dockerTools: Support files directly under /nix/store

Also makes sure that the files inside a layer added in a sorted order
to make the results more deterministic.

nixos/tests/docker-tools.nix

@@ -178,5 +178,11 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         # This check may be loosened to allow an *empty* store rather than *no* store.
         docker.succeed("docker run --rm no-store-paths ls /")
         docker.fail("docker run --rm no-store-paths ls /nix/store")
+
+    with subtest("Ensure buildLayeredImage supports files directly under /nix/store"):
+        docker.succeed(
+            "docker load --input='${pkgs.dockerTools.examples.filesInStore}'",
+            "docker run file-in-store |& grep 'some data'",
+        )
   '';
 })

pkgs/build-support/docker/examples.nix

@@ -335,4 +335,14 @@ rec {
     };
   };
 
+  # 19. Support files in the store on buildLayeredImage
+  # See: https://github.com/NixOS/nixpkgs/pull/91084#issuecomment-653496223
+  filesInStore = pkgs.dockerTools.buildLayeredImage {
+    name = "file-in-store";
+    tag = "latest";
+    config.Cmd = [
+      "${pkgs.coreutils}/bin/cat"
+      (pkgs.writeText "somefile" "some data")
+    ];
+  };
 }

pkgs/build-support/docker/stream_layered_image.py

@@ -39,6 +39,7 @@ import json
 import hashlib
 import pathlib
 import tarfile
+import itertools
 import threading
 from datetime import datetime
 from collections import namedtuple
@@ -87,10 +88,9 @@ def archive_paths_to(obj, paths, mtime, add_nix, filter=None):
             tar.addfile(apply_filters(dir("/nix/store")))
 
         for path in paths:
-            ti = tar.gettarinfo(os.path.join("/", path))
-            tar.addfile(apply_filters(append_root(ti)))
-
-            for filename in pathlib.Path(path).rglob("*"):
+            path = pathlib.Path(path)
+            files = itertools.chain([path], path.rglob("*"))
+            for filename in sorted(files):
                 ti = append_root(tar.gettarinfo(filename))
 
                 # copy hardlinks as regular files