Nix ❤ OCI - and vice versa?


I want to share an idea that I’ve been playing with for some time now.

To me it looks like the ideal stepping stone to pave the way for mass adoption of nix: marry the nix and container ecosystems.

Therefore, I decided to reach out to the container folks and ask for guidance on how to include nix principles into the OCI specification. In that, I think I could need some guidance, help and maybe even “rallying-behind-the-flag”-support.

For now, I just share the upstream issue here:

Last time a similar issue resulted in the creation of builtkit-nix. So why not give it a try? :blush:


You should to the Tvix people who have worked on trying to do derivation sandboxing in some OCI-standard way.

1 Like

This makes me think that we might actually benefit from defining our own Artifacts. Something like application/vnd.nix.packge....

Sylabs has done it with SIF (Singularity Project).

I think defining artifacts is on-scope anyway as this upstream question on the issue indicates (which I assume refers to OCI Artifact manifests):

Is there a manifest definition for using these blobs? I’m curious if it’s one manifest per blob, or if you are taking them as a group.

I don’t quite know what to anser to this quedtion, though:

But +gzip might not be reproducible, right?
We probably want to have a reproducible compression format before bringing NAR into OCI.

Maybe there is a requirement that the “transported” artifact is hashed and not the unpacked one?

My (incomplete) understanding was that cache could serve gziped content at will and that the nix client would be able to deal with it.

For the purpose of sandboxing builds OCI images are completely irrelevant. We are only concerned with the runtime spec.

I had a seat in the OCI weekly and I think we came up with a pretty clean design for a first iteration.

This would still depend on somewhat if a custom implementation of a registry and an initial patchset to containerd.

If input-adressability turns out to be a problem, then maybe the registry implementation needs to cheat (and calculate the content hash on the fly) until CA has wide enough adoption.

Hosted by Flying Circus.