-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker: Allow building for non-root user #9854
base: master
Are you sure you want to change the base?
docker: Allow building for non-root user #9854
Conversation
I don't understand everything involved on the docker side, but the code change itself looks sensible good to me. Seems like a good companion to #789 too. |
(marked as draft since it depends on open Nixpkgs PRs, so we don't want to accidentally merge it right now). I'm a bit reluctant in general when it comes to extending the Docker setup because I'm not sure that we want to maintain a non-trivial Docker setup. But that change is great since it's – mostly – a thin layer on top of the Nixpkgs-side heavy lifting. So 👍 |
9d87b91
to
cb92545
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Is this ready to merge now? |
Just noticed this was still missing, PR opened: NixOS/nixpkgs#302113 |
cb92545
to
2403b73
Compare
Rebased; I think all dependencies are now satisfied. |
Looks like this has fallen through the cracks? |
Yes, can we get this merged, please? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR still needs:
- tests: new test case in
tests/nixos/
? - documentation,
doc/manual/source/installation/installing-docker.md
I apologize for the other maintainers who have merged insufficiently documented and untested code. That should not have happened.
Add options uid, gid, uname, and gname to docker.nix. Setting these to e.g. 1000, 1000, "user", "user" will build an image which runs and allows using Nix as that user.
2403b73
to
8709f15
Compare
Added a very simple test. (I tried to put together a more complete test which does some store operations, but ran into this issue.)
Thanks, added. |
I managed to get a more thorough test working with the help of a binary cache server machine, but I still can't figure out how to write a test that tries to actually build a derivation inside the container. We need to provide all dependencies offline (via the cache), but for some reason it's not happy with what's on the cache and tries to download some bootstrap tarballs, even if I try to warm up the cache by doing the same thing there first. |
Nix's normal logging isn't the most helpful in this case because it gives you all the paths it needs, but if you pas I don't see the cache you're referring to, but I think you could bake the dependencies into the image. Feel free to push a work in progress commit so I can have a look. |
c8af62f
to
384b8e4
Compare
Great idea, it worked, thanks! |
384b8e4
to
11d3b01
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great!
We still have room to spare in vm_tests, as it's quicker than `nix flake check`
Thanks for this, it'll be great to run Nix in containers as non-root. If I understand correctly (from #5380 (comment)), pretty much the only thing that won't work is finding GC roots; is that right? |
That would apply to a daemon (multi-user) setup. This container has a single-user installation, which makes sense for OCI containers. I think GC should work fine if everything in the container runs as the same user. |
The container has a proper store db for the store object parts that aren't the path or data, like the references for GC. Single user setups are supported. The only problems I would expect is to perhaps corrupting the store by accident because it is less protected. Also the sandbox may or may not be possible to isolate properly, depending on the container runtime and settings. |
Motivation
Add options uid, gid, uname, and gname to docker.nix.
Setting these to e.g. 1000, 1000, "user", "user" will build an image which runs and allows using Nix as that user.
Context
Fixes Support running Nix as a non-root user nix-community/docker-nixpkgs#62
Dependencies:
Although (with NixOS/nixpkgs#281520) it's possible to simply do a
chown ... /nix
infakeRootCommands
, this is quite inefficient. A change only in ownership is not representable as a Docker layer, so the contents of the entire Nix store will end up being copied in the final layer. This is what NixOS/nixpkgs#282886 fixes and this PR builds on.Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.