environment: container: Create dummy home directory and /etc/passwd.
* guix/scripts/environment.scm (launch-environment/container): Change
$HOME to the current user's home directory instead of
/homeless-shelter. Create a dummy /etc/passwd with a single entry for
the current user.
* doc/guix.texi ("invoking guix environment"): Add a note about the
dummy home directory and /etc/passwd.
This commit is contained in:
David Thompson
parent
bf9eacd2af
commit
a01ad63893
|
|
@ -3292,7 +3292,7 @@ omitted since it will take place implicitly, as we will see later
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@c See
|
@c See
|
||||||
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
|
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
|
||||||
@c for the funny quote.
|
@c for the funny quote.
|
||||||
Calling the monadic @code{sh-symlink} has no effect. As someone once
|
Calling the monadic @code{sh-symlink} has no effect. As someone once
|
||||||
said, ``you exit a monad like you exit a building on fire: by running''.
|
said, ``you exit a monad like you exit a building on fire: by running''.
|
||||||
|
|
@ -4339,7 +4339,7 @@ So for instance, imagine you want to see the build log of GDB on MIPS,
|
||||||
but you are actually on an @code{x86_64} machine:
|
but you are actually on an @code{x86_64} machine:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
$ guix build --log-file gdb -s mips64el-linux
|
$ guix build --log-file gdb -s mips64el-linux
|
||||||
https://hydra.gnu.org/log/@dots{}-gdb-7.10
|
https://hydra.gnu.org/log/@dots{}-gdb-7.10
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
|
|
@ -5338,10 +5338,11 @@ Attempt to build for @var{system}---e.g., @code{i686-linux}.
|
||||||
@itemx -C
|
@itemx -C
|
||||||
@cindex container
|
@cindex container
|
||||||
Run @var{command} within an isolated container. The current working
|
Run @var{command} within an isolated container. The current working
|
||||||
directory outside the container is mapped inside the
|
directory outside the container is mapped inside the container.
|
||||||
container. Additionally, the spawned process runs as the current user
|
Additionally, a dummy home directory is created that matches the current
|
||||||
outside the container, but has root privileges in the context of the
|
user's home directory, and @file{/etc/passwd} is configured accordingly.
|
||||||
container.
|
The spawned process runs as the current user outside the container, but
|
||||||
|
has root privileges in the context of the container.
|
||||||
|
|
||||||
@item --network
|
@item --network
|
||||||
@itemx -N
|
@itemx -N
|
||||||
|
|
@ -8748,7 +8749,7 @@ isn't enough disk space, just skip it.
|
||||||
@item fcntl
|
@item fcntl
|
||||||
Use this if possible. Works with NFS too if lockd is used.
|
Use this if possible. Works with NFS too if lockd is used.
|
||||||
@item flock
|
@item flock
|
||||||
May not exist in all systems. Doesn't work with NFS.
|
May not exist in all systems. Doesn't work with NFS.
|
||||||
@item lockf
|
@item lockf
|
||||||
May not exist in all systems. Doesn't work with NFS.
|
May not exist in all systems. Doesn't work with NFS.
|
||||||
@end table
|
@end table
|
||||||
|
|
|
||||||
|
|
@ -373,6 +373,7 @@ host file systems to mount inside the container."
|
||||||
(list (direct-store-path bash) profile))))
|
(list (direct-store-path bash) profile))))
|
||||||
(return
|
(return
|
||||||
(let* ((cwd (getcwd))
|
(let* ((cwd (getcwd))
|
||||||
|
(passwd (getpwuid (getuid)))
|
||||||
;; Bind-mount all requisite store items, user-specified mappings,
|
;; Bind-mount all requisite store items, user-specified mappings,
|
||||||
;; /bin/sh, the current working directory, and possibly networking
|
;; /bin/sh, the current working directory, and possibly networking
|
||||||
;; configuration files within the container.
|
;; configuration files within the container.
|
||||||
|
|
@ -417,16 +418,26 @@ host file systems to mount inside the container."
|
||||||
;; The same variables as in Nix's 'build.cc'.
|
;; The same variables as in Nix's 'build.cc'.
|
||||||
'("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
|
'("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
|
||||||
|
|
||||||
;; From Nix build.cc:
|
;; Create a dummy home directory under the same name as on the
|
||||||
;;
|
;; host.
|
||||||
;; Set HOME to a non-existing path to prevent certain
|
(mkdir-p (passwd:dir passwd))
|
||||||
;; programs from using /etc/passwd (or NIS, or whatever)
|
(setenv "HOME" (passwd:dir passwd))
|
||||||
;; to locate the home directory (for example, wget looks
|
|
||||||
;; for ~/.wgetrc). I.e., these tools use /etc/passwd if
|
;; Create a dummy /etc/passwd to satisfy applications that demand
|
||||||
;; HOME is not set, but they will just assume that the
|
;; to read it, such as 'git clone' over SSH, a valid use-case when
|
||||||
;; settings file they are looking for does not exist if
|
;; sharing the host's network namespace.
|
||||||
;; HOME is set but points to some non-existing path.
|
(mkdir-p "/etc")
|
||||||
(setenv "HOME" "/homeless-shelter")
|
(call-with-output-file "/etc/passwd"
|
||||||
|
(lambda (port)
|
||||||
|
(display (string-join (list (passwd:name passwd)
|
||||||
|
"x" ; but there is no shadow
|
||||||
|
"0" "0" ; user is now root
|
||||||
|
(passwd:gecos passwd)
|
||||||
|
(passwd:dir passwd)
|
||||||
|
bash)
|
||||||
|
":")
|
||||||
|
port)
|
||||||
|
(newline port)))
|
||||||
|
|
||||||
;; For convenience, start in the user's current working
|
;; For convenience, start in the user's current working
|
||||||
;; directory rather than the root directory.
|
;; directory rather than the root directory.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue