From a01ad63893da1f1cf1b35482037382030724716c Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Thu, 17 Mar 2016 23:19:25 -0400
Subject: [PATCH] environment: container: Create dummy home directory and /etc/passwd.

* guix/scripts/environment.scm (launch-environment/container): Change $HOME to the current user's home directory instead of /homeless-shelter. Create a dummy /etc/passwd with a single entry for the current user.
* doc/guix.texi ("invoking guix environment"): Add a note about the dummy home directory and /etc/passwd.
---
 doc/guix.texi | 15 ++++++++-------
 guix/scripts/environment.scm | 31 +++++++++++++++++++++----------
 2 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b618480353..008a5cf714 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3292,7 +3292,7 @@ omitted since it will take place implicitly, as we will see later
 @end example
 @c See
-@c
+@c
 @c for the funny quote.
 Calling the monadic @code{sh-symlink} has no effect. As someone once said, ``you exit a monad like you exit a building on fire: by running''.
@@ -4339,7 +4339,7 @@ So for instance, imagine you want to see the build log of GDB on MIPS, but you are actually on an @code{x86_64} machine:
 @example
-$ guix build --log-file gdb -s mips64el-linux
+$ guix build --log-file gdb -s mips64el-linux
 https://hydra.gnu.org/log/@dots{}-gdb-7.10
 @end example
@@ -5338,10 +5338,11 @@ Attempt to build for @var{system}---e.g., @code{i686-linux}.
 @itemx -C
 @cindex container
 Run @var{command} within an isolated container. The current working
-directory outside the container is mapped inside the
-container. Additionally, the spawned process runs as the current user
-outside the container, but has root privileges in the context of the
-container.
+directory outside the container is mapped inside the container.
+Additionally, a dummy home directory is created that matches the current
+user's home directory, and @file{/etc/passwd} is configured accordingly.
+The spawned process runs as the current user outside the container, but
+has root privileges in the context of the container.
 
 @item --network
 @itemx -N
@@ -8748,7 +8749,7 @@ isn't enough disk space, just skip it.
 @item fcntl
 Use this if possible. Works with NFS too if lockd is used.
 @item flock
-May not exist in all systems. Doesn't work with NFS.
+May not exist in all systems. Doesn't work with NFS.
 @item lockf
 May not exist in all systems. Doesn't work with NFS.
 @end table
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index b122b4cd40..0d5cab432c 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -373,6 +373,7 @@ host file systems to mount inside the container."
 (list (direct-store-path bash) profile))))
 (return
 (let* ((cwd (getcwd))
+ (passwd (getpwuid (getuid)))
 ;; Bind-mount all requisite store items, user-specified mappings,
 ;; /bin/sh, the current working directory, and possibly networking
 ;; configuration files within the container.
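Review bot: The new `(passwd (getpwuid (getuid)))` binding in the @@ -373 hunk has no fallback for a uid that has no passwd entry on the host, which is common on CI runners and inside nested containers that run under an arbitrary uid; if I remember right, Guile's getpwuid signals an error rather than returning #f in that case, so the whole container setup would abort with a generic lookup error instead of a hint about the missing entry. Since this lookup sits in the let* presumably before the container is entered, catching that error and reporting the uid, or substituting a synthetic entry built from `(getuid)` and `(getenv "HOME")`, would keep the container mode usable on such hosts. launch-environment/container starts before this hunk and continues past it.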
@@ -417,16 +418,26 @@ host file systems to mount inside the container."
 ;; The same variables as in Nix's 'build.cc'.
 '("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
 
- ;; From Nix build.cc:
- ;;
- ;; Set HOME to a non-existing path to prevent certain
- ;; programs from using /etc/passwd (or NIS, or whatever)
- ;; to locate the home directory (for example, wget looks
- ;; for ~/.wgetrc). I.e., these tools use /etc/passwd if
- ;; HOME is not set, but they will just assume that the
- ;; settings file they are looking for does not exist if
- ;; HOME is set but points to some non-existing path.
- (setenv "HOME" "/homeless-shelter")
+ ;; Create a dummy home directory under the same name as on the
+ ;; host.
+ (mkdir-p (passwd:dir passwd))
+ (setenv "HOME" (passwd:dir passwd))
+
+ ;; Create a dummy /etc/passwd to satisfy applications that demand
+ ;; to read it, such as 'git clone' over SSH, a valid use-case when
+ ;; sharing the host's network namespace.
+ (mkdir-p "/etc")
+ (call-with-output-file "/etc/passwd"
+ (lambda (port)
+ (display (string-join (list (passwd:name passwd)
+ "x" ; but there is no shadow
+ "0" "0" ; user is now root
+ (passwd:gecos passwd)
+ (passwd:dir passwd)
+ bash)
+ ":")
+ port)
+ (newline port)))
 
 ;; For convenience, start in the user's current working
 ;; directory rather than the root directory.
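Review bot: The write to `/etc/passwd` is unconditional, so when the user has mapped /etc into the container through the user-specified mappings named in the @@ -373 hunk's comment (`--expose` or `--share`), `call-with-output-file` either aborts the environment on a read-only mapping or, on a writable share where the invoking user can write the host file, replaces the host's real /etc/passwd with this single uid-0 entry. Guarding the block as `(unless (file-exists? "/etc/passwd") (call-with-output-file "/etc/passwd" …))` keeps the dummy file for the usual fresh root and leaves a mapped one alone; `(mkdir-p (passwd:dir passwd))` is already idempotent for a shared home. Only /etc/passwd is synthesized, so tools that also resolve the primary group may still fail on the absent /etc/group — worth stating in the comment, e.g. `;; No /etc/group is created; group lookups for the user will still fail.` The removed Nix rationale (HOME pointing at a nonexistent path so tools skip dotfiles) is now moot only because the created directory is empty; a short comment noting that dotfiles reappear when the user shares their home would preserve that context. launch-environment/container begins and ends outside this hunk.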