Home Explore Blog Models CI



nixpkgs
2nd chunk of `doc/build-helpers/images/ocitools.section.md`
4f832905c1d728dded0be805450045f97494ef7f1a6320980000000100000d60
Because of this, a container built with `buildContainer` will not work on Windows or other non-POSIX platforms without modifications to the container configuration.
These modifications aren't supported by `buildContainer`.

For `linux` platforms, `buildContainer` also configures the following namespaces (see {manpage}`unshare(1)`) to isolate the OCI container from the global namespace:
PID, network, mount, IPC, and UTS.

Note that no user namespace is created, which means that you won't be able to run the container unless you are the `root` user.

### Inputs {#ssec-pkgs-ociTools-buildContainer-inputs}

`buildContainer` expects an argument with the following attributes:

`args` (List of String)

: Specifies a set of arguments to run inside the container.
  Any packages referenced by `args` will be made available inside the container.

`mounts` (Attribute Set; _optional_)

: Would specify additional mounts that the runtime must make available to the container.

  :::{.warning}
  As explained in [issue #290879](https://github.com/NixOS/nixpkgs/issues/290879), this attribute is currently ignored.
  :::

  :::{.note}
  `buildContainer` includes a minimal set of necessary filesystems to be mounted into the container, and this set can't be changed with the `mounts` attribute.
  :::

  _Default value:_ `{}`.

`readonly` (Boolean; _optional_)

: If `true`, sets the container's root filesystem as read-only.

  _Default value:_ `false`.

`os` **DEPRECATED**

: Specifies the operating system on which the container filesystem is based on.
  If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties).
  According to the linked specification, all possible values for `$GOOS` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `darwin` or `linux`.

  _Default value:_ `"linux"`.

`arch` **DEPRECATED**

: Used to specify the architecture for which the binaries in the container filesystem have been compiled.
  If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties).
  According to the linked specification, all possible values for `$GOARCH` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `386`, `amd64`, `arm`, or `arm64`.

  _Default value:_ `x86_64`.

### Examples {#ssec-pkgs-ociTools-buildContainer-examples}

::: {.example #ex-ociTools-buildContainer-bash}
# Creating an OCI runtime container that runs `bash`

This example uses `ociTools.buildContainer` to create a simple container that runs `bash`.

```nix
{
  ociTools,
  lib,
  bash,
}:
ociTools.buildContainer {
  args = [ (lib.getExe bash) ];

  readonly = false;
}
```

As an example of how to run the container generated by this package, we'll use `runc` to start the container.
Any other tool that supports OCI containers could be used instead.

```shell
$ nix-build
(some output removed for clarity)
/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join

$ cd /nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
$ nix-shell -p runc
[nix-shell:/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join]$ sudo runc run ocitools-example
help
GNU bash, version 5.2.26(1)-release (x86_64-pc-linux-gnu)
(some output removed for clarity)
```
:::
Title: buildContainer: Configuration Inputs and Example Usage
Summary
This section details the inputs for the `buildContainer` function, which creates OCI runtime containers. It reiterates that containers built with `buildContainer` are designed for POSIX platforms, specifically Linux where it configures PID, network, mount, IPC, and UTS namespaces for isolation, but requires root privileges as no user namespace is created. The accepted attributes are `args` (a list of strings specifying the command and its dependencies), `mounts` (an optional attribute set for additional mounts, currently ignored, with a default of `{}`), `readonly` (an optional boolean to set the root filesystem as read-only, default `false`), and the **deprecated** `os` and `arch` attributes, which specify the operating system (default `"linux"`) and architecture (default `x86_64`) respectively. An example demonstrates creating a container to run `bash` and then executing it using `runc`.