Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Non-root default user? #136

Open
malte-behrendt opened this issue Oct 17, 2021 · 5 comments
Open

Non-root default user? #136

malte-behrendt opened this issue Oct 17, 2021 · 5 comments

Comments

@malte-behrendt
Copy link

This is a seriously awesome project! :-D

The only thing I'm currently missing is getting/running the images with a non-root default user.

Is this possible/can you help me finding documentation on it?
Or do I have to add another layer myself?
@tazjin
Copy link
Owner

tazjin commented Oct 17, 2021

Hey! This isn't currently possible, and it's not that trivial to implement since alternative users would first have to be created. My take is generally that this sort of stuff is up to the container runtime, but you could also add additional layers to set up users within the image and change the default user setting.

Open to other suggestions, of course :)

@malte-behrendt
Copy link
Author

I completely agree on it "is up to the container runtime".

Yet I have a use case were I cannot use something like "runas": Gitlab Jobs/CI with a custom image via Gitlab's Docker Runner.

There, nixery would be absolutely awesome as it clearly states the precise requirements/tool assumptions - I just have to avoid that every custom image is started as root somehow.

@docteurklein
Copy link

docteurklein commented Dec 1, 2021
edited
Loading

Just wanted to add that I copied the shadowSetup of nix's docker build support: https://github.com/NixOS/nixpkgs/blob/e237d884326048b139b16268aa14a3c62e125529/pkgs/build-support/docker/default.nix#L129-L151

I used it as an entrypoint to my docker image and now can run postgres in this image:
nixery.dev/shell/sudo/shadow/postgresql_14/postgresql14packages.plpgsql_check

set -exuo pipefail

mkdir -p /etc/pam.d
if [[ ! -f /etc/passwd ]]; then
 echo "root:x:0:0::/root:/bin/bash" > /etc/passwd
 echo "root:!x:::::::" > /etc/shadow
fi
if [[ ! -f /etc/group ]]; then
 echo "root:x:0:" > /etc/group
 echo "root:x::" > /etc/gshadow
fi
if [[ ! -f /etc/pam.d/other ]]; then
 cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
session required pam_unix.so
EOF
fi
if [[ ! -f /etc/login.defs ]]; then
 touch /etc/login.defs
fi


# custom stuff

echo 'ALL ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/all.conf

useradd -m app

mkdir -p "$PGDATA" /run/postgresql
chown -R app:app "$PGDATA" /run/postgresql

sudo -E -u app pg_ctl initdb
#sudo -E -u app pg_ctl -w start -o '-c shared_preload_libraries=plpgsql,plpgsql_check'

exec "$@"

Postgres requires non-root to run.
I tried using su, but only got it working with sudo so far.

@docteurklein
Copy link

docteurklein commented Dec 1, 2021
edited
Loading

Would it be possible for nixery to include this shadowSetup entrypoint automatically?

@whazor
Copy link

whazor commented Jun 11, 2022

it would be nice to have a 'package' like shell that creates a new user under 1000:1000.

Or maybe even a special prefix url where Nixery creates the user under /etc/passwd as a bottom docker layer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@docteurklein @whazor @tazjin @malte-behrendt