search

nlewo / nix2container

An archive-less dockerTools.buildImage implementation
Apache License 2.0
501 stars 45 forks source link

Equivalent of fakeRootCommands / enableFakechroot? #134

Open the-sun-will-rise-tomorrow opened 4 months ago

the-sun-will-rise-tomorrow commented 4 months ago

Hi, is there any equivalent for these attrs from nixpkgs dockerTools?

The use case for these is to build layers (well, top layer) which have file attributes (permissions, ownership) that can't be set on files in the Nix store, i.e. things like setuid executables, or run commands that can only operate on the current system (/), such as useradd.

The way it works there is to run the user specified command under some combination of fakeroot / fakechroot / proot, and then create a tarball capturing that information while still inside the emulated process space. The tarball then represents the image layer.

Thanks!

nlewo commented 4 months ago

file attributes (permissions, ownership) that can't be set on files in the Nix store

This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

the-sun-will-rise-tomorrow commented 1 month ago

This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

Thank you. That looks useful, but I think the main utility of fakeRootCommands is that it allows to capture the effect of running arbitrary commands. For example, useradd modifies a number of files; in order to port a fakeRootCommands script using it to the above approach, we would need to effectively re-implement useradd in Nix.

If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

I have thought about how this would work for a bit. In streamLayeredImage, the fakeRootCommands script runs on a view of all layers in the image, thus creating the final layer. But, as I understand, one of nix2container's advantages is that it does not build layers unless it has to, so this approach will negate said advantage.

Maybe the perms parameter is the better way to go after all.