Managing users and permissions in a docker build

Hi there - can’t seem to find any info on how to add a user specification to a docker image built with nix. I’d like to add a custom user that will be used to run the container instead of root. Any hints very much appreciated!

edit: I missed this part of the manual :man_facepalming: : Nixpkgs 23.11 manual | Nix & NixOS

This does require runAsRoot which means I cannot build a layered image - is there some way to avoid this?

I’m not an expert on using Nix to produce Docker images, but the process is split into two operations, even with the standard Docker tools: first you create the new user so that you can configure the files to be owned by it, and then you configure the containers produced by this image to run as that particular user by default.

The first setting can be done in the first layer of a multi-layered image by using buildImage and shadowSetup, then setting the runtime user via the corresponding entry in the config attr.


Indeed, I ended up solving it by having a small initial image that does the user configuration and using that as the fromImage for the layered image build. It works quite well and self-optimizes by reusing tons of layers across my images.

Do you all have a code example you could share? I foolishly thought it would be as easy as specifying config.User = "1000:1000" but I can see I was mistaken.

I’m also trying to address this issue in the nix2container project: it is possible to set specific permissions on files without having to rely on a VM (permissions are set in the tar stream only). This buildImage.perms option is documented here and this is a usage example.
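The two-stage approach described in the replies above (a small buildImage that creates the user with shadowSetup, used as fromImage for a buildLayeredImage whose config sets User), as an added example that is not code from any of the posters. The user/group name `app`, the uid/gid 1000, the `/data` directory and the `id` command are assumptions chosen for illustration.

```nix
# default.nix (added example). Build with: nix-build && docker load < result
{ pkgs ? import <nixpkgs> {} }:

let
  uid = "1000";   # assumed uid/gid for the non-root runtime user
  gid = "1000";

  # Stage 1: a minimal image whose only job is to create the user and group.
  # runAsRoot needs the VM-based buildImage, so keep this image as small as
  # possible; it only needs to be rebuilt when the user definition changes.
  userBase = pkgs.dockerTools.buildImage {
    name = "user-base";
    tag = "latest";
    runAsRoot = ''
      #!${pkgs.runtimeShell}
      ${pkgs.dockerTools.shadowSetup}
      groupadd -g ${gid} app
      useradd -u ${uid} -g ${gid} -d /home/app -M app
      # Directories the process must write to are owned by the user,
      # everything else stays root-owned and read-only for it.
      mkdir -p /home/app /data
      chown ${uid}:${gid} /home/app /data
    '';
  };

  # Stage 2: the actual application image, layered on top of userBase.
  # No runAsRoot here, so the store paths are split into reusable layers.
  app = pkgs.dockerTools.buildLayeredImage {
    name = "app";
    tag = "latest";
    fromImage = userBase;
    contents = [ pkgs.coreutils pkgs.bash ];
    config = {
      User = "${uid}:${gid}";          # containers start as the non-root user
      WorkingDir = "/home/app";
      Cmd = [ "${pkgs.coreutils}/bin/id" ];
    };
  };
in
app
```

Running the resulting image with `docker run app:latest` should report uid 1000 and gid 1000 rather than root, which is a quick check that the User entry in config took effect.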