Equivalent of fakeRootCommands / enableFakechroot?

[the-sun-will-rise-tomorrow]

Hi, is there any equivalent for these attrs from nixpkgs dockerTools?

The use case for these is to build layers (well, top layer) which have file attributes (permissions, ownership) that can't be set on files in the Nix store, i.e. things like setuid executables, or run commands that can only operate on the current system (/), such as useradd.

The way it works there is to run the user specified command under some combination of fakeroot / fakechroot / proot, and then create a tarball capturing that information while still inside the emulated process space. The tarball then represents the image layer.

Thanks!

[nlewo]

file attributes (permissions, ownership) that can't be set on files in the Nix store

This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

[the-sun-will-rise-tomorrow]

This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

Thank you. That looks useful, but I think the main utility of fakeRootCommands is that it allows to capture the effect of running arbitrary commands. For example, useradd modifies a number of files; in order to port a fakeRootCommands script using it to the above approach, we would need to effectively re-implement useradd in Nix.

If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

I have thought about how this would work for a bit. In streamLayeredImage, the fakeRootCommands script runs on a view of all layers in the image, thus creating the final layer. But, as I understand, one of nix2container's advantages is that it does not build layers unless it has to, so this approach will negate said advantage.

Maybe the perms parameter is the better way to go after all.

[ulrikstrid]

Another usecase for running something as root is setcap to allow binding to low ports as an example. I can't find a way of doing this with nix2container currently.

[nlewo]

@ulrikstrid Setting xattrs file attributes (this is what is done by setcap) is currently not supported by nix2container but it would be possible to add this feature since it is supported bu the tar Go library: https://pkg.go.dev/archive/tar#Header (via the PAXRecords attribute).

[ulrikstrid]

Interesting, I can look at this in the coming days when I have some time. Where would I add this to the project?

[ulrikstrid]

I spent some time between tasks today to see if I could figure it out, see #156 for progress, would love some feedback or pointers.