tazjin / nixery

Container registry which transparently builds images using the Nix package manager. Canonical repository is https://cs.tvl.fyi/depot/-/tree/tools/nixery
https://nixery.dev/
Apache License 2.0

Non-root default user? #136

Open malte-behrendt opened 2 years ago

malte-behrendt commented 2 years ago

This is a seriously awesome project! :-D

The only thing I'm currently missing is getting/running the images with a non-root default user.

Is this possible, or can you help me find documentation on it? Or do I have to add another layer myself?

tazjin commented 2 years ago

Hey! This isn't currently possible, and it's not that trivial to implement since alternative users would first have to be created. My take is generally that this sort of stuff is up to the container runtime, but you could also add additional layers to set up users within the image and change the default user setting.

Open to other suggestions, of course :)

malte-behrendt commented 2 years ago

I completely agree on it "is up to the container runtime".

Yet I have a use case where I cannot use something like "runas": GitLab jobs/CI with a custom image via GitLab's Docker runner.

There, nixery would be absolutely awesome as it clearly states the precise requirements/tool assumptions - I just have to avoid that every custom image is started as root somehow.

docteurklein commented 2 years ago

Just wanted to add that I copied the shadowSetup of nix's docker build support: https://github.com/NixOS/nixpkgs/blob/e237d884326048b139b16268aa14a3c62e125529/pkgs/build-support/docker/default.nix#L129-L151

I used it as an entrypoint to my docker image and now can run postgres in this image: nixery.dev/shell/sudo/shadow/postgresql_14/postgresql14packages.plpgsql_check

#!/usr/bin/env bash
# Entrypoint: bootstrap /etc so that useradd and sudo work in an otherwise
# empty Nixery image, then initialise the database as the unprivileged "app" user.
set -exuo pipefail

# --- shadowSetup copied from nixpkgs' dockerTools (link above) ---
mkdir -p /etc/pam.d
if [[ ! -f /etc/passwd ]]; then
  echo "root:x:0:0::/root:/bin/bash" > /etc/passwd
  echo "root:!x:::::::" > /etc/shadow
fi
if [[ ! -f /etc/group ]]; then
  echo "root:x:0:" > /etc/group
  echo "root:x::" > /etc/gshadow
fi
if [[ ! -f /etc/pam.d/other ]]; then
  cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
session required pam_unix.so
EOF
fi
if [[ ! -f /etc/login.defs ]]; then
  touch /etc/login.defs
fi

# --- custom stuff ---

# sudo skips sudoers.d files whose name contains a "." or ends in "~", so the
# drop-in must have no extension; keep it readable by root only.
mkdir -p /etc/sudoers.d
echo 'ALL ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/all
chmod 0440 /etc/sudoers.d/all

# Unprivileged user that will own the database files.
useradd -m app

# PGDATA must be set in the environment (set -u aborts otherwise).
mkdir -p "$PGDATA" /run/postgresql
chown -R app:app "$PGDATA" /run/postgresql

# postgres refuses to run as root, so initialise the cluster as "app".
sudo -E -u app pg_ctl initdb
#sudo -E -u app pg_ctl -w start -o '-c shared_preload_libraries=plpgsql,plpgsql_check'

# Note: the container command itself still runs as root here.
exec "$@"

Postgres requires non-root to run. I tried using su, but only got it working with sudo so far.

docteurklein commented 2 years ago

Would it be possible for nixery to include this shadowSetup entrypoint automatically?

whazor commented 2 years ago

It would be nice to have a 'package', like shell, that creates a new user under 1000:1000.

Or maybe even a special prefix url where Nixery creates the user under /etc/passwd as a bottom docker layer.
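The "bottom layer that creates the user in /etc/passwd" suggested in the last comment, and the "additional layers to set up users" mentioned earlier, amount to four lines of text per user. The script below is an added example (the editor's, not Nixery's code and not from anyone in this thread) that stages those entries into a directory without useradd, PAM or root privileges, so the result can be copied into an image as an extra layer. The function names, the staging-directory layout and the app/1000 choice are this example's own assumptions. It refuses to reuse a name or uid, because a second passwd entry with uid 0 would silently make the "non-root" user root.

```shell
#!/bin/sh
# Added example, not code from Nixery or from this thread: stage the
# passwd/group/shadow/gshadow entries for an unprivileged user under a
# directory ($root), ready to be copied into an image as a layer.
set -eu

# init_etc ROOT: create ROOT/etc/{passwd,group,shadow,gshadow} with a root
# entry if they do not exist (same shape as the shadowSetup above).
init_etc() {
  root=$1
  mkdir -p "$root/etc"
  [ -f "$root/etc/passwd" ]  || echo "root:x:0:0::/root:/bin/sh" > "$root/etc/passwd"
  [ -f "$root/etc/shadow" ]  || echo "root:!:::::::"             > "$root/etc/shadow"
  [ -f "$root/etc/group" ]   || echo "root:x:0:"                 > "$root/etc/group"
  [ -f "$root/etc/gshadow" ] || echo "root:!::"                  > "$root/etc/gshadow"
  chmod 0644 "$root/etc/passwd" "$root/etc/group"
  chmod 0600 "$root/etc/shadow" "$root/etc/gshadow"   # hash fields are root-only
}

# user_uid NAME ROOT: print the uid of NAME, or nothing if it is absent.
user_uid() {
  awk -F: -v n="$1" '$1 == n { print $3 }' "$2/etc/passwd"
}

# uid_taken UID ROOT: succeed if some passwd entry already uses UID.
uid_taken() {
  awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "$2/etc/passwd"
}

# create_user ROOT NAME UID GID HOME SHELL: append the four entries and create
# HOME under ROOT. Duplicate names and uids are rejected (uid 0 included).
create_user() {
  root=$1; name=$2; uid=$3; gid=$4; home=$5; shell=$6
  init_etc "$root"
  if [ -n "$(user_uid "$name" "$root")" ]; then
    echo "create_user: user $name already exists" >&2
    return 1
  fi
  if uid_taken "$uid" "$root"; then
    echo "create_user: uid $uid already in use" >&2
    return 1
  fi
  echo "$name:x:$uid:$gid::$home:$shell" >> "$root/etc/passwd"
  echo "$name:!:::::::"                  >> "$root/etc/shadow"   # "!" = locked, no password login
  echo "$name:x:$gid:"                   >> "$root/etc/group"
  echo "$name:!::"                       >> "$root/etc/gshadow"
  mkdir -p "$root$home"
}

# Demo: stage an "app" user with uid/gid 1000 into a temporary directory.
stage=$(mktemp -d)
create_user "$stage" app 1000 1000 /home/app /bin/sh
cat "$stage/etc/passwd"
rm -rf "$stage"
```

To use the staged files, copy them into the image (for instance COPY stage/etc/ /etc/ in a Dockerfile that starts FROM a nixery.dev image) and set USER 1000:1000. Docker accepts a numeric USER with no matching passwd entry, so the entries are only strictly needed by programs that resolve their own uid to a name through getpwuid; keep the shadow line locked with "!" unless something inside the container genuinely has to authenticate.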