GNU bug report logs -
#37162
‘guix pack -f docker’ creates an image without /etc/passwd
Previous Next
To reply to this bug, email your comments to 37162 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Fri, 23 Aug 2019 15:01:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ludovic Courtès <ludovic.courtes <at> inria.fr>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Fri, 23 Aug 2019 15:01:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
‘guix pack -f docker’ currently creates an image without
/etc/{passwd,group,shadow}.
It’s OK most of the time, but again it looks like a gratuitous annoyance
for those cases where having them around matters (that’s also the reason
why guix-daemon creates them.)
Unless there are objections, I’d like to create these with just the
“root” and “nobody” accounts. Or should we have a regular unprivileged
account? But then what should its UID be?
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Fri, 23 Aug 2019 20:17:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> ‘guix pack -f docker’ currently creates an image without
> /etc/{passwd,group,shadow}.
[…]
> Unless there are objections, I’d like to create these with just the
> “root” and “nobody” accounts. Or should we have a regular unprivileged
> account? But then what should its UID be?
Is there perhaps a configuration that we could add to the Docker image
meta-data to have Docker do the right thing? The right thing might be
to map these files from the host into the container automatically, or to
instruct Docker to create them when starting the container.
I would prefer to accomplish this via configuration “hints” if possible
instead of creating dummy files with specific contents.
(I don’t know if this is at all possible.)
--
Ricardo
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Sun, 25 Aug 2019 12:34:02 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Ludovic,
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> ‘guix pack -f docker’ currently creates an image without
> /etc/{passwd,group,shadow}.
>
> It’s OK most of the time, but again it looks like a gratuitous annoyance
> for those cases where having them around matters (that’s also the reason
> why guix-daemon creates them.)
Would that include the files required for PAM authentication to work
correctly? I remember struggling with this use case: using the Docker
image with CQFD wrapper, which must be able to create a user and
sudo'ing (or 'su') to it in the docker container. I had started
populating base files such as shadow, passwd, etc. but when confronted
with the PAM configuration (which sudo was complaining about), it
appeared intimidating. I then decided to modify my operating system
declaration so that it'd contain the required Shepherd services that
populate /etc, and devise a hack to call
'/var/guix/profiles/system/boot' when the container would start.
The minimal system configuration (+ python stuff, which was the
requirement) I came up with was:
--8<---------------cut here---------------end--------------->8---
;; This is an operating system configuration template for a bare-bone,
;; containerization-friendly setup, with no X11 display server and
;; no Guix daemon / client.
(use-modules (gnu)
(gnu packages bash)
(gnu packages python)
(gnu packages python-xyz)
(gnu packages xml)
(guix packages))
(operating-system
(host-name "robot-framework")
(timezone "America/Montreal")
;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
;; target hard disk, and "my-root" is the label of the target
;; root file system.
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")))
(file-systems (cons (file-system
(device (file-system-label "my-root"))
(mount-point "/")
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "builder")
(group "users")
(supplementary-groups '("wheel"))
(home-directory "/home/builder"))
%base-user-accounts))
;; Globally-installed packages.
(packages (cons* python-wrapper
(list python "tk")
python-robotframework
python-robotframework-sshlibrary
python-robotframework-lint
python-xmltodict
%base-packages))
(services (list
;; Enable #!/bin/sh and #!/bin/bash shebangs.
(service special-files-service-type
`(("/bin/bash" ,(file-append (canonical-package bash)
"/bin/bash"))))
(service special-files-service-type
`(("/bin/sh" ,(file-append (canonical-package bash)
"/bin/sh"))))
;; The following is a very small subset extracted of
;; %base-services.
(service login-service-type)
(service udev-service-type (udev-configuration))
(syslog-service)))
;; When using sudo, by default some environment variables such as
;; PYTHONPATH are dropped. Make it so that any environment
;; variables are honored. This is important so that the Guix system
;; profile can work correctly for any user.
(sudoers-file (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Defaults !env_reset,!env_delete\n")))
--8<---------------cut here---------------end--------------->8---
Maxim
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Sun, 25 Aug 2019 16:29:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Hi Maxim,
> Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>
>> ‘guix pack -f docker’ currently creates an image without
>> /etc/{passwd,group,shadow}.
>>
>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>> for those cases where having them around matters (that’s also the reason
>> why guix-daemon creates them.)
>
> Would that include the files required for PAM authentication to work
> correctly? I remember struggling with this use case: using the Docker
> image with CQFD wrapper, which must be able to create a user and
> sudo'ing (or 'su') to it in the docker container.
I wonder if at this point it wouldn’t be better to build a whole system
container. Isn’t that outside the scope of “guix pack” and rather a
task for “guix system”?
--
Ricardo
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Mon, 26 Aug 2019 00:21:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Hello Ricardo,
Ricardo Wurmus <rekado <at> elephly.net> writes:
> Hi Maxim,
>
>> Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>>
>>> ‘guix pack -f docker’ currently creates an image without
>>> /etc/{passwd,group,shadow}.
>>>
>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>> for those cases where having them around matters (that’s also the reason
>>> why guix-daemon creates them.)
>>
>> Would that include the files required for PAM authentication to work
>> correctly? I remember struggling with this use case: using the Docker
>> image with CQFD wrapper, which must be able to create a user and
>> sudo'ing (or 'su') to it in the docker container.
>
> I wonder if at this point it wouldn’t be better to build a whole system
> container. Isn’t that outside the scope of “guix pack” and rather a
> task for “guix system”?
Probably! But then one has to wonder if adding some base files to `guix
pack' is not one of those slippery slopes where users come back
expecting more stuff to be there?
What use case(s) exactly depend on the presence of the
/etc/{passwd,group,shadow} files?
Maxim
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Mon, 26 Aug 2019 07:39:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
> Ricardo Wurmus <rekado <at> elephly.net> writes:
>
>> Hi Maxim,
>>
>>> Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>>>
>>>> ‘guix pack -f docker’ currently creates an image without
>>>> /etc/{passwd,group,shadow}.
>>>>
>>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>>> for those cases where having them around matters (that’s also the reason
>>>> why guix-daemon creates them.)
>>>
>>> Would that include the files required for PAM authentication to work
>>> correctly? I remember struggling with this use case: using the Docker
>>> image with CQFD wrapper, which must be able to create a user and
>>> sudo'ing (or 'su') to it in the docker container.
>>
>> I wonder if at this point it wouldn’t be better to build a whole system
>> container. Isn’t that outside the scope of “guix pack” and rather a
>> task for “guix system”?
I think so.
> Probably! But then one has to wonder if adding some base files to `guix
> pack' is not one of those slippery slopes where users come back
> expecting more stuff to be there?
>
> What use case(s) exactly depend on the presence of the
> /etc/{passwd,group,shadow} files?
Generally, absent these files, getpw(3) and co. won’t give useful
results, and some applications will behave poorly (e.g., the PS1 prompt
in Bash can’t show the user name; ‘id’ fails).
Most of the time it’s just a minor inconvenience.
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Mon, 26 Aug 2019 11:40:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>> What use case(s) exactly depend on the presence of the
>> /etc/{passwd,group,shadow} files?
>
> Generally, absent these files, getpw(3) and co. won’t give useful
> results, and some applications will behave poorly (e.g., the PS1 prompt
> in Bash can’t show the user name; ‘id’ fails).
>
> Most of the time it’s just a minor inconvenience.
I think it’s fine to add these files to avoid this source of
inconvenience.
Perhaps it would be good to recommend in the manual the use of “guix
system” for those who need more control over the contents of these
files.
And maybe we can make some really simple template system configuration
available to “guix system” without requiring users to fully specify the
operating system configuration. I’m thinking of something like this
where %simple-os is made available by default:
(operating-system
(inherit %simple-os)
(packages (list "a" "b" "c")))
--
Ricardo
Information forwarded
to
bug-guix <at> gnu.org:
bug#37162; Package
guix.
(Sat, 31 Aug 2019 06:04:02 GMT)
Full text and
rfc822 format available.
Message #26 received at 37162 <at> debbugs.gnu.org (full text, mbox):
Hello! Sorry for the late reply.
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> Ricardo Wurmus <rekado <at> elephly.net> writes:
>>
>>> Hi Maxim,
>>>
>>>> Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>>>>
>>>>> ‘guix pack -f docker’ currently creates an image without
>>>>> /etc/{passwd,group,shadow}.
>>>>>
>>>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>>>> for those cases where having them around matters (that’s also the reason
>>>>> why guix-daemon creates them.)
>>>>
>>>> Would that include the files required for PAM authentication to work
>>>> correctly? I remember struggling with this use case: using the Docker
>>>> image with CQFD wrapper, which must be able to create a user and
>>>> sudo'ing (or 'su') to it in the docker container.
>>>
>>> I wonder if at this point it wouldn’t be better to build a whole system
>>> container. Isn’t that outside the scope of “guix pack” and rather a
>>> task for “guix system”?
>
> I think so.
>
>> Probably! But then one has to wonder if adding some base files to `guix
>> pack' is not one of those slippery slopes where users come back
>> expecting more stuff to be there?
>>
>> What use case(s) exactly depend on the presence of the
>> /etc/{passwd,group,shadow} files?
>
> Generally, absent these files, getpw(3) and co. won’t give useful
> results, and some applications will behave poorly (e.g., the PS1 prompt
> in Bash can’t show the user name; ‘id’ fails).
I see! I understand better the source of the annoyance now, thanks!
> Most of the time it’s just a minor inconvenience.
It seems OK to me to add those small files since make the experience
better.
Maxim
This bug report was last modified 5 years and 285 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.