
bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd


From: Maxim Cournoyer
Subject: bug#37162: ‘guix pack -f docker’ creates an image without /etc/passwd
Date: Mon, 26 Aug 2019 06:32:41 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Hi Ludovic,

Ludovic Courtès <address@hidden> writes:

> ‘guix pack -f docker’ currently creates an image without
> /etc/{passwd,group,shadow}.
>
> It’s OK most of the time, but again it looks like a gratuitous annoyance
> for those cases where having them around matters (that’s also the reason
> why guix-daemon creates them.)

Would that include the files required for PAM authentication to work
correctly? I remember struggling with this use case: using the Docker
image with the CQFD wrapper, which must be able to create a user and
sudo (or 'su') to it in the Docker container.  I had started
populating base files such as shadow, passwd, etc., but when confronted
with the PAM configuration (which sudo was complaining about), it
appeared intimidating.  I then decided to modify my operating system
declaration so that it'd contain the required Shepherd services that
populate /etc, and devised a hack to call
'/var/guix/profiles/system/boot' when the container would start.

The minimal system configuration (+ python stuff, which was the
requirement) I came up with was:

--8<---------------cut here---------------end--------------->8---
;; This is an operating system configuration template for a bare-bone,
;; containerization-friendly setup, with no X11 display server and
;; no Guix daemon / client.

(use-modules (gnu)
             (gnu packages bash)
             (gnu packages python)
             (gnu packages python-xyz)
             (gnu packages xml)
             (guix packages))

(operating-system
  (host-name "robot-framework")
  (timezone "America/Montreal")

  ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  ;; target hard disk, and "my-root" is the label of the target
  ;; root file system.  Both fields are mandatory in an
  ;; 'operating-system' record even though a container never
  ;; boots from them.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (users (cons (user-account
                (name "builder")
                (group "users")
                (supplementary-groups '("wheel"))
                (home-directory "/home/builder"))
               %base-user-accounts))

  ;; Globally-installed packages.
  (packages (cons* python-wrapper
                   (list python "tk")
                   python-robotframework
                   python-robotframework-sshlibrary
                   python-robotframework-lint
                   python-xmltodict
                   %base-packages))

  (services (list
             ;; Enable #!/bin/sh and #!/bin/bash shebangs.  One
             ;; instance of the service type carrying both entries,
             ;; rather than one instance per file.
             (service special-files-service-type
                      `(("/bin/bash" ,(file-append (canonical-package bash)
                                                   "/bin/bash"))
                        ("/bin/sh" ,(file-append (canonical-package bash)
                                                 "/bin/sh"))))
             ;; The following is a very small subset extracted from
             ;; %base-services: the login service brings in the PAM
             ;; services and the account activation that populate
             ;; /etc/{passwd,group,shadow} and /etc/pam.d.
             (service login-service-type)
             (service udev-service-type (udev-configuration))
             (syslog-service)))

  ;; When using sudo, by default some environment variables such as
  ;; PYTHONPATH are dropped.  Make it so that any environment
  ;; variables are honored.  This is important so that the Guix system
  ;; profile can work correctly for any user.  Note that '!env_reset'
  ;; and '!env_delete' disable sudo's environment sanitising for every
  ;; wheel member: whatever the caller exports (other than the few
  ;; variables sudo always strips) reaches the root session.
  (sudoers-file (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Defaults !env_reset,!env_delete\n")))

--8<---------------cut here---------------end--------------->8---

Maxim
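The "populating base files such as shadow, passwd" step mentioned above, as an added example that is not part of the bug report or of Guix itself: a POSIX shell script that checks an unpacked container root file system (for instance the output of `docker export`, or the extracted tarball that `guix pack -f docker` produces) for the files sudo/su/login rely on, writes a minimal locked account database when none exists, and audits it for the mistakes that matter (an unknown primary group, a user without a shadow line, an empty password field). The `builder` account, its uid/gid values and the file layout are assumptions made for the example; the PAM service files are deliberately not generated, since their contents depend on the PAM modules the system ships.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Guix.  The
# "builder" account, its ids and the path layout are assumptions.

# Print, one per line, the files under $1 that sudo/su/login rely on
# and that are absent.  Returns 0 when nothing is missing, 1 otherwise.
check_account_files() {
  root=$1
  status=0
  for f in etc/passwd etc/group etc/shadow etc/nsswitch.conf \
           etc/pam.d/sudo etc/pam.d/su; do
    if [ ! -e "$root/$f" ]; then
      echo "$f"
      status=1
    fi
  done
  return $status
}

# Write minimal passwd/group/shadow under $1: root plus an unprivileged
# "builder" user whose primary group is "users" and who is also in
# "wheel".  Password fields are "!" (locked), so these entries let sudo
# and su resolve names and ids but never authenticate a password;
# whether builder may become root is decided by the sudoers file.
write_account_files() {
  root=$1
  mkdir -p "$root/etc"
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
builder:x:1000:998:builder:/home/builder:/bin/sh
EOF
  cat > "$root/etc/group" <<'EOF'
root:x:0:
wheel:x:997:builder
users:x:998:builder
EOF
  cat > "$root/etc/shadow" <<'EOF'
root:!::0:99999:7:::
builder:!::0:99999:7:::
EOF
  chmod 644 "$root/etc/passwd" "$root/etc/group"
  chmod 600 "$root/etc/shadow"   # a world-readable shadow leaks hashes
}

# Audit the account database under $1.  Every passwd user's primary gid
# must exist in group, every passwd user needs a shadow line, and no
# passwd or shadow entry may have an empty password field (pam_unix
# treats that as "no password required").  Findings are printed; the
# function returns 0 only when nothing was found.
audit_account_files() {
  root=$1
  ! awk -F: '
    FILENAME ~ /group$/  { gid[$3] = 1; next }
    FILENAME ~ /shadow$/ { seen[$1] = 1
                           if ($2 == "") print "empty password field in shadow: " $1
                           next }
    FILENAME ~ /passwd$/ { users[$1] = 1
                           if (!($4 in gid)) print "unknown primary gid " $4 " for " $1
                           if ($2 == "")     print "empty password field in passwd: " $1 }
    END { for (u in users) if (!(u in seen)) print "no shadow entry for " u }
  ' "$root/etc/group" "$root/etc/shadow" "$root/etc/passwd" | grep .
}

# Usage: sh this-script.sh /path/to/unpacked/rootfs
if [ $# -eq 1 ]; then
  [ -e "$1/etc/passwd" ] || write_account_files "$1"
  check_account_files "$1"     # lists anything still missing, e.g. PAM files
  audit_account_files "$1" && echo "account database under $1 is consistent"
fi
```

After `write_account_files`, `check_account_files` still reports `etc/nsswitch.conf` and the `etc/pam.d/*` entries: those are exactly the pieces that the login and PAM services of a Guix system declaration (or guix-daemon) provide, which is why the minimal `operating-system` above pulls `login-service-type` in.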