Ludovic Courtès <ludo@HIDDEN>
to control <at> debbugs.gnu.org
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 23 Feb 2025 22:42:06 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Feb 23 17:42:06 2025 Received: from localhost ([127.0.0.1]:37230 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1tmKfm-0003DH-1U for submit <at> debbugs.gnu.org; Sun, 23 Feb 2025 17:42:06 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:34396) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1tmKfj-0003Ch-DA for 70314 <at> debbugs.gnu.org; Sun, 23 Feb 2025 17:42:04 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1tmKfb-0000hh-Dm; Sun, 23 Feb 2025 17:41:55 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=H0z80PEq/28xKZ4tjBXALhm9AZ8QKUi2ougZGlq5njw=; b=N2bctx/Qoh3IZvg0PD3X 8MBonve06PUKIuDe0HufII+bw/jXuLuzrA3FUoT1y8A18JrtnK1ksKHR+R9TJ7fLxNz+6ubjcxJfB ZK6H/+mYxSAHMgZJ/tKz4BmH7x7F9u0tFRPSywgZTUdLPQHiZ16zPddY/EmTr38RPBZgVG+w8RM3G /2MAF40E7wIWx7NkDhDiKcbw7VXct6L1UG/A9mdMlcsvzXHaWy7KEHQkOPtE2KJkbF4JocVjjttl1 oNqWTtvEBxBce0HzHBSGD3Fmit5NcniULsGpEVnIWSP6+3IiZc0mGqpTlvU2Q7biDrAlzSv4fSkF6 Oo12x09KQjFVvA==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Richard Sent <richard@HIDDEN> Subject: Re: [bug#70314] [PATCH v2] guix: scripts: environment: add tls certs to networked containers. In-Reply-To: <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN> (Richard Sent's message of "Tue, 28 Jan 2025 16:11:28 -0500") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN> Date: Sun, 23 Feb 2025 23:41:48 +0100 Message-ID: <87plj8uvv7.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>, zimon.toutoune@HIDDEN, Mathieu Othacehe <othacehe@HIDDEN>, rprior@HIDDEN, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi Richard, Richard Sent <richard@HIDDEN> skribis: > Add the --no-tls flag. By default when starting a container with -N, add = the > nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FI= LE > environment variables. When --no-tls is passed, default to the old behavi= or. > > * guix/scripts/environment.scm (%default-tls-certs): New function. > (show-environment-options-help): Add help for --no-tls. > (%options): Add --no-tls option. > (options/resolve-packages): Add %default-tls-certs to profile when networ= k is > true and no-tls is false. > (launch-environment/container): Add set-tls? argument and set > SSL_CERT_DIR/FILE if #t. > (guix-environment*): Sanity check no-tls? and pass the negated version to > launch-environment/container. > * doc/guix.texi (Invoking guix shell): Document it. > (Invoking guix environment): Ditto. > * tests/guix-environment-container.sh: Add tests for behavior with and wi= thout > no-tls flag. > > Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895 > --- > Hi all. Been a while but I figured I'd take another crack at this. Sorry that it takes so long. I=E2=80=99m happy with this version though I have one question: > + (when set-tls? > + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/ce= rts")) > + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_D= IR") > + "/ca-certificates.c= rt"))) What about symlinking /etc/ssl/certs in the container instead of setting these two variables? The reason I=E2=80=99m suggesting this is that these two variables are not universal; example: --8<---------------cut here---------------start------------->8--- $ ./pre-inst-env guix shell -CN wget coreutils [env]$ echo $SSL_CERT_DIR/ /gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/ [env]$ echo $SSL_CERT_FILE=20 /gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/ca-certif= icates.crt [env]$ wget -O/dev/null https://guix.gnu.org --2025-02-23 22:39:48-- https://guix.gnu.org/ Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56 Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected. ERROR: The certificate of 'guix.gnu.org' is not trusted. ERROR: The certificate of 'guix.gnu.org' doesn't have a known issuer. --8<---------------cut here---------------end--------------->8--- The symlink saves us: --8<---------------cut here---------------start------------->8--- [env]$ ln -s $GUIX_ENVIRONMENT/etc/ssl /etc/ssl [env]$ wget -O/dev/null https://guix.gnu.org=20=20=20 --2025-02-23 22:41:06-- https://guix.gnu.org/ Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56 Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 19897 (19K) [text/html] Saving to: '/dev/null' /dev/null 100%[=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>] 19.43K --.-KB/s in 0s=20=20=20=20= =20=20 2025-02-23 22:41:07 (168 MB/s) - '/dev/null' saved [19897/19897] --8<---------------cut here---------------end--------------->8--- Thoughts? We=E2=80=99ve close to completion, very! Ludo=E2=80=99.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 29 Jan 2025 01:39:26 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 28 20:39:26 2025 Received: from localhost ([127.0.0.1]:39286 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1tcx37-0005j7-M3 for submit <at> debbugs.gnu.org; Tue, 28 Jan 2025 20:39:26 -0500 Received: from mail-pl1-x634.google.com ([2607:f8b0:4864:20::634]:55799) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <maxim.cournoyer@HIDDEN>) id 1tcx35-0005ip-8t for 70314 <at> debbugs.gnu.org; Tue, 28 Jan 2025 20:39:23 -0500 Received: by mail-pl1-x634.google.com with SMTP id d9443c01a7336-21644aca3a0so147261745ad.3 for <70314 <at> debbugs.gnu.org>; Tue, 28 Jan 2025 17:39:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738114757; x=1738719557; darn=debbugs.gnu.org; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=omernCgDsLM9WkCOA4SkH+gP5IYNJvhMmVSNf7phPKE=; b=hF36NE/wx2Jak5JTWyCGGpeRm1yuigcwRXiDsswMIxHVi0cIK3pkIfKc2A8G1nkdSx 7GpfbvLX/LOAiwEApRDAlnUjFgZQEq+OQlrT2k8Q58mkPgXFkNpy3UIsRHLyBXWCyl/b CAK/uAlh/8eRZ9amWGpmb6ZbRI/YXaV7Vw7+98HdLtUMN0NNWHHYmF+gJA+3AqfrLE11 ovvp31cjy0qEf0mLNDRs5dmDphJwyQE3MgdbV4H9bqgbAHPdhqz9BjRnnPe6IEOsGjL7 pL45OhlNPjrXcdHINwu3+kn1z7LyEbOgX1oDP9mgqWX7+TWYFRtfvhLEbgmaviqRbGNX Bn8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738114757; x=1738719557; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=omernCgDsLM9WkCOA4SkH+gP5IYNJvhMmVSNf7phPKE=; b=WyirJItFyM2sPTAsLRJYFFtNPhBUuCtLkY4e2y+tR1F5Zv87SQvEaz6WWi37FqFJtG u3wS1gf816qOmGkc3xqH+JmY2RMtgm6ctSaHeCEZaiP0hCpzjCpVF5fyKssfG5nL8gdE mszuwpcuxmlDcIDN4nQbTUdFWTlMx4Dh8/G7FcPiWLHQEZSusho+VYlnz+Dv5E/RGR2O 1tM27Zeh/YTDb2GA/K9QBnZxw2ILXftl10a2uYR02deQOILjKJRUHhLw3vruWCPWiCMb KeJpkFBoNnPdWurD5Xb/YB2dbntGX5l2OxAf/iu8za5DoOpfwFdhT1kemT+d9FlhpdRn t3bA== X-Forwarded-Encrypted: i=1; AJvYcCWwUomrX/dD77QaspNyLcqMwlYLe74icCjK7iyw8knc3C35b3rMIHOYnnBHHeC/7Dx08/ZqQw==@debbugs.gnu.org X-Gm-Message-State: AOJu0YwklDVH0MZZkVCnjnaX6gEkKfdW+N88UqcYJp6iqw+fFMss0f/2 JtEejGsKyd3p0M48t0KV7oua2fkfsGpaLSuazMKPxsgHcXBGg1xO X-Gm-Gg: ASbGncvqJ5hnnTGhIcsUt7F4B311X3o7s8O03QNmv3Dr+HPTr+JCNnJADRs7YjYXnXt serdCcEoggQo7mj2gQSJ1BWi63qlqIsUpjh/qsulle12TxBKLBZSmcH1pJF61Bxa8145EJQ2OFj gayVHPe+cdhrjgDT8Xsi8n+mC3T41DCYbfDA+IdzFvqKdrQNcUovCeEIHqYX/HnpotvsFSobU4U SPmkWE5fzMg9kBK74Th9U4S16YRjsTlw3gIqKVa1xXmxH0+/Fd8vZQvYmopFLtHi90b3fsycizS 1XxrqRkhmrsC X-Google-Smtp-Source: AGHT+IFuYF19OgIa0LwfOM2s4/1QNfku+lG/OIO3Mff+NiVlDl9AI7IoywPFW2/fbOoQu1qIXApv5g== X-Received: by 2002:a05:6a20:6a0e:b0:1ed:534e:38b1 with SMTP id adf61e73a8af0-1ed7a6e2565mr2334551637.41.1738114757308; Tue, 28 Jan 2025 17:39:17 -0800 (PST) Received: from terra ([2405:6586:be0:0:c8ff:1707:9b9:af89]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72f8a6b307fsm9949543b3a.46.2025.01.28.17.39.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Jan 2025 17:39:16 -0800 (PST) From: Maxim Cournoyer <maxim.cournoyer@HIDDEN> To: Simon Tournier <zimon.toutoune@HIDDEN> Subject: Re: bug#70314: [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <87h6aatlgz.fsf@HIDDEN> (Simon Tournier's message of "Fri, 20 Sep 2024 17:04:44 +0200") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87h6aatlgz.fsf@HIDDEN> Date: Wed, 29 Jan 2025 10:39:04 +0900 Message-ID: <871pwms8jr.fsf_-_@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org, Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi, Simon Tournier <zimon.toutoune@HIDDEN> writes: [...] >> + (when (and (not network?) >> + no-tls?) >> + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) >> + > > Why not a warning instead of leaving with an error? Is it even worth it? The in the default case there is networking (not containerized), and --networking is a no-op. No big deal? What's the rationale for changing this? It can potentially affect someone's script. -- Thanks, Maxim
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 29 Jan 2025 01:33:13 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 28 20:33:13 2025 Received: from localhost ([127.0.0.1]:39279 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1tcwx6-0005Sp-TM for submit <at> debbugs.gnu.org; Tue, 28 Jan 2025 20:33:13 -0500 Received: from mail-pl1-x631.google.com ([2607:f8b0:4864:20::631]:55454) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <maxim.cournoyer@HIDDEN>) id 1tcwx4-0005Sa-2D for 70314 <at> debbugs.gnu.org; Tue, 28 Jan 2025 20:33:10 -0500 Received: by mail-pl1-x631.google.com with SMTP id d9443c01a7336-21636268e43so138028295ad.2 for <70314 <at> debbugs.gnu.org>; Tue, 28 Jan 2025 17:33:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738114384; x=1738719184; darn=debbugs.gnu.org; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=ROduub+o75ikQ5D/yvhcMhaqmyz1gXegOafWyL9Idik=; b=MlELz9ywgGYjBgH/eW+0nErhcoDrZOlh215Jggduwo3J1KUp5wFMokiA+KT4mXjB5t fvHtzjP6HAH5DeiM2DQy6V7N/wuEB6f3jkXjDmHsXH4MQGua79aHYG5axVGRLnK8Cl4h Fy0+DfLNbSsuzLOYKc1N8XhwqTonLa4eTg1eBRe6uKCSTGUYF0N5Pwz/ei2yX9ZHoSm2 4K8IrG3Lax6oguYguV7E0b3WlrNg7PxM4IAHNLoMjKxCGX5WyjV2+Vv/cOuqP+S5rwzf EAAQhy6Qzei3b0OhK4tGLaaAYir/CJKs5goINCcSvGGAldBZypW3XLj5+riX2bPuRZaw Hw9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738114384; x=1738719184; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ROduub+o75ikQ5D/yvhcMhaqmyz1gXegOafWyL9Idik=; b=VmGVBwlCaY71CtOO2oUc9fxOmnx61lYFJpC2NVzeYEvJ3I0+TZuldVdbMmUf0zCaE6 g0QBlecgvQNn85jFKI9WG9eKEkkdlb+wX61vMiNkzYlGdwWxpzt/L6/EtIlk2yssGM2W sV/iij0Ep7TzxpaXeamgVn6Vn8H9jS2fNOEEiMavALQt9k+EcibdRTBjongeFxbknZLM UOorgfGFBC8/IXukvcybasNIB32MCKUU4Ybqu+94Ux3IS8vgFijGrc5MJRMcXiGTk2Kd h0lF9ejIQeIS40rmw9zhC29yEsradS2PsE2gOeBD3qnZoXPee6m7SAweYM9UonlzT//J Z9qA== X-Gm-Message-State: AOJu0Yx4xYsJ5+IlFyw7oCV4scu+GysO+dhZ4e5s93G4cVqGNNrPP2aA Ip4P2tCLKxAfogJp01Chtg3Rq/jzhJYnnD5/mgPl4hb4+G3geFRF X-Gm-Gg: ASbGncuJFLAn+nvxcAARQMadLLMdc7ICZ1ZnBka1s0exVnTZ5R+dqtT0nFUr3JPMNeu Kf55UQe5QvsaotsAWmGkBEGh4itn9GRnQ4UzDuwplcBRHSEChYR9Q0/dRLOFyGyPs18QO0SbBYf nRNyFAEqDS6mA1oDSwwBeM22cGejOLxBWsJzZ4oCso90kzUsksSmwTuuSvQ3tWBDcfgONYH5xv4 H09pwTiEbhc5F3hRgbaltLgbOqXqKBLNYsMrpGt+sbL4QK8tdKOhvc+hwiK8o1e8IxpkaXydndO iBlSfVVNhrUl X-Google-Smtp-Source: AGHT+IFCf+RQtRkAD08dORcgeQiX0IL2b4cHK7ZSw7CvE+Vh59xFHJoiyGOeBOh9uvdzyQ7g+1EmfQ== X-Received: by 2002:a17:902:f644:b0:216:2477:e4d3 with SMTP id d9443c01a7336-21dd7df6ad3mr19131185ad.51.1738114383942; Tue, 28 Jan 2025 17:33:03 -0800 (PST) Received: from terra ([2405:6586:be0:0:c8ff:1707:9b9:af89]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-21da4141123sm89523635ad.112.2025.01.28.17.33.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Jan 2025 17:33:03 -0800 (PST) From: Maxim Cournoyer <maxim.cournoyer@HIDDEN> To: Richard Sent <richard@HIDDEN> Subject: Re: bug#70314: [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> Date: Wed, 29 Jan 2025 10:32:50 +0900 Message-ID: <875xlys8u5.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.7 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.3 (/) Hi, Richard Sent <richard@HIDDEN> writes: > * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a > container with -N, add nss-certs package and set SSL_CERT_DIR and > SSL_CERT_FILE environment variables. When --no-tls is passed, default to old > behavior. > * doc/guix.texi: Document it. I just wanted to share that I have a WIP in progress that would address this differently; by using p11-kit with a trusted path to nss certs by default: --8<---------------cut here---------------start------------->8--- gnu: p11-kit: Add nss-certs to default trust path. * gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs. [arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a trust path. Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39 1 file changed, 5 insertions(+), 2 deletions(-) gnu/packages/tls.scm | 7 +++++-- modified gnu/packages/tls.scm @@ -61,6 +61,7 @@ (define-module (gnu packages tls) #:use-module (gnu packages base) #:use-module (gnu packages bash) #:use-module (gnu packages build-tools) + #:use-module (gnu packages certs) #:use-module (gnu packages check) #:use-module (gnu packages curl) #:use-module (gnu packages dns) @@ -160,6 +161,7 @@ (define-public p11-kit docbook-xsl gettext-minimal libxslt + nss-certs ;default certs pkg-config)) (inputs (append (list libffi libtasn1) @@ -175,9 +177,10 @@ (define-public p11-kit (string-append "-Dtrust_paths=" (string-join - '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc. + `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc. "/etc/pki/tls/certs/ca-bundle.crt" ;fedora, centos - "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse + "/var/lib/ca-certificates/ca-bundle.pem" + ,(search-input-directory %build-inputs "etc/ssl/certs")) ":"))))) (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html") (synopsis "PKCS#11 library") --8<---------------cut here---------------end--------------->8--- And then building gnutls with the '--with-default-trust-store-pkcs11=pkcs11:' configure flag. In theory that would mean that any GnuTLS using application would work out of the box. p11-kit also allows users to override certs by user configuration in XDG directories, should someone want to add their own certs or override the default trust store (to be documented). In practice I haven't yet rebuilt the world with this, but encountered a failing test that suggest it doesn't work as expected (but perhaps it's just the test) [0]. For OpenSSL, there is supposedly a plugin that can be used to make it use p11-kit managed certs, though I haven't investigated. The idea to use p11-kit was suggested to us (via Andreas) in 2015 by the main GnuTLS developper [1] It's used on Fedora/Red Hat for example [2]. [0] https://gitlab.com/gnutls/gnutls/-/issues/1639 [1] https://lists.gnupg.org/pipermail/gnutls-devel/2015-February/007447.html [2] https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gnutls.spec#_320 -- Thanks, Maxim
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 28 Jan 2025 21:13:17 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 28 16:13:17 2025 Received: from localhost ([127.0.0.1]:38888 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1tcstY-0001QD-Gr for submit <at> debbugs.gnu.org; Tue, 28 Jan 2025 16:13:17 -0500 Received: from mail-108-mta75.mxroute.com ([136.175.108.75]:45941) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <richard@HIDDEN>) id 1tcstU-0001Q0-SW for 70314 <at> debbugs.gnu.org; Tue, 28 Jan 2025 16:13:14 -0500 Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta75.mxroute.com (ZoneMTA) with ESMTPSA id 194aec2c521000310e.001 for <70314 <at> debbugs.gnu.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Tue, 28 Jan 2025 21:13:07 +0000 X-Zone-Loop: f2b00e0f2e19851749e5d999ffe42aed41ef57107ed8 X-Originating-IP: [136.175.111.3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=EVnT23MAOto7dGaHWHfL/EEKWFMc0M5vmna0+fAIi90=; b=AHZ02nUfrrzLYjKvBtXvuTMHlY 6XNH+/2D3MtT7+pjNMg8B2PY8oZIiGgdEDn49oB7oFIt5HCAh/Owz52BrG3WRN3EY7cLx7WujiAHu 4KY3W9fIUk5/7+J4bmI6ZCZVckStCCVExHgstM+uMQzxVSBW2tbDMMBfPnloRY8sOQY8cwMIChgEF TCowDn+QdJ864LxVAinE7Va4/1MjGM8fpjoMw7e4v5zTe70Rb9v7ueqkFSRNj+roAGUYSwMHUTEIH fq9HpSsR0A+v+gDU7vXsxLQjH+rrh91ugYYVti2zoO1JhZHk08bkRSaBX2X5CF5FRYZS4rYZwKohA 3uGM7xSg==; From: Richard Sent <richard@HIDDEN> To: guix-patches@HIDDEN, 70314 <at> debbugs.gnu.org Subject: [PATCH v2] guix: scripts: environment: add tls certs to networked containers. Date: Tue, 28 Jan 2025 16:11:28 -0500 Message-ID: <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN> MIME-Version: 1.0 X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Authenticated-Id: richard@HIDDEN X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Richard Sent <richard@HIDDEN>, rprior@HIDDEN, ludo@HIDDEN, zimon.toutoune@HIDDEN X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Add the --no-tls flag. By default when starting a container with -N, add the nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE environment variables. When --no-tls is passed, default to the old behavior. * guix/scripts/environment.scm (%default-tls-certs): New function. (show-environment-options-help): Add help for --no-tls. (%options): Add --no-tls option. (options/resolve-packages): Add %default-tls-certs to profile when network is true and no-tls is false. (launch-environment/container): Add set-tls? argument and set SSL_CERT_DIR/FILE if #t. (guix-environment*): Sanity check no-tls? and pass the negated version to launch-environment/container. * doc/guix.texi (Invoking guix shell): Document it. (Invoking guix environment): Ditto. * tests/guix-environment-container.sh: Add tests for behavior with and without no-tls flag. Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895 --- Hi all. Been a while but I figured I'd take another crack at this. > Ludo: > This would force all the package modules to be loaded upfront. Instead you > should arrange to not refer to ‘nss-certs’ until it’s needed. Understood, %default-tls-certs is thunked in V2. To my understanding this should achieve what we want. > Ludo: > Internally, I would reverse the logic to have ‘tls?’ instead (as a rule > of thumb, I always avoid negating Booleans in code). I choose no-tls? to be consistent with the no-cwd? option,. V2 now uses the set-tls? option in launch-environment/container and no-tls? everywhere else, which I think fits better because outside l-e/c, no-tls? is more of a flag for if the --no-tls option was passed than a control boolean. > Ludo: > Can we delay changes to the manifest until after all options have been > parsed, so we know whether ‘-C’ has been passed? Possibly, but it would be inconsistent with how nesting? works at present, which also requires -C. I believe emulate-fhs? also adds packages to the profile immediately, see parse-args in guix/scripts/shell.scm, which AFAICT splices a '-e (@@ (gnu packages base) glibc-for-fhs)' in the options. One way this could be resolved is by creating a internal manifest, then concatenating it with manifest-from-opts. i.e. have a user manifest containing explicitly provided packages and an internal manifest containing glibc-for-fhs, nss-certs and guix depending on emulate-fhs?, no-tls?, and nesting?. That's probably outside the scope of this patch. > Ludo: > Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh > pass. For the low low price of free, not only do you get passing tests but now you get more tests! What a steal. > Simon: > I would prefer to not have any short option at all. Agreed and changed. > Simon: > Why not a warning instead of leaving with an error? I elected to go with an error to be consistent with the sanity checking around container?. In my opinion, warnings are best for when a user is doing something technically valid but likely unintended, errors are for the "technically makes no sense". doc/guix.texi | 8 +++++++ guix/scripts/environment.scm | 35 +++++++++++++++++++++++++++-- tests/guix-environment-container.sh | 11 +++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b1b6d98e74..d291c15759 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6289,6 +6289,10 @@ Invoking guix shell Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} @@ -6786,6 +6790,10 @@ Invoking guix environment Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 648a497743..174d446635 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2015-2024 Ludovic Courtès <ludo@HIDDEN> ;;; Copyright © 2018 Mike Gerwitz <mtg@HIDDEN> ;;; Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN> +;;; Copyright © 2025 Richard Sent <richard@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -50,6 +51,7 @@ (define-module (guix scripts environment) #:use-module (gnu system file-systems) #:autoload (gnu packages) (specification->package+output) #:autoload (gnu packages bash) (bash) + #:autoload (gnu packages certs) (nss-certs) #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile) #:autoload (gnu packages package-management) (guix) #:use-module (ice-9 match) @@ -72,6 +74,10 @@ (define-module (guix scripts environment) (define %default-shell (or (getenv "SHELL") "/bin/sh")) +(define (%default-tls-certs) + ;; Thunk to defer loading (gnu packages certs) + (list nss-certs)) + (define* (show-search-paths profile manifest #:key pure?) "Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t, do not augment existing environment variables with additional search paths." @@ -108,6 +114,9 @@ (define (show-environment-options-help) -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + --no-tls do not add SSL/TLS certificates or set environment + variables for a networked container")) (display (G_ " -P, --link-profile link environment profile to ~/.guix-profile within an isolated container")) @@ -244,6 +253,9 @@ (define %options (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '("no-tls") #f #f + (lambda (opt name arg result) + (alist-cons 'no-tls? #t result))) (option '(#\W "nesting") #f #f (lambda (opt name arg result) (alist-cons 'nesting? #t result))) @@ -359,6 +371,11 @@ (define (options/resolve-packages store opts) (packages->outputs (load* file module) mode))) (('manifest . file) (manifest-entries (load-manifest file))) + (('network? . #t) + (if (assoc-ref opts 'no-tls?) + '() + (manifest-entries + (packages->manifest (%default-tls-certs))))) (('nesting? . #t) (if (assoc-ref opts 'profile) '() @@ -732,7 +749,8 @@ (define* (launch-environment/fork command profile manifest (define* (launch-environment/container #:key command bash user user-mappings profile manifest link-profile? network? - map-cwd? emulate-fhs? nesting? + set-tls? map-cwd? emulate-fhs? + nesting? (setup-hook #f) (symlinks '()) (white-list '())) "Run COMMAND within a container that features the software in PROFILE. @@ -936,6 +954,11 @@ (define* (launch-environment/container #:key command bash user user-mappings ;; Allow local AF_INET communications. (set-network-interface-up "lo")) + (when set-tls? + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs")) + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR") + "/ca-certificates.crt"))) + ;; For convenience, start in the user's current working ;; directory or, if unmapped, the home directory. (chdir (if map-cwd? @@ -1085,6 +1108,7 @@ (define (guix-environment* opts) (link-prof? (assoc-ref opts 'link-profile?)) (symlinks (assoc-ref opts 'symlinks)) (network? (assoc-ref opts 'network?)) + (no-tls? (assoc-ref opts 'no-tls?)) (no-cwd? (assoc-ref opts 'no-cwd?)) (emulate-fhs? (assoc-ref opts 'emulate-fhs?)) (nesting? (assoc-ref opts 'nesting?)) @@ -1138,7 +1162,13 @@ (define (guix-environment* opts) (when nesting? (leave (G_ "'--nesting' cannot be used without '--container'~%"))) (when (pair? symlinks) - (leave (G_ "'--symlink' cannot be used without '--container'~%")))) + (leave (G_ "'--symlink' cannot be used without '--container'~%"))) + (when network? + (leave (G_ "'--network cannot be used without '--container'~%")))) + + (when (and (not network?) + no-tls?) + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) (with-status-verbosity (assoc-ref opts 'verbosity) (with-store/maybe store @@ -1217,6 +1247,7 @@ (define (guix-environment* opts) #:white-list white-list #:link-profile? link-prof? #:network? network? + #:set-tls? (not no-tls?) #:map-cwd? (not no-cwd?) #:emulate-fhs? emulate-fhs? #:nesting? nesting? diff --git a/tests/guix-environment-container.sh b/tests/guix-environment-container.sh index 09704f751c..7ffc7f8c9f 100644 --- a/tests/guix-environment-container.sh +++ b/tests/guix-environment-container.sh @@ -2,6 +2,7 @@ # Copyright © 2015 David Thompson <davet@HIDDEN> # Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN> # Copyright © 2023 Ludovic Courtès <ludo@HIDDEN> +# Copyright © 2025 Richard Sent <richard@HIDDEN> # # This file is part of GNU Guix. # @@ -272,3 +273,13 @@ guix shell -C -D guix -- "$env" guix build hello -d && false # cannot work hello_drv="$(guix build hello -d)" hello_drv_nested="$(cd "$(dirname env)" && guix shell --bootstrap -E GUIX_BUILD_OPTIONS -CW -D guix -- "$env" guix build hello -d)" test "$hello_drv" = "$hello_drv_nested" + +# Test if SSL_CERT_{DIR,FILE} are set and readable in the container. +# +# -f does cover the case of a symlink to a file inaccessible within the +# -container. +guix shell -CN -- /bin/sh -c 'test -d $SSL_CERT_DIR' +guix shell -CN -- /bin/sh -c 'test -f $SSL_CERT_FILE' +# Confirm --no-tls causes SSL_CERT_{DIR,FILE} to be unset. +guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_DIR' +guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_FILE' base-commit: 97fb1887ad10000c067168176c504274e29e4430 -- 2.47.1
guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, maxim.cournoyer@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:43 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri Sep 20 12:11:43 2024 Received: from localhost ([127.0.0.1]:36146 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1srgER-000411-0O for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:43 -0400 Received: from mail-wm1-f47.google.com ([209.85.128.47]:60874) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <zimon.toutoune@HIDDEN>) id 1srgED-0003zT-7h for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400 Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4280ca0791bso20303125e9.1 for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726848604; x=1727453404; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=; b=mFKij3nRMteKu4wN+IJAXOLvyKr4gyIeL2QsVKmRe/BQlrmPUehYj8NdVUCJSa4zzP DUzWdPMUogtZkiyKLEx7viUpmCwpzUuhn4saItX0IB/RcVi2210U2w1G6tIUr4N32iUN 4NNq4FF6o7odgvOuUEN9Lo30QSghrLeWdsjExjQz2WSvq2JVDUvmHx4lML3bEPNvI501 IC83g17pVTFyz+nLytPRA4Q6zsH0kXrzIbAG+1PXjQ8DpYCly63ee5c+oro1YOSDv/mD d4+1Q8vkE0I42P5TE+yGNZht6hdICnw7qHpB7GRRcfKdO4VA03nP8JMm1JJCpMxZjT+W i7xQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726848604; x=1727453404; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=; b=Ebudz/jMJj/zkuO+sKxOGBWouK55B9jhtU8L1YG6d2N9btJlzTEu0IZtJs1d+BNCfC onhM69AfylaG/9w2ta3um7BQNe6sajxggTzTdJhLvtBB+QHwUdE01tYJsVnG91sQogpy EPGkXH/E7JE9EU/K1M7l66DRz5koge+m3DCcMasNP9fBaJQYAUqOMIzyCkSUJCZoRgVD z/YtIDQUX9DWmedAz1OHDmDuzFuXzoQTSEZaDdL1oznQrKM0J4FvgCE/8CdN+Jxxp18R y0dPt93GCvyW4CTSiN3fh0thYNRvgKTFEHYE2VfXeDvnqvHzTYUTog2IrXMbU5DoS654 1yJA== X-Forwarded-Encrypted: i=1; AJvYcCWwuRa5Mq8zq+bL7zgH03hpoqrE95AKXiOEyFKQ2iDZtcPfn7Ckfw1S18y3e5+nwaIGHxpt+A==@debbugs.gnu.org X-Gm-Message-State: AOJu0Yw6LBlLZXYt0mCnaZGEGwTxzZMabb/JdYa9SWQ7Co66GzXNXLG3 0RV+4j2i/ll7z7+AChlQJMEQx+mzi00QryXeP2e4zbvf3x861i2bl3Urvw== X-Google-Smtp-Source: AGHT+IEDkMy2BMG03y0YwU8d9UKV2xamVW6d7eBamygke2jNzqIp8d1e60RUl+UysDtkQdLoMt9/Mw== X-Received: by 2002:a05:600c:358b:b0:42c:b1e1:a45b with SMTP id 5b1f17b1804b1-42e7c16ed53mr24131445e9.19.1726848604261; Fri, 20 Sep 2024 09:10:04 -0700 (PDT) Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-42e7540e4e1sm53202095e9.10.2024.09.20.09.10.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Sep 2024 09:10:03 -0700 (PDT) From: Simon Tournier <zimon.toutoune@HIDDEN> To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, Richard Sent <richard@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <87o74obna0.fsf@HIDDEN> References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87o74obna0.fsf@HIDDEN> Date: Fri, 20 Sep 2024 17:19:59 +0200 Message-ID: <87ed5etkrk.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi Ludo, On dim., 15 sept. 2024 at 23:49, Ludovic Court=C3=A8s <ludo@HIDDEN> wrote: >> + #:autoload (gnu packages certs) (nss-certs) [...] >> +(define %default-tls-certs >> + (list nss-certs)) > > This would force all the package modules to be loaded upfront. Instead > you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it= =E2=80=99s needed. This is a question I had but not reported when commenting elsewhere this patch. I was thinking to suggest: (module-ref (resolve-interface '(gnu packages certs)) 'nss-certs) which lazily loads, IIUC. Then I gave a look to Guile manual which mentions: =E2=80=98#:autoload MODULE SYMBOL-LIST=E2=80=99 [...] An autoload is a good way to put off loading a big module until it=E2=80=99s really needed, for instance for faster startup= or if it will only be needed in certain circumstances. Therefore, could you explain the difference if there is one? Cheers, simon
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:31 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri Sep 20 12:11:31 2024 Received: from localhost ([127.0.0.1]:36141 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1srgEE-000405-HU for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:30 -0400 Received: from mail-wm1-f42.google.com ([209.85.128.42]:57389) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <zimon.toutoune@HIDDEN>) id 1srgEC-0003zR-DB for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400 Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-42cb5b3c57eso20676775e9.2 for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726848603; x=1727453403; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=; b=e5XJym1aeAGRtI12DZHLKRIUWqDHeI0B0JvYEWuy78hRtRxtWjZ6jldNzLbxpIzrUq CzrWdw8Ywp5p44fQ/nxWVqmxLYPR6ac7M3JpU7AZNOnVCt0rDpSjRrsJ8MprKLyiikVh pzXBng3qFd7mveJ3ESZuTe2tWsDaWQjPUVGR8BnKwcagiClln0WJh8nD+NLpnUXkMJzs XLMT8AwfisdqaiBnSYHS8eI0CXcGfkOUpP3K9NVoNSc2FSSPkiHRcEVpa+/cQyZEy9+l oeDUx42JN5sQ2CfOpnPLlXjcRJS5HNWpTG3A+TS8mRu6ziiOtdRe3RZQn4aarCoaFj6u 756Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726848603; x=1727453403; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=; b=l4BjwJaj/lh7dKqLTIJ20JeD17hnczAsyXhQCO0bxz6i5G5cQbQNeOHS7HMGyBsgra qkc1kfDh2yp2nkozWysoMORquFZZQRgDVdFCPJprs777ha7vIkLgrY6E9TQmWhON5B67 4rH83KjIa9hCTdSbcuNFvx7P53AxRhqWnz0M29WPjWFmo6rGo4gmFsfCCoV2KCAIY0dt W0AYQX7Mvrl505dLraBVzGkT6hTGUIadcUkMMIOCaUjy6LY56Z769Nu4bJjEcsTXbykj CHwzLUkqOyuItuR4eSb5yNzXbR6dZlMsCMXkTP8j90NQkdqxemehA/PDY8HKJ3CxegR7 uGYw== X-Forwarded-Encrypted: i=1; AJvYcCXYRdNExBkhQSvxbCQ58LZioxxdJ1wb4FmZPxnbtSicwBRSEBcr6nm8lqVyCA/QTc5LVsN8eA==@debbugs.gnu.org X-Gm-Message-State: AOJu0YzukUMtFeBDbua3kwEeleVrUpw7JepmB2jDmAvadWEKisynn4N0 MVkiJRryQTcu2ostJvDVufk2xnQmrrSH2B9Q2eS1vTMdpEYhj3ce X-Google-Smtp-Source: AGHT+IFlb47XvbCruMXC3Z004FvXdWXHM4Ns/QvrnEMcNp0DI+Lf2O8MPVkHALpUj4Vhg1eRHT4a8g== X-Received: by 2002:a05:600c:548e:b0:42c:b1ee:4b04 with SMTP id 5b1f17b1804b1-42e7c19bb69mr22867305e9.28.1726848603299; Fri, 20 Sep 2024 09:10:03 -0700 (PDT) Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-378e78054cesm18175255f8f.108.2024.09.20.09.10.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Sep 2024 09:10:02 -0700 (PDT) From: Simon Tournier <zimon.toutoune@HIDDEN> To: Richard Sent <richard@HIDDEN>, 70314 <at> debbugs.gnu.org, Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> Date: Fri, 20 Sep 2024 17:04:44 +0200 Message-ID: <87h6aatlgz.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi, On mar., 09 avril 2024 at 15:05, Richard Sent <richard@HIDDEN>= wrote: > This behavior can be reverted with the --no-tls flag. Since presumably > the majority of shell users want TLS to work out of the box, adding > TLS by default makes sense to me. I agree. I have been annoyed more than once with this. Then it becomes something odd that I have forgotten it=E2=80=99s odd. :-) > + (display (G_ " > + --no-tls do not add SSL/TLS certificates or set environm= ent > + variables for a networked container")) [...] > + (option '(#\T "no-tls") #f #f > + (lambda (opt name arg result) > + (alist-cons 'no-tls? #t result))) There is a discrepancy, no? Missing the short =E2=80=99-T=E2=80=99 option = in the help? Well, that=E2=80=99s said, I would prefer to not have any short option at a= ll. Because I think that option would be a rare option. And if it is not and many people use =E2=80=9Cguix shell=E2=80=9D without the package =E2=80= =99nss-tls=E2=80=99, then we will still be able to add the short option. The converse is not true > (option '(#\W "nesting") #f #f > (lambda (opt name arg result) > (alist-cons 'nesting? #t result))) > @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts) > (packages->outputs (load* file module) mode))) > (('manifest . file) > (manifest-entries (load-manifest file))) > + (('network? . #t) > + (if (assoc-ref opts 'no-tls?) > + '() > + (manifest-entries > + (packages->manifest %default-tls-certs)))) > (('nesting? . #t) > (if (assoc-ref opts 'profile) > '() > @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile man= ifest >=20=20 > (define* (launch-environment/container #:key command bash user user-mapp= ings > profile manifest link-profile? ne= twork? > - map-cwd? emulate-fhs? nesting? > + no-tls? map-cwd? emulate-fhs? nes= ting? > (setup-hook #f) > (symlinks '()) (white-list '())) > "Run COMMAND within a container that features the software in PROFILE. > @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command= bash user user-mappings > ;; Allow local AF_INET communications. > (set-network-interface-up "lo")) >=20=20 > + (unless no-tls? > + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/ce= rts")) > + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_D= IR") > + "/ca-certificates.c= rt"))) > + > ;; For convenience, start in the user's current working > ;; directory or, if unmapped, the home directory. > (chdir (if map-cwd? > @@ -1078,6 +1098,7 @@ (define (guix-environment* opts) > (link-prof? (assoc-ref opts 'link-profile?)) > (symlinks (assoc-ref opts 'symlinks)) > (network? (assoc-ref opts 'network?)) > + (no-tls? (assoc-ref opts 'no-tls?)) > (no-cwd? (assoc-ref opts 'no-cwd?)) > (emulate-fhs? (assoc-ref opts 'emulate-fhs?)) > (nesting? (assoc-ref opts 'nesting?)) > @@ -1133,6 +1154,10 @@ (define (guix-environment* opts) > (when (pair? symlinks) > (leave (G_ "'--symlink' cannot be used without '--container'~%")= ))) >=20=20 > + (when (and (not network?) > + no-tls?) > + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) > + Why not a warning instead of leaving with an error? Cheers, simon
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 15:22:41 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Mon Sep 16 11:22:41 2024 Received: from localhost ([127.0.0.1]:53052 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1sqDYm-0006Oa-Uv for submit <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:41 -0400 Received: from mail-108-mta228.mxroute.com ([136.175.108.228]:36793) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <richard@HIDDEN>) id 1sqDYk-0006OS-Vf for 70314 <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:40 -0400 Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta228.mxroute.com (ZoneMTA) with ESMTPSA id 191fb6d75110013e01.002 for <70314 <at> debbugs.gnu.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Mon, 16 Sep 2024 15:22:20 +0000 X-Zone-Loop: d1845798e40e69d6d4a98721eda0343dbf5723b6c2db X-Originating-IP: [136.175.111.3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=D3iQ2emaxbbu2Zh4abCa+GXZnlkStdid/BWp5LUE2HM=; b=c6cL+3mnG00FEt3CRlvK5pIWR6 1pPc8jThBb77fKklLh318a+zhlkehzh5jy49Dv59MXT/0YB7j+QRNkH0NGCzPMXng4a2DMzEyrGZm L4Hk9nQjsEiPe5kX4o8g4telHi2geucpuPQXPJfLHApfK1ncCPK6byJjUg9wOI86nvhQX0AiDHqaC 2xVJJet6fhcxpC8aEKlfQeaHnypyW3L2E7GDieH4pbx1o5AkOeA4OMVnuWqG55LIHLXDrl9pCYM6/ 01O3V6NQV60o3/EJT341GR6N4TqUUeFcFmd8+zXKb55Kr5Rh8gJW1KSggmAtk26At/IFatZGgyUXo bSpuO0DA==; From: Richard Sent <richard@HIDDEN> To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <87o74obna0.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?= =?utf-8?Q?s?= message of "Sun, 15 Sep 2024 23:49:27 +0200") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87o74obna0.fsf@HIDDEN> Date: Mon, 16 Sep 2024 11:22:03 -0400 Message-ID: <87ldzrd3ok.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Authenticated-Id: richard@HIDDEN X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Ludovic Court=C3=A8s <ludo@HIDDEN> writes: > Can we delay changes to the manifest until after all options have been > parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed? >=20 > That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98n= ss-certs=E2=80=99 to the > environments. Is `$ guix shell -N -- true` valid? I know it works at present, but my understanding is sharing the network only works with containers. From the manual: > =E2=80=98--network=E2=80=99 > =E2=80=98-N=E2=80=99 > For containers, share the network namespace with the host system. > Containers created without this flag only have access to the > loopback device. Perhaps instead we should error when -N is passed without -C, ala --8<---------------cut here---------------start------------->8--- modified guix/scripts/environment.scm @@ -1153,7 +1153,9 @@ (define (guix-environment* opts) (when nesting? (leave (G_ "'--nesting' cannot be used without '--container'~%"))) (when (pair? symlinks) - (leave (G_ "'--symlink' cannot be used without '--container'~%")))) + (leave (G_ "'--symlink' cannot be used without '--container'~%"))) + (when network? + (leave (G_ "'--network cannot be used without '--container'~%")))) =20 (when (and (not network?) no-tls?) --8<---------------cut here---------------end--------------->8--- --=20 Take it easy, Richard Sent Making my computer weirder one commit at a time.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 00:04:50 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 20:04:50 2024 Received: from localhost ([127.0.0.1]:50729 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1spzEY-0006Du-0G for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:50 -0400 Received: from mail-40131.protonmail.ch ([185.70.40.131]:10517) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <rprior@HIDDEN>) id 1spzEV-0006Db-Js for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1726445068; x=1726704268; bh=IZNAB1v6dghE+Yx+bF9h+47HXdIven7FmQpQ/dgQFDM=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=uXa8y1ibrp5IiJIytXMVBcHUIMcs51V0jQCfY5EpNaeKeu9uEhm7qgWj9u9H7E6ss bRTWkdCguD8cgPO+53D6rRudN6RRAscQpanrozk+iGr1nDnTw/oWBdgriRo9TpsuSO P9fgsoGBYBa95UbjQ5XChBtvOPvkNumispcmDrLks9dQirNlIjCntxlPyl8ko8xhdM ijGRHi0jPU0h3u0u7hszvjjzJx3PXSHqd5VuMep2cvkagYNJHs8Wx9iHsU+3xlbxQo 3ykmowiU4gA/oOgYkPJ8uHabxWjqIOC5mBhVa3C0q9NRIOArIDnVtRbcohoGRn47Ij RFNA2RL9yLr+Q== Date: Mon, 16 Sep 2024 00:04:23 +0000 To: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> From: Ryan Prior <rprior@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers Message-ID: <ub_UIyami0aM1f_ld_Va6H_pNf_f1eJsqs-L3lNq2HXiiB9T57OqAITFdGC4OVrrRshTFvMCuyqGZpRPg0Rg_MtWe_1Cmrj1XaSJZcMOH3c=@protonmail.com> In-Reply-To: <875xqwd2as.fsf@HIDDEN> References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN> <875xqwd2as.fsf@HIDDEN> Feedback-ID: 7396961:user:proton X-Pm-Message-ID: 080af1fce6a982544a638f46abd071a3d0aa1417 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) On Sunday, September 15th, 2024 at 4:39 PM, Ludovic Court=C3=A8s <ludo@gnu.= org> wrote: > You=E2=80=99ve convinced me. >=20 > That it=E2=80=99s opt-out sounds reasonable to me. =E2=80=98--no-tls= =E2=80=99 sounds reasonable > too as a name Agreed on all points. Even though I'm aware of the need, I've forgotten to = add tls-certs many times. Removing a known footgun for containers is a grea= t plan. Thanks! Ryan
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:49:53 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 17:49:53 2024 Received: from localhost ([127.0.0.1]:50640 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1spx7x-0007Ja-08 for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:53 -0400 Received: from eggs.gnu.org ([209.51.188.92]:51078) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1spx7v-0007JM-9J for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:51 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1spx7b-00083s-7g; Sun, 15 Sep 2024 17:49:31 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=uAwU9f++y+PAtidbis6EWEpL+lumBElQSlnfMJh9mH4=; b=Flyb58OuaO0/Yx6bVWpF WPatEkJt+UuBeHC4p2UjAZxbAbKJV/OcKB/qjFIcmt655TSC4271Lk+TSjue+frsjmJAkmYZKMwEW wfttLbGySDEX9ZA3LxaBVP4FemQ3zxbGQYJrYkXyTyA69NYgdl1in3uWKBi73eEExsuM5jnMvgm4Z uFToP6jHldj9TcoVuG2RlM0ceT+wdqjMqq6cAnNi8no7CWQSt35yu2Y1O561+c+DxJZpyhfh0c0Bv srw04pnjiqW2vLVuxoYGschtPo5vd85BsYBagueF4UeB18d+0rhdpMc+6MT4pnN8c+2ZcjhWjF48A QyEAxMqeH5kjLg==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Richard Sent <richard@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> Date: Sun, 15 Sep 2024 23:49:27 +0200 Message-ID: <87o74obna0.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi, Richard Sent <richard@HIDDEN> skribis: > * guix/scripts/environment.scm: Add --no-tls flag. By default when starti= ng a > container with -N, add nss-certs package and set SSL_CERT_DIR and > SSL_CERT_FILE environment variables. When --no-tls is passed, default to = old > behavior. > * doc/guix.texi: Document it. > > Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7 [...] > + #:autoload (gnu packages certs) (nss-certs) > #:autoload (gnu packages bash) (bash) > #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap= -guile) > #:autoload (gnu packages package-management) (guix) > @@ -72,6 +73,9 @@ (define-module (guix scripts environment) > (define %default-shell > (or (getenv "SHELL") "/bin/sh")) >=20=20 > +(define %default-tls-certs > + (list nss-certs)) This would force all the package modules to be loaded upfront. Instead you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it=E2= =80=99s needed. This matters for startup time. To see how it affects the command, you can run: strace -c guix shell coreutils -- true The second run should make as few system calls as possible. > + (lambda (opt name arg result) > + (alist-cons 'no-tls? #t result))) Internally, I would reverse the logic to have =E2=80=98tls?=E2=80=99 instea= d (as a rule of thumb, I always avoid negating Booleans in code). > + (('network? . #t) > + (if (assoc-ref opts 'no-tls?) > + '() > + (manifest-entries > + (packages->manifest %default-tls-certs)))) Can we delay changes to the manifest until after all options have been parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed? That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98nss= -certs=E2=80=99 to the environments. > (define* (launch-environment/container #:key command bash user user-mapp= ings > profile manifest link-profile? ne= twork? > - map-cwd? emulate-fhs? nesting? > + no-tls? map-cwd? emulate-fhs? nes= ting? Same as above: =E2=80=98tls?=E2=80=99 rather than =E2=80=98no-tls?=E2=80=99. Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh pass. Thanks, Ludo=E2=80=99.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:40:08 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 17:40:07 2024 Received: from localhost ([127.0.0.1]:50631 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1spwyV-0006mz-C1 for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:07 -0400 Received: from eggs.gnu.org ([209.51.188.92]:54632) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1spwyS-0006mG-C4 for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:05 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1spwy7-0007DX-38; Sun, 15 Sep 2024 17:39:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=Pzc9tn9Twed4xuo4C7hwVQF6xNvZvIfu4OQWfK/sjUI=; b=eiCSItnXRucQ+1gRvycS WhsMrVJUn2ClDOA9YxNQwhKm1HeAV5fYtoXqhU5PQKGd+xSowzVvrBrIUufjvnxrZMbVNE05VPhSS BKIVT/f9CUQT05pnLtxMxH5fKfbXVAJjs1QRPqwgc6kQ4FqfUWjG6CnsSGZqBG+xNuJFpJYGDiEoR Sk3H4nEamREEOWf4kYi9ikz/TjROp8/T99uj3pBKTsgl1dHHMMf0EytrRSh6Whscij7U6flStmpyt IHZpwWL8iM/yfkYgyUorCFUXbBg5e8RIGwdRgYWwOkOyNFBj/+w1tc4YFK/kN1GM4rZPxhnqP7l0G rPmVStcGrkhCyw==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Richard Sent <richard@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <871q1zsbry.fsf@HIDDEN> (Richard Sent's message of "Wed, 04 Sep 2024 11:01:53 -0400") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN> Date: Sun, 15 Sep 2024 23:39:39 +0200 Message-ID: <875xqwd2as.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi Richard, Cc: guix-devel to get more feedback: this is about adding =E2=80=98nss-cert= s=E2=80=99 by default in =E2=80=98guix shell -CN=E2=80=99 containers, along with a =E2=80= =98--no-tls=E2=80=99 option to opt out: https://issues.guix.gnu.org/70314 Richard Sent <richard@HIDDEN> skribis: > Ludovic Court=C3=A8s <ludo@HIDDEN> writes: > >> Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rathe= r expose >> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen >> certificates will be used, and (2) it=E2=80=99s less expensive than havi= ng to >> compute the derivation of =E2=80=98nss-certs=E2=80=99. > > There is an issue with this that's cropped up in the past. The files in > /etc/ssl/certs/* are symlinks to store items. Because containers only > see a subset of store items that are in that container's profile, it > often sees the symlinks to store items but not the target file. Oh, indeed. [...] >> Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can= always add it to the >> shell and it will take precedence over /etc/ssl/certs, assuming >> SSL_CERT_{FILE,DIR} is defined. > > True, although at present anyone who wants to use nss-certs must set > SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that > registers the search path). Right. [...] > My thoughts are if we have to decide between > > 1. Users who want TLS with standard public endpoints > 2. Users who want TLS with custom private endpoints > > it's better to prioritize a good experience for 1 and let 2 opt-out of > the "hand holding" defaults. But perhaps it's possible to make everyone > happy. You=E2=80=99ve convinced me. That it=E2=80=99s opt-out sounds reasonable to me. =E2=80=98--no-tls=E2=80= =99 sounds reasonable too as a name (I thought about =E2=80=98--no-x509-certificates=E2=80=99 but= that=E2=80=99s actually less accurate since there are the SSL_* variables in addition to the certificates themselves). I have some comments about the patch and I=E2=80=99d like others to weigh i= n too before we commit this change. Thank you! Ludo=E2=80=99.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 4 Sep 2024 15:03:18 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 04 11:03:18 2024 Received: from localhost ([127.0.0.1]:35146 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1slrXR-0004Wr-UK for submit <at> debbugs.gnu.org; Wed, 04 Sep 2024 11:03:18 -0400 Received: from mail-108-mta19.mxroute.com ([136.175.108.19]:38833) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <richard@HIDDEN>) id 1slrXQ-0004Wi-BF for 70314 <at> debbugs.gnu.org; Wed, 04 Sep 2024 11:03:17 -0400 Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta19.mxroute.com (ZoneMTA) with ESMTPSA id 191bd8ea7100003e01.002 for <70314 <at> debbugs.gnu.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Wed, 04 Sep 2024 15:02:08 +0000 X-Zone-Loop: a6495c6d0ecc69cddad9e5f6df9fd783d06814031b07 X-Originating-IP: [136.175.111.3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=y8ymVquvZ+UXFBRyi0vg5JSfHsoYOtF0vcc5BEDoVsk=; b=ZzjQL0aG33gDGGm1QW6f3Kijah wr/w1+l/iZvwmBD2M77dC33wdnU2+QVKlwcGPQj8fGu2qvS+42LhhptmbV6QfBUPmtNXVM70KSt+g j0SkRyMnv8qcxxbnyrvQ6+8ZKiFOe+JCzV/Hjb52ZTdMgH/rg3e4+dpwl/qn6CjpE+XNW+3YHj7S5 b2joccohAPwGWB9/IC80sFkWoTt/wqAz7GaN3NupNY5lyCkySp2Hjwizh1exQbt+OsiD38o+tyg85 VGt608eiBPTBak+T4vv34XfNMLhGUMDLfrwOCecsl8w0t7Uf5TJ+Ezc4aVTjpjpotl3jDqFQN4w3z QUUHNnag==; From: Richard Sent <richard@HIDDEN> To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <87jzfree6t.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?= =?utf-8?Q?s?= message of "Wed, 04 Sep 2024 15:33:30 +0200") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87jzfree6t.fsf@HIDDEN> Date: Wed, 04 Sep 2024 11:01:53 -0400 Message-ID: <871q1zsbry.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Authenticated-Id: richard@HIDDEN X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi Ludo! Thanks for the response! Ludovic Court=C3=A8s <ludo@HIDDEN> writes: > Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather= expose > /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen > certificates will be used, and (2) it=E2=80=99s less expensive than havin= g to > compute the derivation of =E2=80=98nss-certs=E2=80=99. There is an issue with this that's cropped up in the past. The files in /etc/ssl/certs/* are symlinks to store items. Because containers only see a subset of store items that are in that container's profile, it often sees the symlinks to store items but not the target file. For example: --8<---------------cut here---------------start------------->8--- $ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash [env]$ ls /etc/ssl/certs/ca* /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca6e4ad9.0 [env]$ cat /etc/ssl/certs/ca-certificates.crt cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory [env]$ ls -l /etc/ssl/certs/ca6e4ad9.0 lrwxrwxrwx 1 65534 overflow 85 Jan 1 1970 /etc/ssl/certs/ca6e4ad9.0 -> /g= nu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca= 6e4ad9.0 [env]$ cat /etc/ssl/certs/ca6e4ad9.0=20=20 cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory --8<---------------cut here---------------end--------------->8--- We can /sort of/ solve this by adding nss-certs to the container, but only when the nss-certs being added has the same hash as the nss-certs package. --8<---------------cut here---------------start------------->8--- # nss-certs w/o version adds v3.99 to the profile, which doesn't match # the system. Ergo it's still unavailable. ~ $ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash -c 'cat = /etc/ssl/certs/ca6e4ad9.0' cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory #=20 # If we specify 3.88.1, it does work, but only for various nss-certificates, # not the ca-certificates.crt bundle file (which isn't a package). guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs -- = bash -c 'cat /etc/ssl/certs/ca6e4ad9.0' # snip, contents of ca6e4ad9.0 #=20 ~ $ guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs= -- bash -c 'cat /etc/ssl/certs/ca-certificates.crt' cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory --8<---------------cut here---------------end--------------->8--- This problem becomes impossible to solve in situations where the system Guix and user Guix have different nss-certs hashes. Be it by adding nss-certs to the container profile or by exposing /etc/ssl/certs, we still need to calculate the nss-certs derivation. (Perhaps a alternative solution is making sure symlink targets to store items visible to a container are persisted. I don't know how complicated that would be, but I imagine it's nontrivial.) > Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can = always add it to the > shell and it will take precedence over /etc/ssl/certs, assuming > SSL_CERT_{FILE,DIR} is defined. True, although at present anyone who wants to use nss-certs must set SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that registers the search path). --8<---------------cut here---------------start------------->8--- # nss-certs alone doesn't set SSL_CERT_DIR ~ $ guix shell -C bash coreutils nss-certs@HIDDEN -- bash -c 'echo $SSL_CER= T_DIR' # blank # # curl registers $SSL_CERT_{FILE,DIR} ~ $ guix shell -C bash coreutils nss-certs@HIDDEN curl -- bash -c 'echo $SS= L_CERT_DIR' /gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs --8<---------------cut here---------------end--------------->8--- This is unintuitive. Many packages that make use of nss-certs don't register the search path, e.g. rust-cargo [1]. I'd rather avoid a solution that is "edit every package that may possibly use nss-certs now and in the future to register the search path". > WDYT? My thoughts are if we have to decide between 1. Users who want TLS with standard public endpoints 2. Users who want TLS with custom private endpoints it's better to prioritize a good experience for 1 and let 2 opt-out of the "hand holding" defaults. But perhaps it's possible to make everyone happy. If desired this patch can be reworked as opt-in. [1]: https://logs.guix.gnu.org/guix/2024-04-08.log --=20 Take it easy, Richard Sent Making my computer weirder one commit at a time.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at 70314) by debbugs.gnu.org; 4 Sep 2024 13:34:48 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 04 09:34:48 2024 Received: from localhost ([127.0.0.1]:33894 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1slq9o-0001fs-D8 for submit <at> debbugs.gnu.org; Wed, 04 Sep 2024 09:34:48 -0400 Received: from eggs.gnu.org ([209.51.188.92]:54876) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1slq9m-0001fU-7Z for 70314 <at> debbugs.gnu.org; Wed, 04 Sep 2024 09:34:46 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1slq8e-0003A4-De; Wed, 04 Sep 2024 09:33:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=YRO6vWmc+185h2AFgdYqqCAbIg09naLxHAt75B+HK94=; b=NeNc2PiuonM/WSYnqAV3 V5y41VpMo4JQA/zrw17gXk/u1rzAOi5YuILPuXl5TGr/b3KuM57i2I9CcnjrNdmFgX0xS0v8IoJKi qgaai+74CsJbWgmCPvQaf/ZH6lUmNDCIZ1LjqidZEru3xHVU14zZLQE92b+AxY8+K1MK877HCXDOg 8pZQknFik5nFc/gA27NT1dx3TQ3ot0xBQ0bBcnDP9DZ+51QHuqny0pBOfG50+Jh61XmHv5jmXDE1L AIgroVZnE1aS2yzJ9GEluFunlN1W0a36qUrdziCRtY/wUToASBiZtAkWkDa30pT/RWffHA3m3xmXW 1ljIuzWNCsvMzg==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Richard Sent <richard@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400") References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> Date: Wed, 04 Sep 2024 15:33:30 +0200 Message-ID: <87jzfree6t.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hi Richard, Richard Sent <richard@HIDDEN> skribis: > * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a > container with -N, add nss-certs package and set SSL_CERT_DIR and > SSL_CERT_FILE environment variables. When --no-tls [...] Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [209.51.188.92 listed in list.dnswl.org] 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS [209.51.188.92 listed in zen.spamhaus.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: 0.3 (/) Hi Richard, Richard Sent <richard@HIDDEN> skribis: > * guix/scripts/environment.scm: Add --no-tls flag. By default when starti= ng a > container with -N, add nss-certs package and set SSL_CERT_DIR and > SSL_CERT_FILE environment variables. When --no-tls is passed, default to = old > behavior. > * doc/guix.texi: Document it. > > Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7 Apparently this patch fell through the cracks, despite the long Cc: list. > Given the discussion on IRC and guix-devel [1] recently about making > nss-certs easier to use, this patch modifies guix environment (and > thus guix shell) to automatically add nss-certs to the profile when > sharing the network namespace, as well as setting the > mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment > variables. > > This behavior can be reverted with the --no-tls flag. Since presumably > the majority of shell users want TLS to work out of the box, adding > TLS by default makes sense to me. [...] > + (('network? . #t) > + (if (assoc-ref opts 'no-tls?) > + '() > + (manifest-entries > + (packages->manifest %default-tls-certs)))) Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather e= xpose /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen certificates will be used, and (2) it=E2=80=99s less expensive than having = to compute the derivation of =E2=80=98nss-certs=E2=80=99. Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can al= ways add it to the shell and it will take precedence over /etc/ssl/certs, assuming SSL_CERT_{FILE,DIR} is defined. WDYT? Thanks, Ludo=E2=80=99.
guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.Received: (at submit) by debbugs.gnu.org; 9 Apr 2024 19:14:51 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 09 15:14:51 2024 Received: from localhost ([127.0.0.1]:51569 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1ruGvi-00038I-QA for submit <at> debbugs.gnu.org; Tue, 09 Apr 2024 15:14:51 -0400 Received: from lists.gnu.org ([2001:470:142::17]:58288) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <richard@HIDDEN>) id 1ruGvf-000382-LS for submit <at> debbugs.gnu.org; Tue, 09 Apr 2024 15:14:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <richard@HIDDEN>) id 1ruGvR-000537-J4 for guix-patches@HIDDEN; Tue, 09 Apr 2024 15:14:33 -0400 Received: from mail-108-mta156.mxroute.com ([136.175.108.156]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <richard@HIDDEN>) id 1ruGvP-0000jl-7a for guix-patches@HIDDEN; Tue, 09 Apr 2024 15:14:33 -0400 Received: from filter006.mxroute.com ([136.175.111.2] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta156.mxroute.com (ZoneMTA) with ESMTPSA id 18ec44870ca0003bea.001 for <guix-patches@HIDDEN> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Tue, 09 Apr 2024 19:14:25 +0000 X-Zone-Loop: 0445d534395d52d48c97f90279d4132ccfcfd03855ed X-Originating-IP: [136.175.111.2] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:MIME-Version: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=JvWL5kuMyv1uOvO1phcGN2CxkADzdkslXEnuB9xiFZc=; b=SLHl2W8jhw8+En+NPQx/zK+zBo J+1rR2Dc2AHjTxD0Jy8AL15bo1rJBlXbHpdbrJJjghLVGjvhA8tzD6rPtKUrzWj8mqM2QagJnrjrY 0bkRTIGO1bswG9eupQUNoXimdEhLReA8eIqEPJVWexea/XRDKJ5rKwfLaE2IbjWXSgc46nDiaSnWc qYca4ISf2nHYPfeA/mWUawrkbq/SwHHt/QLukphO7p66cDM6PlnLiKlhJelYa15v2fd1+o07BI4Ls Ly+mVmUs/p8x4jB2pitkztU5+dqI39mHdlPPNdDU8EN3wu6NUbnQK9gZoYonFabfbIkNIoGM3xZK3 TeEQ3WnA==; From: Richard Sent <richard@HIDDEN> To: guix-patches@HIDDEN Subject: [PATCH] guix: scripts: environment: add tls certs to networked containers Date: Tue, 9 Apr 2024 15:05:29 -0400 Message-ID: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> MIME-Version: 1.0 X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN> Content-Transfer-Encoding: 8bit X-Authenticated-Id: richard@HIDDEN Received-SPF: pass client-ip=136.175.108.156; envelope-from=richard@HIDDEN; helo=mail-108-mta156.mxroute.com X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: 0.9 (/) X-Debbugs-Envelope-To: submit Cc: Richard Sent <richard@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.1 (/) * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a container with -N, add nss-certs package and set SSL_CERT_DIR and SSL_CERT_FILE environment variables. When --no-tls is passed, default to old behavior. * doc/guix.texi: Document it. Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7 --- Hi Guix! Given the discussion on IRC and guix-devel [1] recently about making nss-certs easier to use, this patch modifies guix environment (and thus guix shell) to automatically add nss-certs to the profile when sharing the network namespace, as well as setting the mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment variables. This behavior can be reverted with the --no-tls flag. Since presumably the majority of shell users want TLS to work out of the box, adding TLS by default makes sense to me. Previous workarounds were verbose [2] and prone to failure [3]. [1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html [2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html [3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2] works coincidentally since guix system w/ nss-certs happens to have identical nss-certs hash as the guix building the shell profile. Otherwise the system version would not be visible inside the container. doc/guix.texi | 8 ++++++++ guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 5827e0de14..912ed79ccd 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6214,6 +6214,10 @@ Invoking guix shell Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} @@ -6711,6 +6715,10 @@ Invoking guix environment Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 1d7a6e198d..b38882a4ca 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -49,6 +49,7 @@ (define-module (guix scripts environment) #:autoload (guix build syscalls) (set-network-interface-up openpty login-tty) #:use-module (gnu system file-systems) #:autoload (gnu packages) (specification->package+output) + #:autoload (gnu packages certs) (nss-certs) #:autoload (gnu packages bash) (bash) #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile) #:autoload (gnu packages package-management) (guix) @@ -72,6 +73,9 @@ (define-module (guix scripts environment) (define %default-shell (or (getenv "SHELL") "/bin/sh")) +(define %default-tls-certs + (list nss-certs)) + (define* (show-search-paths profile manifest #:key pure?) "Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t, do not augment existing environment variables with additional search paths." @@ -108,6 +112,9 @@ (define (show-environment-options-help) -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + --no-tls do not add SSL/TLS certificates or set environment + variables for a networked container")) (display (G_ " -P, --link-profile link environment profile to ~/.guix-profile within an isolated container")) @@ -244,6 +251,9 @@ (define %options (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '(#\T "no-tls") #f #f + (lambda (opt name arg result) + (alist-cons 'no-tls? #t result))) (option '(#\W "nesting") #f #f (lambda (opt name arg result) (alist-cons 'nesting? #t result))) @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts) (packages->outputs (load* file module) mode))) (('manifest . file) (manifest-entries (load-manifest file))) + (('network? . #t) + (if (assoc-ref opts 'no-tls?) + '() + (manifest-entries + (packages->manifest %default-tls-certs)))) (('nesting? . #t) (if (assoc-ref opts 'profile) '() @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest (define* (launch-environment/container #:key command bash user user-mappings profile manifest link-profile? network? - map-cwd? emulate-fhs? nesting? + no-tls? map-cwd? emulate-fhs? nesting? (setup-hook #f) (symlinks '()) (white-list '())) "Run COMMAND within a container that features the software in PROFILE. @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings ;; Allow local AF_INET communications. (set-network-interface-up "lo")) + (unless no-tls? + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs")) + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR") + "/ca-certificates.crt"))) + ;; For convenience, start in the user's current working ;; directory or, if unmapped, the home directory. (chdir (if map-cwd? @@ -1078,6 +1098,7 @@ (define (guix-environment* opts) (link-prof? (assoc-ref opts 'link-profile?)) (symlinks (assoc-ref opts 'symlinks)) (network? (assoc-ref opts 'network?)) + (no-tls? (assoc-ref opts 'no-tls?)) (no-cwd? (assoc-ref opts 'no-cwd?)) (emulate-fhs? (assoc-ref opts 'emulate-fhs?)) (nesting? (assoc-ref opts 'nesting?)) @@ -1133,6 +1154,10 @@ (define (guix-environment* opts) (when (pair? symlinks) (leave (G_ "'--symlink' cannot be used without '--container'~%")))) + (when (and (not network?) + no-tls?) + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) + (with-store/maybe store (with-status-verbosity (assoc-ref opts 'verbosity) (define manifest-from-opts @@ -1212,6 +1237,7 @@ (define (guix-environment* opts) #:network? network? #:map-cwd? (not no-cwd?) #:emulate-fhs? emulate-fhs? + #:no-tls? no-tls? #:nesting? nesting? #:symlinks symlinks #:setup-hook base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35 -- 2.41.0
Richard Sent <richard@HIDDEN>
:guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN
.
Full text available.guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN
:bug#70314
; Package guix-patches
.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.