| blob | 1ffa016159aaab50be26455a8c944a615a1f43f5 |
1 { lib, callPackage }:
3 rec {
4 dockerGen = {
5 version
6 , cliRev, cliHash
7 , mobyRev, mobyHash
8 , runcRev, runcHash
9 , containerdRev, containerdHash
10 , tiniRev, tiniHash
11 , buildxSupport ? true, composeSupport ? true, sbomSupport ? false
12 # package dependencies
13 , stdenv, fetchFromGitHub, fetchpatch, buildGoModule
14 , makeWrapper, installShellFiles, pkg-config, glibc
15 , go-md2man, go, containerd, runc, tini, libtool
16 , sqlite, iproute2, docker-buildx, docker-compose, docker-sbom
17 , iptables, e2fsprogs, xz, util-linux, xfsprogs, gitMinimal
18 , procps, rootlesskit, slirp4netns, fuse-overlayfs, nixosTests
19 , clientOnly ? !stdenv.hostPlatform.isLinux, symlinkJoin
20 , withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd, systemd
21 , withBtrfs ? stdenv.hostPlatform.isLinux, btrfs-progs
22 , withLvm ? stdenv.hostPlatform.isLinux, lvm2
23 , withSeccomp ? stdenv.hostPlatform.isLinux, libseccomp
24 , knownVulnerabilities ? []
25 }:
26 let
27 docker-runc = runc.overrideAttrs {
28 pname = "docker-runc";
29 inherit version;
31 src = fetchFromGitHub {
32 owner = "opencontainers";
33 repo = "runc";
34 rev = runcRev;
35 hash = runcHash;
36 };
38 # docker/runc already include these patches / are not applicable
39 patches = [];
40 };
42 docker-containerd = containerd.overrideAttrs (oldAttrs: {
43 pname = "docker-containerd";
44 inherit version;
46 src = fetchFromGitHub {
47 owner = "containerd";
48 repo = "containerd";
49 rev = containerdRev;
50 hash = containerdHash;
51 };
53 buildInputs = oldAttrs.buildInputs
54 ++ lib.optionals withSeccomp [ libseccomp ];
55 });
57 docker-tini = tini.overrideAttrs {
58 pname = "docker-init";
59 inherit version;
61 src = fetchFromGitHub {
62 owner = "krallin";
63 repo = "tini";
64 rev = tiniRev;
65 hash = tiniHash;
66 };
68 # Do not remove static from make files as we want a static binary
69 postPatch = "";
71 buildInputs = [ glibc glibc.static ];
73 env.NIX_CFLAGS_COMPILE = "-DMINIMAL=ON";
74 };
76 moby-src = fetchFromGitHub {
77 owner = "moby";
78 repo = "moby";
79 rev = mobyRev;
80 hash = mobyHash;
81 };
83 moby = buildGoModule (lib.optionalAttrs stdenv.hostPlatform.isLinux rec {
84 pname = "moby";
85 inherit version;
87 src = moby-src;
89 vendorHash = null;
91 nativeBuildInputs = [ makeWrapper pkg-config go-md2man go libtool installShellFiles ];
92 buildInputs = [ sqlite ]
93 ++ lib.optional withLvm lvm2
94 ++ lib.optional withBtrfs btrfs-progs
95 ++ lib.optional withSystemd systemd
96 ++ lib.optional withSeccomp libseccomp;
98 extraPath = lib.optionals stdenv.hostPlatform.isLinux (lib.makeBinPath [ iproute2 iptables e2fsprogs xz xfsprogs procps util-linux gitMinimal ]);
100 extraUserPath = lib.optionals (stdenv.hostPlatform.isLinux && !clientOnly) (lib.makeBinPath [ rootlesskit slirp4netns fuse-overlayfs ]);
102 patches = lib.optionals (lib.versionOlder version "23") [
103 # This patch incorporates code from a PR fixing using buildkit with the ZFS graph driver.
104 # It could be removed when a version incorporating this patch is released.
105 (fetchpatch {
106 name = "buildkit-zfs.patch";
107 url = "https://github.com/moby/moby/pull/43136.patch";
108 hash = "sha256-1WZfpVnnqFwLMYqaHLploOodls0gHF8OCp7MrM26iX8=";
109 })
110 ] ++ lib.optionals (lib.versions.major version == "24") [
111 # docker_24 has LimitNOFILE set to "infinity", which causes a wide variety of issues in containers.
112 # Issues range from higher-than-usual ressource usage, to containers not starting at all.
113 # This patch (part of the release candidates for docker_25) simply removes this unit option
114 # making systemd use its default "1024:524288", which is sane. See commit message and/or the PR for
115 # more details: https://github.com/moby/moby/pull/45534
116 (fetchpatch {
117 name = "LimitNOFILE-systemd-default.patch";
118 url = "https://github.com/moby/moby/pull/45534/commits/c8930105bc9fc3c1a8a90886c23535cc6c41e130.patch";
119 hash = "sha256-nyGLxFrJaD0TrDqsAwOD6Iph0aHcFH9sABj1Fy74sec=";
120 })
121 ];
123 postPatch = ''
124 patchShebangs hack/make.sh hack/make/ hack/with-go-mod.sh
125 '';
127 buildPhase = ''
128 export GOCACHE="$TMPDIR/go-cache"
129 # build engine
130 export AUTO_GOPATH=1
131 export DOCKER_GITCOMMIT="${cliRev}"
132 export VERSION="${version}"
133 ./hack/make.sh dynbinary
134 '';
136 installPhase = ''
137 install -Dm755 ./bundles/dynbinary-daemon/dockerd $out/libexec/docker/dockerd
138 install -Dm755 ./bundles/dynbinary-daemon/docker-proxy $out/libexec/docker/docker-proxy
140 makeWrapper $out/libexec/docker/dockerd $out/bin/dockerd \
141 --prefix PATH : "$out/libexec/docker:$extraPath"
143 ln -s ${docker-containerd}/bin/containerd $out/libexec/docker/containerd
144 ln -s ${docker-containerd}/bin/containerd-shim $out/libexec/docker/containerd-shim
145 ln -s ${docker-runc}/bin/runc $out/libexec/docker/runc
146 ln -s ${docker-tini}/bin/tini-static $out/libexec/docker/docker-init
148 # systemd
149 install -Dm644 ./contrib/init/systemd/docker.service $out/etc/systemd/system/docker.service
150 substituteInPlace $out/etc/systemd/system/docker.service --replace-fail /usr/bin/dockerd $out/bin/dockerd
151 install -Dm644 ./contrib/init/systemd/docker.socket $out/etc/systemd/system/docker.socket
153 # rootless Docker
154 install -Dm755 ./contrib/dockerd-rootless.sh $out/libexec/docker/dockerd-rootless.sh
155 makeWrapper $out/libexec/docker/dockerd-rootless.sh $out/bin/dockerd-rootless \
156 --prefix PATH : "$out/libexec/docker:$extraPath:$extraUserPath"
157 '';
159 DOCKER_BUILDTAGS = lib.optional withSystemd "journald"
160 ++ lib.optional (!withBtrfs) "exclude_graphdriver_btrfs"
161 ++ lib.optional (!withLvm) "exclude_graphdriver_devicemapper"
162 ++ lib.optional withSeccomp "seccomp";
163 });
165 plugins = lib.optional buildxSupport docker-buildx
166 ++ lib.optional composeSupport docker-compose
167 ++ lib.optional sbomSupport docker-sbom;
168 pluginsRef = symlinkJoin { name = "docker-plugins"; paths = plugins; };
169 in
170 buildGoModule (lib.optionalAttrs (!clientOnly) {
171 # allow overrides of docker components
172 # TODO: move packages out of the let...in into top-level to allow proper overrides
173 inherit docker-runc docker-containerd docker-tini moby;
174 } // rec {
175 pname = "docker";
176 inherit version;
178 src = fetchFromGitHub {
179 owner = "docker";
180 repo = "cli";
181 rev = cliRev;
182 hash = cliHash;
183 };
185 vendorHash = null;
187 nativeBuildInputs = [
188 makeWrapper pkg-config go-md2man go libtool installShellFiles
189 ];
191 buildInputs = plugins ++ lib.optionals (lib.versionAtLeast version "23" && stdenv.hostPlatform.isLinux) [
192 glibc
193 glibc.static
194 ];
196 postPatch = ''
197 patchShebangs man scripts/build/
198 substituteInPlace ./scripts/build/.variables --replace-fail "set -eu" ""
199 '' + lib.optionalString (plugins != []) ''
200 substituteInPlace ./cli-plugins/manager/manager_unix.go --replace-fail /usr/libexec/docker/cli-plugins \
201 "${pluginsRef}/libexec/docker/cli-plugins"
202 '';
204 # Keep eyes on BUILDTIME format - https://github.com/docker/cli/blob/${version}/scripts/build/.variables
205 buildPhase = ''
206 export GOCACHE="$TMPDIR/go-cache"
208 # Mimic AUTO_GOPATH
209 mkdir -p .gopath/src/github.com/docker/
210 ln -sf $PWD .gopath/src/github.com/docker/cli
211 export GOPATH="$PWD/.gopath:$GOPATH"
212 export GITCOMMIT="${cliRev}"
213 export VERSION="${version}"
214 export BUILDTIME="1970-01-01T00:00:00Z"
215 make dynbinary
217 '';
219 outputs = ["out"] ++ lib.optional (lib.versionOlder version "23") "man";
221 installPhase = ''
222 install -Dm755 ./build/docker $out/libexec/docker/docker
224 makeWrapper $out/libexec/docker/docker $out/bin/docker \
225 --prefix PATH : "$out/libexec/docker:$extraPath"
226 '' + lib.optionalString (!clientOnly) ''
227 # symlink docker daemon to docker cli derivation
228 ln -s ${moby}/bin/dockerd $out/bin/dockerd
229 ln -s ${moby}/bin/dockerd-rootless $out/bin/dockerd-rootless
231 # systemd
232 mkdir -p $out/etc/systemd/system
233 ln -s ${moby}/etc/systemd/system/docker.service $out/etc/systemd/system/docker.service
234 ln -s ${moby}/etc/systemd/system/docker.socket $out/etc/systemd/system/docker.socket
235 '' + ''
236 # completion (cli)
237 installShellCompletion --bash ./contrib/completion/bash/docker
238 installShellCompletion --fish ./contrib/completion/fish/docker.fish
239 installShellCompletion --zsh ./contrib/completion/zsh/_docker
240 '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform && lib.versionOlder version "23") ''
241 # Generate man pages from cobra commands
242 echo "Generate man pages from cobra"
243 mkdir -p ./man/man1
244 go build -o ./gen-manpages github.com/docker/cli/man
245 ./gen-manpages --root . --target ./man/man1
246 '' + lib.optionalString (lib.versionOlder version "23") ''
247 # Generate legacy pages from markdown
248 echo "Generate legacy manpages"
249 ./man/md2man-all.sh -q
251 installManPage man/*/*.[1-9]
252 '';
254 passthru = {
255 # Exposed for tarsum build on non-linux systems (build-support/docker/default.nix)
256 inherit moby-src;
257 tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };
258 };
260 meta = with lib; {
261 homepage = "https://www.docker.com/";
262 description = "Open source project to pack, ship and run any application as a lightweight container";
263 longDescription = ''
264 Docker is a platform designed to help developers build, share, and run modern applications.
266 To enable the docker daemon on NixOS, set the `virtualisation.docker.enable` option to `true`.
267 '';
268 license = licenses.asl20;
269 maintainers = with maintainers; [ offline vdemeester periklis teutat3s ];
270 mainProgram = "docker";
271 inherit knownVulnerabilities;
272 };
273 });
275 # Get revisions from
276 # https://github.com/moby/moby/tree/${version}/hack/dockerfile/install/*
277 docker_24 = callPackage dockerGen rec {
278 version = "24.0.9";
279 cliRev = "v${version}";
280 cliHash = "sha256-nXIZtE0X1OoQT908IGuRhVHb0tiLbqQLP0Md3YWt0/Q=";
281 mobyRev = "v${version}";
282 mobyHash = "sha256-KRS99heyMAPBnjjr7If8TOlJf6v6866S7J3YGkOhFiA=";
283 runcRev = "v1.1.12";
284 runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
285 containerdRev = "v1.7.13";
286 containerdHash = "sha256-y3CYDZbA2QjIn1vyq/p1F1pAVxQHi/0a6hGWZCRWzyk=";
287 tiniRev = "v0.19.0";
288 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
289 knownVulnerabilities = [
290 "CVE-2024-23651"
291 "CVE-2024-23652"
292 "CVE-2024-23653"
293 "CVE-2024-41110"
294 ];
295 };
297 docker_25 = callPackage dockerGen rec {
298 version = "25.0.6";
299 cliRev = "v${version}";
300 cliHash = "sha256-7ZKjlONL5RXEJZrvssrL1PQMNANP0qTw4myGKdtd19U=";
301 mobyRev = "v${version}";
302 mobyHash = "sha256-+zkhUMeVD3HNq8WrWQmLskq+HykvD5kzSACmf67YbJE=";
303 runcRev = "v1.1.12";
304 runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
305 containerdRev = "v1.7.20";
306 containerdHash = "sha256-Q9lTzz+G5PSoChy8MZtbOpO81AyNWXC+CgGkdOg14uY=";
307 tiniRev = "v0.19.0";
308 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
309 };
311 docker_26 = callPackage dockerGen rec {
312 version = "26.1.5";
313 cliRev = "v${version}";
314 cliHash = "sha256-UlN+Uc0YHhLyu14h5oDBXP4K9y2tYKPOIPTGZCe4PVY=";
315 mobyRev = "v${version}";
316 mobyHash = "sha256-6Hx7GnA7P6HqDlnGoc+HpPHSl69XezwAEGbvWYUVQlE=";
317 runcRev = "v1.1.12";
318 runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
319 containerdRev = "v1.7.18";
320 containerdHash = "sha256-IlK5IwniaBhqMgxQzV8btQcbdJkNEQeUMoh6aOsBOHQ=";
321 tiniRev = "v0.19.0";
322 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
323 };
325 docker_27 = callPackage dockerGen rec {
326 version = "27.3.1";
327 cliRev = "v${version}";
328 cliHash = "sha256-Iurud1BwswGZCFgJ04/wl1U9AKcsXDmzFXLFCrjfc0Y=";
329 mobyRev = "v${version}";
330 mobyHash = "sha256-AKl06k2ePWOFhL3oH086HcLLYs2Da+wLOcGjGnQ0SXE=";
331 runcRev = "v1.1.14";
332 runcHash = "sha256-7PYbSZqCQLTaeFppuNz5mxDlwEyLkA5zpdMhWy1tWmc=";
333 containerdRev = "v1.7.22";
334 containerdHash = "sha256-8IHBKai4PvvTuHPDTgx9wFEBzz4MM7Mwo8Q/bzFRzfk=";
335 tiniRev = "v0.19.0";
336 tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
337 };
339 }