Since nix stores everything in /nix/store you could just expose the /nix as a read-only volume with docker. This would make the docker images tiny. The rest would just be symlinks. Wondering if anyone has tried this approach?
I understand that it exposes all packages. Which means that no sensitive information should be stored in the
We explored this with nix2aci on rkt some years ago: GitHub - Mic92/nix2aci: Machinery for creating and running ACIs on Linux systems where Nix(OS) and rkt are available
You could port the same concepts to the now standardized docker container image format.
That is awesome! Real happy to hear that this is at least a possibility. I appreciate you sharing that.
I remember setting up something like that before. Using tianon/true as the smallest available docker image, you can mount the nix store and some local folder and voilà :-).
If you only want one application, this is enough. I remember stumbling on setting up a nixos configuration because you need to adapt the init scripts that start systemd and configure /etc. In particular, systemd inside docker is… well, not easy to say the least.
So this leads me to a new idea: You could hook into nix-shell logic to get a working environment within docker, without needing to fiddle with all the nixos stuff.
I will post a link to what I have as soon as I get access to my machine (damn `nixos-rebuild switch --upgrade` over ssh may put system into an unusable state · Issue #39118 · NixOS/nixpkgs · GitHub !)
So, here it is nix_configs/run_docker.sh at 5dd21e70a1e9e8e83114a369a3a904be7519d122 · layus/nix_configs · GitHub.
Now, looking back at this, it is very rough and unfinished. And may not be your best option.
I am interested in any developments of lightweight nix+docker containers, as we are contemplating using them for running student code in isolation for INGInious.
In particular, getting the right $PATH, shell and network access is required.
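As an added illustration of the approach described in this thread (mounting the nix store into a tiny image such as tianon/true and getting $PATH right), not code from any poster or from the linked run_docker.sh: a small POSIX sh script that bind-mounts only the runtime closure of one store path, read-only, instead of the whole /nix/store, so the other packages in the store are not exposed to the container. It assumes `nix-store` and `docker` are on the host and that the program is launched by absolute store path; `closure_mount_args`, `closure_path` and `run_in_docker` are names chosen here.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Run a nix-built program inside a
# minimal docker image, mounting only its closure read-only.
# Assumes: nix-store and docker on the host, image tianon/true as in the post.

# Read store paths (one per line) and emit one read-only bind mount per path.
# Paths outside /nix/store are rejected so a stray line cannot mount e.g. /etc.
closure_mount_args() {
  while IFS= read -r p; do
    case "$p" in
      /nix/store/*) printf -- '--mount type=bind,src=%s,dst=%s,readonly\n' "$p" "$p" ;;
      *) echo "closure_mount_args: refusing non-store path: $p" >&2 ;;
    esac
  done
}

# Build a PATH from the closure: every store path that has a bin/ directory.
# This is the "getting the right $PATH" part; only existing directories count.
closure_path() {
  out=""
  while IFS= read -r p; do
    [ -d "$p/bin" ] || continue
    out="${out:+$out:}$p/bin"
  done
  printf '%s\n' "$out"
}

# Usage: run_in_docker /nix/store/...-hello hello [args...]
# The closure is computed with nix-store -qR; the container filesystem is
# read-only apart from a tmpfs /tmp, and the program is run by absolute path
# so the dynamic linker and libraries resolve inside the mounted closure.
run_in_docker() {
  drv="$1"; shift
  closure=$(nix-store -qR "$drv")
  mounts=$(printf '%s\n' "$closure" | closure_mount_args)
  path=$(printf '%s\n' "$closure" | closure_path)
  prog="$1"; shift
  # shellcheck disable=SC2086  # word-splitting $mounts is intended here
  docker run --rm --read-only --mount type=tmpfs,dst=/tmp \
    $mounts -e PATH="$path" --entrypoint "$drv/bin/$prog" tianon/true "$@"
}
```

Add `--network none` to the `docker run` line when the workload (student code, for instance) should not reach the network; the thread notes network access is needed in some setups, so it is left to the caller here.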