Container with Nix and custom user [Determinate installer]?

I want to base a container on Ubuntu and use the Determinate installer, but at the same time have a user in the container, not root:

# Dockerfile
FROM ubuntu:latest
RUN apt update -y
RUN apt install curl systemd -y
# Determinate installer: multi-user layout under /nix; nix-daemon is not started during the build
RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
  --extra-conf "sandbox = false" \
  --no-start-daemon \
  --no-confirm
# RUN steps use a non-login shell, so put the default profile on PATH explicitly
ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
RUN nix run nixpkgs#hello
CMD [ "/bin/systemd" ]

How would I extend this example, such that a user ci works with nix?

I tried to

FROM ubuntu:latest
RUN apt update -y
RUN apt install curl systemd -y
RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
  --extra-conf "sandbox = false" \
  --no-start-daemon \
  --no-confirm
ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"

ARG USER_NAME=ci
ARG USER_UID=1000
ARG USER_GID=1000
# ubuntu:24.04 ships a default "ubuntu" user with UID 1000; remove it so the UID is free
RUN userdel ubuntu || true
RUN groupadd -g "$USER_GID" "$USER_NAME"
# the password set with -p is removed again by passwd -d below
RUN useradd -p "$(openssl passwd -1 "$USER_NAME")" \
        -m --shell "bash" \
        -u "$USER_UID" -g "$USER_GID" \
        -G sudo "$USER_NAME" && \
        passwd -d "$USER_NAME"

ENV USER="$USER_NAME"
ENV PATH="/nix/var/nix/profiles/per-user/default/bin:$PATH"
CMD ["bash"]

but podman run -it test nix build nixpkgs#hello
runs into all sorts of permission issues?

What's the correct way to do this?
The answer should be contributed back to the Determinate Systems installer etc.

What is it you are actually trying to do? Is there a reason you need to use Ubuntu? What are you using Nix for in this container?

I don't need to use Ubuntu, but I was more interested in having both the system package manager and Nix at the same time, and also in learning what is needed to make this work (systemd or none, etc., and how, plus a non-root user). There is little documentation on what Nix actually needs to work. I know I could base the container on NixOS etc., but that was not the point here.

Add ci to trusted-users, maybe.

Edit:

Never mind, your exact Dockerfile with this minor change works for me on both Docker and Podman:

-m --shell "/usr/bin/bash" \ instead of "bash"

$ podman -v
podman version 5.4.0
$ docker -v
Docker version 25.0.6, build v25.0.6
$ docker build -f Dockerfile -t test_nix_ub .
$ docker run -it test_nix_ub:latest nix run nixpkgs#hello
[44.4 MiB DL] unpacking 'github:NixOS/nixpkgs/3a05eebede89661660945da1f151959900903b6a' into the Git cache
Hello, world!
$ podman build -f Dockerfile -t test_nix_ub .
$ podman run -it test_nix_ub:latest nix run nixpkgs#hello
[44.4 MiB DL] copying '«github:NixOS/nixpkgs/3a05eebede89661660945da1f151959900903b6a»/' to the store
Hello, world!
1 Like