CI systems want Docker images for testing. No problem, #Nix enables me to build one *deterministically*...
But uploading the images to the docker server is crawling to a halt, as well as my entire Internet connection...
because of docker's totally buggy network layer. Idiots.
Replying to @Ngnghm
Why do you need Nix to build a Docker image “deterministically”? Doesn’t Docker already do that? (Although agreed that Nix’s implementation of such is probably 100x more robust than Docker’s).
Replying to @johanatan @Ngnghm
Since Docker tends to use the OS's package manager, it's only as deterministic as the package manager is: especially if you have something like "apt-get update" in the Dockerfile.
Well, it’s deterministic in the sense that the result of each “step” is frozen in time at the time it is run. But yes, if you change step N, then steps > N will be recomputed and could differ from previous runs. The smart thing then is to only ever “append” steps.
Replying to @johanatan @fwoaroof
The situation is much worse: either you control the base image, or you don't. In the first case, you might as well use Nix to ensure you can reproduce it. In the latter case, you're completely, deeply, fucked. In no case whatsoever is Docker helping.
You don’t have to control the base image. If it’s an OS with no additional layers, you’re good. If it’s a 3rd party, the Dockerfile for it is on GitHub which you can read.
Replying to @johanatan @Ngnghm
Does dockerhub actually verify that the image was created with the Dockerfile?
Yeah, but you’d have to dig a bit to get at that info.
Replying to @johanatan @Ngnghm
Because, without reproducible builds, you have to trust that the artifact you pull is the artifact that the build process specifies: npm, in particular, is really bad at this.
Docker is reproducible as long as layers are pulled from cache (which is true if you don’t change prior step specifications).
Docker scripts typically pull stuff from random network servers, and necessarily do, unless you already have a deterministic build system—like Nix. In other words, they add nothing of value.
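An added example for the exchange above (editor's code, not from any participant in this thread and not Docker's or Nix's own tooling): the places where a Docker build depends on what a remote server answers at build time are visible in the Dockerfile itself. The small Python linter below joins backslash-continued lines and flags a base image not pinned by `@sha256:` digest, `apt-get update`, apt packages installed without an `=version`, downloads run as commands (curl, wget, git clone, pip install, npm install), and `ADD` from a URL. The two Dockerfiles it runs on are constructed for this example; the digest and the package versions in the pinned one are placeholders, not real artifacts. An empty report does not make the build reproducible (pinned apt versions still come from a mirror that may stop carrying them, which is why Nix pins the whole closure), but a non-empty one shows exactly which steps reach outside the Dockerfile.

```python
import re
from typing import List, Tuple

# A base image pinned to a content digest resolves to the same bytes forever;
# a tag such as debian:bullseye resolves to whatever the registry serves today.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
APT_UPDATE_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*update\b")
APT_INSTALL_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*install\b(.*)")
# Match downloaders only at the start of a shell segment, so that
# `apt-get install curl` is not mistaken for a download.
FETCH_RE = re.compile(
    r"(?:^|&&|\|\||;|\|)\s*(?:curl|wget|git\s+clone|pip3?\s+install|npm\s+(?:install|ci))\b"
)
URL_RE = re.compile(r"^(?:https?|ftp)://")
SHELL_SEPARATORS = {"&&", "||", ";", "|"}


def parse_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, INSTRUCTION, arguments) triples, joining
    backslash-continued lines and skipping blank lines and comments."""
    instructions: List[Tuple[int, str, str]] = []
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = lineno  # first physical line of this instruction
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        buf = []
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return instructions


def check_reproducibility(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) for every build step whose result
    depends on what a remote server answers at build time."""
    findings: List[Tuple[int, str]] = []
    for lineno, instr, args in parse_dockerfile(text):
        # First token that is not an option such as --platform=... or --chown=...
        target = next((t for t in args.split() if not t.startswith("--")), "")
        if instr == "FROM":
            if target != "scratch" and not DIGEST_RE.search(target):
                findings.append((lineno, f"base image {target!r} is not pinned by digest"))
        elif instr == "RUN":
            if APT_UPDATE_RE.search(args):
                findings.append((lineno, "apt-get update pulls the package index current at build time"))
            m = APT_INSTALL_RE.search(args)
            if m:
                pkgs = []
                for tok in m.group(1).split():
                    if tok in SHELL_SEPARATORS:
                        break  # end of the apt-get command
                    if not tok.startswith("-"):
                        pkgs.append(tok)
                unpinned = [p for p in pkgs if "=" not in p]
                if unpinned:
                    findings.append((lineno, "apt packages installed without =version: " + " ".join(unpinned)))
            if FETCH_RE.search(args):
                findings.append((lineno, "downloads from the network during the build"))
        elif instr == "ADD":
            if URL_RE.match(target):
                findings.append((lineno, f"ADD fetches {target} at build time"))
    return findings


# Constructed for this example: a typical Dockerfile that reaches out to the
# network at every step, and the same steps with the base image and package
# versions pinned (digest and version strings are placeholders).
UNPINNED_DOCKERFILE = """\
FROM debian:bullseye
RUN apt-get update && apt-get install -y --no-install-recommends \\
    curl ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
RUN curl -fsSL https://example.invalid/install.sh | sh
ADD https://example.invalid/tool.tar.gz /opt/
"""

PINNED_DOCKERFILE = (
    "FROM debian:bullseye@sha256:" + "0" * 64 + "\n"
    "RUN apt-get install -y --no-install-recommends \\\n"
    "    curl=7.74.0-1.3+deb11u11 ca-certificates=20210119 \\\n"
    "    && rm -rf /var/lib/apt/lists/*\n"
    "COPY install.sh /opt/install.sh\n"
)

if __name__ == "__main__":
    for name, text in (("unpinned", UNPINNED_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        report = check_reproducibility(text)
        print(f"{name}: {len(report)} finding(s)")
        for lineno, msg in report:
            print(f"  line {lineno}: {msg}")
```

Running it reports five findings for the first Dockerfile (unpinned base image, `apt-get update`, two unversioned packages, a piped curl, and an `ADD` from a URL) and none for the second. The line number is that of the instruction's first physical line, so a finding inside a multi-line `RUN` points at the `RUN`.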
Replying to @Ngnghm @johanatan
Incidentally, I've been imagining an ASDF extension that builds every dependency as its own layer that can be pulled into an OCI container, but I haven't really gotten around to investigating feasibility.
Tools like Nix and Google's Jib make me envious.