From 368496f4a55e66bad5a12156accaa764c0d6ba6e Mon Sep 17 00:00:00 2001
From: Sander van der Burg
Date: Tue, 23 Mar 2021 22:26:53 +0100
Subject: [PATCH] Use chainload trick to make sure an initialize script runs as root

---
 .../backends/docker/generate-docker-container.nix | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/nixproc/backends/docker/generate-docker-container.nix b/nixproc/backends/docker/generate-docker-container.nix
index 662362b..2295eba 100644
--- a/nixproc/backends/docker/generate-docker-container.nix
+++ b/nixproc/backends/docker/generate-docker-container.nix
@@ -21,6 +21,7 @@
 , postInstall
 }:
 
+# TODO:
 # umask unsupported
 # nice unsupported
 
@@ -35,15 +36,20 @@ let
     inherit stdenv lib writeTextFile;
   };
 
+  _user = util.determineUser {
+    inherit user forceDisableUserChange;
+  };
+
   cmd = if foregroundProcess != null then
-    if initialize == null
+    if initialize == ""
     then [ foregroundProcess ] ++ foregroundProcessArgs
     else
       let
         wrapper = generateForegroundProxy ({
           wrapDaemon = false;
           executable = foregroundProcess;
+          user = _user;
           inherit name initialize runtimeDir stdenv;
         } // lib.optionalAttrs (instanceName != null) {
           inherit instanceName;
@@ -57,6 +63,7 @@ let
         wrapper = generateForegroundProxy ({
           wrapDaemon = true;
           executable = daemon;
+          user = _user;
           inherit name runtimeDir initialize stdenv;
         } // lib.optionalAttrs (instanceName != null) {
           inherit instanceName;
@@ -77,10 +84,6 @@ let
 
   credentialsSpec = createCredentials credentials;
 
-  _user = util.determineUser {
-    inherit user forceDisableUserChange;
-  };
-
   generatedDockerImageArgs = {
     inherit name;
     tag = "latest";
@@ -95,7 +98,7 @@ let
       Env = map (varName: "${varName}=${toString (builtins.getAttr varName _environment)}") (builtins.attrNames _environment);
     } // lib.optionalAttrs (directory != null) {
       WorkingDir = directory;
-    } // lib.optionalAttrs (_user != null) {
+    } // lib.optionalAttrs (_user != null && initialize == "") {
       User = _user;
     };
   };
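Review bot: The test `if initialize == ""` in the cmd expression (and the matching `initialize == ""` in the last hunk's User condition) no longer treats a null initialize as "no initialize script"; if the function's default for `initialize` is still `null` — the parameter list is outside this hunk — a null value now takes the wrapper branch and hands `initialize = null` to generateForegroundProxy, while the image's User is still set. If the default was changed to `""` elsewhere in the series, a short comment above the test would spare the next reader the lookup: `# initialize defaults to ""; an empty string means no initialize script`. If both values must remain valid, the test should accept both, e.g. `if initialize == null || initialize == ""`, in both places. The enclosing let-block starts and ends outside the hunk.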
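Review bot: Leaving `User` unset whenever an initialize script is present means the container's entry process starts as root, and the drop to `_user` now depends entirely on the foreground proxy honoring the `user = _user` attribute added in the two earlier hunks; that invariant is not recorded anywhere in this file. A comment on the condition would make the dependency explicit: `# With an initialize script the container must start as root so the script can run privileged; the generated proxy is expected to switch to _user before exec'ing the process, so User is only set here when there is nothing to initialize.` It is also worth noting in that comment that with User unset, anything else entering the container (for example docker exec) defaults to root, whereas previously it inherited `_user`. The generatedDockerImageArgs attribute set starts outside the hunk.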