environment: container: Create dummy home directory and /etc/passwd.

* guix/scripts/environment.scm (launch-environment/container): Change
$HOME to the current user's home directory instead of
/homeless-shelter.  Create a dummy /etc/passwd with a single entry for
the current user.
* doc/guix.texi ("invoking guix environment"): Add a note about the
dummy home directory and /etc/passwd.
David Thompson 2016-03-17 23:19:25 -04:00
parent bf9eacd2af
commit a01ad63893
2 changed files with 29 additions and 17 deletions

doc/guix.texi

@ -3292,7 +3292,7 @@ omitted since it will take place implicitly, as we will see later
@end example
@c See
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
@c for the funny quote.
Calling the monadic @code{sh-symlink} has no effect. As someone once
said, ``you exit a monad like you exit a building on fire: by running''.
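Review bot: the removed and added lines of this hunk (the @c URL line at 3292) read as identical text in this rendering, so the change is invisible here, presumably trailing whitespace; the hunks at 4339 and 8748 below have the same shape. These edits are unrelated to the container change that the commit message describes and would be cleaner as a separate whitespace-cleanup commit, or at least mentioned in the message so that the "29 additions and 17 deletions" count is not misread as container work.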
@ -4339,7 +4339,7 @@ So for instance, imagine you want to see the build log of GDB on MIPS,
but you are actually on an @code{x86_64} machine:
@example
$ guix build --log-file gdb -s mips64el-linux
$ guix build --log-file gdb -s mips64el-linux
https://hydra.gnu.org/log/@dots{}-gdb-7.10
@end example
@ -5338,10 +5338,11 @@ Attempt to build for @var{system}---e.g., @code{i686-linux}.
@itemx -C
@cindex container
Run @var{command} within an isolated container. The current working
directory outside the container is mapped inside the
container. Additionally, the spawned process runs as the current user
outside the container, but has root privileges in the context of the
container.
directory outside the container is mapped inside the container.
Additionally, a dummy home directory is created that matches the current
user's home directory, and @file{/etc/passwd} is configured accordingly.
The spawned process runs as the current user outside the container, but
has root privileges in the context of the container.
@item --network
@itemx -N
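Review bot: "a dummy home directory is created that matches the current user's home directory" can be read as the host home being shared into the container; the added text should say that only the path matches and that the directory starts out empty, so dotfiles such as ~/.ssh or ~/.gitconfig are not visible inside unless the user maps them in explicitly. It would also help to state what the @file{/etc/passwd} entry contains (the current user's name with UID 0), since that is what makes the following sentence about root privileges in the container consistent for tools that look the user up by UID.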
@ -8748,7 +8749,7 @@ isn't enough disk space, just skip it.
@item fcntl
Use this if possible. Works with NFS too if lockd is used.
@item flock
May not exist in all systems. Doesn't work with NFS.
May not exist in all systems. Doesn't work with NFS.
@item lockf
May not exist in all systems. Doesn't work with NFS.
@end table

guix/scripts/environment.scm

@ -373,6 +373,7 @@ (define* (launch-environment/container #:key command bash user-mappings
(list (direct-store-path bash) profile))))
(return
(let* ((cwd (getcwd))
(passwd (getpwuid (getuid)))
;; Bind-mount all requisite store items, user-specified mappings,
;; /bin/sh, the current working directory, and possibly networking
;; configuration files within the container.
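Review bot: (getpwuid (getuid)) in the new let* binding raises a system-error when the calling UID has no passwd entry (for example when guix environment is itself run inside a container, or under a broken NIS/LDAP setup), and nothing here catches it, so the command would abort before the container is created; consider falling back to the previous /homeless-shelter behaviour in that case, e.g. by wrapping the lookup in catch 'system-error and binding passwd to #f. Doing the lookup at this point, on the host side before the namespaces are entered, is otherwise the right choice, since the host's /etc/passwd is not visible once inside the container.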
@ -417,16 +418,26 @@ (define* (launch-environment/container #:key command bash user-mappings
;; The same variables as in Nix's 'build.cc'.
'("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
;; From Nix build.cc:
;;
;; Set HOME to a non-existing path to prevent certain
;; programs from using /etc/passwd (or NIS, or whatever)
;; to locate the home directory (for example, wget looks
;; for ~/.wgetrc). I.e., these tools use /etc/passwd if
;; HOME is not set, but they will just assume that the
;; settings file they are looking for does not exist if
;; HOME is set but points to some non-existing path.
(setenv "HOME" "/homeless-shelter")
;; Create a dummy home directory under the same name as on the
;; host.
(mkdir-p (passwd:dir passwd))
(setenv "HOME" (passwd:dir passwd))
;; Create a dummy /etc/passwd to satisfy applications that demand
;; to read it, such as 'git clone' over SSH, a valid use-case when
;; sharing the host's network namespace.
(mkdir-p "/etc")
(call-with-output-file "/etc/passwd"
(lambda (port)
(display (string-join (list (passwd:name passwd)
"x" ; but there is no shadow
"0" "0" ; user is now root
(passwd:gecos passwd)
(passwd:dir passwd)
bash)
":")
port)
(newline port)))
;; For convenience, start in the user's current working
;; directory rather than the root directory.
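Review bot: the dummy /etc/passwd gives the user GID 0, but no matching /etc/group is written, so group lookups inside the container (getgrgid, and therefore ls -l, id, and anything resolving the primary group name) will fail or print a bare number; write a one-line /etc/group next to it (the user's name or root with GID 0) in the same call-with-output-file style. Two smaller points in the same block: passwd:gecos is inserted unescaped, so a GECOS string containing ':' would corrupt the entry and should be sanitised; and the Nix rationale deleted above (a non-existent HOME makes tools skip their rc files) still holds only because the new directory is created empty, so a comment saying the directory is deliberately left empty, and that mapping the host home back in through user-mappings re-exposes those files, would keep that intent visible to the next reader.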