CI systems want Docker images for testing. No problem, #Nix enables me to build one *deterministically*...
But uploading the images to the docker server is crawling to a halt, as well as my entire Internet connection...
because of Docker's totally buggy network layer. Idiots.
-
Replying to @Ngnghm
Why do you need Nix to build a Docker image “deterministically”? Doesn’t Docker already do that? (Although agreed that Nix’s implementation of such is probably 100x more robust than Docker’s).
-
Replying to @johanatan @Ngnghm
Since Docker tends to use the OS's package manager, it's only as deterministic as the package manager is: especially if you have something like "apt-get update" in the Dockerfile.
-
Well it’s deterministic in the sense that the result of each “step” is frozen in time at the time it is run. But yes if you change step N, then steps > N will be recomputed and could be different than previous runs. The smart thing then is to only ever “append” steps.
-
Replying to @johanatan @fwoaroof
The situation is much worse: either you control the base image, or you don't. In the first case, you might as well use Nix to ensure you can reproduce it. In the latter case, you're completely, deeply, fucked. In no case whatsoever is Docker helping.
-
You don’t have to control the base image. If it’s an OS with no additional layers, you’re good. If it’s a 3rd party, the Dockerfile for it is on GitHub which you can read.
-
Replying to @johanatan @Ngnghm
Does Docker Hub actually verify that the image was created with the Dockerfile?
-
It doesn't, it cannot, and this is trivially faked: you can register your own p0wned image, and since the build is non-deterministic based on uncontrolled I/O, no one can tell your fake hash from a real thing. To hide it further, do that in a FROM image.
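
An added example, not written by anyone in the thread: a small Dockerfile audit that flags the two sources of drift the replies name, a live package index ("apt-get update") and a base image referenced by a mutable tag instead of a digest. The sample Dockerfile and the `registry.example` name are constructed; a digest only fixes which bytes get pulled and does not show that they were built from the published Dockerfile.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# apt-get/apt/apk "update" refetches a package index that changes over time.
INDEX_REFRESH = re.compile(r"\b(apt-get|apt|apk)\s+(-\S+\s+)*update\b")

def logical_lines(text):
    """Yield (first line number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf.strip()

def audit(text):
    """Return [(line, message)] for constructs that make a rebuild differ."""
    findings, stages = [], set()
    for n, instr in logical_lines(text):
        parts = instr.split()
        op = parts[0].upper()
        if op == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]
            image = args[0] if args else "scratch"
            # "scratch" and earlier build stages are not pulled from a registry.
            pulled = image != "scratch" and image.lower() not in stages
            if pulled and not DIGEST.search(image):
                findings.append((n, f"FROM {image}: mutable reference, no digest"))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif op == "RUN" and INDEX_REFRESH.search(instr):
            findings.append((n, "RUN refreshes a live package index"))
    return findings

# Constructed sample Dockerfile (not from the thread).
SAMPLE = f"""FROM debian:stable AS build
RUN apt-get update && \\
    apt-get install -y curl
FROM build AS test
FROM registry.example/base@sha256:{'0' * 64}
"""
```

Calling `audit(SAMPLE)` reports lines 1 and 2; the stage reference and the digest-pinned base pass.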