The Ops Community

Lucy Linder

one Docker image to rule them all

I just found out about nixery!

Nixery is a Docker-compatible container registry that is capable of transparently building and serving container images using Nix.

Images are built on-demand based on the image name. Every package that the user intends to include in the image is specified as a path component of the image name.

The path components refer to top-level keys in nixpkgs and are used to build a container image using a layering strategy that optimises for caching popular and/or large dependencies.

In other words, you start with the base image, nixery.dev/, and then list the packages and tools you want available. Usually, you start with the shell metapackage, followed by any NixOS package(s).

This is very handy when working with Kubernetes.

Examples

Command format to run an ephemeral pod on Kubernetes:

kubectl run -it --rm --restart=Never \
  --image=nixery.dev/<PACKAGES> \
  <NAME> -- <CMD>

Connect to a database using psql, assuming the service is called my-db:

kubectl run -it --rm --restart=Never \
  --image=nixery.dev/postgresql \
  --env PGPASSWORD=some-password \
  psql -- psql -h my-db -U some-username
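
The psql command above passes the password with --env, which leaves it in shell history and in the pod spec. As an added example (not from the original post), this script builds the same command with PGPASSWORD read from a Kubernetes Secret through --overrides; the Secret name my-db-credentials and its key password are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a `kubectl run` command
# whose PGPASSWORD comes from a Kubernetes Secret instead of a literal --env.
# Assumed names: Secret "my-db-credentials" with key "password".

# Emit the --overrides JSON. The containers list is given in full (name, image,
# command, stdin, tty) because a JSON merge override replaces the list rather
# than merging into it.
psql_overrides() {
  local pod="$1" image="$2" host="$3" user="$4" secret="$5" key="$6"
  local v
  for v in "$@"; do
    # Refuse empty values and anything that would need JSON or shell escaping
    case $v in
      ''|*[!A-Za-z0-9._/-]*) echo "unsafe value: $v" >&2; return 1 ;;
    esac
  done
  printf '{"apiVersion":"v1","spec":{"containers":[{'
  printf '"name":"%s","image":"%s",' "$pod" "$image"
  printf '"command":["psql","-h","%s","-U","%s"],' "$host" "$user"
  printf '"stdin":true,"tty":true,'
  printf '"env":[{"name":"PGPASSWORD","valueFrom":{"secretKeyRef":'
  printf '{"name":"%s","key":"%s"}}}]}]}}' "$secret" "$key"
}

# Print the full command for review; nothing is run against a cluster here.
# Arguments: <db-host> <db-user> <secret-name> <secret-key>
psql_pod_command() {
  local overrides
  overrides=$(psql_overrides psql nixery.dev/postgresql "$1" "$2" "$3" "$4") || return 1
  printf 'kubectl run -it --rm --restart=Never psql \\\n'
  printf '  --image=nixery.dev/postgresql \\\n'
  printf "  --overrides='%s'\n" "$overrides"
}

psql_pod_command my-db some-username my-db-credentials password
```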

Test the connectivity to a pod:

kubectl run -it --rm --restart=Never \
  --image=nixery.dev/shell/unixtools.ping \
  ping -- ping keycloak.cluster.local

Get a shell with curl, grep and nc commands:

kubectl run -it --rm --restart=Never \
  --image=nixery.dev/shell/curl/gnugrep/unixtools.ping/netcat \
  shell -- bash

Limitations

For those not familiar with NixOS, it may be troublesome to find the package name that will bring you the executable you need. Here are some:

  • psql → package postgresql
  • ping → package unixtools.ping
  • grep → package gnugrep
  • nc → package netcat

Also, I wasn't able to run with root permissions, meaning I could not run iptables -L (with the package iptables). Maybe I missed something? Let me know in the comments!
