Received: (at 70933) by debbugs.gnu.org; 19 Sep 2024 08:02:19 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Sep 19 04:02:19 2024 Received: from localhost ([127.0.0.1]:59765 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1srC7G-0006Ql-Md for submit <at> debbugs.gnu.org; Thu, 19 Sep 2024 04:02:18 -0400 Received: from hera.aquilenet.fr ([185.233.100.1]:44854) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <andreas@HIDDEN>) id 1srC7E-0006QR-Dj for 70933 <at> debbugs.gnu.org; Thu, 19 Sep 2024 04:02:17 -0400 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id E3A601AC4; Thu, 19 Sep 2024 10:01:52 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSX298PmI_DM; Thu, 19 Sep 2024 10:01:52 +0200 (CEST) Received: from jurong (89-86-73-172.abo.bbox.fr [89.86.73.172]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 346A8273; Thu, 19 Sep 2024 10:01:50 +0200 (CEST) Date: Thu, 19 Sep 2024 10:01:47 +0200 From: Andreas Enge <andreas@HIDDEN> To: Ludovic =?iso-8859-15?Q?Court=E8s?= <ludo@HIDDEN> Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers. Message-ID: <Zuvaa-eQ_5nhZBmE@jurong> References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN> <87mso6rxzz.fsf@HIDDEN> <ZlneMuuPEfakaS47@jurong> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <ZlneMuuPEfakaS47@jurong> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70933 Cc: 70933 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Am Fri, May 31, 2024 at 04:26:58PM +0200 schrieb Andreas Enge: > The problem with a default is that apparently, for containers we want #f, > for real machines we want #t as the default; and then it should be > overridable. The only solution I see is to use a ternary value, > allowing chroot? to be #f, #t or 'default, with the last one, you guess it, > being the default. It would be replaced by #f or #t depending on whether > we are in a container or not. The patch works in our kubernetes environment (where we create docker containers with 'chroot? #t'). If there is agreement, I am happy to adapt the documentation and to push. Andreas
guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.
Received: (at 70933) by debbugs.gnu.org; 5 Jul 2024 14:25:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jul 05 10:25:08 2024
Received: from localhost ([127.0.0.1]:44686 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1sPjs3-0000Zz-EH
for submit <at> debbugs.gnu.org; Fri, 05 Jul 2024 10:25:08 -0400
Received: from hera.aquilenet.fr ([185.233.100.1]:54914)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <andreas@HIDDEN>) id 1sPjry-0000ZO-V4
for 70933 <at> debbugs.gnu.org; Fri, 05 Jul 2024 10:25:05 -0400
Received: from localhost (localhost [127.0.0.1])
by hera.aquilenet.fr (Postfix) with ESMTP id 9428B154F;
Fri, 5 Jul 2024 16:24:53 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id cw-MoDeMlzFm; Fri, 5 Jul 2024 16:24:52 +0200 (CEST)
Received: from jurong (nat-eduroam-36-gw-01-bso.bordeaux.inria.fr
[194.199.1.36])
by hera.aquilenet.fr (Postfix) with ESMTPSA id BC2B828B;
Fri, 5 Jul 2024 16:24:52 +0200 (CEST)
Date: Fri, 5 Jul 2024 16:24:51 +0200
From: Andreas Enge <andreas@HIDDEN>
To: 70933 <at> debbugs.gnu.org
Subject: Patch
Message-ID: <ZogCM9xocPs12Y3p@jurong>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="/7Ov7ZJY37K5Xdxl"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 70933
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
--/7Ov7ZJY37K5Xdxl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Here is a suggestion for a patch implementing the chroot? parameter.
I have tested it by reconfiguring a real machine and still need to
test it in containers.
Andreas
--/7Ov7ZJY37K5Xdxl
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: attachment;
filename="0001-gnu-guix-configuration-Add-a-chroot-parameter.patch"
Content-Transfer-Encoding: 8bit
From 8629decf975576447c8662355a35ec0f20e892cf Mon Sep 17 00:00:00 2001
Message-ID: <8629decf975576447c8662355a35ec0f20e892cf.1720189422.git.andreas@HIDDEN>
From: Andreas Enge <andreas@HIDDEN>
Date: Fri, 5 Jul 2024 15:47:13 +0200
Subject: [PATCH] gnu: guix-configuration: Add a chroot? parameter.
The parameter should take the values #t, #f or 'default.
In a container environment, 'default amounts to #f, otherwise it
amounts to #t.
* gnu/services/base.scm (guix-configuration)<chroot?>: New field.
(guix-shepherd-service): If chroot? is #f, add "--disable-chroot".
If it is #t or 'default, do nothing.
* gnu/system/linux-container.scm (containerized-operating-system):
If chroot? is 'default, replace it by #f.
* doc/guix.texi: Document the parameter.
Change-Id: I8b9c3f46ad8650fa6ed4acee947b4ae5d002d03d
---
doc/guix.texi | 7 ++++++
gnu/services/base.scm | 9 ++++++-
gnu/system/linux-container.scm | 43 ++++++++++++++++++----------------
3 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 8bfb342253..92db7ddcf5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19609,6 +19609,13 @@ Base Services
@item @code{build-accounts} (default: @code{10})
Number of build user accounts to create.
+@item @code{chroot?} (default: @code{'default})
+The value should be one of @code{#t} or @code{#f}, in which
+case chroot is enabled or disabled, respectively;
+or it should be @code{'default}, which amounts to @code{#f} in
+Docker containers (so that they can be run in non-privileged mode)
+or @code{#t} otherwise.
+
@item @code{authorize-key?} (default: @code{#t})
@cindex substitutes, authorization thereof
Whether to authorize the substitute keys listed in
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4b5b103cc3..a3e23035ca 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -21,6 +21,7 @@
;;; Copyright © 2022 Justin Veilleux <terramorpha@HIDDEN>
;;; Copyright © 2022 ( <paren@HIDDEN>
;;; Copyright © 2023 Bruno Victal <mirai@HIDDEN>
+;;; Copyright © 2024 Andreas Enge <andreas@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -213,6 +214,7 @@ (define-module (gnu services base)
guix-configuration-build-group
guix-configuration-build-accounts
guix-configuration-build-machines
+ guix-configuration-chroot?
guix-configuration-authorize-key?
guix-configuration-authorized-keys
guix-configuration-use-substitutes?
@@ -1848,6 +1850,8 @@ (define-record-type* <guix-configuration>
(default "guixbuild"))
(build-accounts guix-configuration-build-accounts ;integer
(default 10))
+ (chroot? guix-configuration-chroot? ;Boolean | 'default
+ (default 'default))
(authorize-key? guix-configuration-authorize-key? ;Boolean
(default #t))
(authorized-keys guix-configuration-authorized-keys ;list of gexps
@@ -1942,7 +1946,7 @@ (define (guix-shepherd-service config)
glibc-utf8-locales)))
(match-record config <guix-configuration>
- (guix build-group build-accounts authorize-key? authorized-keys
+ (guix build-group build-accounts chroot? authorize-key? authorized-keys
use-substitutes? substitute-urls max-silent-time timeout
log-compression discover? extra-options log-file
http-proxy tmpdir chroot-directories environment)
@@ -1989,6 +1993,9 @@ (define (guix-shepherd-service config)
"--substitute-urls" #$(string-join substitute-urls)
#$@extra-options
+ #$@(if chroot?
+ '()
+ '("--disable-chroot"))
;; Add CHROOT-DIRECTORIES and all their dependencies
;; (if these are store items) to the chroot.
(append-map
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..c1705f491c 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2022 Ricardo Wurmus <rekado@HIDDEN>
;;; Copyright © 2023 Pierre Langlois <pierre.langlois@HIDDEN>
;;; Copyright © 2024 Leo Nikkilä <hello@HIDDEN>
+;;; Copyright © 2024 Andreas Enge <andreas@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -151,26 +152,28 @@ (define* (containerized-operating-system os mappings
(swap-devices '()) ; disable swap
(services
(append services-to-add
- (filter-map (lambda (s)
- (cond ((memq (service-kind s) services-to-drop)
- #f)
- ((eq? nscd-service-type (service-kind s))
- (service nscd-service-type
- (nscd-configuration
- (inherit (service-value s))
- (caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
- (else s)))
+ (filter-map
+ (lambda (s)
+ (let ((kind (service-kind s))
+ (value (service-value s)))
+ (cond ((memq kind services-to-drop)
+ #f)
+ ((eq? nscd-service-type kind)
+ (service nscd-service-type
+ (nscd-configuration
+ (inherit value)
+ (caches %nscd-container-caches))))
+ ((and (eq? guix-service-type kind)
+ (eq? (guix-configuration-chroot? value)
+ 'default))
+ ;; If chroot? is 'default, it should become #f
+ ;; so that guix-daemon can build things even in
+ ;; Docker without '--privileged'.
+ (service guix-service-type
+ (guix-configuration
+ (inherit value)
+ (chroot? #f))))
+ (else s))))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
(if shared-network?
base-commit: b91685abdecdb42c0ac2e30e5cb5032b11b5d269
--
2.45.2
--/7Ov7ZJY37K5Xdxl--
guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.Received: (at 70933) by debbugs.gnu.org; 25 Jun 2024 15:30:35 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 25 11:30:35 2024 Received: from localhost ([127.0.0.1]:37581 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1sM87v-0007N4-Fj for submit <at> debbugs.gnu.org; Tue, 25 Jun 2024 11:30:35 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42364) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1sM87s-0007Mr-N2 for 70933 <at> debbugs.gnu.org; Tue, 25 Jun 2024 11:30:33 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1sM87l-0002zF-Iz; Tue, 25 Jun 2024 11:30:25 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=Q2uRdYso1M6bOgyaarh8tQCFOQRdsbJboqoFVS9mkhA=; b=Trb8bCQZ/c7inyJfBJZ5 fdBql56p7nensrfkH19GX0n0ZKPlHH1TQE/OqR01YUUHhvbuTmp4h4AoDH1MqCSOJIfQjvYyb9JiA uE294tj7I7Iz7x4S9XgD5lKv7uFoPHjA+RxJAayAdfMyTPJ6xohT8Feut1kwL/fhkLujdtN53jU68 nW9XhZxKfPKo24b9qXDUMD7SxyVHKOTEa2bU+8J5nMK19HoR5CdoFyWyHcLMyp3nLx0UkSPgGGII1 UwUPfqlerHjzaoouJbTYuoYuYIxCR0oHU0RG9TYpGtNwiRfNEFr8Agi1A66GSqom4X64JRnAcXBX4 jjgYocwumeHgbw==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Andreas Enge <andreas@HIDDEN> Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers. In-Reply-To: <ZlneMuuPEfakaS47@jurong> (Andreas Enge's message of "Fri, 31 May 2024 16:26:58 +0200") References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN> <87mso6rxzz.fsf@HIDDEN> <ZlneMuuPEfakaS47@jurong> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Octidi 8 Messidor an 232 de la =?utf-8?Q?R=C3=A9volu?= =?utf-8?Q?tion=2C?= jour de =?utf-8?Q?l'=C3=89chalotte?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 25 Jun 2024 17:30:23 +0200 Message-ID: <87h6dhca5s.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 70933 Cc: 70933 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi! Andreas Enge <andreas@HIDDEN> skribis: > Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Court=C3=A8s: >> Andreas Enge <andreas@HIDDEN> skribis: >> > The rationale for these lines is that they enable non-privileged docker >> > containers. But I would like to create a privileged container with >> > chroot (in an openshift environment, where I suppose this environment >> > does additional encapsulation to enforce security), which these lines >> > prevent. >> > Users can still add the option. Alternatively, we could add an additio= nal >> > field "chroot? (default: #t)" to guix-configuration. >> This is tricky, I=E2=80=99m not sure how to provide defaults that works = in most >> common setups while still allowing the use of privileged Docker >> containers as in your case. > > The problem with a default is that apparently, for containers we want #f, > for real machines we want #t as the default; and then it should be > overridable. The only solution I see is to use a ternary value, > allowing chroot? to be #f, #t or 'default, with the last one, you guess i= t, > being the default. It would be replaced by #f or #t depending on whether > we are in a container or not. Making it a ternary value sounds like a good idea, indeed. #t, #f, and 'default sounds like a good choice to me. Thanks! Ludo=E2=80=99.
guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.Received: (at 70933) by debbugs.gnu.org; 31 May 2024 14:27:52 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 31 10:27:51 2024 Received: from localhost ([127.0.0.1]:55131 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1sD3EV-0000XL-KD for submit <at> debbugs.gnu.org; Fri, 31 May 2024 10:27:51 -0400 Received: from hera.aquilenet.fr ([185.233.100.1]:57908) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <andreas@HIDDEN>) id 1sD3ET-0000X4-M4 for 70933 <at> debbugs.gnu.org; Fri, 31 May 2024 10:27:50 -0400 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 1605DA2A; Fri, 31 May 2024 16:27:03 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qbpMUOQFakGh; Fri, 31 May 2024 16:27:02 +0200 (CEST) Received: from jurong (sauterelle.math.u-bordeaux1.fr [147.210.16.128]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 8FC19960; Fri, 31 May 2024 16:27:02 +0200 (CEST) Date: Fri, 31 May 2024 16:26:58 +0200 From: Andreas Enge <andreas@HIDDEN> To: Ludovic =?iso-8859-15?Q?Court=E8s?= <ludo@HIDDEN> Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers. Message-ID: <ZlneMuuPEfakaS47@jurong> References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN> <87mso6rxzz.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87mso6rxzz.fsf@HIDDEN> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 70933 Cc: 70933 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès: > Andreas Enge <andreas@HIDDEN> skribis: > > The rationale for these lines is that they enable non-privileged docker > > containers. But I would like to create a privileged container with > > chroot (in an openshift environment, where I suppose this environment > > does additional encapsulation to enforce security), which these lines > > prevent. > > Users can still add the option. Alternatively, we could add an additional > > field "chroot? (default: #t)" to guix-configuration. > This is tricky, I’m not sure how to provide defaults that works in most > common setups while still allowing the use of privileged Docker > containers as in your case. The problem with a default is that apparently, for containers we want #f, for real machines we want #t as the default; and then it should be overridable. The only solution I see is to use a ternary value, allowing chroot? to be #f, #t or 'default, with the last one, you guess it, being the default. It would be replaced by #f or #t depending on whether we are in a container or not. I had considered it when suggesting the patch, but found it a bit too much shepherding; I still think that "chroot? (default: #t)" would be enough. Andreas
guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.Received: (at 70933) by debbugs.gnu.org; 31 May 2024 12:02:02 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 31 08:02:02 2024 Received: from localhost ([127.0.0.1]:53461 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1sD0xO-0004gT-FY for submit <at> debbugs.gnu.org; Fri, 31 May 2024 08:02:02 -0400 Received: from eggs.gnu.org ([209.51.188.92]:37190) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1sD0xM-0004g0-Kj for 70933 <at> debbugs.gnu.org; Fri, 31 May 2024 08:02:01 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1sD0x1-0002wd-O1; Fri, 31 May 2024 08:01:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=dUm7PPx2zj/cONWkJBwwAKzfJuHNuXjRWV8vrITOAk8=; b=Gq+pp0T91SjDxCr/3W7R 3VdQP4xIJPoeppOcQAMGNjYz4wgl+6F++ybs8A+2FQVJq9q3eW7UGjR/y/ZwHe73rbNSV+A8BkVy9 nx7w8RvFK6Zd0Y4UXubaF1fnirTO0d4IwzfwmBz2hDgeBrooK2oqJREdK0Kjv44ZOlftvlUo1pLmX xkiFsZSz7WAfJg1g38I5t4bRzjnFwecAP8o2iQc0mmTEnkxwwS51T8QIze4gr7tkgZ9xbzbJYw/h6 ov/sKs2GHJiETxGR4ZooysOg3uuauvPbGxtzf2wPiy59qIdhIqFzHK8rquLkVqkDwbisGiNygu6Dm oyUjA3lkuELr7w==; From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Andreas Enge <andreas@HIDDEN> Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers. In-Reply-To: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN> (Andreas Enge's message of "Tue, 14 May 2024 13:50:34 +0200") References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN> Date: Fri, 31 May 2024 14:01:36 +0200 Message-ID: <87mso6rxzz.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 70933 Cc: 70933 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi, Andreas Enge <andreas@HIDDEN> skribis: > The rationale for these lines is that they enable non-privileged docker > containers. But I would like to create a privileged container with > chroot (in an openshift environment, where I suppose this environment > does additional encapsulation to enforce security), which these lines > prevent. > > Users can still add the option. Alternatively, we could add an additional > field "chroot? (default: #t)" to guix-configuration. [...] > - ((eq? guix-service-type (service-kind= s)) > - ;; Pass '--disable-chroot' so that > - ;; guix-daemon can build thing even = in > - ;; Docker without '--privileged'. This is tricky, I=E2=80=99m not sure how to provide defaults that works in = most common setups while still allowing the use of privileged Docker containers as in your case. I think the current default is good because it=E2=80=99s the common case, b= ut I agree that we need to find a way to override it. Thoughts? Ludo=E2=80=99.
guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.
Received: (at submit) by debbugs.gnu.org; 14 May 2024 11:55:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 14 07:55:55 2024
Received: from localhost ([127.0.0.1]:38910 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1s6ql8-0003x1-L4
for submit <at> debbugs.gnu.org; Tue, 14 May 2024 07:55:54 -0400
Received: from lists.gnu.org ([209.51.188.17]:37642)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <andreas@HIDDEN>) id 1s6ql4-0003wv-2e
for submit <at> debbugs.gnu.org; Tue, 14 May 2024 07:55:53 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <andreas@HIDDEN>) id 1s6ql2-0007NL-LK
for guix-patches@HIDDEN; Tue, 14 May 2024 07:55:48 -0400
Received: from hera.aquilenet.fr ([2a0c:e300::1])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <andreas@HIDDEN>) id 1s6qky-000833-1i
for guix-patches@HIDDEN; Tue, 14 May 2024 07:55:48 -0400
Received: from localhost (localhost [127.0.0.1])
by hera.aquilenet.fr (Postfix) with ESMTP id 486381AF1;
Tue, 14 May 2024 13:55:38 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id mwXudKHg1Mbc; Tue, 14 May 2024 13:55:37 +0200 (CEST)
Received: from jurong.as207910.net (unknown
[IPv6:2001:678:984:800:7aea:3b12:7efa:b1bc])
by hera.aquilenet.fr (Postfix) with ESMTPSA id 893C715D;
Tue, 14 May 2024 13:55:37 +0200 (CEST)
From: Andreas Enge <andreas@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] system: Do not add "--disable-chroot" to containers.
Date: Tue, 14 May 2024 13:50:34 +0200
Message-ID: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@HIDDEN>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a0c:e300::1; envelope-from=andreas@HIDDEN;
helo=hera.aquilenet.fr
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
Cc: Andreas Enge <andreas@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.
Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.
Andreas
* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".
Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
gnu/system/linux-container.scm | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
(nscd-configuration
(inherit (service-value s))
(caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
(else s)))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
--
2.41.0
Andreas Enge <andreas@HIDDEN>:guix-patches@HIDDEN.
Full text available.guix-patches@HIDDEN:bug#70933; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.