authorViktor Kronvall <viktor.kronvall@gmail.com>2023-08-17 00:50:10 +0900
committerViktor Kronvall <viktor.kronvall@gmail.com>2023-08-19 23:34:21 +0900
commitca072c08a2543b4a7a107ebbfbb03ab23426f6ed (patch)
tree9e3d69be7fc0fe55ab25e22ba886509b9165b2ca /pkgs/build-support/docker/default.nix
parentb35440bfcf536d1043dc04356c9f021bddc68256 (diff)
dockerTools: replace fakechroot with proot
The command `fakechroot` errored with buffer overflows. The `proot`
command doesn't seem to suffer from the same problem. The tar command
creating the layer errors with "permission denied" on a bunch of paths
in /proc but the layer seems to get built anyway.
Diffstat (limited to 'pkgs/build-support/docker/default.nix')
-rw-r--r--pkgs/build-support/docker/default.nix20
1 files changed, 10 insertions, 10 deletions
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index f6416c81cc0..9f57804e957 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -5,7 +5,7 @@
 , closureInfo
 , coreutils
 , e2fsprogs
-, fakechroot
+, proot
 , fakeNss
 , fakeroot
 , go
@@ -887,6 +887,13 @@ rec {
         });
 
         contentsList = if builtins.isList contents then contents else [ contents ];
+        bind-paths = builtins.toString (builtins.map (path: "--bind=${path}:${path}!") [
+          "/dev/"
+          "/proc/"
+          "/sys/"
+          "${builtins.storeDir}/"
+          "$out/layer.tar"
+        ]);
 
         # We store the customisation layer as a tarball, to make sure that
         # things like permissions set on 'extraCommands' are not overridden
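Review bot: `bind-paths` has no comment explaining the trailing `!` on each guest location or why these five host paths are exposed, and both matter to anyone auditing what `fakeRootCommands` can reach on the build host. I would add a comment such as `# Host paths made visible inside the proot root; the trailing "!" asks proot not to dereference the guest location if it is a symlink.`, after confirming that reading against the proot manual. The `$out/layer.tar` entry also looks redundant: the file does not exist yet when proot starts in the later hunk (only `mkdir $out` has run), and `$out` is presumably already reachable through the `${builtins.storeDir}/` bind. As a style point, the neighbouring binding is `contentsList`, so `bindPaths` would match the file's camelCase.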
@@ -898,21 +905,14 @@ rec {
           nativeBuildInputs = [
             fakeroot
           ] ++ optionals enableFakechroot [
-            fakechroot
-            # for chroot
-            coreutils
-            # fakechroot needs getopt, which is provided by util-linux
-            util-linux
+            proot
           ];
           postBuild = ''
             mv $out old_out
             (cd old_out; eval "$extraCommands" )
 
             mkdir $out
-            ${optionalString enableFakechroot ''
-              export FAKECHROOT_EXCLUDE_PATH=/dev:/proc:/sys:${builtins.storeDir}:$out/layer.tar
-            ''}
-            ${optionalString enableFakechroot ''fakechroot chroot $PWD/old_out ''}fakeroot bash -c '
+            ${optionalString enableFakechroot ''proot -r $PWD/old_out ${bind-paths} --pwd=/ ''}fakeroot bash -c '
               source $stdenv/setup
               ${optionalString (!enableFakechroot) ''cd old_out''}
               eval "$fakeRootCommands"
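Review bot: The `proot -r $PWD/old_out ${bind-paths} --pwd=/` line makes the build host's `/dev`, `/proc` and `/sys` visible inside the root that is later archived, and the commit message reports tar hitting "permission denied" under `/proc`, which suggests the archive step walks those bound trees. The tar call is outside this hunk, so confirm that it skips the bound paths (for example `--exclude=./dev --exclude=./proc --exclude=./sys`) and that a non-zero tar exit fails the build. Otherwise host-specific entries may end up in the layer, hurting reproducibility, and a partially written archive could be accepted silently. The option and its comments are still named `enableFakechroot` although fakechroot is no longer involved; a short comment noting that it now selects proot would help. The `bash -c` body continues past the end of the hunk.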