author | Florian Klink <flokli@flokli.de> | 2022-05-23 12:04:04 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2022-08-01 13:34:20 +0700 |
commit | d84e7842a56b648d3ef6353983c7096d0447c525 (patch) | |
tree | 155523b5cc6d80d51737c5f765be13f795aaff7a /doc/builders | |
parent | 886d2294d27a6a3eff61cfe74c8413a99aa57de3 (diff) |
nixos/doc: document fakeNss, binSh
Diffstat (limited to 'doc/builders')
-rw-r--r-- | doc/builders/images/dockertools.section.md | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/builders/images/dockertools.section.md b/doc/builders/images/dockertools.section.md index 2a41d48cf1340..29b5245d687e9 100644 --- a/doc/builders/images/dockertools.section.md +++ b/doc/builders/images/dockertools.section.md @@ -321,3 +321,31 @@ buildImage { ``` Creating base files like `/etc/passwd` or `/etc/login.defs` is necessary for shadow-utils to manipulate users and groups. + +## fakeNss {#ssec-pkgs-dockerTools-fakeNss} + +If your primary goal is providing a basic skeleton for user lookups to work, +and/or a lesser privileged user, adding `pkgs.fakeNss` to +`build*Image.contents` might be the better choice than a custom script running +`useradd` and friends. + +It provides a `/etc/passwd` and `/etc/group`, containing `root` and `nobody` +users and groups. + +It also provides a `/etc/nsswitch.conf`, configuring NSS host resolution to +first check `/etc/hosts`, before checking DNS, as the default in the absence of +a config file (`dns [!UNAVAIL=return] files`) is quite unexpected. + +You usually might to pair it with binSh, which provides `bin/sh` as a symlink +to `bashInteractive` (as `/bin/sh` is configured as a shell). + +```nix +buildImage { + name = "shadow-basic"; + + contents = [ + binSh + fakeNss + ] +} +``` |
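Review bot: The Nix example that closes the new fakeNss section does not parse: the `contents = [ binSh fakeNss ]` binding has no terminating `;` before the closing `}` of the attribute set, so anyone copying it gets a syntax error. Add the semicolon after `]`. The image name `"shadow-basic"` reads as carried over from the preceding shadow-utils text and is misleading in a section whose point is to avoid `useradd`; a name tied to fakeNss would fit better. In the prose of the same hunk, "You usually might to pair it with binSh" is missing a word ("might want to"), `binSh` should be in backticks like `pkgs.fakeNss`, and "provides `bin/sh`" should be `/bin/sh` to match the parenthetical that follows. That parenthetical ("as `/bin/sh` is configured as a shell") should also say where it is configured, presumably the `/etc/passwd` that fakeNss provides, so readers understand that user lookups succeed without binSh but the listed shell will not exist in the image.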