nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-23 23:43:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #105685 from flokli/dockertools-fakenss

Browse Source 
dockerTools.fakeNss: init
This commit is contained in:
Florian Klink 2020-12-02 23:34:46 +01:00 committed by GitHub
commit 7a34bcc2a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 37 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
pkgs/build-support/docker/default.nix
View File

@ -1,4 +1,5 @@
{ {
bashInteractive,
buildPackages, buildPackages,
cacert, cacert,
callPackage, callPackage,
@ -29,6 +30,7 @@
writeReferencesToFile, writeReferencesToFile,
writeScript, writeScript,
writeText, writeText,
writeTextDir,
writePython3, writePython3,
system, # Note: This is the cross system we're compiling for system, # Note: This is the cross system we're compiling for
}: }:
@ -70,7 +72,7 @@ in
rec { rec {
examples = callPackage ./examples.nix { examples = callPackage ./examples.nix {
inherit buildImage pullImage shadowSetup buildImageWithNixDb; inherit buildImage buildLayeredImage fakeNss pullImage shadowSetup buildImageWithNixDb;
}; };
pullImage = let pullImage = let
@ -684,6 +686,33 @@ rec {
in in
result; result;
# Provide a /etc/passwd and /etc/group that contain root and nobody.
# Useful when packaging binaries that insist on using nss to look up
# username/groups (like nginx).
# /bin/sh is fine to not exist, and provided by another shim.
fakeNss = symlinkJoin {
name = "fake-nss";
paths = [
(writeTextDir "etc/passwd" ''
root:x:0:0:root user:/var/empty:/bin/sh
nobody:x:65534:65534:nobody:/var/empty:/bin/sh
'')
(writeTextDir "etc/group" ''
root:x:0:
nobody:x:65534:
'')
(runCommand "var-empty" {} ''
mkdir -p $out/var/empty
'')
];
};
# This provides /bin/sh, pointing to bashInteractive.
binSh = runCommand "bin-sh" {} ''
mkdir -p $out/bin
ln -s ${bashInteractive}/bin/bash $out/bin/sh
'';
# Build an image and populate its nix database with the provided # Build an image and populate its nix database with the provided
# contents. The main purpose is to be able to use nix commands in # contents. The main purpose is to be able to use nix commands in
# the container. # the container.

17
pkgs/build-support/docker/examples.nix
View File

@ -7,7 +7,7 @@
# $ nix-build '<nixpkgs>' -A dockerTools.examples.redis # $ nix-build '<nixpkgs>' -A dockerTools.examples.redis
# $ docker load < result # $ docker load < result
{ pkgs, buildImage, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }: { pkgs, buildImage, buildLayeredImage, fakeNss, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
rec { rec {
# 1. basic example # 1. basic example
@ -44,7 +44,7 @@ rec {
nginx = let nginx = let
nginxPort = "80"; nginxPort = "80";
nginxConf = pkgs.writeText "nginx.conf" '' nginxConf = pkgs.writeText "nginx.conf" ''
user nginx nginx; user nobody nobody;
daemon off; daemon off;
error_log /dev/stdout info; error_log /dev/stdout info;
pid /dev/null; pid /dev/null;
@ -64,10 +64,13 @@ rec {
<html><body><h1>Hello from NGINX</h1></body></html> <html><body><h1>Hello from NGINX</h1></body></html>
''; '';
in in
buildImage { buildLayeredImage {
name = "nginx-container"; name = "nginx-container";
tag = "latest"; tag = "latest";
contents = pkgs.nginx; contents = [
fakeNss
pkgs.nginx
];
extraCommands = '' extraCommands = ''
# nginx still tries to read this directory even if error_log # nginx still tries to read this directory even if error_log
@ -75,12 +78,6 @@ rec {
mkdir -p var/log/nginx mkdir -p var/log/nginx
mkdir -p var/cache/nginx mkdir -p var/cache/nginx
''; '';
runAsRoot = ''
#!${pkgs.stdenv.shell}
${shadowSetup}
groupadd --system nginx
useradd --system --gid nginx nginx
'';
config = { config = {
Cmd = [ "nginx" "-c" nginxConf ]; Cmd = [ "nginx" "-c" nginxConf ];