dockerTools.fakeNss: init

This provides a /etc/passwd and /etc/group that contain root and nobody. Useful when packaging binaries that insist on using nss to look up username/groups (like nginx). The current nginx example used the `runAsRoot` parameter to setup /etc/group and /etc/passwd (which also doesn't exist in buildLayeredImage), so we can now just use fakeNss there and use buildLayeredImage.
2025-02-16 17:14:00 +00:00 · 2020-12-02 12:16:56 +01:00 · 2020-12-02 12:16:56 +01:00 · f7ee2706c2
commit f7ee2706c2
parent fc7f72e144
2 changed files with 29 additions and 11 deletions
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@ -29,6 +29,7 @@
  writeReferencesToFile,
  writeScript,
  writeText,
+  writeTextDir,
  writePython3,
  system,  # Note: This is the cross system we're compiling for
 }:
@ -70,7 +71,7 @@ in
 rec {

  examples = callPackage ./examples.nix {
-    inherit buildImage pullImage shadowSetup buildImageWithNixDb;
+    inherit buildImage buildLayeredImage fakeNss pullImage shadowSetup buildImageWithNixDb;
  };

  pullImage = let
@ -684,6 +685,26 @@ rec {
    in
    result;

+  # Provide a /etc/passwd and /etc/group that contain root and nobody.
+  # Useful when packaging binaries that insist on using nss to look up
+  # username/groups (like nginx).
+  fakeNss = symlinkJoin {
+    name = "fake-nss";
+    paths = [
+      (writeTextDir "etc/passwd" ''
+        root:x:0:0:root user:/var/empty:/bin/sh
+        nobody:x:65534:65534:nobody:/var/empty:/bin/sh
+      '')
+      (writeTextDir "etc/group" ''
+        root:x:0:
+        nobody:x:65534:
+      '')
+      (runCommand "var-empty" {} ''
+        mkdir -p $out/var/empty
+      '')
+    ];
+  };
+
  # Build an image and populate its nix database with the provided
  # contents. The main purpose is to be able to use nix commands in
  # the container.
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@ -7,7 +7,7 @@
 #  $ nix-build '<nixpkgs>' -A dockerTools.examples.redis
 #  $ docker load < result

-{ pkgs, buildImage, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
+{ pkgs, buildImage, buildLayeredImage, fakeNss, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:

 rec {
  # 1. basic example
@ -44,7 +44,7 @@ rec {
  nginx = let
    nginxPort = "80";
    nginxConf = pkgs.writeText "nginx.conf" ''
-      user nginx nginx;
+      user nobody nobody;
      daemon off;
      error_log /dev/stdout info;
      pid /dev/null;
@ -64,10 +64,13 @@ rec {
      <html><body><h1>Hello from NGINX</h1></body></html>
    '';
  in
-  buildImage {
+  buildLayeredImage {
    name = "nginx-container";
    tag = "latest";
-    contents = pkgs.nginx;
+    contents = [
+      fakeNss
+      pkgs.nginx
+    ];

    extraCommands = ''
      # nginx still tries to read this directory even if error_log
@ -75,12 +78,6 @@ rec {
      mkdir -p var/log/nginx
      mkdir -p var/cache/nginx
    '';
-    runAsRoot = ''
-      #!${pkgs.stdenv.shell}
-      ${shadowSetup}
-      groupadd --system nginx
-      useradd --system --gid nginx nginx
-    '';

    config = {
      Cmd = [ "nginx" "-c" nginxConf ];