Context
I already have a docker container image built using `dockerTools.buildImage` that I use for work. This allows me to keep my work files completely separate from personal ones including `.gitconfig`, ssh keys and other dotfiles and gives my system extra security while at it (no NPM supply chain attack can get to my personal files!). Some of my colleagues are taking interest in this setup but unfortunately, some of them work on other projects and require different software so I can’t just share my container image in its current form.
Goal
So far, I concluded that the best solution to current and even future problems is to build a new image that only includes:
- things that are required for basic operation (toybox, CA certificates),
- things that we use across all teams (bash, git, ssh),
- and Nix, so we can use `nix develop` to get our dependencies.
On top of that, I would like to keep some features of the current setup, namely:
- a `/home/nobody` directory with some dotfiles,
- no way to become root,
- no unused files or unexplained dependencies.
The problem
Unfortunately, I am unable to get Nix to work in a container, which prevents the whole idea from working.
My image definition looks something like this:

```nix
packages.default = pkgs.dockerTools.buildImage {
  # ...
  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = with pkgs; [
      bashInteractive
      nix
      (pkgs.writeTextDir "etc/nix/nix.conf" "experimental-features = nix-command flakes")
      # ...
    ];
    pathsToLink = [ "/bin" "/etc" ];
  };
  # ...
  config = {
    User = "nobody";
    Cmd = [ "/bin/sh" "-l" ];
  };
}
```
This seems to be completely broken. I am unable to execute `nix develop` without errors (see below) and I am even unable to run `nix --help` (`error: executing '': No such file or directory`).

```
error: builder for '/nix/store/8mvprq5spsl0z3b620gkyz971yk317if-nix-shell-env.drv' failed with exit code 1;
last 1 log lines:
> error: executing '/nix/store/rhvbjmcfnkg8i2dxpzr114cp1ws7f667-bash-5.2-p15/bin/bash': No such file or directory
For full logs, run 'nix log /nix/store/8mvprq5spsl0z3b620gkyz971yk317if-nix-shell-env.drv'.
```
`rhvbjmcfnkg8i2dxpzr114cp1ws7f667-bash-5.2-p15/bin/bash` can be found in `~/.local/share/nix/root/nix/store` but for some reason Nix is looking in `/nix/store`. This error remains the same if I specify `--store` manually.
This error specifically changes when running as root: it is complaining about the lack of `nixbld` users, but I did not investigate this because one of my goals is to run completely unprivileged.
I tried replacing `dockerTools.buildImage` with `dockerTools.buildImageWithNixDb` but this only affected the non-root behavior when executing `nix develop`, replacing the error with `error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted`.
Alternative solution?
I am aware of the nixos/nix image on DockerHub and I am expecting something related to this to become the solution but I am not sure how to execute this approach and I am concerned about how big the source code of that image is.
I looked at the source code and expected to find maybe 200 lines to bootstrap Nix but instead I found almost 800 lines and too many things happening for how seemingly simple the end goal is. I understand that we need some `nixbld` users but there is a lot more code than just the setup of those.
That image also seems to expect that the user will be root, which I would really like to avoid. I don’t really see why this should not be possible with `--store` in an owned location.
If you are able to give me any clues on how I can progress in any of the mentioned directions or know a completely different way of solving this, please let me know. I really hope I can put Nix into more people’s hands and I don’t want to let my colleagues, whom I preemptively got quite excited, down. I hope you can learn something from this too.
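A diagnostic the unprivileged user can run inside such an image, as an added example that is not part of the original post: it checks the facts the error output above turns on, namely whether `/nix/store` exists and is writable, whether the builder's bash path exists under `/` or under the fallback store, and whether a user namespace can be created (assumed here to be what Nix needs to present a non-`/nix` store at `/nix/store`). The fallback store root `~/.local/share/nix/root` and the bash path are taken from the post; `NIX_FALLBACK_STORE` is a hypothetical override variable for this script only.

```shell
#!/bin/sh
# Added diagnostic script (not from the post). Run as the unprivileged user
# inside the container. NIX_FALLBACK_STORE is a hypothetical override; the
# default is the chroot store location mentioned in the post.
FALLBACK_STORE="${NIX_FALLBACK_STORE:-$HOME/.local/share/nix/root}"
# Builder path copied from the error message in the post.
BUILDER_BASH=/nix/store/rhvbjmcfnkg8i2dxpzr114cp1ws7f667-bash-5.2-p15/bin/bash

# Print "ok", "missing" or "readonly" for a directory; exit status 0 only for "ok".
dir_state() {
  if [ ! -d "$1" ]; then echo missing; return 1; fi
  if [ ! -w "$1" ]; then echo readonly; return 1; fi
  echo ok
}

# store_path_present ROOT /nix/store/...: does the store path exist when the
# store is rooted at ROOT ("/" for the real store, FALLBACK_STORE otherwise)?
store_path_present() {
  [ -e "${1%/}$2" ]
}

# Assumption: Nix mounts a non-/nix store at /nix/store inside a user+mount
# namespace, so this must succeed for the fallback store to be usable.
userns_available() {
  unshare -Ur true 2>/dev/null
}

main() {
  echo "/nix/store in image:      $(dir_state /nix/store)"
  echo "fallback store directory: $(dir_state "$FALLBACK_STORE/nix/store")"
  for root in / "$FALLBACK_STORE"; do
    if store_path_present "$root" "$BUILDER_BASH"; then
      echo "builder bash present under $root"
    else
      echo "builder bash absent under $root"
    fi
  done
  if userns_available; then
    echo "user namespaces: available"
  else
    echo "user namespaces: blocked or unshare not installed"
  fi
}

main
```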