author | Frederik Rietdijk <fridh@fridh.nl> | 2020-08-01 19:37:20 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-08-01 19:37:20 +0200 |
commit | 50c060d13dc55b673435f05119c968720c97b0c5 (patch) | |
tree | 3c5b425db1a6cacf9d6845ece815236744a8da47 /pkgs/build-support | |
parent | 941aec472e16b9119af5f981047eba6c3c889825 (diff) | |
parent | 3541e8b4fbf01731580b2f26a3de41200213e6f1 (diff) |
Merge master into staging-next
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/docker/examples.nix | 36 | ||||
-rw-r--r-- | pkgs/build-support/docker/stream_layered_image.py | 8 |
2 files changed, 42 insertions, 2 deletions
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index 0d907c2d64bf2..bc10747176275 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -382,4 +382,40 @@ rec {
 contents = pkgs.bashInteractive;
 };
+ # buildLayeredImage with non-root user
+ bashLayeredWithUser =
+ let
+ nonRootShadowSetup = { user, uid, gid ? uid }: with pkgs; [
+ (
+ writeTextDir "etc/shadow" ''
+ root:!x:::::::
+ ${user}:!:::::::
+ ''
+ )
+ (
+ writeTextDir "etc/passwd" ''
+ root:x:0:0::/root:${runtimeShell}
+ ${user}:x:${toString uid}:${toString gid}::/home/${user}:
+ ''
+ )
+ (
+ writeTextDir "etc/group" ''
+ root:x:0:
+ ${user}:x:${toString gid}:
+ ''
+ )
+ (
+ writeTextDir "etc/gshadow" ''
+ root:x::
+ ${user}:x::
+ ''
+ )
+ ];
+ in
+ pkgs.dockerTools.buildLayeredImage {
+ name = "bash-layered-with-user";
+ tag = "latest";
+ contents = [ pkgs.bash pkgs.coreutils (nonRootShadowSetup { uid = 999; user = "somebody"; }) ];
+ };
+
 }
diff --git a/pkgs/build-support/docker/stream_layered_image.py b/pkgs/build-support/docker/stream_layered_image.py
index 8ffd336fce498..ffb6ba0ade4b2 100644
--- a/pkgs/build-support/docker/stream_layered_image.py
+++ b/pkgs/build-support/docker/stream_layered_image.py
@@ -74,6 +74,10 @@ def archive_paths_to(obj, paths, mtime, add_nix, filter=None):
 ti.gname = "root"
 return filter(ti)
+ def nix_root(ti):
+ ti.mode = 0o0555 # r-xr-xr-x
+ return ti
+
 def dir(path):
 ti = tarfile.TarInfo(path)
 ti.type = tarfile.DIRTYPE
@@ -84,8 +88,8 @@ def archive_paths_to(obj, paths, mtime, add_nix, filter=None):
 # these directories first when building layer tarballs. But
 # we don't need them on the customisation layer.
 if add_nix:
- tar.addfile(apply_filters(dir("/nix")))
- tar.addfile(apply_filters(dir("/nix/store")))
+ tar.addfile(apply_filters(nix_root(dir("/nix"))))
+ tar.addfile(apply_filters(nix_root(dir("/nix/store"))))
 for path in paths:
 path = pathlib.Path(path)
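Review bot: The `etc/shadow` and `etc/gshadow` files that `nonRootShadowSetup` emits via `writeTextDir` are Nix store paths, so they presumably land in the layer with the store's world-readable mode rather than the root-only mode a distribution gives `/etc/shadow`. That is harmless in this example because both entries carry a locked `!` password field, but this is the snippet readers will copy; a comment on `nonRootShadowSetup` such as `# NOTE: store paths stay world-readable in the layer; never put real password hashes in etc/shadow this way` would make the limitation explicit. The `etc/passwd` entry for `${user}` also leaves the shell field empty and names `/home/${user}`, which nothing in `contents` creates, so a line stating that the example only needs uid/gid resolution, not a usable login, would save the next reader a question.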
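Review bot: `nix_root` has no docstring and its literal `0o0555` carries a superfluous leading zero; a one-line docstring such as `"""Mark the synthetic /nix and /nix/store directories r-xr-xr-x, mirroring the read-only store."""` together with `ti.mode = 0o555  # r-xr-xr-x` would state the intent the trailing comment only hints at. Because `nix_root` runs inside `apply_filters`'s argument, a caller-supplied `filter` still sees the entry afterwards and can change the mode again; that is a reasonable customisation hook, but it belongs in the docstring so nobody assumes the mode is pinned. The second hunk (the two `tar.addfile` lines) only wires the helper in; as a point of style, a `mode` keyword on `dir()` (`def dir(path, mode=None):`) would achieve the same without an extra wrapper around every call. `archive_paths_to`, which encloses both hunks, starts and ends outside them.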