDate: Tue Dec 26 03:54:12 2023 +0300
        CommitDate: Mon Jan 8 21:04:44 2024 +0300

> nix2container uses an heuristic to group store paths into layers. The
> goal is to share common layers between images and to avoid full image
> rebuild when only a storepath differs.

Well, I have not followed on which strategy Guix relies.  What is the
one of nix2container?  The one described here:

    https://grahamc.com/blog/nix-and-layered-docker-images/

> Do you write the image tarball into your store when you build an image?
>
> nix2container is able to build layers on the fly from the Nix store. The
> goal is to reduce IOs and storage. Instead of writing an image tarball
> into the store, it generates a script which stream layers from store
> paths to the destination (a Docker registry, the Docker deamon, Podman
> or a file).

To my knowledge, this is not implemented in Guix.  And indeed, it could
improve the dance.  Currently, it reads:

    docker load < $(guix pack -f docker …)


Cheers,
simon


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-26 17:33     ` Simon Tournier
@ 2024-03-08 10:31       ` Simon Tournier
  2024-03-17 17:32         ` Antoine Eiche
  2024-03-17 17:09       ` Antoine Eiche
  1 sibling, 1 reply; 8+ messages in thread
From: Simon Tournier @ 2024-03-08 10:31 UTC (permalink / raw)
  To: Antoine Eiche, Ricardo Wurmus; +Cc: guix-devel

Hi Antoine,

Reading this blog post:

    https://lewo.abesis.fr/posts/nix-build-container-image/

and from my understanding, “guix pack” is currently something similar to
’dockerTools.buildImage’ [1]

On lun., 26 févr. 2024 at 18:33, Simon Tournier <zimon.toutoune@gmail.com> wrote:

> Well, I have not followed on which strategy Guix relies.  What is the
> one of nix2container?  The one described here:
>
>     https://grahamc.com/blog/nix-and-layered-docker-images/

To answer to my question, the way to build the container image is
different, hence it does not make much sense to speak about a
“strategy“. :-)

However, the blog post says:

        To address this issue, we could add a nonReproducible option in
        the containerTools.buildLayer function. Instead of only storing
        the digest, we would also store the tar. Note in practice, an
        important part of nixpkgs is bit reproducible and this would
        rarely be needed.

And so the question is how do you know beforehand if the flag
’nonReproducible’ must be applied or not?

Indeed, the approach of nix2container could be helpful in addition to
‘guix pack’.  Maybe an extension… :-)

Cheers,
simon


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-02-26 17:33     ` Simon Tournier
  2024-03-08 10:31       ` Simon Tournier
@ 2024-03-17 17:09       ` Antoine Eiche
  1 sibling, 0 replies; 8+ messages in thread
From: Antoine Eiche @ 2024-03-17 17:09 UTC (permalink / raw)
  To: Simon Tournier, Ricardo Wurmus; +Cc: guix-devel

Simon Tournier <zimon.toutoune@gmail.com> writes:

>> Does your built images contains several layers?
>
> This had recently been introduced.
>
>         0cf75c9b2f23869201144917cea7f6ad49683d3d
>         AuthorDate: Tue Dec 26 03:54:12 2023 +0300
>         CommitDate: Mon Jan 8 21:04:44 2024 +0300

Thanks.

>> nix2container uses an heuristic to group store paths into layers. The
>> goal is to share common layers between images and to avoid full image
>> rebuild when only a storepath differs.
>
> Well, I have not followed on which strategy Guix relies.  What is the
> one of nix2container?  The one described here:
>
>     https://grahamc.com/blog/nix-and-layered-docker-images/

Yes.
But I think it could be improved by taking the nar size into account.

lewo.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Building container images with nix2container
  2024-03-08 10:31       ` Simon Tournier
@ 2024-03-17 17:32         ` Antoine Eiche
  0 siblings, 0 replies; 8+ messages in thread
From: Antoine Eiche @ 2024-03-17 17:32 UTC (permalink / raw)
  To: Simon Tournier, Ricardo Wurmus; +Cc: guix-devel

Simon Tournier <zimon.toutoune@gmail.com> writes:

>> Well, I have not followed on which strategy Guix relies.  What is the
>> one of nix2container?  The one described here:
>>
>>     https://grahamc.com/blog/nix-and-layered-docker-images/
>
> To answer to my question, the way to build the container image is
> different, hence it does not make much sense to speak about a
> “strategy“. :-)

nix2container actually uses this strategy. To build an image,
nix2container builds several derivations. Each of these derivation
contains a set of layers. The layers of each set are determined by using
the algorithm mentionned above. At runtime, all of these derivations are
packed to build the final image.

> However, the blog post says:
>
>         To address this issue, we could add a nonReproducible option in
>         the containerTools.buildLayer function. Instead of only storing
>         the digest, we would also store the tar. Note in practice, an
>         important part of nixpkgs is bit reproducible and this would
>         rarely be needed.
>
> And so the question is how do you know beforehand if the flag
> ’nonReproducible’ must be applied or not?

Sorry, i have missed your mails:/ So, here is the answer I provided on
Mastodon few days ago.

Generally, i don't think it's possible to know when this flag is needed
before encountering an issue at image push time: Skopeo would then say
layer hashes mismatch.

However, in practice, it seems this flag is not often used.
To hit this issue, I think you need to substitute the JSON file from a
binary cache while building non bit reproducible store paths locally. In
this case, the hash specified in the JSON file could be different from
the hash of the derivation locally built. But, the locally built store
path is a dependency of the JSON file, they should also be in the binary
cache and would generally also be substituted.
I admit this is not rock-solid science... but it seems to make the job
in practice. And if it occurs, a strategy could be to isolate this
storepath into a layer with the non-reproducible flag.

There is also another option which is currently used by
nixpkgs.dockerTools.streamLayeredImage. To avoid the reproducibility
issue while still avoiding writing layer tarballs, we could introduce
another option to let nix2container generating the layer hashes on the
fly, just before pushing the image. This would then require more IOs
since nix2container would need to read layer store paths on each image
push.

> Indeed, the approach of nix2container could be helpful in addition to
> ‘guix pack’.  Maybe an extension… :-)

From my point of view, another advantage of the nix2container
approach is to delegate a important part of the build image mecanism
to Skopeo, a tool well maintained and used by a lot of people.

lewo.


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-03-17 17:32 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-24  9:27 Building container images with nix2container Antoine Eiche
2024-02-25 10:07 ` Ricardo Wurmus
2024-02-26 10:09   ` Antoine Eiche
2024-02-26 10:24     ` Ricardo Wurmus
2024-02-26 17:33     ` Simon Tournier
2024-03-08 10:31       ` Simon Tournier
2024-03-17 17:32         ` Antoine Eiche
2024-03-17 17:09       ` Antoine Eiche

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).