GNU bug report logs - #70314
[PATCH] guix: scripts: environment: add tls certs to networked containers


Package: guix-patches; Reported by: Richard Sent <richard@HIDDEN>; Keywords: patch; merged with #75917; dated Tue, 9 Apr 2024 19:15:01 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.
Merged 70314 75917. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH v2] guix: scripts: environment: add tls
 certs to networked containers.
In-Reply-To: <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 28 Jan 2025 16:11:28 -0500")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN>
Date: Sun, 23 Feb 2025 23:41:48 +0100
Message-ID: <87plj8uvv7.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>, zimon.toutoune@HIDDEN,
 Mathieu Othacehe <othacehe@HIDDEN>, rprior@HIDDEN,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org

Hi Richard,

Richard Sent <richard@HIDDEN> skribis:

> Add the --no-tls flag. By default when starting a container with -N, add the
> nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
> environment variables. When --no-tls is passed, default to the old behavior.
>
> * guix/scripts/environment.scm (%default-tls-certs): New function.
> (show-environment-options-help): Add help for --no-tls.
> (%options): Add --no-tls option.
> (options/resolve-packages): Add %default-tls-certs to profile when network is
> true and no-tls is false.
> (launch-environment/container): Add set-tls? argument and set
> SSL_CERT_DIR/FILE if #t.
> (guix-environment*): Sanity check no-tls? and pass the negated version to
> launch-environment/container.
> * doc/guix.texi (Invoking guix shell): Document it.
> (Invoking guix environment): Ditto.
> * tests/guix-environment-container.sh: Add tests for behavior with and without
> no-tls flag.
>
> Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
> ---
> Hi all. Been a while but I figured I'd take another crack at this.

Sorry that it takes so long.

I’m happy with this version though I have one question:

> +            (when set-tls?
> +              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
> +              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
> +                                                     "/ca-certificates.crt")))

What about symlinking /etc/ssl/certs in the container instead of setting
these two variables?

The reason I’m suggesting this is that these two variables are not
universal; example:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix shell -CN wget coreutils
[env]$ echo $SSL_CERT_DIR/
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/
[env]$ echo $SSL_CERT_FILE
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/ca-certificates.crt
[env]$ wget -O/dev/null https://guix.gnu.org
--2025-02-23 22:39:48--  https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
ERROR: The certificate of 'guix.gnu.org' is not trusted.
ERROR: The certificate of 'guix.gnu.org' doesn't have a known issuer.
--8<---------------cut here---------------end--------------->8---

The symlink saves us:

--8<---------------cut here---------------start------------->8---
[env]$ ln -s $GUIX_ENVIRONMENT/etc/ssl /etc/ssl
[env]$ wget -O/dev/null https://guix.gnu.org
--2025-02-23 22:41:06--  https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19897 (19K) [text/html]
Saving to: '/dev/null'

/dev/null              100%[===========================>]  19.43K  --.-KB/s    in 0s

2025-02-23 22:41:07 (168 MB/s) - '/dev/null' saved [19897/19897]

--8<---------------cut here---------------end--------------->8---

Thoughts?

We’re close to completion, very!

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Simon Tournier <zimon.toutoune@HIDDEN>
Subject: Re: bug#70314: [PATCH] guix: scripts: environment: add tls certs to
 networked containers
In-Reply-To: <87h6aatlgz.fsf@HIDDEN> (Simon Tournier's message of "Fri, 20
 Sep 2024 17:04:44 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87h6aatlgz.fsf@HIDDEN>
Date: Wed, 29 Jan 2025 10:39:04 +0900
Message-ID: <871pwms8jr.fsf_-_@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Richard Sent <richard@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org,
 Ludovic Courtès <ludo@HIDDEN>

Hi,

Simon Tournier <zimon.toutoune@HIDDEN> writes:

[...]

>> +    (when (and (not network?)
>> +               no-tls?)
>> +      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
>> +
>
> Why not a warning instead of leaving with an error?

Is it even worth it?  In the default case there is networking (not
containerized), and --networking is a no-op.  No big deal?  What's the
rationale for changing this?  It can potentially affect someone's
script.

-- 
Thanks,
Maxim




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: bug#70314: [PATCH] guix: scripts: environment: add tls certs to
 networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Wed, 29 Jan 2025 10:32:50 +0900
Message-ID: <875xlys8u5.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>,
 Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Ludovic Courtès <ludo@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org

Hi,

Richard Sent <richard@HIDDEN> writes:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.

I just wanted to share that I have a WIP in progress that would address
this differently; by using p11-kit with a trusted path to nss certs by
default:

--8<---------------cut here---------------start------------->8---
gnu: p11-kit: Add nss-certs to default trust path.

* gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs.
[arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a
trust path.

Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39

1 file changed, 5 insertions(+), 2 deletions(-)
gnu/packages/tls.scm | 7 +++++--

modified   gnu/packages/tls.scm
@@ -61,6 +61,7 @@ (define-module (gnu packages tls)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages build-tools)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages dns)
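Review bot: (gnu packages certs) is added here as an unconditional #:use-module, so it is loaded every time (gnu packages tls) is; if that module or anything it imports refers back to (gnu packages tls), this creates a module cycle. Check the import graph, or use `#:autoload (gnu packages certs) (nss-certs)` as the environment.scm patch in this thread does, since nss-certs is only needed at build time of one package.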
@@ -160,6 +161,7 @@ (define-public p11-kit
            docbook-xsl
            gettext-minimal
            libxslt
+           nss-certs                    ;default certs
            pkg-config))
     (inputs
      (append (list libffi libtasn1)
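Review bot: nss-certs is placed in native-inputs, yet the hunk below embeds its store path in the built p11-kit's trust_paths, which makes it a run-time dependency. When cross-compiling, native-inputs resolve to the build-architecture item, so the path baked into the target library would point at the wrong store item. Move nss-certs to inputs; the search-input-directory lookup over %build-inputs covers inputs as well.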
@@ -175,9 +177,10 @@ (define-public p11-kit
               (string-append
                "-Dtrust_paths="
                (string-join
-                '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
+                `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
                   "/etc/pki/tls/certs/ca-bundle.crt"   ;fedora, centos
-                  "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
+                  "/var/lib/ca-certificates/ca-bundle.pem"
+                  ,(search-input-directory %build-inputs "etc/ssl/certs"))
                 ":")))))
     (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
     (synopsis "PKCS#11 library")
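Review bot: the quasiquoted entry pins one specific nss-certs store item into the p11-kit library, so an nss-certs update (a newly added or withdrawn root) only reaches p11-kit users once p11-kit and everything depending on it is rebuilt, whereas the three file paths above it are resolved at run time against the running system. That trade-off, and the world rebuild it implies, belongs in the commit message; it is also worth stating what happens when the system-managed /etc/ssl/certs/ca-certificates.crt and the pinned directory disagree.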
--8<---------------cut here---------------end--------------->8---

And then building gnutls with the
'--with-default-trust-store-pkcs11=pkcs11:' configure flag.  In theory
that would mean that any GnuTLS using application would work out of the
box.  p11-kit also allows users to override certs by user configuration
in XDG directories, should someone want to add their own certs or
override the default trust store (to be documented).

In practice I haven't yet rebuilt the world with this, but encountered a
failing test that suggests it doesn't work as expected (but perhaps it's
just the test) [0].

For OpenSSL, there is supposedly a plugin that can be used to make it
use p11-kit managed certs, though I haven't investigated.

The idea to use p11-kit was suggested to us (via Andreas) in 2015 by the
main GnuTLS developer [1].

It's used on Fedora/Red Hat for example [2].

[0]  https://gitlab.com/gnutls/gnutls/-/issues/1639
[1]  https://lists.gnupg.org/pipermail/gnutls-devel/2015-February/007447.html
[2]  https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gnutls.spec#_320

--
Thanks,
Maxim




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Richard Sent <richard@HIDDEN>
To: guix-patches@HIDDEN,
	70314 <at> debbugs.gnu.org
Subject: [PATCH v2] guix: scripts: environment: add tls certs to networked
 containers.
Date: Tue, 28 Jan 2025 16:11:28 -0500
Message-ID: <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN>
X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Richard Sent <richard@HIDDEN>, rprior@HIDDEN,
 ludo@HIDDEN, zimon.toutoune@HIDDEN

Add the --no-tls flag. By default when starting a container with -N, add the
nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
environment variables. When --no-tls is passed, default to the old behavior.

* guix/scripts/environment.scm (%default-tls-certs): New function.
(show-environment-options-help): Add help for --no-tls.
(%options): Add --no-tls option.
(options/resolve-packages): Add %default-tls-certs to profile when network is
true and no-tls is false.
(launch-environment/container): Add set-tls? argument and set
SSL_CERT_DIR/FILE if #t.
(guix-environment*): Sanity check no-tls? and pass the negated version to
launch-environment/container.
* doc/guix.texi (Invoking guix shell): Document it.
(Invoking guix environment): Ditto.
* tests/guix-environment-container.sh: Add tests for behavior with and without
no-tls flag.

Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
---
Hi all. Been a while but I figured I'd take another crack at this.

> Ludo:
> This would force all the package modules to be loaded upfront.  Instead you
> should arrange to not refer to ‘nss-certs’ until it’s needed.

Understood, %default-tls-certs is thunked in V2. To my understanding this
should achieve what we want.

> Ludo:
> Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
> of thumb, I always avoid negating Booleans in code).

I chose no-tls? to be consistent with the no-cwd? option. V2 now uses the
set-tls? option in launch-environment/container and no-tls? everywhere else,
which I think fits better because outside l-e/c, no-tls? is more of a flag for
whether the --no-tls option was passed than a control boolean.

> Ludo:
> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether ‘-C’ has been passed?

Possibly, but it would be inconsistent with how nesting? works at present,
which also requires -C. I believe emulate-fhs? also adds packages to the
profile immediately, see parse-args in guix/scripts/shell.scm, which AFAICT
splices a '-e (@@ (gnu packages base) glibc-for-fhs)' in the options.

One way this could be resolved is by creating an internal manifest, then
concatenating it with manifest-from-opts. i.e. have a user manifest containing
explicitly provided packages and an internal manifest containing
glibc-for-fhs, nss-certs and guix depending on emulate-fhs?, no-tls?, and
nesting?. That's probably outside the scope of this patch.

> Ludo:
> Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
> pass.

For the low low price of free, not only do you get passing tests but now you
get more tests! What a steal.

> Simon:
> I would prefer to not have any short option at all.

Agreed and changed.

> Simon:
> Why not a warning instead of leaving with an error?

I elected to go with an error to be consistent with the sanity checking around
container?. In my opinion, warnings are best for when a user is doing
something technically valid but likely unintended, errors are for the
"technically makes no sense".

 doc/guix.texi                       |  8 +++++++
 guix/scripts/environment.scm        | 35 +++++++++++++++++++++++++++--
 tests/guix-environment-container.sh | 11 +++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1b6d98e74..d291c15759 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6289,6 +6289,10 @@ Invoking guix shell
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
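Review bot: the manual entry says what --no-tls disables but not what is now enabled by default, so a reader cannot tell from this item that a container started with --network gets the nss-certs package added to its profile and SSL_CERT_DIR/SSL_CERT_FILE exported. State that here or under the --network item, refer to the flag by name (@option{--network}) rather than "share the network namespace", and mention that --no-tls is rejected without --network, as the sanity check in environment.scm enforces.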
@@ -6786,6 +6790,10 @@ Invoking guix environment
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 648a497743..174d446635 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015-2024 Ludovic Courtès <ludo@HIDDEN>
 ;;; Copyright © 2018 Mike Gerwitz <mtg@HIDDEN>
 ;;; Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN>
+;;; Copyright © 2025 Richard Sent <richard@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,6 +51,7 @@ (define-module (guix scripts environment)
   #:use-module (gnu system file-systems)
   #:autoload   (gnu packages) (specification->package+output)
   #:autoload   (gnu packages bash) (bash)
+  #:autoload   (gnu packages certs) (nss-certs)
   #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
   #:autoload   (gnu packages package-management) (guix)
   #:use-module (ice-9 match)
@@ -72,6 +74,10 @@ (define-module (guix scripts environment)
 (define %default-shell
   (or (getenv "SHELL") "/bin/sh"))
 
+(define (%default-tls-certs)
+  ;; Thunk to defer loading (gnu packages certs)
+  (list nss-certs))
+
 (define* (show-search-paths profile manifest #:key pure?)
   "Display the search paths of MANIFEST applied to PROFILE.  When PURE? is #t,
 do not augment existing environment variables with additional search paths."
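Review bot: the % prefix is used in this file for global variables (%default-shell just above, %options), not for procedures, so a thunk named %default-tls-certs reads like a variable at its call sites; default-tls-certs would match the convention. The comment should also say why a thunk is needed: the #:autoload above only delays loading (gnu packages certs) until nss-certs is first referenced, and wrapping the reference in a procedure keeps that from happening at module load time.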
@@ -108,6 +114,9 @@ (define (show-environment-options-help)
   -C, --container        run command within an isolated container"))
   (display (G_ "
   -N, --network          allow containers to access the network"))
+  (display (G_ "
+      --no-tls            do not add SSL/TLS certificates or set environment
+                          variables for a networked container"))
   (display (G_ "
   -P, --link-profile     link environment profile to ~/.guix-profile within
                          an isolated container"))
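Review bot: the description column of the new entry appears to sit one character to the right of its neighbours (compare the continuation line `variables for a networked container` with `an isolated container` under -P); align it so --help output stays in one column. The text could also say that the option only makes sense together with --network and --container, which is what the error path in guix-environment* enforces.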
@@ -244,6 +253,9 @@ (define %options
          (option '(#\N "network") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'network? #t result)))
+         (option '("no-tls") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'no-tls? #t result)))
          (option '(#\W "nesting") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'nesting? #t result)))
@@ -359,6 +371,11 @@ (define (options/resolve-packages store opts)
                      (packages->outputs (load* file module) mode)))
                   (('manifest . file)
                    (manifest-entries (load-manifest file)))
+                  (('network? . #t)
+                   (if (assoc-ref opts 'no-tls?)
+                       '()
+                       (manifest-entries
+                        (packages->manifest (%default-tls-certs)))))
                   (('nesting? . #t)
                    (if (assoc-ref opts 'profile)
                        '()
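Review bot: unlike the nesting? clause just below, this clause does not check (assoc-ref opts 'profile). With --profile an existing profile is used and nss-certs cannot be added to it, yet launch-environment/container will still export SSL_CERT_FILE pointing at PROFILE/etc/ssl/certs/ca-certificates.crt, which may not exist, so clients fail verification with a misleading error. Either mirror the guard and skip the setenv when no bundle is present in the profile, or document that --network with --profile requires nss-certs in that profile.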
@@ -732,7 +749,8 @@ (define* (launch-environment/fork command profile manifest
 
 (define* (launch-environment/container #:key command bash user user-mappings
                                        profile manifest link-profile? network?
-                                       map-cwd? emulate-fhs? nesting?
+                                       set-tls? map-cwd? emulate-fhs?
+                                       nesting?
                                        (setup-hook #f)
                                        (symlinks '()) (white-list '()))
   "Run COMMAND within a container that features the software in PROFILE.
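
Review bot: the docstring that follows is not updated for the new `set-tls?` keyword; add a sentence such as "When SET-TLS? is true, point SSL_CERT_DIR and SSL_CERT_FILE at the certificate bundle in PROFILE." The keyword has no default, so callers that omit it get #f, which is the safe direction but worth stating there too.
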
@@ -936,6 +954,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
               ;; Allow local AF_INET communications.
               (set-network-interface-up "lo"))
 
+            (when set-tls?
+              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+                                                     "/ca-certificates.crt")))
+
             ;; For convenience, start in the user's current working
             ;; directory or, if unmapped, the home directory.
             (chdir (if map-cwd?
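
Review bot: `(getenv "SSL_CERT_DIR")` immediately after the `setenv` is an indirection the reader has to unwind; bind the directory once, e.g. `(let ((certs (string-append profile "/etc/ssl/certs"))) (setenv "SSL_CERT_DIR" certs) (setenv "SSL_CERT_FILE" (string-append certs "/ca-certificates.crt")))`. More importantly, nothing here checks that the bundle exists in PROFILE before exporting its path: if no certificate package landed in the profile (the `--profile` path, or a later change to the manifest logic), TLS clients are pointed at a file that is not there and fail verification with an opaque error. A `file-exists?` guard that warns instead of silently exporting would make that failure mode visible.
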
@@ -1085,6 +1108,7 @@ (define (guix-environment* opts)
          (link-prof?   (assoc-ref opts 'link-profile?))
          (symlinks     (assoc-ref opts 'symlinks))
          (network?     (assoc-ref opts 'network?))
+         (no-tls?      (assoc-ref opts 'no-tls?))
          (no-cwd?      (assoc-ref opts 'no-cwd?))
          (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
          (nesting?     (assoc-ref opts 'nesting?))
@@ -1138,7 +1162,13 @@ (define (guix-environment* opts)
       (when nesting?
         (leave (G_ "'--nesting' cannot be used without '--container'~%")))
       (when (pair? symlinks)
-        (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+        (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+      (when network?
+        (leave (G_ "'--network cannot be used without '--container'~%"))))
+
+    (when (and (not network?)
+               no-tls?)
+      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
 
     (with-status-verbosity (assoc-ref opts 'verbosity)
       (with-store/maybe store
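
Review bot: two message strings in this hunk are wrong. `'--network cannot be used without '--container'~%` is missing the closing quote after `--network`, and `'--no-tls' cannot be used without '--networking'~%` names an option that does not exist (the flag is `--network`/`-N`). Suggested: `(leave (G_ "'--network' cannot be used without '--container'~%"))` and `(leave (G_ "'--no-tls' cannot be used without '--network'~%"))`. Since both go through `G_`, the typos would otherwise reach translators as well.
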
@@ -1217,6 +1247,7 @@ (define (guix-environment* opts)
                                                   #:white-list white-list
                                                   #:link-profile? link-prof?
                                                   #:network? network?
+                                                  #:set-tls? (not no-tls?)
                                                   #:map-cwd? (not no-cwd?)
                                                   #:emulate-fhs? emulate-fhs?
                                                   #:nesting? nesting?
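
Review bot: `#:set-tls? (not no-tls?)` is #t whenever `--no-tls` is absent, including for `guix shell -C` without `-N`, but the certificate package is only added to the manifest under `('network? . #t)` above. A non-networked container therefore gets SSL_CERT_DIR and SSL_CERT_FILE pointing at a `PROFILE/etc/ssl/certs` that the manifest logic has not populated. Gate it on networking, `#:set-tls? (and network? (not no-tls?))`, and add a `-C`-only case to the tests, which currently exercise only `-CN`.
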
diff --git a/tests/guix-environment-container.sh b/tests/guix-environment-container.sh
index 09704f751c..7ffc7f8c9f 100644
--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -2,6 +2,7 @@
 # Copyright © 2015 David Thompson <davet@HIDDEN>
 # Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN>
 # Copyright © 2023 Ludovic Courtès <ludo@HIDDEN>
+# Copyright © 2025 Richard Sent <richard@HIDDEN>
 #
 # This file is part of GNU Guix.
 #
@@ -272,3 +273,13 @@ guix shell -C -D guix -- "$env" guix build hello -d && false # cannot work
 hello_drv="$(guix build hello -d)"
 hello_drv_nested="$(cd "$(dirname env)" && guix shell --bootstrap -E GUIX_BUILD_OPTIONS -CW -D guix -- "$env" guix build hello -d)"
 test "$hello_drv" = "$hello_drv_nested"
+
+# Test if SSL_CERT_{DIR,FILE} are set and readable in the container.
+#
+# -f does cover the case of a symlink to a file inaccessible within the
+# -container.
+guix shell -CN -- /bin/sh -c 'test -d $SSL_CERT_DIR'
+guix shell -CN -- /bin/sh -c 'test -f $SSL_CERT_FILE'
+# Confirm --no-tls causes SSL_CERT_{DIR,FILE} to be unset.
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_DIR'
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_FILE'
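
Review bot: the positive checks do not test what they claim. With the variable unset, the unquoted `test -d $SSL_CERT_DIR` expands to `test -d`, and `test` with a single argument is true whenever that argument is non-empty, so the line passes even if the container never sets the variable; the same applies to `test -f $SSL_CERT_FILE`, and in the other direction it makes `test -z $SSL_CERT_DIR` pass for the wrong reason. Quote the expansions: `guix shell -CN -- /bin/sh -c 'test -d "$SSL_CERT_DIR"'` and likewise for the other three lines. Two nits: the comment has a stray hyphen in "-container", and a `guix shell -C` case (no `-N`) asserting that both variables are unset would cover the non-networked path.
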

base-commit: 97fb1887ad10000c067168176c504274e29e4430
-- 
2.47.1
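
The check below is an added example, not code from the patch or from Guix. It is a POSIX sh function that verifies, from inside an environment, that the `SSL_CERT_DIR`/`SSL_CERT_FILE` pair a networked container is given actually points at a usable CA bundle, which is what the test lines above are trying to establish. It quotes every expansion (the unquoted `test -d $SSL_CERT_DIR` form is true when the variable is unset, because `test` with a single argument only checks that the argument is non-empty), follows symlinks so a link to a file that is not mapped into the container is rejected, and refuses an empty bundle. `check_tls_trust` and `make_fixture` are hypothetical names chosen here; `make_fixture` builds a stand-in for `PROFILE/etc/ssl/certs` with placeholder PEM blocks that are constructed for the demo and are not real certificates.

```shell
#!/bin/sh
# check_tls_trust: succeed only if SSL_CERT_DIR names a readable directory and
# SSL_CERT_FILE a readable file holding at least one PEM certificate.  Every
# expansion is quoted: with the variable unset, an unquoted `test -d $VAR`
# degrades to the one-argument form `test -d`, which is true.
check_tls_trust() {
    if [ -z "${SSL_CERT_DIR:-}" ]; then
        echo "SSL_CERT_DIR is unset" >&2
        return 1
    fi
    if [ ! -d "$SSL_CERT_DIR" ] || [ ! -r "$SSL_CERT_DIR" ]; then
        echo "SSL_CERT_DIR=$SSL_CERT_DIR is not a readable directory" >&2
        return 1
    fi
    if [ -z "${SSL_CERT_FILE:-}" ]; then
        echo "SSL_CERT_FILE is unset" >&2
        return 1
    fi
    # -f and -r follow symlinks, so a link whose target is missing or not
    # mapped into the container is rejected here.
    if [ ! -f "$SSL_CERT_FILE" ] || [ ! -r "$SSL_CERT_FILE" ]; then
        echo "SSL_CERT_FILE=$SSL_CERT_FILE is not a readable file" >&2
        return 1
    fi
    # A bundle with no PEM blocks would make every TLS handshake fail
    # verification; treat it the same as a missing bundle.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$SSL_CERT_FILE" || true)
    if [ "${n:-0}" -eq 0 ]; then
        echo "$SSL_CERT_FILE contains no PEM certificates" >&2
        return 1
    fi
    echo "ok: $n certificate(s) in $SSL_CERT_FILE"
}

# make_fixture DIR: write a constructed stand-in for PROFILE/etc/ssl/certs
# holding a two-block bundle.  The bodies are placeholders, not certificates.
make_fixture() {
    mkdir -p "$1"
    {
        for i in 1 2; do
            printf '%s\n' '-----BEGIN CERTIFICATE-----'
            printf '%s\n' "MIIBplaceholder$i"
            printf '%s\n' '-----END CERTIFICATE-----'
        done
    } > "$1/ca-certificates.crt"
}

# Stand-alone demo on a temporary fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/etc/ssl/certs"
(
    export SSL_CERT_DIR="$demo_dir/etc/ssl/certs"
    export SSL_CERT_FILE="$SSL_CERT_DIR/ca-certificates.crt"
    check_tls_trust
)
rm -rf "$demo_dir"
```

Inside a real `guix shell -CN`, the same function can be run as the container command (`guix shell -CN -- /bin/sh -c '. ./check.sh'`) to confirm the bundle is reachable before any client is pointed at the network; a non-zero exit is the signal that verification would fail rather than silently succeed.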





Information forwarded to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, maxim.cournoyer@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Simon Tournier <zimon.toutoune@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>, Richard Sent
 <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <87o74obna0.fsf@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87o74obna0.fsf@HIDDEN>
Date: Fri, 20 Sep 2024 17:19:59 +0200
Message-ID: <87ed5etkrk.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org

Hi Ludo,

On Sun, 15 Sept 2024 at 23:49, Ludovic Courtès <ludo@HIDDEN> wrote:

>> +  #:autoload   (gnu packages certs) (nss-certs)

[...]

>> +(define %default-tls-certs
>> +  (list nss-certs))

>
> This would force all the package modules to be loaded upfront.  Instead
> you should arrange to not refer to ‘nss-certs’ until it’s needed.

This is a question I had but did not report when commenting on this
patch elsewhere.  I was thinking of suggesting:

    (module-ref (resolve-interface '(gnu packages certs)) 'nss-certs)

which lazily loads, IIUC.  Then I had a look at the Guile manual, which
mentions:

     ‘#:autoload MODULE SYMBOL-LIST’
[...]
          An autoload is a good way to put off loading a big module
          until it’s really needed, for instance for faster startup or
          if it will only be needed in certain circumstances.

Therefore, could you explain the difference if there is one?



Cheers,
simon




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Simon Tournier <zimon.toutoune@HIDDEN>
To: Richard Sent <richard@HIDDEN>, 70314 <at> debbugs.gnu.org,
 Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Fri, 20 Sep 2024 17:04:44 +0200
Message-ID: <87h6aatlgz.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Richard Sent <richard@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>,
 Ludovic Courtès <ludo@HIDDEN>

Hi,

On Tue, 9 April 2024 at 15:05, Richard Sent <richard@HIDDEN> wrote:

> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.

I agree.  I have been annoyed more than once with this.  Then it becomes
something odd that I have forgotten it’s odd. :-)


> +  (display (G_ "
> +      --no-tls           do not add SSL/TLS certificates or set environment
> +                         variables for a networked container"))

[...]

> +         (option '(#\T "no-tls") #f #f
> +                 (lambda (opt name arg result)
> +                   (alist-cons 'no-tls? #t result)))

There is a discrepancy, no?  Missing the short ’-T’ option in the help?

Well, that said, I would prefer to not have any short option at all.
Because I think that option would be a rare option.  And if it is not
and many people use “guix shell” without the package ’nss-tls’, then we
will still be able to add the short option.  The converse is not true.


>           (option '(#\W "nesting") #f #f
>                   (lambda (opt name arg result)
>                     (alist-cons 'nesting? #t result)))
> @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
>                       (packages->outputs (load* file module) mode)))
>                    (('manifest . file)
>                     (manifest-entries (load-manifest file)))
> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))
>                    (('nesting? . #t)
>                     (if (assoc-ref opts 'profile)
>                         '()
> @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
>  
>  (define* (launch-environment/container #:key command bash user user-mappings
>                                         profile manifest link-profile? network?
> -                                       map-cwd? emulate-fhs? nesting?
> +                                       no-tls? map-cwd? emulate-fhs? nesting?
>                                         (setup-hook #f)
>                                         (symlinks '()) (white-list '()))
>    "Run COMMAND within a container that features the software in PROFILE.
> @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
>                ;; Allow local AF_INET communications.
>                (set-network-interface-up "lo"))
>  
> +            (unless no-tls?
> +              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
> +              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
> +                                                     "/ca-certificates.crt")))
> +
>              ;; For convenience, start in the user's current working
>              ;; directory or, if unmapped, the home directory.
>              (chdir (if map-cwd?
> @@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
>           (link-prof?   (assoc-ref opts 'link-profile?))
>           (symlinks     (assoc-ref opts 'symlinks))
>           (network?     (assoc-ref opts 'network?))
> +         (no-tls?      (assoc-ref opts 'no-tls?))
>           (no-cwd?      (assoc-ref opts 'no-cwd?))
>           (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
>           (nesting?     (assoc-ref opts 'nesting?))
> @@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
>        (when (pair? symlinks)
>          (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
>  
> +    (when (and (not network?)
> +               no-tls?)
> +      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
> +

Why not a warning instead of leaving with an error?


Cheers,
simon




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Richard Sent <richard@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <87o74obna0.fsf@HIDDEN> ("Ludovic Courtès"'s message of "Sun, 15 Sep 2024 23:49:27 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87o74obna0.fsf@HIDDEN>
Date: Mon, 16 Sep 2024 11:22:03 -0400
Message-ID: <87ldzrd3ok.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>,
 Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org

Ludovic Courtès <ludo@HIDDEN> writes:

> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether ‘-C’ has been passed?
> 
> That way ‘guix shell -N --no-tls’ does not add ‘nss-certs’ to the
> environments.

Is `$ guix shell -N -- true` valid? I know it works at present, but my
understanding is sharing the network only works with containers. From
the manual:

> ‘--network’
> ‘-N’
>      For containers, share the network namespace with the host system.
>      Containers created without this flag only have access to the
>      loopback device.

Perhaps instead we should error when -N is passed without -C, ala

--8<---------------cut here---------------start------------->8---
modified   guix/scripts/environment.scm
@@ -1153,7 +1153,9 @@ (define (guix-environment* opts)
       (when nesting?
         (leave (G_ "'--nesting' cannot be used without '--container'~%")))
       (when (pair? symlinks)
-        (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+        (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+      (when network?
+        (leave (G_ "'--network cannot be used without '--container'~%"))))
 
     (when (and (not network?)
                no-tls?)
--8<---------------cut here---------------end--------------->8---

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


Date: Mon, 16 Sep 2024 00:04:23 +0000
To: Ludovic Courtès <ludo@HIDDEN>
From: Ryan Prior <rprior@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to
 networked containers
Message-ID: <ub_UIyami0aM1f_ld_Va6H_pNf_f1eJsqs-L3lNq2HXiiB9T57OqAITFdGC4OVrrRshTFvMCuyqGZpRPg0Rg_MtWe_1Cmrj1XaSJZcMOH3c=@protonmail.com>
In-Reply-To: <875xqwd2as.fsf@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN>
 <875xqwd2as.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>,
 Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Richard Sent <richard@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>,
 70314 <at> debbugs.gnu.org


On Sunday, September 15th, 2024 at 4:39 PM, Ludovic Courtès <ludo@gnu.org> wrote:

> You’ve convinced me.
> 
> That it’s opt-out sounds reasonable to me. ‘--no-tls’ sounds reasonable
> too as a name


Agreed on all points. Even though I'm aware of the need, I've forgotten to
add tls-certs many times. Removing a known footgun for containers is a great
plan.

Thanks!
Ryan




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Sun, 15 Sep 2024 23:49:27 +0200
Message-ID: <87o74obna0.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>,
 Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
 Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org

Hi,

Richard Sent <richard@HIDDEN> skribis:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7

[...]

> +  #:autoload   (gnu packages certs) (nss-certs)
>    #:autoload   (gnu packages bash) (bash)
>    #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
>    #:autoload   (gnu packages package-management) (guix)
> @@ -72,6 +73,9 @@ (define-module (guix scripts environment)
>  (define %default-shell
>    (or (getenv "SHELL") "/bin/sh"))
>  
> +(define %default-tls-certs
> +  (list nss-certs))

This would force all the package modules to be loaded upfront.  Instead
you should arrange to not refer to ‘nss-certs’ until it’s needed.

This matters for startup time.  To see how it affects the command, you
can run:

  strace -c guix shell coreutils -- true

The second run should make as few system calls as possible.

> +                 (lambda (opt name arg result)
> +                   (alist-cons 'no-tls? #t result)))

Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
of thumb, I always avoid negating Booleans in code).

> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))

Can we delay changes to the manifest until after all options have been
parsed, so we know whether ‘-C’ has been passed?

That way ‘guix shell -N --no-tls’ does not add ‘nss-certs’ to the
environments.

>  (define* (launch-environment/container #:key command bash user user-mappings
>                                         profile manifest link-profile? network?
> -                                       map-cwd? emulate-fhs? nesting?
> +                                       no-tls? map-cwd? emulate-fhs? nesting?

Same as above: ‘tls?’ rather than ‘no-tls?’.

Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
pass.

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <871q1zsbry.fsf@HIDDEN> (Richard Sent's message of
 "Wed, 04 Sep 2024 11:01:53 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN>
Date: Sun, 15 Sep 2024 23:39:39 +0200
Message-ID: <875xqwd2as.fsf@HIDDEN>

Hi Richard,

Cc: guix-devel to get more feedback: this is about adding ‘nss-certs’ by
default in ‘guix shell -CN’ containers, along with a ‘--no-tls’ option
to opt out:

  https://issues.guix.gnu.org/70314

Richard Sent <richard@HIDDEN> skribis:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
>> Instead of adding the ‘nss-certs’ package, I would rather expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it’s less expensive than having to
>> compute the derivation of ‘nss-certs’.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.

Oh, indeed.

[...]

>> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).

Right.

[...]

> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.

You’ve convinced me.

That it’s opt-out sounds reasonable to me.  ‘--no-tls’ sounds reasonable
too as a name (I thought about ‘--no-x509-certificates’ but that’s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).

I have some comments about the patch and I’d like others to weigh in too
before we commit this change.

Thank you!

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Richard Sent <richard@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <87jzfree6t.fsf@HIDDEN> ("Ludovic Courtès"'s message of
 "Wed, 04 Sep 2024 15:33:30 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 <87jzfree6t.fsf@HIDDEN>
Date: Wed, 04 Sep 2024 11:01:53 -0400
Message-ID: <871q1zsbry.fsf@HIDDEN>

Hi Ludo!

Thanks for the response!

Ludovic Courtès <ludo@HIDDEN> writes:

> Instead of adding the ‘nss-certs’ package, I would rather expose
> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
> certificates will be used, and (2) it’s less expensive than having to
> compute the derivation of ‘nss-certs’.

There is an issue with this that's cropped up in the past. The files in
/etc/ssl/certs/* are symlinks to store items. Because containers only
see a subset of store items that are in that container's profile, it
often sees the symlinks to store items but not the target file.

For example:

--8<---------------cut here---------------start------------->8---
$ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash
[env]$ ls /etc/ssl/certs/ca*
/etc/ssl/certs/ca-certificates.crt  /etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
[env]$ ls -l /etc/ssl/certs/ca6e4ad9.0
lrwxrwxrwx 1 65534 overflow 85 Jan  1  1970 /etc/ssl/certs/ca6e4ad9.0 -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca6e4ad9.0
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
--8<---------------cut here---------------end--------------->8---

We can /sort of/ solve this by adding nss-certs to the container, but
only when the nss-certs being added has the same hash as the nss-certs
package.

--8<---------------cut here---------------start------------->8---
# nss-certs w/o version adds v3.99 to the profile, which doesn't match
# the system. Ergo it's still unavailable.
~ $ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
#
# If we specify 3.88.1, it does work, but only for various nss-certificates,
# not the ca-certificates.crt bundle file (which isn't a package).
guix shell -C bash coreutils nss-certs@HIDDEN --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
# snip, contents of ca6e4ad9.0
#
~ $ guix shell -C bash coreutils nss-certs@HIDDEN --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca-certificates.crt'
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
--8<---------------cut here---------------end--------------->8---

This problem becomes impossible to solve in situations where the system
Guix and user Guix have different nss-certs hashes.

Be it by adding nss-certs to the container profile or by exposing
/etc/ssl/certs, we still need to calculate the nss-certs derivation.

(Perhaps an alternative solution is making sure symlink targets to store
items visible to a container are persisted. I don't know how complicated
that would be, but I imagine it's nontrivial.)

> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
> shell and it will take precedence over /etc/ssl/certs, assuming
> SSL_CERT_{FILE,DIR} is defined.

True, although at present anyone who wants to use nss-certs must set
SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
registers the search path).

--8<---------------cut here---------------start------------->8---
# nss-certs alone doesn't set SSL_CERT_DIR
~ $ guix shell -C bash coreutils nss-certs@HIDDEN -- bash -c 'echo $SSL_CERT_DIR'
# blank
#
# curl registers $SSL_CERT_{FILE,DIR}
~ $ guix shell -C bash coreutils nss-certs@HIDDEN curl -- bash -c 'echo $SSL_CERT_DIR'
/gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs
--8<---------------cut here---------------end--------------->8---

This is unintuitive. Many packages that make use of nss-certs don't
register the search path, e.g. rust-cargo [1]. I'd rather avoid a
solution that is "edit every package that may possibly use nss-certs now
and in the future to register the search path".

> WDYT?

My thoughts are if we have to decide between

1. Users who want TLS with standard public endpoints
2. Users who want TLS with custom private endpoints

it's better to prioritize a good experience for 1 and let 2 opt-out of
the "hand holding" defaults. But perhaps it's possible to make everyone
happy.

If desired this patch can be reworked as opt-in.

[1]: https://logs.guix.gnu.org/guix/2024-04-08.log

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
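The dangling-symlink failure shown in the sessions above, as an added example that is not part of this thread or of Guix: a POSIX shell check that walks a certificate directory the way a container would see it, plus a helper that derives the same SSL_CERT_DIR and SSL_CERT_FILE values the patch computes from a profile. The store layout under the temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of this thread or of Guix.  Every entry of
# /etc/ssl/certs is normally a symlink into /gnu/store, and a container
# only has the store items of its own profile, so an exposed link can
# point at a file the container cannot see.

# check_cert_dir DIR
# Prints "ok NAME", "dangling NAME -> TARGET" or "unreadable NAME" per
# entry, and "missing bundle PATH" when ca-certificates.crt is absent.
# Returns 0 only if every entry resolves and the bundle is readable.
check_cert_dir() {
  dir=$1
  status=0
  if [ ! -d "$dir" ]; then
    echo "missing directory $dir"
    return 1
  fi
  for entry in "$dir"/*; do
    # An empty directory leaves the glob unexpanded; skip that case.
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    name=${entry##*/}
    if [ -L "$entry" ]; then
      target=$(readlink "$entry")
      if [ -r "$entry" ]; then          # -r follows the link
        echo "ok $name"
      else
        echo "dangling $name -> $target"
        status=1
      fi
    elif [ -r "$entry" ]; then
      echo "ok $name"
    else
      echo "unreadable $name"
      status=1
    fi
  done
  if [ ! -r "$dir/ca-certificates.crt" ]; then
    echo "missing bundle $dir/ca-certificates.crt"
    status=1
  fi
  return $status
}

# profile_cert_env PROFILE
# Prints the two assignments the patch makes for a networked container,
# derived from PROFILE the same way (PROFILE/etc/ssl/certs and the bundle).
profile_cert_env() {
  printf 'SSL_CERT_DIR=%s/etc/ssl/certs\n' "$1"
  printf 'SSL_CERT_FILE=%s/etc/ssl/certs/ca-certificates.crt\n' "$1"
}

# demo: constructed fixture under a temporary directory mimicking the
# container view; one link's store item is present, the other's is not.
# Directory names are made up (no real store hashes).
demo() {
  tmp=$(mktemp -d)
  store=$tmp/gnu/store
  mkdir -p "$store/nss-certs-3.88.1/etc/ssl/certs" "$tmp/etc/ssl/certs"
  printf 'fake certificate\n' > "$store/nss-certs-3.88.1/etc/ssl/certs/ca6e4ad9.0"
  ln -s "$store/nss-certs-3.88.1/etc/ssl/certs/ca6e4ad9.0" \
        "$tmp/etc/ssl/certs/ca6e4ad9.0"
  # The bundle's store item is not in the profile, so this link dangles.
  ln -s "$store/nss-certs-3.99/etc/ssl/certs/ca-certificates.crt" \
        "$tmp/etc/ssl/certs/ca-certificates.crt"
  if check_cert_dir "$tmp/etc/ssl/certs"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see one resolving entry and one dangling bundle; pass a real directory to `check_cert_dir` from inside a `guix shell -C --expose=/etc/ssl/certs` session to audit it.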




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at 70314 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
 (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Wed, 04 Sep 2024 15:33:30 +0200
Message-ID: <87jzfree6t.fsf@HIDDEN>

Hi Richard,

Richard Sent <richard@HIDDEN> skribis:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7

Apparently this patch fell through the cracks, despite the long Cc:
list.

> Given the discussion on IRC and guix-devel [1] recently about making
> nss-certs easier to use, this patch modifies guix environment (and
> thus guix shell) to automatically add nss-certs to the profile when
> sharing the network namespace, as well as setting the
> mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
> variables.
>
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.

[...]

> +                  (('network? . #t)
> +                   (if (assoc-ref opts 'no-tls?)
> +                       '()
> +                       (manifest-entries
> +                        (packages->manifest %default-tls-certs))))

Instead of adding the ‘nss-certs’ package, I would rather expose
/etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
certificates will be used, and (2) it’s less expensive than having to
compute the derivation of ‘nss-certs’.

Users who definitely want Guix’s ‘nss-certs’ can always add it to the
shell and it will take precedence over /etc/ssl/certs, assuming
SSL_CERT_{FILE,DIR} is defined.

WDYT?

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Richard Sent <richard@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] guix: scripts: environment: add tls certs to networked
 containers
Date: Tue,  9 Apr 2024 15:05:29 -0400
Message-ID: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>

* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
container with -N, add nss-certs package and set SSL_CERT_DIR and
SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
behavior.
* doc/guix.texi: Document it.

Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
---
Hi Guix!

Given the discussion on IRC and guix-devel [1] recently about making
nss-certs easier to use, this patch modifies guix environment (and
thus guix shell) to automatically add nss-certs to the profile when
sharing the network namespace, as well as setting the
mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
variables.

This behavior can be reverted with the --no-tls flag. Since presumably
the majority of shell users want TLS to work out of the box, adding
TLS by default makes sense to me.

Previous workarounds were verbose [2] and prone to failure [3].

[1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html

[2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html

[3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2]
works coincidentally since guix system w/ nss-certs happens to have
identical nss-certs hash as the guix building the shell profile.
Otherwise the system version would not be visible inside the
container.

 doc/guix.texi                |  8 ++++++++
 guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5827e0de14..912ed79ccd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6214,6 +6214,10 @@ Invoking guix shell
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
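Review bot: the @item --no-tls entry documents only the certificates, while the option also stops SSL_CERT_DIR and SSL_CERT_FILE from being set and is rejected unless --network is given (both visible in the environment.scm hunks below); stating this here avoids surprises. Suggested wording: "For containers that share the network namespace, do not add TLS/SSL certificates to the profile or set @env{SSL_CERT_DIR} and @env{SSL_CERT_FILE}. Requires @option{--network}."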
@@ -6711,6 +6715,10 @@ Invoking guix environment
 Containers created without this flag only have access to the loopback
 device.
 
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
 @item --link-profile
 @itemx -P
 For containers, link the environment profile to @file{~/.guix-profile}
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 1d7a6e198d..b38882a4ca 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -49,6 +49,7 @@ (define-module (guix scripts environment)
   #:autoload   (guix build syscalls) (set-network-interface-up openpty login-tty)
   #:use-module (gnu system file-systems)
   #:autoload   (gnu packages) (specification->package+output)
+  #:autoload   (gnu packages certs) (nss-certs)
   #:autoload   (gnu packages bash) (bash)
   #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
   #:autoload   (gnu packages package-management) (guix)
@@ -72,6 +73,9 @@ (define-module (guix scripts environment)
 (define %default-shell
   (or (getenv "SHELL") "/bin/sh"))
 
+(define %default-tls-certs
+  (list nss-certs))
+
 (define* (show-search-paths profile manifest #:key pure?)
   "Display the search paths of MANIFEST applied to PROFILE.  When PURE? is #t,
 do not augment existing environment variables with additional search paths."
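Review bot: `(define %default-tls-certs (list nss-certs))` evaluates `nss-certs` at module load time, which defeats the `#:autoload` of (gnu packages certs) added in the previous hunk and pulls the package modules in on every invocation, not just those that use -N. Make the reference lazy, for example `(define (default-tls-certs) (list nss-certs))`, and call it only on the code path that actually adds the entries.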
@@ -108,6 +112,9 @@ (define (show-environment-options-help)
   -C, --container        run command within an isolated container"))
   (display (G_ "
   -N, --network          allow containers to access the network"))
+  (display (G_ "
+      --no-tls           do not add SSL/TLS certificates or set environment
+                         variables for a networked container"))
   (display (G_ "
   -P, --link-profile     link environment profile to ~/.guix-profile within
                          an isolated container"))
@@ -244,6 +251,9 @@ (define %options
          (option '(#\N "network") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'network? #t result)))
+         (option '(#\T "no-tls") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'no-tls? #t result)))
          (option '(#\W "nesting") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'nesting? #t result)))
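Review bot: the option registers a short form `#\T`, but the help text hunk above lists only `--no-tls`; either drop the short letter (single-letter flags are scarce, and a negated one is easy to misread next to `-N`) or show `-T, --no-tls` in the help so the two agree. The `'no-tls?` key also stores a negated Boolean; storing `'tls?` (true by default) keeps the use sites free of double negation.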
@@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
                      (packages->outputs (load* file module) mode)))
                   (('manifest . file)
                    (manifest-entries (load-manifest file)))
+                  (('network? . #t)
+                   (if (assoc-ref opts 'no-tls?)
+                       '()
+                       (manifest-entries
+                        (packages->manifest %default-tls-certs))))
                   (('nesting? . #t)
                    (if (assoc-ref opts 'profile)
                        '()
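Review bot: the `('network? . #t)` clause adds the nss-certs manifest entries whenever --network appears in the option list and checks only `'no-tls?`, not whether --container was passed, so the decision is tied to a single option rather than to the combination that actually creates a networked container. Compute these entries after option parsing, once `container?`, `network?` and the TLS choice are all known, instead of inside the per-option match.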
@@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
 
 (define* (launch-environment/container #:key command bash user user-mappings
                                        profile manifest link-profile? network?
-                                       map-cwd? emulate-fhs? nesting?
+                                       no-tls? map-cwd? emulate-fhs? nesting?
                                        (setup-hook #f)
                                        (symlinks '()) (white-list '()))
   "Run COMMAND within a container that features the software in PROFILE.
@@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
               ;; Allow local AF_INET communications.
               (set-network-interface-up "lo"))
 
+            (unless no-tls?
+              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+                                                     "/ca-certificates.crt")))
+
             ;; For convenience, start in the user's current working
             ;; directory or, if unmapped, the home directory.
             (chdir (if map-cwd?
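Review bot: `SSL_CERT_FILE` is derived by re-reading the variable just set with `(getenv "SSL_CERT_DIR")`; bind the directory once with `let` and compute both values from that string. Consider also guarding the two `setenv` calls on `(file-exists? ...)` of the certs directory, since the manifest path can leave the profile without nss-certs, in which case both variables point at a path that does not exist inside the container.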
@@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
          (link-prof?   (assoc-ref opts 'link-profile?))
          (symlinks     (assoc-ref opts 'symlinks))
          (network?     (assoc-ref opts 'network?))
+         (no-tls?      (assoc-ref opts 'no-tls?))
          (no-cwd?      (assoc-ref opts 'no-cwd?))
          (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
          (nesting?     (assoc-ref opts 'nesting?))
@@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
       (when (pair? symlinks)
         (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
 
+    (when (and (not network?)
+               no-tls?)
+      (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
+
     (with-store/maybe store
       (with-status-verbosity (assoc-ref opts 'verbosity)
         (define manifest-from-opts
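Review bot: the error message names `'--networking'`, but the option tested is `network?`, whose command-line flag is `--network`; use the real flag name so the message matches the `'--symlink' cannot be used without '--container'` style of the preceding checks, i.e. `"'--no-tls' cannot be used without '--network'~%"`.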
@@ -1212,6 +1237,7 @@ (define (guix-environment* opts)
                                                   #:network? network?
                                                   #:map-cwd? (not no-cwd?)
                                                   #:emulate-fhs? emulate-fhs?
+                                                  #:no-tls? no-tls?
                                                   #:nesting? nesting?
                                                   #:symlinks symlinks
                                                   #:setup-hook

base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35
-- 
2.41.0
Acknowledgement sent to Richard Sent <richard@HIDDEN>:
New bug report received and forwarded. Copy sent to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN. Full text available.
Report forwarded to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#70314; Package guix-patches. Full text available.
Last modified: Sun, 23 Feb 2025 22:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.