31 changes: 30 additions & 1 deletion pkgs/build-support/docker/default.nix
@@ -1,4 +1,5 @@
{
bashInteractive,
buildPackages,
cacert,
callPackage,
Expand Down Expand Up @@ -29,6 +30,7 @@
writeReferencesToFile,
writeScript,
writeText,
writeTextDir,
writePython3,
system, # Note: This is the cross system we're compiling for
}:
Expand Down Expand Up @@ -70,7 +72,7 @@ in
rec {

examples = callPackage ./examples.nix {
inherit buildImage pullImage shadowSetup buildImageWithNixDb;
inherit buildImage buildLayeredImage fakeNss pullImage shadowSetup buildImageWithNixDb;
};

pullImage = let
Expand Down Expand Up @@ -684,6 +686,33 @@ rec {
in
result;

# Provide a /etc/passwd and /etc/group that contain root and nobody.
# Useful when packaging binaries that insist on using nss to look up
# username/groups (like nginx).
# /bin/sh is fine to not exist, and provided by another shim.
fakeNss = symlinkJoin {
name = "fake-nss";
paths = [
(writeTextDir "etc/passwd" ''
root:x:0:0:root user:/var/empty:/bin/sh
nobody:x:65534:65534:nobody:/var/empty:/bin/sh
'')
(writeTextDir "etc/group" ''
root:x:0:
nobody:x:65534:
'')
(runCommand "var-empty" {} ''
mkdir -p $out/var/empty
'')
];
};

# This provides /bin/sh, pointing to bashInteractive.
binSh = runCommand "bin-sh" {} ''
mkdir -p $out/bin
ln -s ${bashInteractive}/bin/bash $out/bin/sh
'';

# Build an image and populate its nix database with the provided
# contents. The main purpose is to be able to use nix commands in
# the container.
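Review bot: Both passwd entries in `fakeNss` give the account `/bin/sh` as its login shell, and the `binSh` shim added just below makes that path resolve to `bashInteractive`, so an image that includes both ends up with a working interactive shell for the `nobody` service account. If nothing depends on `nobody` having a shell, its entry could point at a non-login path instead, for example `nobody:x:65534:65534:nobody:/var/empty:/bin/false`. The comment above `fakeNss` would also be clearer if it named the shim it refers to, e.g. `# /bin/sh need not exist; add binSh to the image only when a shell is wanted.`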
17 changes: 7 additions & 10 deletions pkgs/build-support/docker/examples.nix
Expand Up @@ -7,7 +7,7 @@
# $ nix-build '<nixpkgs>' -A dockerTools.examples.redis
# $ docker load < result

{ pkgs, buildImage, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
{ pkgs, buildImage, buildLayeredImage, fakeNss, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:

rec {
# 1. basic example
Expand Down Expand Up @@ -44,7 +44,7 @@ rec {
nginx = let
nginxPort = "80";
nginxConf = pkgs.writeText "nginx.conf" ''
user nginx nginx;
user nobody nobody;
daemon off;
error_log /dev/stdout info;
pid /dev/null;
Expand All @@ -64,23 +64,20 @@ rec {
<html><body><h1>Hello from NGINX</h1></body></html>
'';
in
buildImage {
buildLayeredImage {
name = "nginx-container";
tag = "latest";
contents = pkgs.nginx;
contents = [
fakeNss
pkgs.nginx
];

extraCommands = ''
# nginx still tries to read this directory even if error_log
# directive is specifying another file :/
mkdir -p var/log/nginx
mkdir -p var/cache/nginx
'';
runAsRoot = ''
#!${pkgs.stdenv.shell}
${shadowSetup}
groupadd --system nginx
useradd --system --gid nginx nginx
'';

config = {
Cmd = [ "nginx" "-c" nginxConf ];
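Review bot: The nginx workers now drop to the shared `nobody` account (`user nobody nobody;`) instead of the dedicated `nginx` user that the removed `runAsRoot` step created, and the example does not say that this is a simplification. `nobody` is conventionally reserved for unmapped or squashed ids, so anything else in a derived image that also runs as `nobody` would share file and signal access with the workers. Since these examples get copied, a comment next to `fakeNss` in `contents` would help, for instance `# demo only: fakeNss supplies just root and nobody; use a dedicated uid/gid for real services`. The `config` block continues beyond the visible lines, so whether it sets a non-root `User` for the master process cannot be checked from here.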