
Non-root default user? #136

Open
malte-behrendt opened this issue Oct 17, 2021 · 5 comments

Comments

@malte-behrendt

This is a seriously awesome project! :-D

The only thing I'm currently missing is getting/running the images with a non-root default user.

Is this possible/can you help me find documentation on it?
Or do I have to add another layer myself?

@tazjin
Owner

tazjin commented Oct 17, 2021

Hey! This isn't currently possible, and it's not that trivial to implement since alternative users would first have to be created. My take is generally that this sort of stuff is up to the container runtime, but you could also add additional layers to set up users within the image and change the default user setting.

Open to other suggestions, of course :)

@malte-behrendt
Author

I completely agree on it "is up to the container runtime".

Yet I have a use case where I cannot use something like "runas": Gitlab Jobs/CI with a custom image via Gitlab's Docker Runner.

There, nixery would be absolutely awesome as it clearly states the precise requirements/tool assumptions - I just have to avoid every custom image being started as root somehow.

@docteurklein

docteurklein commented Dec 1, 2021

Just wanted to add that I copied the shadowSetup of nix's docker build support: https://github.com/NixOS/nixpkgs/blob/e237d884326048b139b16268aa14a3c62e125529/pkgs/build-support/docker/default.nix#L129-L151

I used it as an entrypoint to my docker image and now can run postgres in this image:
nixery.dev/shell/sudo/shadow/postgresql_14/postgresql14packages.plpgsql_check

#!/usr/bin/env bash
# Entrypoint: bootstrap the account database that a Nixery image lacks,
# then hand off to the container command.
set -exuo pipefail

# Minimal root account, mirroring the shadowSetup from nixpkgs' dockerTools.
mkdir -p /etc/pam.d
if [[ ! -f /etc/passwd ]]; then
  echo "root:x:0:0::/root:/bin/bash" > /etc/passwd
  echo "root:!x:::::::" > /etc/shadow
fi
if [[ ! -f /etc/group ]]; then
  echo "root:x:0:" > /etc/group
  echo "root:x::" > /etc/gshadow
fi
if [[ ! -f /etc/pam.d/other ]]; then
  cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
session required pam_unix.so
EOF
fi
if [[ ! -f /etc/login.defs ]]; then
  touch /etc/login.defs
fi

# custom stuff

# The drop-in directory does not exist in the image yet, and sudo's
# @includedir skips files whose name contains a '.', so the rule goes into
# a file without an extension, with the permissions sudo expects.
mkdir -p /etc/sudoers.d
echo 'ALL ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/all
chmod 0440 /etc/sudoers.d/all

useradd -m app

# PGDATA comes from the image environment; "set -u" aborts if it is unset.
mkdir -p "$PGDATA" /run/postgresql
chown -R app:app "$PGDATA" /run/postgresql

sudo -E -u app pg_ctl initdb
#sudo -E -u app pg_ctl -w start -o '-c shared_preload_libraries=plpgsql,plpgsql_check'

exec "$@"

Postgres requires non-root to run.
I tried using su, but only got it working with sudo so far.

@docteurklein

docteurklein commented Dec 1, 2021

Would it be possible for nixery to include this shadowSetup entrypoint automatically?

@whazor

whazor commented Jun 11, 2022

It would be nice to have a 'package' like shell that creates a new user under 1000:1000.

Or maybe even a special prefix url where Nixery creates the user under /etc/passwd as a bottom docker layer.
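Taking tazjin's extra-layer suggestion and whazor's fixed 1000:1000 user together, here is an added example (my own code, not the issue author's or Nixery's): a POSIX shell script that writes the account entries directly, so the image needs neither useradd nor sudo at runtime as the entrypoint above does. ROOT, APP_USER, APP_UID and APP_GID are assumed parameters, not anything Nixery provides.

```shell
#!/bin/sh
# Added example (not Nixery's code): create a fixed 1000:1000 account in an
# image that ships no /etc/passwd, with coreutils only, so the container can
# run as that uid instead of root. ROOT is an assumed knob: empty for the
# real image, a scratch directory when trying the script elsewhere.
set -eu

ROOT="${ROOT:-}"
APP_USER="${APP_USER:-app}"
APP_UID="${APP_UID:-1000}"
APP_GID="${APP_GID:-1000}"

# Append a record unless one with the same name field is present, so the
# script is safe to run on every container start.
add_entry() {
  file="$1"; line="$2"; key="${2%%:*}"
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -q "^${key}:" "$file" || printf '%s\n' "$line" >> "$file"
}

setup_user() {
  # root has to resolve as well, or id(1) and friends complain
  add_entry "$ROOT/etc/passwd" "root:x:0:0:root:/root:/bin/sh"
  add_entry "$ROOT/etc/group"  "root:x:0:"
  # the unprivileged account; "!" in shadow locks its password, it is a
  # uid to drop to, not an account to log in as
  add_entry "$ROOT/etc/group"  "${APP_USER}:x:${APP_GID}:"
  add_entry "$ROOT/etc/passwd" \
    "${APP_USER}:x:${APP_UID}:${APP_GID}:${APP_USER}:/home/${APP_USER}:/bin/sh"
  add_entry "$ROOT/etc/shadow" "${APP_USER}:!:::::::"
  chmod 0644 "$ROOT/etc/passwd" "$ROOT/etc/group"
  chmod 0600 "$ROOT/etc/shadow"
  mkdir -p "$ROOT/home/${APP_USER}"
  # ownership can only be handed over while still root (image build time)
  if [ "$(id -u)" -eq 0 ]; then
    chown "${APP_UID}:${APP_GID}" "$ROOT/home/${APP_USER}"
  fi
}

# Resolve a name to its uid from the generated database (what `id -u`
# reports inside the image).
uid_of() {
  awk -F: -v u="$1" '$1 == u { print $3 }' "$ROOT/etc/passwd"
}

# `setup-user.sh --apply` prepares the real image; sourced, it only defines
# the functions.
if [ "${1:-}" = "--apply" ]; then setup_user; fi
```

With the entries in place, start the image with `docker run --user 1000:1000 ...` or put `USER 1000:1000` in a Dockerfile layered on top; that is the "change the default user setting" step tazjin mentions.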

4 participants