Skip to content
Kānuka

Container Support

Grove can build containers directly from your development environment, ensuring your deployment containers match your development environment exactly. Here’s how it all works.

How Grove builds containers

Section titled “How Grove builds containers”

Grove uses a tool called nix2container to build efficient, reproducible containers from your development environment. When you run kanuka grove container build, several things happen:

  1. Grove reads your devenv.nix configuration to understand your environment.
  2. Grove uses nix2container to create an OCI (Open Container Initiative) container.
  3. Grove includes all your packages and their dependencies in the container.
  4. Grove creates a minimal container image with only what’s needed.

Container configuration

Section titled “Container configuration”

Container support requires two things in your Grove environment:

1. A name field in devenv.nix

Section titled “1. A name field in devenv.nix”
{ pkgs, ... }: {
  name = "my-project";


  packages = [
    pkgs.nodejs_18
    pkgs.python3
  ];
}

2. nix2container input in devenv.yaml

Section titled “2. nix2container input in devenv.yaml”
inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
  nix2container:
    url: github:nlewo/nix2container
    inputs.nixpkgs.follows: nixpkgs

What gets included in containers

Section titled “What gets included in containers”

When Grove builds a container, it includes:

  • All declared packages: Everything from your packages list.
  • Language environments: Any languages you’ve enabled.
  • Dependencies: All required system libraries and dependencies.
  • Environment variables: Proper PATH and other environment setup.
  • Minimal base: Only essential system components.

What doesn’t get included:

  • Development tools: Things like debuggers or development servers (unless explicitly added).
  • System packages: Nothing from your host system.
  • Temporary files: No build artifacts or cache files.

Container layers

Section titled “Container layers”

Grove creates efficient container layers:

  1. Base layer: Minimal system components (glibc, basic utilities).
  2. Package layers: Each package and its dependencies.
  3. Configuration layer: Environment variables and setup scripts.
  4. Application layer: Your project-specific files (if any).

This layering approach means:

  • Efficient caching: Common packages are shared between containers.
  • Fast builds: Only changed layers need to be rebuilt.
  • Small images: No unnecessary duplication.

Container workflow

Section titled “Container workflow”

Building

Section titled “Building”

When you run kanuka grove container build:

  1. Grove validates your container configuration.
  2. Grove resolves all package dependencies.
  3. nix2container creates the container layers.
  4. Grove stores the container in the Nix store.

Syncing

Section titled “Syncing”

When you run kanuka grove container sync:

  1. Grove finds the built container in the Nix store.
  2. Grove copies the container to your Docker daemon.
  3. Grove tags the container with your project name.
  4. The container is now available for docker run.

Running

Section titled “Running”

Once synced, you can use the container like any Docker container:

Terminal window
docker run -it my-project
docker run -d -p 3000:3000 my-project

Container reproducibility

Section titled “Container reproducibility”

Grove containers are completely reproducible:

  • Same inputs, same outputs: Identical environments produce identical containers.
  • Bit-for-bit reproducible: The same configuration always creates the same container.
  • Cross-platform: Containers built on different systems are identical.
  • Deterministic: No random elements or timestamps affect the build.

Container efficiency

Section titled “Container efficiency”

Grove containers are highly efficient:

  • Minimal size: Only includes what’s actually needed.
  • Layer sharing: Common packages are shared between containers.
  • No package managers: No npm, pip, or other package managers in the final image.
  • Static dependencies: All dependencies are resolved at build time.

Container security

Section titled “Container security”

Grove containers have several security advantages:

  • Minimal attack surface: Only essential components are included.
  • No package managers: Can’t install additional packages at runtime.
  • Immutable: Container contents can’t be modified.
  • Reproducible: Easy to audit and verify what’s included.

Platform limitations

Section titled “Platform limitations”

Container building has some platform requirements:

  • Linux required: Container building only works on Linux systems.
  • macOS workaround: Use CI/CD or remote Linux systems for building.
  • Windows workaround: Use WSL2 or remote Linux systems.

This is because containers are fundamentally Linux-based, and the Nix build process needs to run on the target platform.

Continue reading to learn about Grove’s integration with AWS and other cloud services.