(C) 2016 Awake Networks, Apache-2.0, Awake Networks <opensource@awakenetworks.com>, stable

Produce a default option record with omitNothingFields set to True by default.

Parse a URI value.

Newtype base16 encoding of a hash digest. This encoding has no known idiosyncrasies specific to Nix; it should be compatible with other tools' and libraries' expectations.
Newtype base32 encoding of a hash digest. Please note, this base32 encoding is unique to Nix and not compatible with other base32 encodings.
Red wagon record carrying around the environment as we fetch, transform, and assemble docker image artifacts.
Hocker ExceptT and ReaderT transformer stack threading a 0 data type.
Generic top-level optparse-generic CLI args data type and specification. NOTE: `hocker-layer` does not use this data type because it requires an additional layer sha256 hash digest argument.
URI for the registry, optional
Filesystem path to write output to
Docker image name (includes the reponame, e.g: library/debian)
Docker image tag
Docker image config JSON file's sha256 hash digest in Nix's base32 encoding. NB: it's very important to realize there's a significant difference between Nix's base32 encoding and the standard base32 encoding! (i.e, they're not compatible).
ImageName is the part after the forward slash in a docker image name, e.g: library in library/debian
RepoName is the part before the forward slash in a docker image name, e.g: library in library/debian
A file extension.
Wreq response type parameterized by the lazy bytestring type.
Docker image config JSON.
Docker image manifest JSON.
SHA256 hash digest with the hash algorithm identifier prefix, stripped
Docker image layer sha256 hash digest.
Docker registry user password.
Docker registry username.
Docker registry URI.
upperFirst uppercases the first letter of the string.

Convert a , to a . using the nix-hash utility. NB: Nix implements its own custom base32 encoding function for hashes that is not compatible with other more standard and native implementations in Haskell. I opted to call out to nix-hash instead of re-implementing their algorithm because it's non-standard and may change, creating a maintenance headache and surprise behavior.
Path to the nix-hash executable, see , to base32 encode

Repository tag
 of tags to the top-most layer associated with that tag
A map of fs. The repository names are the top-level keys and their value is a map whose keys are the tags of the repository with the hash-value of the layer that tag references.
A v1.2 docker image manifest.
 within the image archive of the image's config JSON
List of image repository tags
List of layers within the image archive named by their hash digest and with a .tar extension
A , representing the full repository tag, e.g: library/debian.
A layer hash digest from a docker image's config JSON.
This hash is different from those found in the image's manifest JSON.
Metadata needed for constructing a docker image.
Docker image repo, the first part of a repository+name separated by a "/"; e.g: library/debian.
Docker image name, the second part of a repository+name separated by a "/"; e.g: library/debian.
Docker image tag
A docker image manifest JSON blob as usually fetched from a docker registry.
The URI (even if the default public registry) of the docker registry.
An alternative name for the docker image in the generated nix build instructions.
Parse a  into a . A digest value, as seen in the docker registry manifest, is the hexadecimal encoding of a hashing function's digest with the hashing function identifier prefixed onto the string. At this time the only prefix used is sha256:.
Show a hexadecimal encoded SHA256 hash digest and prefix sha256: to it.

Throw a 1, exiting the program with the supplied message.
Print an error message to stderr and return a non-zero exit code, the message is prefixed with the name of the program.
Print the bytestring to stdout if the first argument is Nothing, otherwise write the bytestring to the provided filesystem path and print the path to stdout.
Combine an image name and a base path producing an output path.
Combine an image name, an image tag, and a base path producing an output path with a -config.json suffix.
Combine an image name, an image tag, and a base path producing an output path with a -manifest.json suffix.
Join a list of strings and the path part of a N to produce a new N with a path root of /v2.
Given a  produce a .
Hash a  using the  algorithm.
Strip the sha256: identifier prefix from a hash digest.
Encode, following Docker's canonical JSON rules, any ToJSON data type. The canonicalization rules enable consistent hashing of encoded JSON, a process relied upon heavily by docker for content addressability and unique identification of resources within a docker registry. Notably, an image's config JSON file and layers. NB: Docker's canonical JSON spec (http://54.71.194.30:4016/registry/spec/json) intentionally *does not* follow the OLPC (http://wiki.laptop.org/go/Canonical_JSON)'s Canonical JSON format even though it was inspired by it.
Throw an error if the first argument is Nothing, otherwise return the FilePath unwrapped.
Pluck out the digest value for the config JSON given a docker registry image manifest. Attempting to parse and return the digest value as a , otherwise throw an error.
Split a docker image's name on the forward slash separator so we get the distinct repo name and image name.
Given a nix expression AST, produce a pretty printer document.
Print a nix expression AST using the  pretty printing renderer.
Given an executable's name, try to find it in the PATH.
Docker image name
Base path to write to
Docker image name
Docker image tag
Base path to write to
Docker image name
Docker image tag
Base path to write to
Extra path segments to add
Base URI to add path segments to

Default docker hub registry (https://registry-1.docker.io/v2/).
Given ) , produce a . If ) is either + or * then produce a # value for that type of credential. If Nothing is provided _and_ the provided N3 matches the default registry, make a request to https://auth.docker.io/token for a temporary pull-only bearer token, assuming the request we want to make is to the public docker hub and without any other credentials. Otherwise, return 1 so that an unauthenticated request can be made.
Retrieve a list of layer hash digests from a docker registry image manifest JSON. TODO: pluck out the layer's size and digest into a tuple.
Retrieve a list of layer hash digests from an image's configuration JSON. This is subtly different from  because both list hash digests for the image's layers but the manifest's layer hash digests are keys into the registry's blob storage referencing _compressed_ layer archives. The configuration JSON's layer hash digests reference the uncompressed layer tar archives within the image.
Request a V2 registry manifest for the specified docker image.
Retrieve the configuration JSON of an image by its hash digest (found in the V2 manifest for an image given by a name and a tag).
Retrieve a compressed layer blob by its hash digest. TODO: take advantage of registry's support for the Range header so we can stream downloads.
Write a  to the specified B, checking the integrity of the file with its sha256 hash digest. The second argument, the J), must be a hash digest stripped of the sha256: algorithm identifier prefix.
Write a response to the filesystem without a request hash digest.
Attempt to fetch the value of the ETag header to verify the integrity of the content received. The Docker docs do _not_ recommend this method for verification because the ETag and Docker-Content-Digest headers may change between the time you issue a request with a digest and when you receive a response back! We do it anyway and leave this warning.
Compute a sha256 hash digest of the response body and compare it against the supplied hash digest.
Compute a sha256 hash digest of the response body and compare it against the Docker-Content-Digest header from the response. The Docker docs do *not* recommend this method for verification because the Docker-Content-Digest header may change between the time you issue a request with a digest and when you receive a response back! NB: some registries do not send a Docker-Content-Digest header, I'm not sure yet what the cause for this is but this function's behavior lacking that information is to ignore the hash check.
Compute a sha256 hash digest for a file and compare that hash to the supplied hash digest.
Docker registry
Docker image name
Docker registry authentication credentials
Filesystem path to write the content to
Hash digest, stripped of its algorithm identifier prefix
Wreq lazy bytestring response object
Filesystem path to write the content to
Wreq lazy bytestring response object
Wreq lazy bytestring response object
Hash digest, stripped of its hash algorithm identifier prefix
Wreq lazy bytestring response object
Filesystem path of file to verify
Hash digest, stripped of its hash algorithm identifier prefix

Like mapM but concurrently apply a function to the elements of the Traversable, limiting the maximum number of worker threads by _n_.
Like mapPool but with the arguments flipped.
Download, verify, decompress, and write a docker container image layer to the filesystem.
Generate a manifest.json file.
Generate a repositories json file. NB: it is JSON but Docker doesn't want it to have a .json extension, unlike its sibling the manifest.json file.
Tar and gzip the output dir into the final docker image archive and remove the output dir.
Number of pooled worker threads
Processing function
A Traversable container
Number of pooled worker threads
A Traversable container
Processing function
Concurrent terminal output function
A tuple of the reference layer hash digest from the image's config JSON and hash digest from the image's manifest JSON
e.g: registry.mydomain.net:5001reponame imagename
Path of image config file for manifest
Layer hash digests sourced from the image's config JSON
e.g: registry.mydomain.net:5001reponame imagename
Layer hash digests sourced from the image's configuration JSON

Fetch an image from the docker registry, assembling the artifacts into a Docker V1.2 Image.
Fetch a layer using its digest key from the docker registry.
Fetch the configuration JSON file of the specified image from the docker registry.
Fetch the docker registry manifest JSON file for the specified image from the docker registry.

fetchdocker function name.
fetchDockerConfig function name.
fetchDockerLayer function name.
Generate a Nix expression AST from a HockerImageMeta record. This function checks that the supplied manifest JSON contains a key in the top-level object describing what version of the manifest we have.
Generate a top-level Nix Expression AST from a s6 record, a config digest, and a list of layer digests. The generated AST, pretty printed, may look similar to the following:

    { fetchdocker, fetchDockerConfig, fetchDockerLayer }:
    fetchdocker rec {
      name = "debian";
      registry = "https://registry-1.docker.io/v2/";
      repository = "library";
      imageName = "debian";
      tag = "latest";
      imageConfig = fetchDockerConfig {
        inherit registry repository imageName tag;
        sha256 = "1viqbygsz9547jy830f2lk2hcrxjf7gl9h1xda9ws5kap8yw50ry";
      };
      imageLayers = let
        layer0 = fetchDockerLayer {
          inherit registry repository imageName;
          layerDigest = "10a267c67f423630f3afe5e04bbbc93d578861ddcc54283526222f3ad5e895b9";
          sha256 = "1fcmx3aklbr24qsjhm6cvmhqhmrxr6xlpq75mzrk0dj2gz36g8hh";
        };
        in [ layer0 ];
    }

Generate a fetchdocker { ... } function call and argument attribute set. Please see . documentation for an example of full output.
Generate a fetchDockerConfig { ... } function call and argument attrset. This function takes an argument for a list of static keys to inherit from the parent attribute set; it helps reduce the noise in the output expression.
Generate a list of Nix expression ASTs representing fetchDockerLayer { ... } function calls. This function takes an argument for a list of static keys to inherit from the parent attribute set; it helps reduce the noise in the output expression. NB: the hash digest tuple in the second argument is the base16 encoded hash digest plucked from the image's manifest JSON and a nix-hash base32 encoded copy. This is necessary because fixed output derivations require a pre-computed hash (which we have, thanks to the manifest) and the hash must be base32 encoded using nix-hash's own base32 encoding.
The base16 encoded hash digest is needed intact in order for the fetchDockerLayer builder script (which calls the hocker-layer utility) to download the layer from a docker registry.

hocker-1.0.3: Data.Docker.Image.AesonHelpers, Hocker.Types.Exceptions, Hocker.Types.Hash, Hocker.Types.ImageName, Hocker.Types.ImageTag, Hocker.Types.URI, Network.Wreq.ErrorHandling, Hocker.Types, Data.Docker.Nix.Lib, Data.Docker.Image.Types, Hocker.Lib, Network.Wreq.Docker.Registry, Network.Wreq.Docker.Image.Lib, Network.Wreq.Docker.Image, Data.Docker.Nix.FetchDocker, Data.Docker.Nix