fix(nix/docker.nix): add init.d and docker cli

ThomasK33 · ThomasK33 · commit 3bcc415046c7 · 2025-02-04T14:38:08.000+01:00
Change-Id: I530de9066ea94ab54488de6e83ed64e7d44a1d72
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/flake.nix b/flake.nix
@@ -71,70 +71,91 @@
           vendorHash = null;
         };
 
+        # Packages required to build the frontend
+        frontendPackages =
+          with pkgs;
+          [
+            cairo
+            pango
+            pixman
+            libpng
+            libjpeg
+            giflib
+            librsvg
+            python312Packages.setuptools # Needed for node-gyp
+          ]
+          ++ (lib.optionals stdenv.targetPlatform.isDarwin [
+            darwin.apple_sdk.frameworks.Foundation
+            xcbuild
+          ]);
+
         # The minimal set of packages to build Coder.
-        devShellPackages = with pkgs; [
-          # google-chrome is not available on aarch64 linux
-          (lib.optionalDrvAttr (!stdenv.isLinux || !stdenv.isAarch64) google-chrome)
-          # strace is not available on OSX
-          (lib.optionalDrvAttr (!pkgs.stdenv.isDarwin) strace)
-          bat
-          cairo
-          curl
-          delve
-          dive
-          drpc.defaultPackage.${system}
-          formatter
-          fzf
-          gcc13
-          gdk
-          getopt
-          gh
-          git
-          (lib.optionalDrvAttr stdenv.isLinux glibcLocales)
-          gnumake
-          gnused
-          go_1_22
-          go-migrate
-          (pinnedPkgs.golangci-lint)
-          gopls
-          gotestsum
-          jq
-          kubectl
-          kubectx
-          kubernetes-helm
-          lazygit
-          less
-          mockgen
-          moreutils
-          neovim
-          nfpm
-          nix-prefetch-git
-          nodejs
-          openssh
-          openssl
-          pango
-          pixman
-          pkg-config
-          playwright-driver.browsers
-          pnpm
-          postgresql_16
-          proto_gen_go_1_30
-          protobuf_23
-          ripgrep
-          shellcheck
-          (pinnedPkgs.shfmt)
-          sqlc
-          terraform
-          typos
-          # Needed for many LD system libs!
-          (lib.optional stdenv.isLinux util-linux)
-          vim
-          wget
-          yq-go
-          zip
-          zsh
-          zstd
-        ];
+        devShellPackages =
+          with pkgs;
+          [
+            # google-chrome is not available on aarch64 linux
+            (lib.optionalDrvAttr (!stdenv.isLinux || !stdenv.isAarch64) google-chrome)
+            # strace is not available on OSX
+            (lib.optionalDrvAttr (!pkgs.stdenv.isDarwin) strace)
+            bat
+            cairo
+            curl
+            delve
+            dive
+            drpc.defaultPackage.${system}
+            formatter
+            fzf
+            gcc13
+            gdk
+            getopt
+            gh
+            git
+            (lib.optionalDrvAttr stdenv.isLinux glibcLocales)
+            gnumake
+            gnused
+            go_1_22
+            go-migrate
+            (pinnedPkgs.golangci-lint)
+            gopls
+            gotestsum
+            jq
+            kubectl
+            kubectx
+            kubernetes-helm
+            lazygit
+            less
+            mockgen
+            moreutils
+            neovim
+            nfpm
+            nix-prefetch-git
+            nodejs
+            openssh
+            openssl
+            pango
+            pixman
+            pkg-config
+            playwright-driver.browsers
+            pnpm
+            postgresql_16
+            proto_gen_go_1_30
+            protobuf_23
+            ripgrep
+            shellcheck
+            (pinnedPkgs.shfmt)
+            sqlc
+            terraform
+            typos
+            # Needed for many LD system libs!
+            (lib.optional stdenv.isLinux util-linux)
+            vim
+            wget
+            yq-go
+            zip
+            zsh
+            zstd
+          ]
+          ++ frontendPackages;
 
         docker = pkgs.callPackage ./nix/docker.nix { };
 
@@ -144,22 +165,7 @@
 
           src = ./site/.;
           # Required for the `canvas` package!
-          extraBuildInputs =
-            with pkgs;
-            [
-              cairo
-              pango
-              pixman
-              libpng
-              libjpeg
-              giflib
-              librsvg
-              python312Packages.setuptools
-            ]
-            ++ (lib.optionals stdenv.targetPlatform.isDarwin [
-              darwin.apple_sdk.frameworks.Foundation
-              xcbuild
-            ]);
+          extraBuildInputs = frontendPackages;
           installInPlace = true;
           distDir = "out";
         };
@@ -219,6 +225,9 @@
             LOCALE_ARCHIVE =
               with pkgs;
               lib.optionalDrvAttr stdenv.isLinux "${glibcLocales}/lib/locale/locale-archive";
+
+            NODE_OPTIONS = "--max-old-space-size=8192";
+            GOPRIVATE = "coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder";
           };
         };
 
@@ -252,14 +261,20 @@
               drv = devShells.default.overrideAttrs (oldAttrs: {
                 buildInputs =
                   (with pkgs; [
-                    busybox
                     coreutils
                     nix
                     curl.bin # Ensure the actual curl binary is included in the PATH
                     glibc.bin # Ensure the glibc binaries are included in the PATH
                     jq.bin
                     binutils # ld and strings
                     filebrowser # Ensure that we're not redownloading filebrowser on each launch
+                    systemd.out
+                    service-wrapper
+                    docker_26
+                    shadow.out
+                    su
+                    ncurses # clear
+                    unzip
                   ])
                   ++ oldAttrs.buildInputs;
               });
diff --git a/nix/docker.nix b/nix/docker.nix
@@ -13,6 +13,7 @@
   runCommand,
   writeShellScriptBin,
   writeText,
+  writeTextFile,
   cacert,
   storeDir ? builtins.storeDir,
   pigz,
@@ -32,10 +33,18 @@ let
 
   inherit (dockerTools)
     streamLayeredImage
-    binSh
     usrBinEnv
+    caCertificates
     ;
 
+  # This provides /bin/sh, pointing to bashInteractive.
+  # The use of bashInteractive here is intentional to support cases like `docker run -it <image_name>`, so keep these use cases in mind if making any changes to how this works.
+  binSh = runCommand "bin-sh" { } ''
+    mkdir -p $out/bin
+    ln -s ${bashInteractive}/bin/bash $out/bin/sh
+    ln -s ${bashInteractive}/bin/bash $out/bin/bash
+  '';
+
   compressors = {
     none = {
       ext = "";
@@ -157,6 +166,46 @@ let
         chmod 644 $out/etc/pam.d/sudo
       '';
 
+      # Add our Docker init script
+      dockerInit = writeTextFile {
+        name = "initd-docker";
+        destination = "/etc/init.d/docker";
+        executable = true;
+
+        text = ''
+          #!/usr/bin/env sh
+          ### BEGIN INIT INFO
+          # Provides:          docker
+          # Required-Start:    $remote_fs $syslog
+          # Required-Stop:     $remote_fs $syslog
+          # Default-Start:     2 3 4 5
+          # Default-Stop:      0 1 6
+          # Short-Description: Start and stop Docker daemon
+          # Description:       This script starts and stops the Docker daemon.
+          ### END INIT INFO
+
+          case "$1" in
+            start)
+                echo "Starting dockerd"
+                SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" dockerd --group=${toString gid} &
+                ;;
+            stop)
+                echo "Stopping dockerd"
+                killall dockerd
+                ;;
+            restart)
+                $0 stop
+                $0 start
+                ;;
+            *)
+                echo "Usage: $0 {start|stop|restart}"
+                exit 1
+                ;;
+          esac
+          exit 0
+        '';
+      };
+
       # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
       sandboxBuildDir = "/build";
 
@@ -194,16 +243,15 @@ let
           LD_LIBRARY_PATH = lib.makeLibraryPath [ stdenv.cc.cc ];
         }
         // drvEnv
-        // {
-
+        // rec {
           # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1008-L1010
           NIX_BUILD_TOP = sandboxBuildDir;
 
           # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1012-L1013
-          TMPDIR = sandboxBuildDir;
-          TEMPDIR = sandboxBuildDir;
-          TMP = sandboxBuildDir;
-          TEMP = "/tmp";
+          TMPDIR = TMP;
+          TEMPDIR = TMP;
+          TMP = "/tmp";
+          TEMP = TMP;
 
           # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
           PWD = homeDirectory;
@@ -222,6 +270,7 @@ let
       contents = [
         binSh
         usrBinEnv
+        caCertificates
         etcNixConf
         etcSudoers
         etcPamSudo
@@ -235,8 +284,10 @@ let
           ];
           extraGroupLines = [
             "${toString uname}:!:${toString gid}:"
+            "docker:!:${toString (builtins.sub gid 1)}:${toString uname}"
           ];
         })
+        dockerInit
       ];
 
       fakeRootCommands = ''
@@ -283,6 +334,11 @@ let
 
         chown root:root ./etc/pam.d/sudo
         chown root:root ./etc/sudoers
+
+        # Create /var/run and chown it so docker command
+        # doesnt encounter permission issues.
+        mkdir -p ./var/run/
+        chown -R ${toString uid}:${toString gid} ./var/run/
       '';
 
       # Run this image as the given uid/gid
