author | Florian Klink <flokli@flokli.de> | 2022-08-04 21:06:19 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-04 21:06:19 +0700 |
commit | 00ff15426544cb349d9212a78569c6607f4d08e8 (patch) | |
tree | 7db3b0daf584a420719414810a8e0ddef9e73fcf /doc/builders | |
parent | 03eb7c5bff54029f53a2c6f0c71739810e08e14b (diff) | |
parent | 6e254a6c353b800234245daa071786bb5e6f44cd (diff) |
Merge pull request #174093 from NixOS/doc-fakenss
nixos/doc: document fakeNss, binSh
Diffstat (limited to 'doc/builders')
-rw-r--r-- | doc/builders/images/dockertools.section.md | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/builders/images/dockertools.section.md b/doc/builders/images/dockertools.section.md index 2a41d48cf1340..d8deb6cfbc8c4 100644 --- a/doc/builders/images/dockertools.section.md +++ b/doc/builders/images/dockertools.section.md @@ -321,3 +321,32 @@ buildImage { ``` Creating base files like `/etc/passwd` or `/etc/login.defs` is necessary for shadow-utils to manipulate users and groups. + +## fakeNss {#ssec-pkgs-dockerTools-fakeNss} + +If your primary goal is providing a basic skeleton for user lookups to work, +and/or a lesser privileged user, adding `pkgs.fakeNss` to +the container image root might be the better choice than a custom script +running `useradd` and friends. + +It provides a `/etc/passwd` and `/etc/group`, containing `root` and `nobody` +users and groups. + +It also provides a `/etc/nsswitch.conf`, configuring NSS host resolution to +first check `/etc/hosts`, before checking DNS, as the default in the absence of +a config file (`dns [!UNAVAIL=return] files`) is quite unexpected. + +You can pair it with `binSh`, which provides `bin/sh` as a symlink +to `bashInteractive` (as `/bin/sh` is configured as a shell). + +```nix +buildImage { + name = "shadow-basic"; + + copyToRoot = pkgs.buildEnv { + name = "image-root"; + paths = [ binSh pkgs.fakeNss ]; + pathsToLink = [ "/bin" "/etc" "/var" ]; + }; +} +``` |
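Review bot: The closing `buildImage` example never selects the "lesser privileged user" that the first paragraph of the new section gives as a reason to use `fakeNss`. It sets only `name` and `copyToRoot`, so nothing visible here moves the container away from root; consider extending the example so the image config runs as `nobody`, or saying in the prose that the reader still has to do that. In the same example, `paths = [ binSh pkgs.fakeNss ];` uses `binSh` unqualified next to `pkgs.fakeNss`, and the prose does not say where `binSh` comes from, so a reader copying the snippet cannot tell what has to be in scope; qualify it or add a sentence naming its origin. `pathsToLink` includes `"/var"`, but the text lists only `/etc/passwd`, `/etc/group`, `/etc/nsswitch.conf` and `bin/sh`, so a short note on what is expected under `/var` would help. Finally, `name = "shadow-basic";` looks carried over from the shadow-utils example above, and a name that reflects `fakeNss` would avoid suggesting that shadow-utils is involved.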