
Nonroot containers #963

Merged (7 commits, Feb 17, 2024)

Conversation

@mcdonc (Contributor) commented Jan 28, 2024

  • Container environments will now have a "user" user.
  • The "user" user will have a home dir at /env.
  • All devenv files (the files referenced by containers.<name>.copyToRoot) will now end up in /env and will be owned by "user".
  • The /nix/store will now be owned by the "user" user.
  • /env is now the DEVENV_ROOT when within a container.
  • The shell in a container environment is now bashInteractive, which respects up arrow, down arrow, search, etc.
  • The default user in a container environment shell is now the "user" user.
  • The "user" user will now run all processes and services.
  • The max number of layers (a nix2container feature) is now an option.

I'm still a bit unsure whether the permissions of the resulting /env files are the best we can do, but I think so. They are 744, owned by the "user" user.

It would also be nice to not have container gen take so long. My usage of layers here was to try to speed things up after first gen, but it seems the practical max number of layers is around 100 at least if it is to be a Docker image, and that doesn't help much because it's doing a layer per derivation I think.
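A devenv.nix fragment showing how a container is declared under this change, added here as an illustration rather than code taken from the PR. The container name "processes" and the option containers.<name>.copyToRoot appear on the page; the option name maxLayers, the package and the process definition are assumed for the example.

```nix
{ pkgs, ... }:
{
  # Example package and process; these names are assumed for illustration.
  packages = [ pkgs.hello ];
  processes.hello.exec = "hello";

  # "processes" is one of the containers devenv defines (see the
  # .#container-processes build in the thread below).
  containers.processes = {
    # Files referenced here land in /env inside the image and are owned by
    # the non-root "user" account this PR introduces, not by root.
    copyToRoot = ./.;

    # Assumed option name for the layer cap the description mentions; the PR
    # notes that a Docker image becomes impractical past roughly 100 layers.
    maxLayers = 100;
  };
}
```

After `devenv container build processes`, a quick check that the image does not start as root is to run its default shell with `id -u` and confirm the uid is non-zero, and `ls -ln /env` inside the container should show the ownership and 744 mode described above.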

…v doesn't get installed and we ignore the copyToRoot option
@domenkozar (Member) commented Jan 30, 2024

+ nix build --impure --accept-flake-config .#container-processes
trace: warning: `vendorSha256` is deprecated. Use `vendorHash` instead
error:
       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'image-processes.json'
         whose name attribute is located at /nix/store/gsydlhd8sya1wf5prv1p8sg4dd91gna4-source/pkgs/stdenv/generic/make-derivation.nix:352:7

       … while evaluating attribute 'buildCommand' of derivation 'image-processes.json'

         at /nix/store/gsydlhd8sya1wf5prv1p8sg4dd91gna4-source/pkgs/build-support/trivial-builders/default.nix:98:16:

           97|         enableParallelBuilding = true;
           98|         inherit buildCommand name;
             |                ^
           99|         passAsFile = [ "buildCommand" ]

       (stack trace truncated; use '--show-trace' to show the full trace)

I wonder what we should do about the tests on macOS.

@domenkozar (Member) commented:

This is extremely cool 🚀

@domenkozar domenkozar merged commit 82dfff1 into cachix:python-rewrite Feb 17, 2024
7 of 8 checks passed