pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #174093 from NixOS/doc-fakenss

nixos/doc: document fakeNss, binSh

Florian Klink 00ff1542 03eb7c5b

options
unified split
Changed files
+29
doc
builders
images
dockertools.section.md
+29
doc/builders/images/dockertools.section.md 
···

       
321

       
321

       
 

       
```


     

       
322

       
322

       
 

       



     

       
323

       
323

       
 

       
Creating base files like `/etc/passwd` or `/etc/login.defs` is necessary for shadow-utils to manipulate users and groups.


     

       

       
324

       
+

       



     

       

       
325

       
+

       
## fakeNss {#ssec-pkgs-dockerTools-fakeNss}


     

       

       
326

       
+

       



     

       

       
327

       
+

       
If your primary goal is providing a basic skeleton for user lookups to work,


     

       

       
328

       
+

       
and/or a lesser privileged user, adding `pkgs.fakeNss` to


     

       

       
329

       
+

       
the container image root might be the better choice than a custom script


     

       

       
330

       
+

       
running `useradd` and friends.


     

       

       
331

       
+

       



     

       

       
332

       
+

       
It provides a `/etc/passwd` and `/etc/group`, containing `root` and `nobody`


     

       

       
333

       
+

       
users and groups.


     

       

       
334

       
+

       



     

       

       
335

       
+

       
It also provides a `/etc/nsswitch.conf`, configuring NSS host resolution to


     

       

       
336

       
+

       
first check `/etc/hosts`, before checking DNS, as the default in the absence of


     

       

       
337

       
+

       
a config file (`dns [!UNAVAIL=return] files`) is quite unexpected.


     

       

       
338

       
+

       



     

       

       
339

       
+

       
You can pair it with `binSh`, which provides `bin/sh` as a symlink


     

       

       
340

       
+

       
to `bashInteractive` (as `/bin/sh` is configured as a shell).


     

       

       
341

       
+

       



     

       

       
342

       
+

       
```nix


     

       

       
343

       
+

       
buildImage {


     

       

       
344

       
+

       
  name = "shadow-basic";


     

       

       
345

       
+

       



     

       

       
346

       
+

       
  copyToRoot = pkgs.buildEnv {


     

       

       
347

       
+

       
    name = "image-root";


     

       

       
348

       
+

       
    paths = [ binSh pkgs.fakeNss ];


     

       

       
349

       
+

       
    pathsToLink = [ "/bin" "/etc" "/var" ];


     

       

       
350

       
+

       
  };


     

       

       
351

       
+

       
}


     

       

       
352

       
+

       
```