fix(nix/docker.nix): add sudo and jq.bin
Change-Id: Ie978c62ce4164386e55cedd6d7ceae71b07e217e
Signed-off-by: Thomas Kosiewski <tk@coder.com>
ThomasK33 committed Jan 30, 2025
commit 11cccb35c5fed40351f5f97a7b927a00bcfc961c
1 change: 1 addition & 0 deletions flake.nix
Expand Up @@ -257,6 +257,7 @@
nix
curl.bin # Ensure the actual curl binary is included in the PATH
glibc.bin # Ensure the glibc binaries are included in the PATH
jq.bin
binutils # ld and strings
filebrowser # Ensure that we're not redownloading filebrowser on each launch
])
48 changes: 45 additions & 3 deletions nix/docker.nix
Expand Up @@ -19,6 +19,7 @@
zstd,
stdenv,
glibc,
sudo,
}:
let
inherit (lib)
Expand Down Expand Up @@ -88,10 +89,11 @@ let

staticPath = "${dirOf shell}:${
lib.makeBinPath (
lib.flatten [
(lib.flatten [
builder
drv.buildInputs
]
])
++ [ "/usr" ]
)
}";

Expand Down Expand Up @@ -123,11 +125,38 @@ let
experimental-features = nix-command flakes
'';

etcNixConf = runCommand "etcd-nix-conf" { } ''
etcNixConf = runCommand "etc-nix-conf" { } ''
mkdir -p $out/etc/nix/
ln -s ${nixConfFile} $out/etc/nix/nix.conf
'';

sudoersFile = writeText "sudoers" ''
root ALL=(ALL) ALL
${toString uname} ALL=(ALL) NOPASSWD:ALL
'';

etcSudoers = runCommand "etc-sudoers" { } ''
mkdir -p $out/etc/
cp ${sudoersFile} $out/etc/sudoers
chmod 440 $out/etc/sudoers
'';

pamSudoFile = writeText "pam-sudo" ''
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
'';

etcPamSudo = runCommand "etc-pam-sudo" { } ''
mkdir -p $out/etc/pam.d/
cp ${pamSudoFile} $out/etc/pam.d/sudo

# We can’t chown in a sandbox, but that’s okay for Nix store.
chmod 644 $out/etc/pam.d/sudo
'';

# https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
sandboxBuildDir = "/build";

Expand Down Expand Up @@ -194,6 +223,8 @@ let
binSh
usrBinEnv
etcNixConf
etcSudoers
etcPamSudo
(fakeNss.override {
# Allows programs to look up the build user's home directory
# https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
Expand Down Expand Up @@ -241,6 +272,17 @@ let
mkdir -p ./lib64
ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
fi

# Copy sudo from the Nix store to a "normal" path in the container
mkdir -p ./usr/bin
cp ${sudo}/bin/sudo ./usr/bin/sudo

# Ensure root owns it & set setuid bit
chown 0:0 ./usr/bin/sudo
chmod 4755 ./usr/bin/sudo

chown root:root ./etc/pam.d/sudo
chown root:root ./etc/sudoers
'';

# Run this image as the given uid/gid
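Review bot: The `chmod 440` in the `etc-sudoers` derivation probably does not reach the image, because the Nix store normalises non-executable files to mode 0444 on registration and the fakeroot step only runs `chown root:root ./etc/sudoers` without resetting the mode; sudo rejects a sudoers file more permissive than 0440 (`sudo: /etc/sudoers is mode 0444, should be 0440`), so if `/etc/sudoers` is still a store file or a link into the store at that point, `sudo` will fail at runtime. Adding `chmod 0440 ./etc/sudoers` beside the existing `chown`, and copying the file (`install -m 0440`) rather than leaving a symlink if the contents layer produces one, would make this hold regardless of how the layer is materialised. Separately, `auth required pam_permit.so` turns the PAM stack into a no-op, so any account that sudoers admits is escalated with no authentication at all; this is redundant with the `NOPASSWD:ALL` already granted to `uname` (sudo skips the auth phase for NOPASSWD entries, to my understanding) and it means a later tightening of sudoers to require a password would be silently ineffective, so `auth required pam_deny.so` with permit only for account/session, or at minimum a comment such as `# No authentication: single-user dev container, the container boundary is the trust boundary`, would make the intent explicit. The `${toString uname} ALL=(ALL) NOPASSWD:ALL` line hands the workspace user unrestricted passwordless root, which is reasonable for a dev image but should be stated next to the sudoers definition. The enclosing `let` binding and the image definition that consumes `etcSudoers`/`etcPamSudo` start before and end after these hunks.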