Nonroot containers (redux)

docs/reference/options.md

@@ -182,6 +182,21 @@ signed integer
 
 
 
+## containers.\<name>.maxLayers
+
+The maximum number of layers created when the container is created.
+
+*Type:*
+int
+
+*Default:*
+` 1 `
+
+*Declared by:*
+ - [https://github.com/cachix/devenv/blob/main/src/modules/containers.nix](https://github.com/cachix/devenv/blob/main/src/modules/containers.nix)
+
+
+
 ## containers.\<name>.name
 
 Name of the container.

src/devenv/cli.py

@@ -179,7 +179,6 @@ def cli(ctx, offline, system, debugger, nix_flags, verbose):
     ctx.obj["gc_root"] = DEVENV_HOME_GC
     ctx.obj["gc_project"] = DEVENV_HOME_GC / str(int(time.time() * 1000))
 
-
 @cli.group()
 def processes():
     pass

src/modules/containers.nix

@@ -21,8 +21,9 @@ let
     attribute = "containers";
   };
   shell = mk-shell-bin.lib.mkShellBin { drv = config.shell; nixpkgs = pkgs; };
+  bash = "${pkgs.bashInteractive}/bin/bash";
   mkEntrypoint = cfg: pkgs.writeScript "entrypoint" ''
-    #!${pkgs.bash}/bin/bash
+    #!${bash}
 
     export PATH=/bin
 
@@ -31,45 +32,128 @@ let
     # expand any envvars before exec
     cmd="`echo "$@"|${pkgs.envsubst}/bin/envsubst`"
 
-    ${pkgs.bash}/bin/bash -c "$cmd"
+    ${bash} -c "$cmd"
   '';
+  user = "user";
+  group = "user";
+  uid = "1000";
+  gid = "1000";
+  homeDir = "/env";
+
+  mkHome = path: (pkgs.runCommand "devenv-container-home" { } ''
+    mkdir -p $out${homeDir}
+    cp -R ${path}/* $out${homeDir}/
+  '');
+
+  mkMultiHome = paths: map mkHome paths;
+
+  homeRoots = cfg: (
+    if (builtins.typeOf cfg.copyToRoot == "list")
+    then cfg.copyToRoot
+    else [ cfg.copyToRoot ]
+  );
+
+  mkTmp = (pkgs.runCommand "devenv-container-tmp" { } ''
+    mkdir -p $out/tmp
+  '');
+
+  mkEtc = (pkgs.runCommand "devenv-container-etc" { } ''
+    mkdir -p $out/etc/pam.d
+
+    echo "root:x:0:0:System administrator:/root:${bash}" > \
+          $out/etc/passwd
+    echo "${user}:x:${uid}:${gid}::${homeDir}:${bash}" >> \
+          $out/etc/passwd
+
+    echo "root:!x:::::::" > $out/etc/shadow
+    echo "${user}:!x:::::::" >> $out/etc/shadow
+
+    echo "root:x:0:" > $out/etc/group
+    echo "${group}:x:${gid}:" >> $out/etc/group
+
+    cat > $out/etc/pam.d/other <<EOF
+    account sufficient pam_unix.so
+    auth sufficient pam_rootok.so
+    password requisite pam_unix.so nullok sha512
+    session required pam_unix.so
+    EOF
+
+    touch $out/etc/login.defs
+  '');
+
+  mkPerm = derivation:
+    {
+      path = derivation;
+      mode = "0744";
+      uid = lib.toInt uid;
+      gid = lib.toInt gid;
+      uname = user;
+      gname = group;
+    };
+
+
   mkDerivation = cfg: nix2container.nix2container.buildImage {
     name = cfg.name;
     tag = cfg.version;
-    maxLayers = cfg.maxLayers;
+    initializeNixDatabase = true;
+    nixUid = lib.toInt uid;
+    nixGid = lib.toInt gid;
+
     copyToRoot = [
-      (pkgs.runCommand "create-paths" { } ''
-        mkdir -p $out/tmp
-        mkdir -p $out/usr/bin
-        ln -s ${pkgs.coreutils-full}/bin/env $out/usr/bin/env
-      '')
       (pkgs.buildEnv {
-        name = "root";
+        name = "devenv-container-root";
         paths = [
           pkgs.coreutils-full
-          pkgs.dockerTools.caCertificates
-          pkgs.bash
-        ] ++ lib.optionals (cfg.copyToRoot != null)
-          (if builtins.typeOf cfg.copyToRoot == "list"
-          then cfg.copyToRoot
-          else [ cfg.copyToRoot ]);
-        pathsToLink = [ "/" "/lib" ];
+          pkgs.bashInteractive
+          pkgs.su
+          pkgs.sudo
+        ];
+        pathsToLink = "/bin";
+      })
+      mkEtc
+      mkTmp
+    ];
+
+    maxLayers = cfg.maxLayers;
+
+    layers = [
+      (nix2container.nix2container.buildLayer {
+        perms = map mkPerm (mkMultiHome (homeRoots cfg));
+        copyToRoot = mkMultiHome (homeRoots cfg);
       })
     ];
+
+    perms = [
+      {
+        path = mkTmp;
+        regex = "/tmp";
+        mode = "1777";
+        uid = 0;
+        gid = 0;
+        uname = "root";
+        gname = "root";
+      }
+    ];
+
     config = {
-      Env = lib.mapAttrsToList (name: value: "${name}=${lib.escapeShellArg (toString value)}") config.env;
-      Cmd = [ cfg.startupCommand ];
       Entrypoint = cfg.entrypoint;
+      User = "${user}";
+      WorkingDir = "${homeDir}";
+      Env = lib.mapAttrsToList
+        (name: value:
+          "${name}=${lib.escapeShellArg (toString value)}"
+        )
+        config.env ++ [ "HOME=${homeDir}" "USER=${user}" ];
+      Cmd = [ cfg.startupCommand ];
     };
   };
 
-  # <container> <registry> <args>
+  # <registry> <args>
   mkCopyScript = cfg: pkgs.writeScript "copy-container" ''
     container=$1
     shift
 
-
-    if [[ "$1" == "" ]]; then
+    if [[ "$1" == false ]]; then
       registry=${cfg.registry}
     else
       registry="$1"
@@ -141,6 +225,12 @@ let
         default = "docker://";
       };
 
+      maxLayers = lib.mkOption {
+        type = types.nullOr types.int;
+        description = "Maximum number of container layers created.";
+        default = 1;
+      };
+
       isBuilding = lib.mkOption {
         type = types.bool;
         default = false;
@@ -163,18 +253,11 @@ let
         type = types.package;
         internal = true;
         default = pkgs.writeScript "docker-run" ''
-          #!${pkgs.bash}/bin/bash
+          #!${bash}
 
           docker run -it ${config.name}:${config.version} "$@"
         '';
       };
-
-      maxLayers = lib.mkOption {
-        type = types.int;
-        description = "the maximum number of layers to create.";
-        defaultText = lib.literalExpression "1";
-        default = 1;
-      };
     };
   });
 in
@@ -201,7 +284,7 @@ in
 
       containers.shell = {
         name = lib.mkDefault "shell";
-        startupCommand = lib.mkDefault "bash";
+        startupCommand = lib.mkDefault bash;
       };
 
       containers.processes = {
@@ -213,7 +296,7 @@ in
       containers.${envContainerName}.isBuilding = true;
     })
     (lib.mkIf config.container.isBuilding {
-      devenv.root = lib.mkForce "/";
+      devenv.root = lib.mkForce "${homeDir}";
     })
   ];
 }