
Commit 2403b73

docker: Allow building for non-root user
Add options uid, gid, uname, and gname to docker.nix. Setting these to e.g. 1000, 1000, "user", "user" will build an image which runs and allows using Nix as that user.
1 parent 4161f3c commit 2403b73

1 file changed

+35
-15
lines changed


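--- a/docker.nix
+++ b/docker.nix
@@ -9,6 +9,10 @@
 , maxLayers ? 100
 , nixConf ? {}
 , flake-registry ? null
+, uid ? 0
+, gid ? 0
+, uname ? "root"
+, gname ? "root"
 }:
 let
 defaultPkgs = with pkgs; [
@@ -50,6 +54,15 @@ let
 description = "Unprivileged account (don't use!)";
 };
 
+} // lib.optionalAttrs (uid != 0) {
+"${uname}" = {
+uid = uid;
+shell = "${pkgs.bashInteractive}/bin/bash";
+home = "/home/${uname}";
+gid = gid;
+groups = [ "${gname}" ];
+description = "Nix user";
+};
 } // lib.listToAttrs (
 map
 (
@@ -70,6 +83,8 @@ let
 root.gid = 0;
 nixbld.gid = 30000;
 nobody.gid = 65534;
+} // lib.optionalAttrs (gid != 0) {
+"${gname}".gid = gid;
 };
 
 userToPasswd = (
@@ -150,6 +165,8 @@ let
 in
 "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n";
 
+userHome = if uid == 0 then "/root" else "/home/${uname}";
+
 baseSystem =
 let
 nixpkgs = pkgs.path;
@@ -237,26 +254,26 @@ let
 mkdir -p $out/etc/nix
 cat $nixConfContentsPath > $out/etc/nix/nix.conf
 
-mkdir -p $out/root
-mkdir -p $out/nix/var/nix/profiles/per-user/root
+mkdir -p $out${userHome}
+mkdir -p $out/nix/var/nix/profiles/per-user/${uname}
 
 ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
 ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
-ln -s /nix/var/nix/profiles/default $out/root/.nix-profile
+ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
 
-ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link
-ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels
+ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
+ln -s $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels
 
-mkdir -p $out/root/.nix-defexpr
-ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels
-echo "${channelURL} ${channelName}" > $out/root/.nix-channels
+mkdir -p $out${userHome}/.nix-defexpr
+ln -s $out/nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
+echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels
 
 mkdir -p $out/bin $out/usr/bin
 ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
 ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
 
 '' + (lib.optionalString (flake-registry-path != null) ''
-nixCacheDir="/root/.cache/nix"
+nixCacheDir="${userHome}/.cache/nix"
 mkdir -p $out$nixCacheDir
 globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
 ln -s ${flake-registry-path} $out$globalFlakeRegistryPath
@@ -268,7 +285,7 @@ let
 in
 pkgs.dockerTools.buildLayeredImageWithNixDb {
 
-inherit name tag maxLayers;
+inherit name tag maxLayers uid gid uname gname;
 
 contents = [ baseSystem ];
 
@@ -279,25 +296,28 @@ pkgs.dockerTools.buildLayeredImageWithNixDb {
 fakeRootCommands = ''
 chmod 1777 tmp
 chmod 1777 var/tmp
+chown -R ${toString uid}:${toString gid} .${userHome}
+chown -R ${toString uid}:${toString gid} nix
 '';
 
 config = {
-Cmd = [ "/root/.nix-profile/bin/bash" ];
+Cmd = [ "${userHome}/.nix-profile/bin/bash" ];
+User = "${toString uid}:${toString gid}";
 Env = [
-"USER=root"
+"USER=${uname}"
 "PATH=${lib.concatStringsSep ":" [
-"/root/.nix-profile/bin"
+"${userHome}/.nix-profile/bin"
 "/nix/var/nix/profiles/default/bin"
 "/nix/var/nix/profiles/default/sbin"
 ]}"
 "MANPATH=${lib.concatStringsSep ":" [
-"/root/.nix-profile/share/man"
+"${userHome}/.nix-profile/share/man"
 "/nix/var/nix/profiles/default/share/man"
 ]}"
 "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
 "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
 "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
-"NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels"
+"NIX_PATH=/nix/var/nix/profiles/per-user/${uname}/channels:${userHome}/.nix-defexpr/channels"
 ];
 };
 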
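Review bot: The new passwd entry in the `@@ -50,6 +54,15 @@` hunk is guarded by `uid != 0` alone while `uname` still defaults to `"root"`, so an image built with only `uid = 1000` adds a second `"root"` attribute that, sitting on the right of `//`, replaces the real root entry with uid 1000 and home `/home/root`; the `gid != 0` / `gname` pair in the next hunk has the same problem. Either widen the guard, `lib.optionalAttrs (uid != 0 && uname != "root")`, or fail early with `assert lib.assertMsg (uid == 0 || uname != "root") "uname must be set when uid is non-zero";` so the combination cannot be built. The same arguments are also spliced unquoted into the builder shell (`mkdir -p $out/nix/var/nix/profiles/per-user/${uname}`) and into `userHome`, so a uname containing whitespace, `/` or shell metacharacters silently yields a different filesystem layout; a check such as `assert builtins.match "[a-z_][a-z0-9_-]*" uname != null;` would turn that into a build failure. Finally, `chown -R ${toString uid}:${toString gid} nix` deserves a comment: it hands the whole store, not just the profile directories, to the unprivileged uid, which single-user (daemon-less) Nix appears to need here but means that uid can alter any store path, since an owner can always loosen the mode bits.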