compose2nix

Support for rootless mode

Open 0n1cOn3 opened this issue 1 year ago • 10 comments

Add support for running services with a user specified via a flag.

For example:

-rootless 1500:1500

There's also a potential blocker which may need further investigation for this feature request:

https://github.com/NixOS/nixpkgs/issues/207050

0n1cOn3 avatar Jun 17 '24 12:06 0n1cOn3

Thanks for reporting!

Do you mean --user? If so, it is already supported.

As far as rootless support goes in general, yes, there does seem to be a blocker on the NixOS side. Not much I can do about that unfortunately.

aksiksi avatar Jun 17 '24 12:06 aksiksi

Not much I can do about that unfortunately.

Do you maybe know a workaround, or is there nothing we can do about it?

0n1cOn3 avatar Jun 17 '24 13:06 0n1cOn3

Last I checked, it needs changes on the NixOS/nixpkgs side. I don’t use rootless containers personally.

aksiksi avatar Jun 17 '24 18:06 aksiksi

@L-Acacia Thanks for the pointer. It's not yet clear how to expose this via compose2nix. A few ideas:

  1. Pass in a --rootless-user flag that is applied to all containers
  2. Set a rootless-user Compose label on each service
  3. A combination of the two
  4. Use the existing Compose “user” setting plus a flag to enable rootless mode
  5. ???

It's also possible to manually override the setting from your Nix config. For example:

virtualisation.oci-containers.containers.nginx.podman.user = "myuser";

aksiksi avatar Mar 13 '25 22:03 aksiksi

Thanks for the feedback. I don’t think it makes sense for compose2nix to create users.

Here is what we can add:

  1. a rootless-user flag that will set the user for all generated containers
  2. enable lingering for the specified user

aksiksi avatar Mar 14 '25 22:03 aksiksi

@L-Acacia Could you share the simple config you used? I hit the same error (failing to write to storage) when trying to setup the integration test for PR #84.

aksiksi avatar Mar 16 '25 04:03 aksiksi

nixpkgs seems to be doing this in the default service created for each container, handling user, runtimedir, and the sdnotify things I don't understand. Maybe it helps? https://github.com/NixOS/nixpkgs/blob/59e6a84a7b5469c17db5b13a55f646453672c69a/nixos/modules/virtualisation/oci-containers.nix#L553

repparw avatar Mar 21 '25 22:03 repparw

Apologies since this part is not exactly about the implementation, but how did you fix the setuid issues? I keep bumping into either

Error: command required for rootless mode with multiple IDs: exec: "newuidmap": executable file not found in $PATH

Or

Error: cannot set up namespace using "/nix/store/65nmj2ri15h5vrg35c495n40i2dzz9zr-shadow-4.16.0/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1

As for the implementation, I see that in the tests @aksiksi sets the subuid and subgid range manually, but I found this option to auto-set the range. The full user setup works like this:

  # Create a dedicated unprivileged user for the rootless containers
  users.groups.<service> = {};
  users.users.<service> = {
    # Let NixOS allocate a subuid/subgid range for user namespaces
    # (written to /etc/subuid and /etc/subgid)
    autoSubUidGidRange = true;
    group = "<service>";
    isSystemUser = true;
    # Keep the user's systemd instance running without a login session
    linger = true;

    createHome = true;
    home = "/home/<service>";
  };

And it automatically handles setting the range in both /etc/subuid and /etc/subgid (the allocated range is currently always of size 65536). Perhaps compose2nix can append this with the service name on top of the generated docker-compose.nix file if it's running rootless?

Also, thanks for the package, been using it a lot since I migrated from docker-compose to podman containers managed by nix!

biscanli avatar Apr 28 '25 12:04 biscanli
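The two failure modes quoted in the last comment (no newuidmap on PATH, or a newuidmap that is not setuid) and the subuid/subgid range discussion suggest a small set of host checks worth running before debugging a rootless container. The script below is an added example, not part of the thread or of compose2nix, that packages those checks as POSIX sh functions and exercises them on a constructed /etc/subuid-style file. The user name "myservice", the range starts, and the file locations in the demo are assumptions for the example.

```sh
#!/bin/sh
# Added example: sanity checks for a rootless podman user on NixOS.
# Not from the compose2nix thread; names and sample data are made up.

# check_subid_range FILE USER SIZE
# Succeeds if FILE (format "user:start:count", as in /etc/subuid and
# /etc/subgid) grants USER a range of exactly SIZE ids.
check_subid_range() {
  awk -F: -v user="$2" -v size="$3" '
    $1 == user && $3 == size { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_no_overlap FILE
# Succeeds if no two ranges in FILE overlap. Overlapping ranges let two
# rootless users map the same host uids, which defeats the isolation.
check_no_overlap() {
  sort -t: -k2,2n "$1" | awk -F: '
    NR > 1 && $2 < prev_end { overlap = 1 }
    { prev_end = $2 + $3 }
    END { exit overlap ? 1 : 0 }
  '
}

# check_newuidmap_setuid PATHNAME
# Succeeds if PATHNAME has the setuid bit. podman needs the setuid
# newuidmap/newgidmap binaries; on NixOS those are the wrappers under
# /run/wrappers/bin, not the unprivileged copies in /nix/store.
check_newuidmap_setuid() {
  [ -u "$1" ]
}

# Demo on a constructed subuid file (two users, adjacent 65536-id ranges).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/subuid" <<'EOF'
alice:100000:65536
myservice:165536:65536
EOF
  if check_subid_range "$tmp/subuid" myservice 65536; then
    echo "myservice: subuid range of 65536 ids present"
  else
    echo "myservice: no 65536-id subuid range" >&2
  fi
  if check_no_overlap "$tmp/subuid"; then
    echo "subuid: no overlapping ranges"
  else
    echo "subuid: overlapping ranges found" >&2
  fi
  rm -rf "$tmp"
}

demo
```

On a real host, replace the constructed file with /etc/subuid and /etc/subgid and point `check_newuidmap_setuid` at `$(command -v newuidmap)`; if `command -v newuidmap` prints nothing you are in the first error case from the comment above, and if it prints a /nix/store path rather than /run/wrappers/bin/newuidmap you are in the second. `loginctl show-user <service> -p Linger` confirms the lingering half of the setup.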