Equivalent of fakeRootCommands / enableFakechroot? #134

Open
the-sun-will-rise-tomorrow opened this issue Apr 29, 2024 · 6 comments

@the-sun-will-rise-tomorrow

Hi, is there any equivalent for these attrs from nixpkgs dockerTools?

The use case for these is to build layers (well, top layer) which have file attributes (permissions, ownership) that can't be set on files in the Nix store, i.e. things like setuid executables, or run commands that can only operate on the current system (/), such as useradd.

The way it works there is to run the user specified command under some combination of fakeroot / fakechroot / proot, and then create a tarball capturing that information while still inside the emulated process space. The tarball then represents the image layer.

Thanks!

@nlewo
Owner

nlewo commented Apr 29, 2024

> file attributes (permissions, ownership) that can't be set on files in the Nix store

This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

@the-sun-will-rise-tomorrow
Author

> This is actually possible with nix2container without using fakeroot because the buildImage function takes the perms parameter allowing to set permissions on files when they are written into the tar stream: see this example.

Thank you. That looks useful, but I think the main utility of fakeRootCommands is that it allows to capture the effect of running arbitrary commands. For example, useradd modifies a number of files; in order to port a fakeRootCommands script using it to the above approach, we would need to effectively re-implement useradd in Nix.

> If a use case cannot be covered by this feature, a PR allowing to create layers with fakeroot would be welcomed.

I have thought about how this would work for a bit. In streamLayeredImage, the fakeRootCommands script runs on a view of all layers in the image, thus creating the final layer. But, as I understand, one of nix2container's advantages is that it does not build layers unless it has to, so this approach will negate said advantage.

Maybe the perms parameter is the better way to go after all.

@ulrikstrid

Another use case for running something as root is setcap to allow binding to low ports as an example. I can't find a way of doing this with nix2container currently.

@nlewo
Owner

nlewo commented Nov 12, 2024

@ulrikstrid Setting xattrs file attributes (this is what is done by setcap) is currently not supported by nix2container but it would be possible to add this feature since it is supported by the tar Go library: https://pkg.go.dev/archive/tar#Header (via the PAXRecords attribute).
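
The PAXRecords route mentioned in the comment above, as an added example that is not part of this thread or of nix2container's code: it writes a tar entry whose `security.capability` xattr matches what `setcap cap_net_bind_service=+ep` would store, with no root or fakeroot involved, then reads it back. The function names, the `bin/server` path and the file content are assumptions made for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"fmt"
)

const xattrKey = "SCHILY.xattr.security.capability" // PAX key archive/tar uses for xattrs

// capXattr encodes a revision-2 vfs_cap_data value with the effective flag set.
func capXattr(permitted uint64) []byte {
	b := make([]byte, 20) // inheritable words stay zero
	binary.LittleEndian.PutUint32(b[0:], 0x02000000|0x000001) // REVISION_2 | EFFECTIVE
	binary.LittleEndian.PutUint32(b[4:], uint32(permitted))
	binary.LittleEndian.PutUint32(b[12:], uint32(permitted>>32))
	return b
}

// buildLayer writes one root-owned file (Uid/Gid default to 0) with the xattr.
func buildLayer(name string, content, xattr []byte) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: name, Mode: 0o755, Size: int64(len(content)),
		Format: tar.FormatPAX, PAXRecords: map[string]string{xattrKey: string(xattr)}}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if _, err := tw.Write(content); err != nil {
		return nil, err
	}
	err := tw.Close() // flush the trailer before taking buf.Bytes()
	return buf.Bytes(), err
}

// readXattr returns the capability xattr of the first entry in a layer.
func readXattr(layer []byte) ([]byte, error) {
	hdr, err := tar.NewReader(bytes.NewReader(layer)).Next()
	if err != nil {
		return nil, err
	}
	return []byte(hdr.PAXRecords[xattrKey]), nil
}

func main() {
	layer, _ := buildLayer("bin/server", []byte("constructed"), capXattr(1<<10)) // bit 10: CAP_NET_BIND_SERVICE
	fmt.Println(readXattr(layer))
}
```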

@ulrikstrid

Interesting, I can look at this in the coming days when I have some time. Where would I add this to the project?

@ulrikstrid

I spent some time between tasks today to see if I could figure it out, see #156 for progress, would love some feedback or pointers.
