nixos/doc: document fakeNss, binSh

2022-05-23 12:04:04 +02:00 · 2022-05-23 12:04:04 +02:00 · d84e7842a5
parent 886d2294d2
commit d84e7842a5
1 changed files with 28 additions and 0 deletions
--- a/doc/builders/images/dockertools.section.md
+++ b/doc/builders/images/dockertools.section.md
@ -321,3 +321,31 @@ buildImage {
 ```

 Creating base files like `/etc/passwd` or `/etc/login.defs` is necessary for shadow-utils to manipulate users and groups.
+
+## fakeNss {#ssec-pkgs-dockerTools-fakeNss}
+
+If your primary goal is providing a basic skeleton for user lookups to work,
+and/or a lesser privileged user, adding `pkgs.fakeNss` to
+`build*Image.contents` might be the better choice than a custom script running
+`useradd` and friends.
+
+It provides a `/etc/passwd` and `/etc/group`, containing `root` and `nobody`
+users and groups.
+
+It also provides a `/etc/nsswitch.conf`, configuring NSS host resolution to
+first check `/etc/hosts`, before checking DNS, as the default in the absence of
+a config file (`dns [!UNAVAIL=return] files`) is quite unexpected.
+
+You usually might to pair it with binSh, which provides `bin/sh` as a symlink
+to `bashInteractive` (as `/bin/sh` is configured as a shell).
+
+```nix
+buildImage {
+  name = "shadow-basic";
+
+  contents = [
+    binSh
+    fakeNss
+  ]
+}
+```