unofficial mirror of bug-guix@gnu.org 
* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Ludovic Courtès @ 2019-08-23 15:00 UTC
  To: bug-Guix

‘guix pack -f docker’ currently creates an image without
/etc/{passwd,group,shadow}.

It’s OK most of the time, but again it looks like a gratuitous annoyance
for those cases where having them around matters (that’s also the reason
why guix-daemon creates them.)

Unless there are objections, I’d like to create these with just the
“root” and “nobody” accounts.  Or should we have a regular unprivileged
account?  But then what should its UID be?

Ludo’.


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Ricardo Wurmus @ 2019-08-23 20:16 UTC
  To: 37162; +Cc: ludovic.courtes


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> ‘guix pack -f docker’ currently creates an image without
> /etc/{passwd,group,shadow}.
[…]
> Unless there are objections, I’d like to create these with just the
> “root” and “nobody” accounts.  Or should we have a regular unprivileged
> account?  But then what should its UID be?

Is there perhaps a configuration that we could add to the Docker image
meta-data to have Docker do the right thing?  The right thing might be
to map these files from the host into the container automatically, or to
instruct Docker to create them when starting the container.

I would prefer to accomplish this via configuration “hints” if possible
instead of creating dummy files with specific contents.

(I don’t know if this is at all possible.)

--
Ricardo


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Ricardo Wurmus @ 2019-08-25 16:28 UTC
  To: Maxim Cournoyer; +Cc: 37162, Ludovic Courtès


Hi Maxim,

> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>
>> ‘guix pack -f docker’ currently creates an image without
>> /etc/{passwd,group,shadow}.
>>
>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>> for those cases where having them around matters (that’s also the reason
>> why guix-daemon creates them.)
>
> Would that include the files required for PAM authentication to work
> correctly? I remember struggling with this use case: using the Docker
> image with CQFD wrapper, which must be able to create a user and
> sudo'ing (or 'su') to it in the docker container.

I wonder if at this point it wouldn’t be better to build a whole system
container.  Isn’t that outside the scope of “guix pack” and rather a
task for “guix system”?

-- 
Ricardo


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Maxim Cournoyer @ 2019-08-25 21:32 UTC
  To: Ludovic Courtès; +Cc: bug-Guix

Hi Ludovic,

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> ‘guix pack -f docker’ currently creates an image without
> /etc/{passwd,group,shadow}.
>
> It’s OK most of the time, but again it looks like a gratuitous annoyance
> for those cases where having them around matters (that’s also the reason
> why guix-daemon creates them.)

Would that include the files required for PAM authentication to work
correctly? I remember struggling with this use case: using the Docker
image with CQFD wrapper, which must be able to create a user and
sudo'ing (or 'su') to it in the docker container.  I had started
populating base files such as shadow, passwd, etc. but when confronted
with the PAM configuration (which sudo was complaining about), it
appeared intimidating. I then decided to modify my operating system
declaration so that it'd contain the required Shepherd services that
populate /etc, and devise a hack to call
'/var/guix/profiles/system/boot' when the container would start.

The minimal system configuration (+ python stuff, which was the
requirement) I came up with was:

--8<---------------cut here---------------end--------------->8---
;; This is an operating system configuration template for a bare-bone,
;; containerization-friendly setup, with no X11 display server and
;; no Guix daemon / client.

(use-modules (gnu)
             (gnu packages bash)
             (gnu packages python)
             (gnu packages python-xyz)
             (gnu packages xml)
             (guix packages))

(operating-system
  (host-name "robot-framework")
  (timezone "America/Montreal")

  ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  ;; target hard disk, and "my-root" is the label of the target
  ;; root file system.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (users (cons (user-account
                (name "builder")
                (group "users")
                (supplementary-groups '("wheel"))
                (home-directory "/home/builder"))
               %base-user-accounts))

  ;; Globally-installed packages.
  (packages (cons* python-wrapper
                   (list python "tk")
                   python-robotframework
                   python-robotframework-sshlibrary
                   python-robotframework-lint
                   python-xmltodict
                   %base-packages))

  (services (list
             ;; Enable #!/bin/sh and #!/bin/bash shebangs.
             (service special-files-service-type
                      `(("/bin/bash" ,(file-append (canonical-package bash)
                                                   "/bin/bash"))))
             (service special-files-service-type
                      `(("/bin/sh" ,(file-append (canonical-package bash)
                                                 "/bin/sh"))))
             ;; The following is a very small subset extracted from
             ;; %base-services.
             (service login-service-type)
             (service udev-service-type (udev-configuration))
             (syslog-service)))

  ;; When using sudo, by default some environment variables such as
  ;; PYTHONPATH are dropped.  Make it so that any environment
  ;; variables are honored.  This is important so that the Guix system
  ;; profile can work correctly for any user.
  (sudoers-file (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Defaults !env_reset,!env_delete\n")))

--8<---------------cut here---------------end--------------->8---

Maxim


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Ludovic Courtès @ 2019-08-26  7:37 UTC
  To: Maxim Cournoyer; +Cc: 37162

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Hi Maxim,
>>
>>> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>>>
>>>> ‘guix pack -f docker’ currently creates an image without
>>>> /etc/{passwd,group,shadow}.
>>>>
>>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>>> for those cases where having them around matters (that’s also the reason
>>>> why guix-daemon creates them.)
>>>
>>> Would that include the files required for PAM authentication to work
>>> correctly? I remember struggling with this use case: using the Docker
>>> image with CQFD wrapper, which must be able to create a user and
>>> sudo'ing (or 'su') to it in the docker container.
>>
>> I wonder if at this point it wouldn’t be better to build a whole system
>> container.  Isn’t that outside the scope of “guix pack” and rather a
>> task for “guix system”?

I think so.

> Probably! But then one has to wonder if adding some base files to `guix
> pack' is not one of those slippery slopes where users come back
> expecting more stuff to be there?
>
> What use case(s) exactly depend on the presence of the
> /etc/{passwd,group,shadow} files?

Generally, absent these files, getpw(3) and co. won’t give useful
results, and some applications will behave poorly (e.g., the PS1 prompt
in Bash can’t show the user name; ‘id’ fails).

Most of the time it’s just a minor inconvenience.

Ludo’.

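Added example, not code from this bug thread or from Guix: it renders the minimal /etc/{passwd,group,shadow} content that the opening proposal describes (only "root" and "nobody", with locked shadow entries), runs the checks a reviewer would want on such files, and includes a getpwuid(3)-style lookup whose None result is the situation Ludovic describes above, where ‘id’ and the Bash prompt cannot resolve a name. The UID/GID 65534 for "nobody" and the home/shell paths are assumptions; the thread leaves the UID question open.

```python
# Constructed sample accounts: (name, uid, gid, home, shell).  The 65534 value
# for "nobody" is an assumption, not something the bug thread decided.
LOCKED = "!"  # shadow password field that can never match a typed password
ACCOUNTS = (
    ("root", 0, 0, "/root", "/bin/sh"),
    ("nobody", 65534, 65534, "/nonexistent", "/noshell"),
)

def render_passwd(accounts=ACCOUNTS):
    # "x" in the password field tells libc to consult /etc/shadow instead.
    return "".join(f"{n}:x:{u}:{g}:{n}:{h}:{s}\n" for n, u, g, h, s in accounts)

def render_group(accounts=ACCOUNTS):
    # One primary group per account, no members listed.
    return "".join(f"{n}:x:{g}:\n" for n, _u, g, _h, _s in accounts)

def render_shadow(accounts=ACCOUNTS):
    # Locked password, no ageing fields: password login is impossible.
    return "".join(f"{n}:{LOCKED}:1::::::\n" for n, *_ in accounts)

def check_files(passwd, group, shadow):
    """Return the problems a hardening review would flag; [] means clean."""
    pw = [l.split(":") for l in passwd.splitlines() if l]
    gids = {l.split(":")[2] for l in group.splitlines() if l}
    shadow_pw = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l}
    problems = []
    if not any(f[0] == "root" and f[2] == "0" for f in pw):
        problems.append("no root account with UID 0")
    for f in pw:
        if f[1] == "":  # empty field means password-less login
            problems.append(f"{f[0]}: empty password field")
        if f[3] not in gids:
            problems.append(f"{f[0]}: primary GID {f[3]} not in group file")
        if shadow_pw.get(f[0]) not in (LOCKED, "*", "!*", "!!"):
            problems.append(f"{f[0]}: shadow entry is not locked")
    return problems

def lookup_uid(passwd, uid):
    """Like getpwuid(3): the account name, or None when no entry exists.

    An empty passwd string models the image without /etc/passwd; the None
    result is the NULL that makes 'id' fail and leaves PS1 without a name.
    """
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2] == str(uid):
            return f[0]
    return None
```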

* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Maxim Cournoyer @ 2019-08-26  9:19 UTC
  To: Ricardo Wurmus; +Cc: 37162, Ludovic Courtès

Hello Ricardo,

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Maxim,
>
>> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>>
>>> ‘guix pack -f docker’ currently creates an image without
>>> /etc/{passwd,group,shadow}.
>>>
>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>> for those cases where having them around matters (that’s also the reason
>>> why guix-daemon creates them.)
>>
>> Would that include the files required for PAM authentication to work
>> correctly? I remember struggling with this use case: using the Docker
>> image with CQFD wrapper, which must be able to create a user and
>> sudo'ing (or 'su') to it in the docker container.
>
> I wonder if at this point it wouldn’t be better to build a whole system
> container.  Isn’t that outside the scope of “guix pack” and rather a
> task for “guix system”?

Probably! But then one has to wonder if adding some base files to `guix
pack' is not one of those slippery slopes where users come back
expecting more stuff to be there?

What use case(s) exactly depend on the presence of the
/etc/{passwd,group,shadow} files?

Maxim


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Ricardo Wurmus @ 2019-08-26 11:39 UTC
  To: Ludovic Courtès; +Cc: 37162, Maxim Cournoyer


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

>> What use case(s) exactly depend on the presence of the
>> /etc/{passwd,group,shadow} files?
>
> Generally, absent these files, getpw(3) and co. won’t give useful
> results, and some applications will behave poorly (e.g., the PS1 prompt
> in Bash can’t show the user name; ‘id’ fails).
>
> Most of the time it’s just a minor inconvenience.

I think it’s fine to add these files to avoid this source of
inconvenience.

Perhaps it would be good to recommend in the manual the use of “guix
system” for those who need more control over the contents of these
files.

And maybe we can make some really simple template system configuration
available to “guix system” without requiring users to fully specify the
operating system configuration.  I’m thinking of something like this
where %simple-os is made available by default:

(operating-system
  (inherit %simple-os)
  (packages (list "a" "b" "c")))

--
Ricardo


* bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
From: Maxim Cournoyer @ 2019-08-31 15:02 UTC
  To: Ludovic Courtès; +Cc: 37162

Hello! Sorry for the late reply.

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Hi Maxim,
>>>
>>>> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>>>>
>>>>> ‘guix pack -f docker’ currently creates an image without
>>>>> /etc/{passwd,group,shadow}.
>>>>>
>>>>> It’s OK most of the time, but again it looks like a gratuitous annoyance
>>>>> for those cases where having them around matters (that’s also the reason
>>>>> why guix-daemon creates them.)
>>>>
>>>> Would that include the files required for PAM authentication to work
>>>> correctly? I remember struggling with this use case: using the Docker
>>>> image with CQFD wrapper, which must be able to create a user and
>>>> sudo'ing (or 'su') to it in the docker container.
>>>
>>> I wonder if at this point it wouldn’t be better to build a whole system
>>> container.  Isn’t that outside the scope of “guix pack” and rather a
>>> task for “guix system”?
>
> I think so.
>
>> Probably! But then one has to wonder if adding some base files to `guix
>> pack' is not one of those slippery slopes where users come back
>> expecting more stuff to be there?
>>
>> What use case(s) exactly depend on the presence of the
>> /etc/{passwd,group,shadow} files?
>
> Generally, absent these files, getpw(3) and co. won’t give useful
> results, and some applications will behave poorly (e.g., the PS1 prompt
> in Bash can’t show the user name; ‘id’ fails).

I see! I understand better the source of the annoyance now, thanks!

> Most of the time it’s just a minor inconvenience.

It seems OK to me to add those small files since they make the experience
better.

Maxim

