Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:43 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Sep 20 12:11:43 2024
Received: from localhost ([127.0.0.1]:36146 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1srgER-000411-0O
for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:43 -0400
Received: from mail-wm1-f47.google.com ([209.85.128.47]:60874)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <zimon.toutoune@HIDDEN>) id 1srgED-0003zT-7h
for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400
Received: by mail-wm1-f47.google.com with SMTP id
5b1f17b1804b1-4280ca0791bso20303125e9.1
for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1726848604; x=1727453404; darn=debbugs.gnu.org;
h=content-transfer-encoding:mime-version:message-id:date:references
:in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
:reply-to; bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=;
b=mFKij3nRMteKu4wN+IJAXOLvyKr4gyIeL2QsVKmRe/BQlrmPUehYj8NdVUCJSa4zzP
DUzWdPMUogtZkiyKLEx7viUpmCwpzUuhn4saItX0IB/RcVi2210U2w1G6tIUr4N32iUN
4NNq4FF6o7odgvOuUEN9Lo30QSghrLeWdsjExjQz2WSvq2JVDUvmHx4lML3bEPNvI501
IC83g17pVTFyz+nLytPRA4Q6zsH0kXrzIbAG+1PXjQ8DpYCly63ee5c+oro1YOSDv/mD
d4+1Q8vkE0I42P5TE+yGNZht6hdICnw7qHpB7GRRcfKdO4VA03nP8JMm1JJCpMxZjT+W
i7xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1726848604; x=1727453404;
h=content-transfer-encoding:mime-version:message-id:date:references
:in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=/VOqHNEnw6yMlpedZmoNAP+2UAUzEYZuJSfvXRXHH/0=;
b=Ebudz/jMJj/zkuO+sKxOGBWouK55B9jhtU8L1YG6d2N9btJlzTEu0IZtJs1d+BNCfC
onhM69AfylaG/9w2ta3um7BQNe6sajxggTzTdJhLvtBB+QHwUdE01tYJsVnG91sQogpy
EPGkXH/E7JE9EU/K1M7l66DRz5koge+m3DCcMasNP9fBaJQYAUqOMIzyCkSUJCZoRgVD
z/YtIDQUX9DWmedAz1OHDmDuzFuXzoQTSEZaDdL1oznQrKM0J4FvgCE/8CdN+Jxxp18R
y0dPt93GCvyW4CTSiN3fh0thYNRvgKTFEHYE2VfXeDvnqvHzTYUTog2IrXMbU5DoS654
1yJA==
X-Forwarded-Encrypted: i=1;
AJvYcCWwuRa5Mq8zq+bL7zgH03hpoqrE95AKXiOEyFKQ2iDZtcPfn7Ckfw1S18y3e5+nwaIGHxpt+A==@debbugs.gnu.org
X-Gm-Message-State: AOJu0Yw6LBlLZXYt0mCnaZGEGwTxzZMabb/JdYa9SWQ7Co66GzXNXLG3
0RV+4j2i/ll7z7+AChlQJMEQx+mzi00QryXeP2e4zbvf3x861i2bl3Urvw==
X-Google-Smtp-Source: AGHT+IEDkMy2BMG03y0YwU8d9UKV2xamVW6d7eBamygke2jNzqIp8d1e60RUl+UysDtkQdLoMt9/Mw==
X-Received: by 2002:a05:600c:358b:b0:42c:b1e1:a45b with SMTP id
5b1f17b1804b1-42e7c16ed53mr24131445e9.19.1726848604261;
Fri, 20 Sep 2024 09:10:04 -0700 (PDT)
Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id
5b1f17b1804b1-42e7540e4e1sm53202095e9.10.2024.09.20.09.10.03
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 20 Sep 2024 09:10:03 -0700 (PDT)
From: Simon Tournier <zimon.toutoune@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, Richard Sent
<richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <87o74obna0.fsf@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
<87o74obna0.fsf@HIDDEN>
Date: Fri, 20 Sep 2024 17:19:59 +0200
Message-ID: <87ed5etkrk.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hi Ludo,
On dim., 15 sept. 2024 at 23:49, Ludovic Court=C3=A8s <ludo@HIDDEN> wrote:
>> + #:autoload (gnu packages certs) (nss-certs)
[...]
>> +(define %default-tls-certs
>> + (list nss-certs))
>
> This would force all the package modules to be loaded upfront. Instead
> you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it=
=E2=80=99s needed.
This is a question I had but not reported when commenting elsewhere this
patch. I was thinking to suggest:
(module-ref (resolve-interface '(gnu packages certs)) 'nss-certs)
which lazily loads, IIUC. Then I gave a look to Guile manual which
mentions:
=E2=80=98#:autoload MODULE SYMBOL-LIST=E2=80=99
[...]
An autoload is a good way to put off loading a big module
until it=E2=80=99s really needed, for instance for faster startup=
or
if it will only be needed in certain circumstances.
Therefore, could you explain the difference if there is one?
Cheers,
simon
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 20 Sep 2024 16:11:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Sep 20 12:11:31 2024
Received: from localhost ([127.0.0.1]:36141 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1srgEE-000405-HU
for submit <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:30 -0400
Received: from mail-wm1-f42.google.com ([209.85.128.42]:57389)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <zimon.toutoune@HIDDEN>) id 1srgEC-0003zR-DB
for 70314 <at> debbugs.gnu.org; Fri, 20 Sep 2024 12:11:29 -0400
Received: by mail-wm1-f42.google.com with SMTP id
5b1f17b1804b1-42cb5b3c57eso20676775e9.2
for <70314 <at> debbugs.gnu.org>; Fri, 20 Sep 2024 09:11:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1726848603; x=1727453403; darn=debbugs.gnu.org;
h=content-transfer-encoding:mime-version:message-id:date:references
:in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
:reply-to; bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=;
b=e5XJym1aeAGRtI12DZHLKRIUWqDHeI0B0JvYEWuy78hRtRxtWjZ6jldNzLbxpIzrUq
CzrWdw8Ywp5p44fQ/nxWVqmxLYPR6ac7M3JpU7AZNOnVCt0rDpSjRrsJ8MprKLyiikVh
pzXBng3qFd7mveJ3ESZuTe2tWsDaWQjPUVGR8BnKwcagiClln0WJh8nD+NLpnUXkMJzs
XLMT8AwfisdqaiBnSYHS8eI0CXcGfkOUpP3K9NVoNSc2FSSPkiHRcEVpa+/cQyZEy9+l
oeDUx42JN5sQ2CfOpnPLlXjcRJS5HNWpTG3A+TS8mRu6ziiOtdRe3RZQn4aarCoaFj6u
756Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1726848603; x=1727453403;
h=content-transfer-encoding:mime-version:message-id:date:references
:in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=8dwz6m40OMA6yOjrgDz1iDVW210nCX1/plsL1lMTMl4=;
b=l4BjwJaj/lh7dKqLTIJ20JeD17hnczAsyXhQCO0bxz6i5G5cQbQNeOHS7HMGyBsgra
qkc1kfDh2yp2nkozWysoMORquFZZQRgDVdFCPJprs777ha7vIkLgrY6E9TQmWhON5B67
4rH83KjIa9hCTdSbcuNFvx7P53AxRhqWnz0M29WPjWFmo6rGo4gmFsfCCoV2KCAIY0dt
W0AYQX7Mvrl505dLraBVzGkT6hTGUIadcUkMMIOCaUjy6LY56Z769Nu4bJjEcsTXbykj
CHwzLUkqOyuItuR4eSb5yNzXbR6dZlMsCMXkTP8j90NQkdqxemehA/PDY8HKJ3CxegR7
uGYw==
X-Forwarded-Encrypted: i=1;
AJvYcCXYRdNExBkhQSvxbCQ58LZioxxdJ1wb4FmZPxnbtSicwBRSEBcr6nm8lqVyCA/QTc5LVsN8eA==@debbugs.gnu.org
X-Gm-Message-State: AOJu0YzukUMtFeBDbua3kwEeleVrUpw7JepmB2jDmAvadWEKisynn4N0
MVkiJRryQTcu2ostJvDVufk2xnQmrrSH2B9Q2eS1vTMdpEYhj3ce
X-Google-Smtp-Source: AGHT+IFlb47XvbCruMXC3Z004FvXdWXHM4Ns/QvrnEMcNp0DI+Lf2O8MPVkHALpUj4Vhg1eRHT4a8g==
X-Received: by 2002:a05:600c:548e:b0:42c:b1ee:4b04 with SMTP id
5b1f17b1804b1-42e7c19bb69mr22867305e9.28.1726848603299;
Fri, 20 Sep 2024 09:10:03 -0700 (PDT)
Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id
ffacd0b85a97d-378e78054cesm18175255f8f.108.2024.09.20.09.10.02
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 20 Sep 2024 09:10:02 -0700 (PDT)
From: Simon Tournier <zimon.toutoune@HIDDEN>
To: Richard Sent <richard@HIDDEN>, 70314 <at> debbugs.gnu.org,
Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Fri, 20 Sep 2024 17:04:44 +0200
Message-ID: <87h6aatlgz.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Richard Sent <richard@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>,
Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hi,
On mar., 09 avril 2024 at 15:05, Richard Sent <richard@HIDDEN>=
wrote:
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.
I agree. I have been annoyed more than once with this. Then it becomes
something odd that I have forgotten it=E2=80=99s odd. :-)
> + (display (G_ "
> + --no-tls do not add SSL/TLS certificates or set environm=
ent
> + variables for a networked container"))
[...]
> + (option '(#\T "no-tls") #f #f
> + (lambda (opt name arg result)
> + (alist-cons 'no-tls? #t result)))
There is a discrepancy, no? Missing the short =E2=80=99-T=E2=80=99 option =
in the help?
Well, that=E2=80=99s said, I would prefer to not have any short option at a=
ll.
Because I think that option would be a rare option. And if it is not
and many people use =E2=80=9Cguix shell=E2=80=9D without the package =E2=80=
=99nss-tls=E2=80=99, then we
will still be able to add the short option. The converse is not true
> (option '(#\W "nesting") #f #f
> (lambda (opt name arg result)
> (alist-cons 'nesting? #t result)))
> @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
> (packages->outputs (load* file module) mode)))
> (('manifest . file)
> (manifest-entries (load-manifest file)))
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
> (('nesting? . #t)
> (if (assoc-ref opts 'profile)
> '()
> @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile man=
ifest
>=20=20
> (define* (launch-environment/container #:key command bash user user-mapp=
ings
> profile manifest link-profile? ne=
twork?
> - map-cwd? emulate-fhs? nesting?
> + no-tls? map-cwd? emulate-fhs? nes=
ting?
> (setup-hook #f)
> (symlinks '()) (white-list '()))
> "Run COMMAND within a container that features the software in PROFILE.
> @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command=
bash user user-mappings
> ;; Allow local AF_INET communications.
> (set-network-interface-up "lo"))
>=20=20
> + (unless no-tls?
> + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/ce=
rts"))
> + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_D=
IR")
> + "/ca-certificates.c=
rt")))
> +
> ;; For convenience, start in the user's current working
> ;; directory or, if unmapped, the home directory.
> (chdir (if map-cwd?
> @@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
> (link-prof? (assoc-ref opts 'link-profile?))
> (symlinks (assoc-ref opts 'symlinks))
> (network? (assoc-ref opts 'network?))
> + (no-tls? (assoc-ref opts 'no-tls?))
> (no-cwd? (assoc-ref opts 'no-cwd?))
> (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
> (nesting? (assoc-ref opts 'nesting?))
> @@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
> (when (pair? symlinks)
> (leave (G_ "'--symlink' cannot be used without '--container'~%")=
)))
>=20=20
> + (when (and (not network?)
> + no-tls?)
> + (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
> +
Why not a warning instead of leaving with an error?
Cheers,
simon
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 15:22:41 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Sep 16 11:22:41 2024
Received: from localhost ([127.0.0.1]:53052 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1sqDYm-0006Oa-Uv
for submit <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:41 -0400
Received: from mail-108-mta228.mxroute.com ([136.175.108.228]:36793)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <richard@HIDDEN>) id 1sqDYk-0006OS-Vf
for 70314 <at> debbugs.gnu.org; Mon, 16 Sep 2024 11:22:40 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
(Authenticated sender: mN4UYu2MZsgR)
by mail-108-mta228.mxroute.com (ZoneMTA) with ESMTPSA id
191fb6d75110013e01.002 for <70314 <at> debbugs.gnu.org>
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
Mon, 16 Sep 2024 15:22:20 +0000
X-Zone-Loop: d1845798e40e69d6d4a98721eda0343dbf5723b6c2db
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From:Sender
:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=D3iQ2emaxbbu2Zh4abCa+GXZnlkStdid/BWp5LUE2HM=; b=c6cL+3mnG00FEt3CRlvK5pIWR6
1pPc8jThBb77fKklLh318a+zhlkehzh5jy49Dv59MXT/0YB7j+QRNkH0NGCzPMXng4a2DMzEyrGZm
L4Hk9nQjsEiPe5kX4o8g4telHi2geucpuPQXPJfLHApfK1ncCPK6byJjUg9wOI86nvhQX0AiDHqaC
2xVJJet6fhcxpC8aEKlfQeaHnypyW3L2E7GDieH4pbx1o5AkOeA4OMVnuWqG55LIHLXDrl9pCYM6/
01O3V6NQV60o3/EJT341GR6N4TqUUeFcFmd8+zXKb55Kr5Rh8gJW1KSggmAtk26At/IFatZGgyUXo
bSpuO0DA==;
From: Richard Sent <richard@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <87o74obna0.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?=
=?utf-8?Q?s?= message of "Sun, 15 Sep 2024 23:49:27 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
<87o74obna0.fsf@HIDDEN>
Date: Mon, 16 Sep 2024 11:22:03 -0400
Message-ID: <87ldzrd3ok.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>,
Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed?
>=20
> That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98n=
ss-certs=E2=80=99 to the
> environments.
Is `$ guix shell -N -- true` valid? I know it works at present, but my
understanding is sharing the network only works with containers. From
the manual:
> =E2=80=98--network=E2=80=99
> =E2=80=98-N=E2=80=99
> For containers, share the network namespace with the host system.
> Containers created without this flag only have access to the
> loopback device.
Perhaps instead we should error when -N is passed without -C, ala
--8<---------------cut here---------------start------------->8---
modified guix/scripts/environment.scm
@@ -1153,7 +1153,9 @@ (define (guix-environment* opts)
(when nesting?
(leave (G_ "'--nesting' cannot be used without '--container'~%")))
(when (pair? symlinks)
- (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+ (when network?
+ (leave (G_ "'--network cannot be used without '--container'~%"))))
=20
(when (and (not network?)
no-tls?)
--8<---------------cut here---------------end--------------->8---
--=20
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.Received: (at 70314) by debbugs.gnu.org; 16 Sep 2024 00:04:50 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 20:04:50 2024 Received: from localhost ([127.0.0.1]:50729 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1spzEY-0006Du-0G for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:50 -0400 Received: from mail-40131.protonmail.ch ([185.70.40.131]:10517) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <rprior@HIDDEN>) id 1spzEV-0006Db-Js for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 20:04:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1726445068; x=1726704268; bh=IZNAB1v6dghE+Yx+bF9h+47HXdIven7FmQpQ/dgQFDM=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=uXa8y1ibrp5IiJIytXMVBcHUIMcs51V0jQCfY5EpNaeKeu9uEhm7qgWj9u9H7E6ss bRTWkdCguD8cgPO+53D6rRudN6RRAscQpanrozk+iGr1nDnTw/oWBdgriRo9TpsuSO P9fgsoGBYBa95UbjQ5XChBtvOPvkNumispcmDrLks9dQirNlIjCntxlPyl8ko8xhdM ijGRHi0jPU0h3u0u7hszvjjzJx3PXSHqd5VuMep2cvkagYNJHs8Wx9iHsU+3xlbxQo 3ykmowiU4gA/oOgYkPJ8uHabxWjqIOC5mBhVa3C0q9NRIOArIDnVtRbcohoGRn47Ij RFNA2RL9yLr+Q== Date: Mon, 16 Sep 2024 00:04:23 +0000 To: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> From: Ryan Prior <rprior@HIDDEN> Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers Message-ID: <ub_UIyami0aM1f_ld_Va6H_pNf_f1eJsqs-L3lNq2HXiiB9T57OqAITFdGC4OVrrRshTFvMCuyqGZpRPg0Rg_MtWe_1Cmrj1XaSJZcMOH3c=@protonmail.com> In-Reply-To: <875xqwd2as.fsf@HIDDEN> References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN> <87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN> <875xqwd2as.fsf@HIDDEN> Feedback-ID: 7396961:user:proton X-Pm-Message-ID: 080af1fce6a982544a638f46abd071a3d0aa1417 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70314 Cc: Josselin Poiret <dev@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Richard Sent <richard@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) On Sunday, September 15th, 2024 at 4:39 PM, Ludovic Court=C3=A8s <ludo@gnu.= org> wrote: > You=E2=80=99ve convinced me. >=20 > That it=E2=80=99s opt-out sounds reasonable to me. =E2=80=98--no-tls= =E2=80=99 sounds reasonable > too as a name Agreed on all points. Even though I'm aware of the need, I've forgotten to = add tls-certs many times. Removing a known footgun for containers is a grea= t plan. Thanks! Ryan
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:49:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 17:49:53 2024
Received: from localhost ([127.0.0.1]:50640 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1spx7x-0007Ja-08
for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:53 -0400
Received: from eggs.gnu.org ([209.51.188.92]:51078)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <ludo@HIDDEN>) id 1spx7v-0007JM-9J
for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:49:51 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
id 1spx7b-00083s-7g; Sun, 15 Sep 2024 17:49:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
From; bh=uAwU9f++y+PAtidbis6EWEpL+lumBElQSlnfMJh9mH4=; b=Flyb58OuaO0/Yx6bVWpF
WPatEkJt+UuBeHC4p2UjAZxbAbKJV/OcKB/qjFIcmt655TSC4271Lk+TSjue+frsjmJAkmYZKMwEW
wfttLbGySDEX9ZA3LxaBVP4FemQ3zxbGQYJrYkXyTyA69NYgdl1in3uWKBi73eEExsuM5jnMvgm4Z
uFToP6jHldj9TcoVuG2RlM0ceT+wdqjMqq6cAnNi8no7CWQSt35yu2Y1O561+c+DxJZpyhfh0c0Bv
srw04pnjiqW2vLVuxoYGschtPo5vd85BsYBagueF4UeB18d+0rhdpMc+6MT4pnN8c+2ZcjhWjF48A
QyEAxMqeH5kjLg==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
(Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Sun, 15 Sep 2024 23:49:27 +0200
Message-ID: <87o74obna0.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>,
Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Hi,
Richard Sent <richard@HIDDEN> skribis:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starti=
ng a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to =
old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
[...]
> + #:autoload (gnu packages certs) (nss-certs)
> #:autoload (gnu packages bash) (bash)
> #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap=
-guile)
> #:autoload (gnu packages package-management) (guix)
> @@ -72,6 +73,9 @@ (define-module (guix scripts environment)
> (define %default-shell
> (or (getenv "SHELL") "/bin/sh"))
>=20=20
> +(define %default-tls-certs
> + (list nss-certs))
This would force all the package modules to be loaded upfront. Instead
you should arrange to not refer to =E2=80=98nss-certs=E2=80=99 until it=E2=
=80=99s needed.
This matters for startup time. To see how it affects the command, you
can run:
strace -c guix shell coreutils -- true
The second run should make as few system calls as possible.
> + (lambda (opt name arg result)
> + (alist-cons 'no-tls? #t result)))
Internally, I would reverse the logic to have =E2=80=98tls?=E2=80=99 instea=
d (as a rule
of thumb, I always avoid negating Booleans in code).
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
Can we delay changes to the manifest until after all options have been
parsed, so we know whether =E2=80=98-C=E2=80=99 has been passed?
That way =E2=80=98guix shell -N --no-tls=E2=80=99 does not add =E2=80=98nss=
-certs=E2=80=99 to the
environments.
> (define* (launch-environment/container #:key command bash user user-mapp=
ings
> profile manifest link-profile? ne=
twork?
> - map-cwd? emulate-fhs? nesting?
> + no-tls? map-cwd? emulate-fhs? nes=
ting?
Same as above: =E2=80=98tls?=E2=80=99 rather than =E2=80=98no-tls?=E2=80=99.
Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
pass.
Thanks,
Ludo=E2=80=99.
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 15 Sep 2024 21:40:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 15 17:40:07 2024
Received: from localhost ([127.0.0.1]:50631 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1spwyV-0006mz-C1
for submit <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:07 -0400
Received: from eggs.gnu.org ([209.51.188.92]:54632)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <ludo@HIDDEN>) id 1spwyS-0006mG-C4
for 70314 <at> debbugs.gnu.org; Sun, 15 Sep 2024 17:40:05 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
id 1spwy7-0007DX-38; Sun, 15 Sep 2024 17:39:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
From; bh=Pzc9tn9Twed4xuo4C7hwVQF6xNvZvIfu4OQWfK/sjUI=; b=eiCSItnXRucQ+1gRvycS
WhsMrVJUn2ClDOA9YxNQwhKm1HeAV5fYtoXqhU5PQKGd+xSowzVvrBrIUufjvnxrZMbVNE05VPhSS
BKIVT/f9CUQT05pnLtxMxH5fKfbXVAJjs1QRPqwgc6kQ4FqfUWjG6CnsSGZqBG+xNuJFpJYGDiEoR
Sk3H4nEamREEOWf4kYi9ikz/TjROp8/T99uj3pBKTsgl1dHHMMf0EytrRSh6Whscij7U6flStmpyt
IHZpwWL8iM/yfkYgyUorCFUXbBg5e8RIGwdRgYWwOkOyNFBj/+w1tc4YFK/kN1GM4rZPxhnqP7l0G
rPmVStcGrkhCyw==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <871q1zsbry.fsf@HIDDEN> (Richard Sent's message of
"Wed, 04 Sep 2024 11:01:53 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
<87jzfree6t.fsf@HIDDEN> <871q1zsbry.fsf@HIDDEN>
Date: Sun, 15 Sep 2024 23:39:39 +0200
Message-ID: <875xqwd2as.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>,
Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
guix-devel <guix-devel@HIDDEN>, Christopher Baines <guix@HIDDEN>,
70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Hi Richard,
Cc: guix-devel to get more feedback: this is about adding =E2=80=98nss-cert=
s=E2=80=99 by
default in =E2=80=98guix shell -CN=E2=80=99 containers, along with a =E2=80=
=98--no-tls=E2=80=99 option
to opt out:
https://issues.guix.gnu.org/70314
Richard Sent <richard@HIDDEN> skribis:
> Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
>
>> Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rathe=
r expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it=E2=80=99s less expensive than havi=
ng to
>> compute the derivation of =E2=80=98nss-certs=E2=80=99.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.
Oh, indeed.
[...]
>> Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can=
always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).
Right.
[...]
> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.
You=E2=80=99ve convinced me.
That it=E2=80=99s opt-out sounds reasonable to me. =E2=80=98--no-tls=E2=80=
=99 sounds reasonable
too as a name (I thought about =E2=80=98--no-x509-certificates=E2=80=99 but=
that=E2=80=99s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).
I have some comments about the patch and I=E2=80=99d like others to weigh i=
n too
before we commit this change.
Thank you!
Ludo=E2=80=99.
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 4 Sep 2024 15:03:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 04 11:03:18 2024
Received: from localhost ([127.0.0.1]:35146 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1slrXR-0004Wr-UK
for submit <at> debbugs.gnu.org; Wed, 04 Sep 2024 11:03:18 -0400
Received: from mail-108-mta19.mxroute.com ([136.175.108.19]:38833)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <richard@HIDDEN>) id 1slrXQ-0004Wi-BF
for 70314 <at> debbugs.gnu.org; Wed, 04 Sep 2024 11:03:17 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
(Authenticated sender: mN4UYu2MZsgR)
by mail-108-mta19.mxroute.com (ZoneMTA) with ESMTPSA id 191bd8ea7100003e01.002
for <70314 <at> debbugs.gnu.org>
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
Wed, 04 Sep 2024 15:02:08 +0000
X-Zone-Loop: a6495c6d0ecc69cddad9e5f6df9fd783d06814031b07
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From:Sender
:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=y8ymVquvZ+UXFBRyi0vg5JSfHsoYOtF0vcc5BEDoVsk=; b=ZzjQL0aG33gDGGm1QW6f3Kijah
wr/w1+l/iZvwmBD2M77dC33wdnU2+QVKlwcGPQj8fGu2qvS+42LhhptmbV6QfBUPmtNXVM70KSt+g
j0SkRyMnv8qcxxbnyrvQ6+8ZKiFOe+JCzV/Hjb52ZTdMgH/rg3e4+dpwl/qn6CjpE+XNW+3YHj7S5
b2joccohAPwGWB9/IC80sFkWoTt/wqAz7GaN3NupNY5lyCkySp2Hjwizh1exQbt+OsiD38o+tyg85
VGt608eiBPTBak+T4vv34XfNMLhGUMDLfrwOCecsl8w0t7Uf5TJ+Ezc4aVTjpjpotl3jDqFQN4w3z
QUUHNnag==;
From: Richard Sent <richard@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <87jzfree6t.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?=
=?utf-8?Q?s?= message of "Wed, 04 Sep 2024 15:33:30 +0200")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
<87jzfree6t.fsf@HIDDEN>
Date: Wed, 04 Sep 2024 11:01:53 -0400
Message-ID: <871q1zsbry.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>,
Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hi Ludo!
Thanks for the response!
Ludovic Court=C3=A8s <ludo@HIDDEN> writes:
> Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather=
expose
> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
> certificates will be used, and (2) it=E2=80=99s less expensive than havin=
g to
> compute the derivation of =E2=80=98nss-certs=E2=80=99.
There is an issue with this that's cropped up in the past. The files in
/etc/ssl/certs/* are symlinks to store items. Because containers only
see a subset of store items that are in that container's profile, it
often sees the symlinks to store items but not the target file.
For example:
--8<---------------cut here---------------start------------->8---
$ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash
[env]$ ls /etc/ssl/certs/ca*
/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
[env]$ ls -l /etc/ssl/certs/ca6e4ad9.0
lrwxrwxrwx 1 65534 overflow 85 Jan 1 1970 /etc/ssl/certs/ca6e4ad9.0 -> /g=
nu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca=
6e4ad9.0
[env]$ cat /etc/ssl/certs/ca6e4ad9.0=20=20
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
--8<---------------cut here---------------end--------------->8---
We can /sort of/ solve this by adding nss-certs to the container, but
only when the nss-certs being added has the same hash as the nss-certs
package.
--8<---------------cut here---------------start------------->8---
# nss-certs w/o version adds v3.99 to the profile, which doesn't match
# the system. Ergo it's still unavailable.
~ $ guix shell -C bash coreutils --expose=3D/etc/ssl/certs -- bash -c 'cat =
/etc/ssl/certs/ca6e4ad9.0'
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
#=20
# If we specify 3.88.1, it does work, but only for various nss-certificates,
# not the ca-certificates.crt bundle file (which isn't a package).
guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs -- =
bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
# snip, contents of ca6e4ad9.0
#=20
~ $ guix shell -C bash coreutils nss-certs@HIDDEN --expose=3D/etc/ssl/certs=
-- bash -c 'cat /etc/ssl/certs/ca-certificates.crt'
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
--8<---------------cut here---------------end--------------->8---
This problem becomes impossible to solve in situations where the system
Guix and user Guix have different nss-certs hashes.
Be it by adding nss-certs to the container profile or by exposing
/etc/ssl/certs, we still need to calculate the nss-certs derivation.
(Perhaps a alternative solution is making sure symlink targets to store
items visible to a container are persisted. I don't know how complicated
that would be, but I imagine it's nontrivial.)
> Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can =
always add it to the
> shell and it will take precedence over /etc/ssl/certs, assuming
> SSL_CERT_{FILE,DIR} is defined.
True, although at present anyone who wants to use nss-certs must set
SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
registers the search path).
--8<---------------cut here---------------start------------->8---
# nss-certs alone doesn't set SSL_CERT_DIR
~ $ guix shell -C bash coreutils nss-certs@HIDDEN -- bash -c 'echo $SSL_CER=
T_DIR'
# blank
#
# curl registers $SSL_CERT_{FILE,DIR}
~ $ guix shell -C bash coreutils nss-certs@HIDDEN curl -- bash -c 'echo $SS=
L_CERT_DIR'
/gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs
--8<---------------cut here---------------end--------------->8---
This is unintuitive. Many packages that make use of nss-certs don't
register the search path, e.g. rust-cargo [1]. I'd rather avoid a
solution that is "edit every package that may possibly use nss-certs now
and in the future to register the search path".
> WDYT?
My thoughts are if we have to decide between
1. Users who want TLS with standard public endpoints
2. Users who want TLS with custom private endpoints
it's better to prioritize a good experience for 1 and let 2 opt-out of
the "hand holding" defaults. But perhaps it's possible to make everyone
happy.
If desired this patch can be reworked as opt-in.
[1]: https://logs.guix.gnu.org/guix/2024-04-08.log
--=20
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at 70314) by debbugs.gnu.org; 4 Sep 2024 13:34:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 04 09:34:48 2024
Received: from localhost ([127.0.0.1]:33894 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1slq9o-0001fs-D8
for submit <at> debbugs.gnu.org; Wed, 04 Sep 2024 09:34:48 -0400
Received: from eggs.gnu.org ([209.51.188.92]:54876)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <ludo@HIDDEN>) id 1slq9m-0001fU-7Z
for 70314 <at> debbugs.gnu.org; Wed, 04 Sep 2024 09:34:46 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
id 1slq8e-0003A4-De; Wed, 04 Sep 2024 09:33:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
From; bh=YRO6vWmc+185h2AFgdYqqCAbIg09naLxHAt75B+HK94=; b=NeNc2PiuonM/WSYnqAV3
V5y41VpMo4JQA/zrw17gXk/u1rzAOi5YuILPuXl5TGr/b3KuM57i2I9CcnjrNdmFgX0xS0v8IoJKi
qgaai+74CsJbWgmCPvQaf/ZH6lUmNDCIZ1LjqidZEru3xHVU14zZLQE92b+AxY8+K1MK877HCXDOg
8pZQknFik5nFc/gA27NT1dx3TQ3ot0xBQ0bBcnDP9DZ+51QHuqny0pBOfG50+Jh61XmHv5jmXDE1L
AIgroVZnE1aS2yzJ9GEluFunlN1W0a36qUrdziCRtY/wUToASBiZtAkWkDa30pT/RWffHA3m3xmXW
1ljIuzWNCsvMzg==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Richard Sent <richard@HIDDEN>
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
to networked containers
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
(Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
Date: Wed, 04 Sep 2024 15:33:30 +0200
Message-ID: <87jzfree6t.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 1.3 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Hi Richard,
Richard Sent <richard@HIDDEN> skribis:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting
a > container with -N,
add nss-certs package and set SSL_CERT_DIR and > SSL_CERT_FILE
environment variables. When --no-tls [...]
Content analysis details: (1.3 points, 10.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
medium trust [209.51.188.92 listed in list.dnswl.org]
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
[209.51.188.92 listed in zen.spamhaus.org]
-0.0 SPF_PASS SPF: sender matches SPF record
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
X-Debbugs-Envelope-To: 70314
Cc: Josselin Poiret <dev@HIDDEN>,
Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
Tobias Geerinckx-Rice <me@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>,
Christopher Baines <guix@HIDDEN>, 70314 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)
Hi Richard,
Richard Sent <richard@HIDDEN> skribis:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starti=
ng a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to =
old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
Apparently this patch fell through the cracks, despite the long Cc:
list.
> Given the discussion on IRC and guix-devel [1] recently about making
> nss-certs easier to use, this patch modifies guix environment (and
> thus guix shell) to automatically add nss-certs to the profile when
> sharing the network namespace, as well as setting the
> mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
> variables.
>
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.
[...]
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
Instead of adding the =E2=80=98nss-certs=E2=80=99 package, I would rather e=
xpose
/etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
certificates will be used, and (2) it=E2=80=99s less expensive than having =
to
compute the derivation of =E2=80=98nss-certs=E2=80=99.
Users who definitely want Guix=E2=80=99s =E2=80=98nss-certs=E2=80=99 can al=
ways add it to the
shell and it will take precedence over /etc/ssl/certs, assuming
SSL_CERT_{FILE,DIR} is defined.
WDYT?
Thanks,
Ludo=E2=80=99.
guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
Received: (at submit) by debbugs.gnu.org; 9 Apr 2024 19:14:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 09 15:14:51 2024
Received: from localhost ([127.0.0.1]:51569 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1ruGvi-00038I-QA
for submit <at> debbugs.gnu.org; Tue, 09 Apr 2024 15:14:51 -0400
Received: from lists.gnu.org ([2001:470:142::17]:58288)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <richard@HIDDEN>) id 1ruGvf-000382-LS
for submit <at> debbugs.gnu.org; Tue, 09 Apr 2024 15:14:48 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <richard@HIDDEN>)
id 1ruGvR-000537-J4
for guix-patches@HIDDEN; Tue, 09 Apr 2024 15:14:33 -0400
Received: from mail-108-mta156.mxroute.com ([136.175.108.156])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.90_1) (envelope-from <richard@HIDDEN>)
id 1ruGvP-0000jl-7a
for guix-patches@HIDDEN; Tue, 09 Apr 2024 15:14:33 -0400
Received: from filter006.mxroute.com ([136.175.111.2] filter006.mxroute.com)
(Authenticated sender: mN4UYu2MZsgR)
by mail-108-mta156.mxroute.com (ZoneMTA) with ESMTPSA id
18ec44870ca0003bea.001 for <guix-patches@HIDDEN>
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
Tue, 09 Apr 2024 19:14:25 +0000
X-Zone-Loop: 0445d534395d52d48c97f90279d4132ccfcfd03855ed
X-Originating-IP: [136.175.111.2]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=freakingpenguin.com; s=x; h=Content-Transfer-Encoding:MIME-Version:
Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=JvWL5kuMyv1uOvO1phcGN2CxkADzdkslXEnuB9xiFZc=; b=SLHl2W8jhw8+En+NPQx/zK+zBo
J+1rR2Dc2AHjTxD0Jy8AL15bo1rJBlXbHpdbrJJjghLVGjvhA8tzD6rPtKUrzWj8mqM2QagJnrjrY
0bkRTIGO1bswG9eupQUNoXimdEhLReA8eIqEPJVWexea/XRDKJ5rKwfLaE2IbjWXSgc46nDiaSnWc
qYca4ISf2nHYPfeA/mWUawrkbq/SwHHt/QLukphO7p66cDM6PlnLiKlhJelYa15v2fd1+o07BI4Ls
Ly+mVmUs/p8x4jB2pitkztU5+dqI39mHdlPPNdDU8EN3wu6NUbnQK9gZoYonFabfbIkNIoGM3xZK3
TeEQ3WnA==;
From: Richard Sent <richard@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] guix: scripts: environment: add tls certs to networked
containers
Date: Tue, 9 Apr 2024 15:05:29 -0400
Message-ID: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
Content-Transfer-Encoding: 8bit
X-Authenticated-Id: richard@HIDDEN
Received-SPF: pass client-ip=136.175.108.156;
envelope-from=richard@HIDDEN; helo=mail-108-mta156.mxroute.com
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1,
DKIM_SIGNED=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.9 (/)
X-Debbugs-Envelope-To: submit
Cc: Richard Sent <richard@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.1 (/)
* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
container with -N, add nss-certs package and set SSL_CERT_DIR and
SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
behavior.
* doc/guix.texi: Document it.
Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
---
Hi Guix!
Given the discussion on IRC and guix-devel [1] recently about making
nss-certs easier to use, this patch modifies guix environment (and
thus guix shell) to automatically add nss-certs to the profile when
sharing the network namespace, as well as setting the
mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
variables.
This behavior can be reverted with the --no-tls flag. Since presumably
the majority of shell users want TLS to work out of the box, adding
TLS by default makes sense to me.
Previous workarounds were verbose [2] and prone to failure [3].
[1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html
[2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html
[3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2]
works coincidentally since guix system w/ nss-certs happens to have
identical nss-certs hash as the guix building the shell profile.
Otherwise the system version would not be visible inside the
container.
doc/guix.texi | 8 ++++++++
guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 5827e0de14..912ed79ccd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6214,6 +6214,10 @@ Invoking guix shell
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
@@ -6711,6 +6715,10 @@ Invoking guix environment
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 1d7a6e198d..b38882a4ca 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -49,6 +49,7 @@ (define-module (guix scripts environment)
#:autoload (guix build syscalls) (set-network-interface-up openpty login-tty)
#:use-module (gnu system file-systems)
#:autoload (gnu packages) (specification->package+output)
+ #:autoload (gnu packages certs) (nss-certs)
#:autoload (gnu packages bash) (bash)
#:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
#:autoload (gnu packages package-management) (guix)
@@ -72,6 +73,9 @@ (define-module (guix scripts environment)
(define %default-shell
(or (getenv "SHELL") "/bin/sh"))
+(define %default-tls-certs
+ (list nss-certs))
+
(define* (show-search-paths profile manifest #:key pure?)
"Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t,
do not augment existing environment variables with additional search paths."
@@ -108,6 +112,9 @@ (define (show-environment-options-help)
-C, --container run command within an isolated container"))
(display (G_ "
-N, --network allow containers to access the network"))
+ (display (G_ "
+ --no-tls do not add SSL/TLS certificates or set environment
+ variables for a networked container"))
(display (G_ "
-P, --link-profile link environment profile to ~/.guix-profile within
an isolated container"))
@@ -244,6 +251,9 @@ (define %options
(option '(#\N "network") #f #f
(lambda (opt name arg result)
(alist-cons 'network? #t result)))
+ (option '(#\T "no-tls") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'no-tls? #t result)))
(option '(#\W "nesting") #f #f
(lambda (opt name arg result)
(alist-cons 'nesting? #t result)))
@@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
(packages->outputs (load* file module) mode)))
(('manifest . file)
(manifest-entries (load-manifest file)))
+ (('network? . #t)
+ (if (assoc-ref opts 'no-tls?)
+ '()
+ (manifest-entries
+ (packages->manifest %default-tls-certs))))
(('nesting? . #t)
(if (assoc-ref opts 'profile)
'()
@@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
(define* (launch-environment/container #:key command bash user user-mappings
profile manifest link-profile? network?
- map-cwd? emulate-fhs? nesting?
+ no-tls? map-cwd? emulate-fhs? nesting?
(setup-hook #f)
(symlinks '()) (white-list '()))
"Run COMMAND within a container that features the software in PROFILE.
@@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
;; Allow local AF_INET communications.
(set-network-interface-up "lo"))
+ (unless no-tls?
+ (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+ (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+ "/ca-certificates.crt")))
+
;; For convenience, start in the user's current working
;; directory or, if unmapped, the home directory.
(chdir (if map-cwd?
@@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
(link-prof? (assoc-ref opts 'link-profile?))
(symlinks (assoc-ref opts 'symlinks))
(network? (assoc-ref opts 'network?))
+ (no-tls? (assoc-ref opts 'no-tls?))
(no-cwd? (assoc-ref opts 'no-cwd?))
(emulate-fhs? (assoc-ref opts 'emulate-fhs?))
(nesting? (assoc-ref opts 'nesting?))
@@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
(when (pair? symlinks)
(leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (when (and (not network?)
+ no-tls?)
+ (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
+
(with-store/maybe store
(with-status-verbosity (assoc-ref opts 'verbosity)
(define manifest-from-opts
@@ -1212,6 +1237,7 @@ (define (guix-environment* opts)
#:network? network?
#:map-cwd? (not no-cwd?)
#:emulate-fhs? emulate-fhs?
+ #:no-tls? no-tls?
#:nesting? nesting?
#:symlinks symlinks
#:setup-hook
base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35
--
2.41.0
Richard Sent <richard@HIDDEN>:guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN.
Full text available.guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:bug#70314; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.