How to include binaries in PATH for images built with Nix?

winston0410 · December 29, 2021, 7:44pm

Hi, how can I introduce new binary to the $PATH in container built with Nix?

I have the following code, and I have to run a shell script to fix playwright in Nix/Scratch environment. It is using which, and I tried to put pkgs.which into the image, but the command is not found right now:

{ pkgs, package, fix-playwright-browsers, ... }:
pkgs.dockerTools.buildLayeredImage {
  name = "portfolio_pdf";
  tag = "latest";
  contents = with pkgs; [ nodejs-16_x google-chrome-dev firefox-bin which ];
  extraCommands = ''
    which node
    # ${fix-playwright-browsers.outPath}/fix-playwright-chromium
  '';
  config = { Cmd = [ "node" "${package}/dist/index.js" ]; };
}

How can I fix this? This is the link to the shell-script I am referring to:

github.com

ludiosarchive/nixos-playwright/blob/709dea82afd2cb937f2dc3f61bb7dc99a581a08b/fix-playwright-chromium

#!/bin/sh

# This requires that you have the google-chrome-dev package installed on NixOS
# (note that the executable name is google-chrome-unstable).

set -eu -o pipefail

chrome_wrapper=$(which google-chrome-unstable)
chrome_binary=$(cat "$chrome_wrapper" | grep '^exec ' | grep -o -P '/nix/store/[^"]+' | head -n 1)
chrome_dir=$(dirname "$chrome_binary")
chrome_rpath=$(patchelf --print-rpath "$chrome_dir/chrome")
chrome_interpreter=$(patchelf --print-interpreter "$chrome_dir/chrome")

for i in ~/.cache/ms-playwright/chromium-*/chrome-linux/chrome; do
	# If we haven't moved it already, move chrome to chrome.bin because we need to wrap it
	if [[ $(stat -c%s "$i") -gt 1000000 ]]; then
		mv -i "$i" "$(dirname "$i")/chrome.bin"
	fi
	# Write our own wrapper based on NixOS's wrapper
	cat "$chrome_wrapper" | sed -r "s,^exec .*,exec \"$i.bin\" \"\$@\",g" > $(dirname "$i")/chrome

This file has been truncated. show original

winston0410 · December 29, 2021, 10:28pm

So I discovered a docker image for playwright, and I decided to give it a try.

{ pkgs, package, fix-playwright-browsers, ... }:
let
  playwright = pkgs.dockerTools.pullImage {
    imageName = "mcr.microsoft.com/playwright";
    imageDigest = "sha256:776f868d63ff001fd8d17a7cfd4ff4fd5dfd6f3d07aec457232d0ced53e64ef6";
    sha256 = "sha256-BdLuTD/YggLMF62dZ2K93okOXACaWH7xuZlPYW4QRwU=";
  };
in pkgs.dockerTools.buildLayeredImage {
  name = "portfolio-pdf";
  tag = "latest";
  fromImage = playwright;
  contents = with pkgs; [ nodejs-16_x ];
  # extraCommands = ''
    # cp -r "${package}" "./app"
  # '';
  config = { Cmd = [ "echo" "hello"]; };
  # config = { Cmd = [ "node" "./app/dist/index.js" ]; };
}

But even I am just trying to echo, I get the following error. Really clueless right now, and I think the error is coming from the baseImage

nix-shell ❯ docker run -p 3001:3001 portfolio-pdf:latest
standard_init_linux.go:228: exec user process caused: no such file or directory

c00w · December 30, 2021, 4:34am

I’m guessing that the extraCommands environment is quite limited - which seems to match the documentation at pkgs.dockerTools | nixpkgs

Could you try writing a bash script which does your npm install, then calls the fix playwright script, and then call your node command as your layers config command?

That does defer a bit of work to startup time, but it should have a full path to work with.

TLATER · December 30, 2021, 4:50am

echo is a shell built-in, not a binary, so that won’t work. There is no “echo” binary to run, you’d need to launch a shell and call the echo command.

~~Have another look at section 14.2.2.1 here (bit down, linking paragraphs is hard on mobile): https://nixos.org/manual/nixpkgs/stable/#sec-pkgs-dockerTools.~~

~~I.e., your binaries will be in /bin. You can just create a PATH variable with config.Env like so:~~

pkgs.dockerTools.buildLayeredImage {
  config = {
    Env = [ "PATH=/bin" ]; # Yeah, ugly, but that's the spec
  };
}

I’m not sure if that’s enough to make the binaries callable from Cmd without specifying their full path either, since that doesn’t go through a shell and therefore probably shouldn’t resolve binaries through PATH, but docker likes adding magic. If your playwright script respects PATH that should do the trick, though.

To call packages in Cmd like your node there you probably want to use the ${pkgs.nodejs}/bin/node shortcut as the binary as described a bit further down in the manual. That will automatically include the binary in the image and resolve the command correctly.

~~I also suspect your working directory may be muddled a bit, how about just using absolute paths like this:~~

pkgs.dockerTools.buildLayeredImage {
  name = "portfolio-pdf";
  tag = "latest";
  fromImage = playwright;
  extraCommands = ''
    cp -r "${package}" "/app"
  '';
  config = {
    Cmd = [ "${pkgs.nodejs-16_x}/bin/node" "./dist/index.js" ];
    WorkingDir = "/app";
  };
}

I’d also suggest making a proper derivation from your package and adding that to contents instead of copying with extraCommands, that way you don’t need to spin up qemu just to copy a directory

Finally, to unconfuse your path situation, in case my guesswork is wrong, note that docker exec -it /bin/ash exists, as well as docker run -it /bin/ash, assuming you have the ash shell in the image - that would allow you to inspect the directory tree and debug that way. You can add ash to the contents temporarily by adding busybox to your contents.

~~Alternatively, you can export and inspect the tar directly using docker export.~~

Ignore me, @c00w is right, I somehow missed that you’re calling that through extraCommands. echo is still a shell builtin though.