mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
environment: container: Create dummy home directory and /etc/passwd.
* guix/scripts/environment.scm (launch-environment/container): Change $HOME to the current user's home directory instead of /homeless-shelter. Create a dummy /etc/passwd with a single entry for the current user. * doc/guix.texi ("invoking guix environment"): Add a note about the dummy home directory and /etc/passwd.
This commit is contained in:
parent
bf9eacd2af
commit
a01ad63893
2 changed files with 29 additions and 17 deletions
|
@ -3292,7 +3292,7 @@ omitted since it will take place implicitly, as we will see later
|
|||
@end example
|
||||
|
||||
@c See
|
||||
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
|
||||
@c <https://syntaxexclamation.wordpress.com/2014/06/26/escaping-continuations/>
|
||||
@c for the funny quote.
|
||||
Calling the monadic @code{sh-symlink} has no effect. As someone once
|
||||
said, ``you exit a monad like you exit a building on fire: by running''.
|
||||
|
@ -4339,7 +4339,7 @@ So for instance, imagine you want to see the build log of GDB on MIPS,
|
|||
but you are actually on an @code{x86_64} machine:
|
||||
|
||||
@example
|
||||
$ guix build --log-file gdb -s mips64el-linux
|
||||
$ guix build --log-file gdb -s mips64el-linux
|
||||
https://hydra.gnu.org/log/@dots{}-gdb-7.10
|
||||
@end example
|
||||
|
||||
|
@ -5338,10 +5338,11 @@ Attempt to build for @var{system}---e.g., @code{i686-linux}.
|
|||
@itemx -C
|
||||
@cindex container
|
||||
Run @var{command} within an isolated container. The current working
|
||||
directory outside the container is mapped inside the
|
||||
container. Additionally, the spawned process runs as the current user
|
||||
outside the container, but has root privileges in the context of the
|
||||
container.
|
||||
directory outside the container is mapped inside the container.
|
||||
Additionally, a dummy home directory is created that matches the current
|
||||
user's home directory, and @file{/etc/passwd} is configured accordingly.
|
||||
The spawned process runs as the current user outside the container, but
|
||||
has root privileges in the context of the container.
|
||||
|
||||
@item --network
|
||||
@itemx -N
|
||||
|
@ -8748,7 +8749,7 @@ isn't enough disk space, just skip it.
|
|||
@item fcntl
|
||||
Use this if possible. Works with NFS too if lockd is used.
|
||||
@item flock
|
||||
May not exist in all systems. Doesn't work with NFS.
|
||||
May not exist in all systems. Doesn't work with NFS.
|
||||
@item lockf
|
||||
May not exist in all systems. Doesn't work with NFS.
|
||||
@end table
|
||||
|
|
|
@ -373,6 +373,7 @@ (define* (launch-environment/container #:key command bash user-mappings
|
|||
(list (direct-store-path bash) profile))))
|
||||
(return
|
||||
(let* ((cwd (getcwd))
|
||||
(passwd (getpwuid (getuid)))
|
||||
;; Bind-mount all requisite store items, user-specified mappings,
|
||||
;; /bin/sh, the current working directory, and possibly networking
|
||||
;; configuration files within the container.
|
||||
|
@ -417,16 +418,26 @@ (define* (launch-environment/container #:key command bash user-mappings
|
|||
;; The same variables as in Nix's 'build.cc'.
|
||||
'("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
|
||||
|
||||
;; From Nix build.cc:
|
||||
;;
|
||||
;; Set HOME to a non-existing path to prevent certain
|
||||
;; programs from using /etc/passwd (or NIS, or whatever)
|
||||
;; to locate the home directory (for example, wget looks
|
||||
;; for ~/.wgetrc). I.e., these tools use /etc/passwd if
|
||||
;; HOME is not set, but they will just assume that the
|
||||
;; settings file they are looking for does not exist if
|
||||
;; HOME is set but points to some non-existing path.
|
||||
(setenv "HOME" "/homeless-shelter")
|
||||
;; Create a dummy home directory under the same name as on the
|
||||
;; host.
|
||||
(mkdir-p (passwd:dir passwd))
|
||||
(setenv "HOME" (passwd:dir passwd))
|
||||
|
||||
;; Create a dummy /etc/passwd to satisfy applications that demand
|
||||
;; to read it, such as 'git clone' over SSH, a valid use-case when
|
||||
;; sharing the host's network namespace.
|
||||
(mkdir-p "/etc")
|
||||
(call-with-output-file "/etc/passwd"
|
||||
(lambda (port)
|
||||
(display (string-join (list (passwd:name passwd)
|
||||
"x" ; but there is no shadow
|
||||
"0" "0" ; user is now root
|
||||
(passwd:gecos passwd)
|
||||
(passwd:dir passwd)
|
||||
bash)
|
||||
":")
|
||||
port)
|
||||
(newline port)))
|
||||
|
||||
;; For convenience, start in the user's current working
|
||||
;; directory rather than the root directory.
|
||||
|
|
Loading…
Reference in a new issue