GNU logs - #70933, boring messages


Message sent to guix-patches@HIDDEN:


Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
From: Andreas Enge <andreas@HIDDEN>
Date: Tue, 14 May 2024 13:50:34 +0200

The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.

Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.

Andreas



* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".

Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
 gnu/system/linux-container.scm | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
                                              (nscd-configuration
                                               (inherit (service-value s))
                                               (caches %nscd-container-caches))))
-                                   ((eq? guix-service-type (service-kind s))
-                                    ;; Pass '--disable-chroot' so that
-                                    ;; guix-daemon can build thing even in
-                                    ;; Docker without '--privileged'.
-                                    (service guix-service-type
-                                             (guix-configuration
-                                              (inherit (service-value s))
-                                              (extra-options
-                                               (cons "--disable-chroot"
-                                                     (guix-configuration-extra-options
-                                                      (service-value s)))))))
                                    (else s)))
                            (operating-system-user-services os))))
       (file-systems (append (map mapping->fs
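Review bot: removing this branch changes the default behaviour of `containerized-operating-system` for every existing user, while the commit message only says users "can still add the option"; a container built from an unchanged configuration will now start guix-daemon with chroot enabled and fail to build in unprivileged Docker, which is exactly the situation the deleted comment documents. The cover note already proposes a `chroot?` field on `guix-configuration`; keeping the unprivileged default and making it overridable through such a field avoids the silent regression, and whichever way it goes the commit message should state the behaviour change explicitly.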

base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
-- 
2.41.0





Message sent:


From: help-debbugs@HIDDEN (GNU bug Tracking System)
Subject: bug#70933: Acknowledgement ([PATCH] system: Do not add
 "--disable-chroot" to containers.)
Date: Tue, 14 May 2024 11:56:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 70933 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
70933: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70933
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to guix-patches@HIDDEN:


Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Date: Fri, 31 May 2024 14:01:36 +0200

Hi,

Andreas Enge <andreas@HIDDEN> skribis:

> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.

[...]

> -                                   ((eq? guix-service-type (service-kind s))
> -                                    ;; Pass '--disable-chroot' so that
> -                                    ;; guix-daemon can build thing even in
> -                                    ;; Docker without '--privileged'.

This is tricky, I’m not sure how to provide defaults that work in most
common setups while still allowing the use of privileged Docker
containers as in your case.

I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.

Thoughts?

Ludo’.




Message sent to guix-patches@HIDDEN:


Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
Date: Fri, 31 May 2024 16:26:58 +0200
From: Andreas Enge <andreas@HIDDEN>

Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
> Andreas Enge <andreas@HIDDEN> skribis:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.

I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.

Andreas
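Added example, not code from the patch or from Guix itself: a small Guile script modelling the three-valued chroot? field described above and showing which guix-daemon option list each value produces inside and outside a container. The record type and the names resolve-chroot and daemon-arguments are hypothetical; the daemon flag "--disable-chroot" is the one taken from the thread.

```scheme
;; Hypothetical model of the ternary chroot? setting discussed in the thread.
;; Not Guix's own code: only the "--disable-chroot" flag is real.
(use-modules (srfi srfi-9)
             (ice-9 match))

(define-record-type <daemon-config>
  (make-daemon-config chroot? extra-options)
  daemon-config?
  (chroot?       daemon-config-chroot?)        ; #t | #f | 'default
  (extra-options daemon-config-extra-options)) ; list of strings

(define (resolve-chroot config in-container?)
  "Turn the ternary CHROOT? into a boolean.  'default means #f inside a
container (an unprivileged Docker container cannot set up the build chroot)
and #t on a real machine; an explicit #t or #f is kept as given, so a
privileged container can still ask for chroot.  Anything else is rejected."
  (match (daemon-config-chroot? config)
    ('default (not in-container?))
    ((? boolean? b) b)
    (other (error "chroot? must be #t, #f or 'default:" other))))

(define (daemon-arguments config in-container?)
  "Build the guix-daemon option list for CONFIG, adding --disable-chroot
only when the resolved setting is #f."
  (append (daemon-config-extra-options config)
          (if (resolve-chroot config in-container?)
              '()
              '("--disable-chroot"))))

;; The four combinations that matter for the discussion (constructed cases).
(for-each
 (lambda (case)
   (match case
     ((label chroot? in-container?)
      (format #t "~a: ~s~%" label
              (daemon-arguments (make-daemon-config chroot? '())
                                in-container?)))))
 '(("default, real machine"            default #f)
   ("default, container"               default #t)
   ("explicit #t, privileged container" #t      #t)
   ("explicit #f, real machine"        #f      #f)))

;; An invalid value fails at configuration time instead of silently
;; enabling or disabling the chroot.
(catch 'misc-error
  (lambda () (daemon-arguments (make-daemon-config "yes" '()) #f))
  (lambda (key . rest)
    (format #t "rejected invalid chroot? value (~a)~%" key)))
```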





Message sent to guix-patches@HIDDEN:


Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Date: Tue, 25 Jun 2024 17:30:23 +0200

Hi!

Andreas Enge <andreas@HIDDEN> skribis:

> Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
>> Andreas Enge <andreas@HIDDEN> skribis:
>> > The rationale for these lines is that they enable non-privileged docker
>> > containers. But I would like to create a privileged container with
>> > chroot (in an openshift environment, where I suppose this environment
>> > does additional encapsulation to enforce security), which these lines
>> > prevent.
>> > Users can still add the option. Alternatively, we could add an additional
>> > field "chroot? (default: #t)" to guix-configuration.
>> This is tricky, I’m not sure how to provide defaults that works in most
>> common setups while still allowing the use of privileged Docker
>> containers as in your case.
>
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

Making it a ternary value sounds like a good idea, indeed.  #t, #f, and
'default sounds like a good choice to me.

Thanks!

Ludo’.




Message sent to guix-patches@HIDDEN:


Subject: [bug#70933] Patch
Date: Fri, 5 Jul 2024 16:24:51 +0200
From: Andreas Enge <andreas@HIDDEN>



Here is a suggestion for a patch implementing the chroot? parameter.
I have tested it by reconfiguring a real machine and still need to
test it in containers.

Andreas


Attachment: 0001-gnu-guix-configuration-Add-a-chroot-parameter.patch

From 8629decf975576447c8662355a35ec0f20e892cf Mon Sep 17 00:00:00 2001
Message-ID: <8629decf975576447c8662355a35ec0f20e892cf.1720189422.git.andreas@HIDDEN>
From: Andreas Enge <andreas@HIDDEN>
Date: Fri, 5 Jul 2024 15:47:13 +0200
Subject: [PATCH] gnu: guix-configuration: Add a chroot? parameter.

The parameter should take the values #t, #f or 'default.
In a container environment, 'default amounts to #f, otherwise it
amounts to #t.

* gnu/services/base.scm (guix-configuration)<chroot?>: New field.
(guix-shepherd-service): If chroot? is #f, add "--disable-chroot".
If it is #t or 'default, do nothing.
* gnu/system/linux-container.scm (containerized-operating-system):
If chroot? is 'default, replace it by #f.
* doc/guix.texi: Document the parameter.

Change-Id: I8b9c3f46ad8650fa6ed4acee947b4ae5d002d03d
---
 doc/guix.texi                  |  7 ++++++
 gnu/services/base.scm          |  9 ++++++-
 gnu/system/linux-container.scm | 43 ++++++++++++++++++----------------
 3 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 8bfb342253..92db7ddcf5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19609,6 +19609,13 @@ Base Services
 @item @code{build-accounts} (default: @code{10})
 Number of build user accounts to create.
 
+@item @code{chroot?} (default: @code{'default})
+The value should be one of @code{#t} or @code{#f}, in which
+case chroot is enabled or disabled, respectively;
+or it should be @code{'default}, which amounts to @code{#f} in
+Docker containers (so that they can be run in non-privileged mode)
+or @code{#t} otherwise.
+
 @item @code{authorize-key?} (default: @code{#t})
 @cindex substitutes, authorization thereof
 Whether to authorize the substitute keys listed in
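Review bot: the new paragraph says 'default amounts to #f "in Docker containers", but the change to gnu/system/linux-container.scm in this same patch performs the substitution inside containerized-operating-system, which is not Docker-specific: any operating system passed through that procedure gets chroot? resolved to #f. Suggest wording it as "in systems produced by containerized-operating-system" and adding that an explicit #t is honoured there as well, since running with chroot inside a privileged container is the motivation for the field.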
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4b5b103cc3..a3e23035ca 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -21,6 +21,7 @@
 ;;; Copyright © 2022 Justin Veilleux <terramorpha@HIDDEN>
 ;;; Copyright © 2022 ( <paren@HIDDEN>
 ;;; Copyright © 2023 Bruno Victal <mirai@HIDDEN>
+;;; Copyright © 2024 Andreas Enge <andreas@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -213,6 +214,7 @@ (define-module (gnu services base)
             guix-configuration-build-group
             guix-configuration-build-accounts
             guix-configuration-build-machines
+            guix-configuration-chroot?
             guix-configuration-authorize-key?
             guix-configuration-authorized-keys
             guix-configuration-use-substitutes?
@@ -1848,6 +1850,8 @@ (define-record-type* <guix-configuration>
                     (default "guixbuild"))
   (build-accounts   guix-configuration-build-accounts ;integer
                     (default 10))
+  (chroot?          guix-configuration-chroot? ;Boolean | 'default
+                    (default 'default))
   (authorize-key?   guix-configuration-authorize-key? ;Boolean
                     (default #t))
   (authorized-keys  guix-configuration-authorized-keys ;list of gexps
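Review bot: the new field has no sanitizer, so a misspelled value such as 'defalt or a string is accepted silently; because guix-shepherd-service only tests (if chroot? ...), such a value behaves as #t, while containerized-operating-system never recognises it as 'default. Consider a sanitize clause on the field that rejects anything other than #t, #f and 'default, so the mistake is reported at configuration time where it was made.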
@@ -1942,7 +1946,7 @@ (define (guix-shepherd-service config)
           glibc-utf8-locales)))
 
   (match-record config <guix-configuration>
-    (guix build-group build-accounts authorize-key? authorized-keys
+    (guix build-group build-accounts chroot? authorize-key? authorized-keys
           use-substitutes? substitute-urls max-silent-time timeout
           log-compression discover? extra-options log-file
           http-proxy tmpdir chroot-directories environment)
@@ -1989,6 +1993,9 @@ (define (guix-shepherd-service config)
                           "--substitute-urls" #$(string-join substitute-urls)
                           #$@extra-options
 
+                          #$@(if chroot?
+                                 '()
+                                 '("--disable-chroot"))
                           ;; Add CHROOT-DIRECTORIES and all their dependencies
                           ;; (if these are store items) to the chroot.
                           (append-map
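Review bot: (if chroot? '() '("--disable-chroot")) relies on the symbol 'default being truthy to mean "chroot enabled", which matches the commit message but is not obvious when reading this line on its own; a one-line comment stating that 'default has already been turned into #f by containerized-operating-system and otherwise means enabled would help. The inserted form also lands directly above the existing comment about CHROOT-DIRECTORIES, so that comment now reads as if it documented the chroot? test; add a blank line after the new #$@(if ...) form.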
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..c1705f491c 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2022 Ricardo Wurmus <rekado@HIDDEN>
 ;;; Copyright © 2023 Pierre Langlois <pierre.langlois@HIDDEN>
 ;;; Copyright © 2024 Leo Nikkilä <hello@HIDDEN>
+;;; Copyright © 2024 Andreas Enge <andreas@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -151,26 +152,28 @@ (define* (containerized-operating-system os mappings
       (swap-devices '()) ; disable swap
       (services
        (append services-to-add
-               (filter-map (lambda (s)
-                             (cond ((memq (service-kind s) services-to-drop)
-                                    #f)
-                                   ((eq? nscd-service-type (service-kind s))
-                                    (service nscd-service-type
-                                             (nscd-configuration
-                                              (inherit (service-value s))
-                                              (caches %nscd-container-caches))))
-                                   ((eq? guix-service-type (service-kind s))
-                                    ;; Pass '--disable-chroot' so that
-                                    ;; guix-daemon can build thing even in
-                                    ;; Docker without '--privileged'.
-                                    (service guix-service-type
-                                             (guix-configuration
-                                              (inherit (service-value s))
-                                              (extra-options
-                                               (cons "--disable-chroot"
-                                                     (guix-configuration-extra-options
-                                                      (service-value s)))))))
-                                   (else s)))
+               (filter-map
+                 (lambda (s)
+                   (let ((kind (service-kind s))
+                         (value (service-value s)))
+                        (cond ((memq kind services-to-drop)
+                               #f)
+                              ((eq? nscd-service-type kind)
+                               (service nscd-service-type
+                                        (nscd-configuration
+                                         (inherit value)
+                                         (caches %nscd-container-caches))))
+                              ((and (eq? guix-service-type kind)
+                                    (eq? (guix-configuration-chroot? value)
+                                         'default))
+                               ;; If chroot? is 'default, it should become #f
+                               ;; so that guix-daemon can build things even in
+                               ;; Docker without '--privileged'.
+                               (service guix-service-type
+                                        (guix-configuration
+                                         (inherit value)
+                                         (chroot? #f))))
+                              (else s))))
                            (operating-system-user-services os))))
       (file-systems (append (map mapping->fs
                                  (if shared-network?
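Review bot: the branch `((and (eq? guix-service-type kind) (eq? (guix-configuration-chroot? value) 'default)) ...)` only rewrites `chroot?` when it is exactly `'default`, so an explicit `#t` now reaches the container untouched, whereas the removed code unconditionally prepended `"--disable-chroot"` to `extra-options`. That is the intended opt-in, but the comment above `(service guix-service-type` only describes the `'default` case; suggest adding a line such as `;; An explicit #t is kept as is: the container must then be run with the privileges guix-daemon needs for chroot builds.` so the next reader does not take the behaviour change for an oversight. Minor style point: the `(cond` body of `(let ((kind ...` is indented five columns deeper than `(let` rather than the usual two, which makes the new branch structure harder to read than the old one.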

base-commit: b91685abdecdb42c0ac2e30e5cb5032b11b5d269
-- 
2.45.2



Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
Resent-From: Andreas Enge <andreas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Thu, 19 Sep 2024 08:03:02 +0000
Resent-Message-ID: <handler.70933.B70933.172673293924728 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 70933
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 70933 <at> debbugs.gnu.org
Received: via spool by 70933-submit <at> debbugs.gnu.org id=B70933.172673293924728
          (code B ref 70933); Thu, 19 Sep 2024 08:03:02 +0000
Received: (at 70933) by debbugs.gnu.org; 19 Sep 2024 08:02:19 +0000
Received: from localhost ([127.0.0.1]:59765 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1srC7G-0006Ql-Md
	for submit <at> debbugs.gnu.org; Thu, 19 Sep 2024 04:02:18 -0400
Received: from hera.aquilenet.fr ([185.233.100.1]:44854)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <andreas@HIDDEN>) id 1srC7E-0006QR-Dj
 for 70933 <at> debbugs.gnu.org; Thu, 19 Sep 2024 04:02:17 -0400
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id E3A601AC4;
 Thu, 19 Sep 2024 10:01:52 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id jSX298PmI_DM; Thu, 19 Sep 2024 10:01:52 +0200 (CEST)
Received: from jurong (89-86-73-172.abo.bbox.fr [89.86.73.172])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 346A8273;
 Thu, 19 Sep 2024 10:01:50 +0200 (CEST)
Date: Thu, 19 Sep 2024 10:01:47 +0200
From: Andreas Enge <andreas@HIDDEN>
Message-ID: <Zuvaa-eQ_5nhZBmE@jurong>
References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN>
 <87mso6rxzz.fsf@HIDDEN> <ZlneMuuPEfakaS47@jurong>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZlneMuuPEfakaS47@jurong>
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On Fri, May 31, 2024 at 04:26:58PM +0200, Andreas Enge wrote:
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

The patch works in our Kubernetes environment (where we create Docker
containers with 'chroot? #t'). If there is agreement, I am happy to adapt
the documentation and to push.

Andreas






Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.