dockerTools.fakeNss: init #105685
Conversation
This seems overly specific for the NGINX use case. Why don't we just run the shadowSetup (slightly modified so the root dir can be set to $out) in a runCommand and use that as additional layer image? That would probably give a more general solution to this problem.
name = "fake-nss";
paths = [
  (writeTextDir "etc/passwd" ''
    root:x:0:0:root user:/root:/bin/sh
That shell entry is likely bogus as not every container has /bin/sh. Same is true for the home directories of the two users.
What about /var/empty as homedir for both?

I'd like to introduce another attribute with bin/sh (and usr/bin/env) as a separate derivation, so we don't pull in a shell unconditionally.
I included var/empty in fakeNss, and added a dockerTools.binSh derivation that provides bin/sh.
This provides a /etc/passwd and /etc/group that contain root and nobody. Useful when packaging binaries that insist on using nss to look up username/groups (like nginx). The current nginx example used the `runAsRoot` parameter to set up /etc/group and /etc/passwd (which also doesn't exist in buildLayeredImage), so we can now just use fakeNss there and use buildLayeredImage.
b25c010 to e054694
I included an empty
FWIW, I've used very similar tricks multiple times in the past for the exact reason (buildLayeredImage not supporting runAsRoot) and I would be keen to have it included in dockerTools.

My main concern would be whether the values hardcoded would work with a variety of the programs or not (e.g. some of them might want the home directory to exist). But we can always tweak those in future (unfortunately breaking the existing code), and they can always use shadowSetup if they have more complicated needs.
Alright, let's merge this in then. It's an additional derivation covering some basic usecases, and if people don't like it, or it's not enough, they can just not add it their
This provides a /etc/passwd and /etc/group that contain root and nobody. Useful when packaging binaries that insist on using nss to look up username/groups (like nginx). The current nginx example used the runAsRoot parameter to set up /etc/group and /etc/passwd (which also doesn't exist in buildLayeredImage), so we can now just use fakeNss there and use buildLayeredImage.

Motivation for this change

Packaging applications using nss with buildLayeredImage. Successfully ran nixos/tests/docker-tools.nix after this.

Things done

- sandbox in nix.conf on non-NixOS linux
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/
- nix path-info -S before and after
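The shape of derivation the thread converges on (passwd/group with only root and nobody, /var/empty as the home directory of both, and the shell kept out of the NSS layer so an image only carries /bin/sh when it is asked for), written out as an added example. This is illustrative code, not the nixpkgs implementation from this PR: the attribute names `fakeNssExample` and `binShExample`, the choice of `bashInteractive` as the shell behind `bin/sh`, and the `etc/nsswitch.conf` entry are my assumptions. Everything used here (`buildEnv`, `writeTextDir`, `runCommand`, `dockerTools.buildLayeredImage`) is standard nixpkgs.

```nix
{ pkgs ? import <nixpkgs> { } }:

with pkgs;

rec {
  # Minimal NSS database as a store path that can be dropped into
  # `contents` of buildLayeredImage. Only two accounts exist and
  # neither has a password hash ("x" with no /etc/shadow), so there
  # is nothing to log in to; the entries only satisfy getpwnam()/
  # getgrnam() lookups that daemons such as nginx perform at startup.
  fakeNssExample = buildEnv {
    name = "fake-nss-example";
    paths = [
      (writeTextDir "etc/passwd" ''
        root:x:0:0:root user:/var/empty:/bin/sh
        nobody:x:65534:65534:nobody:/var/empty:/bin/sh
      '')
      (writeTextDir "etc/group" ''
        root:x:0:
        nobody:x:65534:
      '')
      # Assumption: tell glibc to consult only the files above, so a
      # missing libnss plugin never makes the lookup fail or hang.
      (writeTextDir "etc/nsswitch.conf" ''
        passwd: files
        group:  files
      '')
      # The home directory both entries point at. It exists, is owned
      # by the store (read-only), and stays empty.
      (runCommand "var-empty" { } "mkdir -p $out/var/empty")
    ];
  };

  # Shell as a separate, opt-in derivation: the passwd entries name
  # /bin/sh, but an image only gets one if this is added to `contents`.
  # Assumption: bashInteractive is the shell behind the symlink.
  binShExample = runCommand "bin-sh-example" { } ''
    mkdir -p $out/bin
    ln -s ${bashInteractive}/bin/bash $out/bin/sh
  '';

  # nginx image built with buildLayeredImage instead of runAsRoot.
  # Note what is *not* in contents: no binShExample, so the container
  # has the NSS entries nginx wants but no shell to exec into.
  nginxImage = dockerTools.buildLayeredImage {
    name = "nginx-fake-nss-example";
    tag = "latest";
    contents = [ nginx fakeNssExample ];
    config = {
      Cmd = [ "${nginx}/bin/nginx" "-g" "daemon off;" ];
      ExposedPorts = { "80/tcp" = { }; };
    };
  };

  # Same image plus a shell, for when a debugging session is wanted.
  nginxDebugImage = nginxImage.override or (_: nginxImage) {
    contents = [ nginx fakeNssExample binShExample ];
  };
}
```

Build with `nix-build -A nginxImage` and load the result with `docker load < result`. A quick check that the layer does what the thread intends: `docker run --rm --entrypoint /bin/sh nginx-fake-nss-example:latest` fails with "no such file or directory", while `id nobody` inside the debug variant resolves to uid 65534 with home /var/empty.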