Merge pull request #105685 from flokli/dockertools-fakenss

dockerTools.fakeNss: init
Florian Klink 2020-12-02 23:34:46 +01:00 committed by GitHub
commit 7a34bcc2a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 37 additions and 11 deletions


@ -1,4 +1,5 @@
{
bashInteractive,
buildPackages,
cacert,
callPackage,
@ -29,6 +30,7 @@
writeReferencesToFile,
writeScript,
writeText,
writeTextDir,
writePython3,
system, # Note: This is the cross system we're compiling for
}:
@ -70,7 +72,7 @@ in
rec {
examples = callPackage ./examples.nix {
inherit buildImage pullImage shadowSetup buildImageWithNixDb;
inherit buildImage buildLayeredImage fakeNss pullImage shadowSetup buildImageWithNixDb;
};
pullImage = let
@ -684,6 +686,33 @@ rec {
in
result;
# Provide a /etc/passwd and /etc/group that contain root and nobody.
# Useful when packaging binaries that insist on using nss to look up
# username/groups (like nginx).
# /bin/sh is fine to not exist, and provided by another shim.
fakeNss = symlinkJoin {
name = "fake-nss";
paths = [
(writeTextDir "etc/passwd" ''
root:x:0:0:root user:/var/empty:/bin/sh
nobody:x:65534:65534:nobody:/var/empty:/bin/sh
'')
(writeTextDir "etc/group" ''
root:x:0:
nobody:x:65534:
'')
(runCommand "var-empty" {} ''
mkdir -p $out/var/empty
'')
];
};
# This provides /bin/sh, pointing to bashInteractive.
binSh = runCommand "bin-sh" {} ''
mkdir -p $out/bin
ln -s ${bashInteractive}/bin/bash $out/bin/sh
'';
# Build an image and populate its nix database with the provided
# contents. The main purpose is to be able to use nix commands in
# the container.
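Review bot: In the `fakeNss` passwd text both `root` and `nobody` get `/bin/sh` as their login shell, and the comment above it only says the shell is "provided by another shim". Nothing tells a user that putting `binSh` next to `fakeNss` turns that dangling path into a working interactive bash for both accounts. I would document this on `binSh`, e.g. `# Optional: only add to images that really need a shell; without it the /bin/sh named in fakeNss stays dangling.` It would also help to note on `fakeNss` that the `x` password field points at an /etc/shadow that is not shipped, and that the files are static store outputs, so accounts probably cannot be added later with useradd (inferred from `symlinkJoin`/`writeTextDir`, not checked against the shadow tooling). Both definitions are complete within this hunk; the enclosing `rec { … }` is not.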


@ -7,7 +7,7 @@
# $ nix-build '<nixpkgs>' -A dockerTools.examples.redis
# $ docker load < result
{ pkgs, buildImage, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
{ pkgs, buildImage, buildLayeredImage, fakeNss, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
rec {
# 1. basic example
@ -44,7 +44,7 @@ rec {
nginx = let
nginxPort = "80";
nginxConf = pkgs.writeText "nginx.conf" ''
user nginx nginx;
user nobody nobody;
daemon off;
error_log /dev/stdout info;
pid /dev/null;
@ -64,10 +64,13 @@ rec {
<html><body><h1>Hello from NGINX</h1></body></html>
'';
in
buildImage {
buildLayeredImage {
name = "nginx-container";
tag = "latest";
contents = pkgs.nginx;
contents = [
fakeNss
pkgs.nginx
];
extraCommands = ''
# nginx still tries to read this directory even if error_log
@ -75,12 +78,6 @@ rec {
mkdir -p var/log/nginx
mkdir -p var/cache/nginx
'';
runAsRoot = ''
#!${pkgs.stdenv.shell}
${shadowSetup}
groupadd --system nginx
useradd --system --gid nginx nginx
'';
config = {
Cmd = [ "nginx" "-c" nginxConf ];
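Review bot: The example now runs the nginx workers as the shared `nobody` account (`user nobody nobody;`) instead of a dedicated `nginx` user, and the visible lines do not explain that this is a trade-off made to drop `runAsRoot`/`shadowSetup`. Examples get copied into real images, so I would add a comment above `contents`, e.g. `# fakeNss only provides root and nobody; workers drop to nobody, the master still starts as root to bind nginxPort unless config.User is set`. The part about the master is inferred: the `config` block and the surrounding `let … in buildLayeredImage { … }` expression continue outside these hunks, so whether a `User` is set there is not visible. If per-service isolation matters to a reader, the comment could also say that a dedicated uid needs its own passwd/group entries rather than `fakeNss`.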