From: Richard Sent <richard@HIDDEN>
To: guix-patches@HIDDEN,
70314 <at> debbugs.gnu.org
Subject: [PATCH v2] guix: scripts: environment: add tls certs to networked
containers.
Date: Tue, 28 Jan 2025 16:11:28 -0500
Message-ID: <4e1a986e224083876c8386e6efe45512251dd3af.1738098141.git.richard@HIDDEN>
X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Richard Sent <richard@HIDDEN>, rprior@HIDDEN,
ludo@HIDDEN, zimon.toutoune@HIDDEN
Add the --no-tls flag. By default when starting a container with -N, add the
nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
environment variables. When --no-tls is passed, default to the old behavior.
* guix/scripts/environment.scm (%default-tls-certs): New function.
(show-environment-options-help): Add help for --no-tls.
(%options): Add --no-tls option.
(options/resolve-packages): Add %default-tls-certs to profile when network is
true and no-tls is false.
(launch-environment/container): Add set-tls? argument and set
SSL_CERT_DIR/FILE if #t.
(guix-environment*): Sanity check no-tls? and pass the negated version to
launch-environment/container.
* doc/guix.texi (Invoking guix shell): Document it.
(Invoking guix environment): Ditto.
* tests/guix-environment-container.sh: Add tests for behavior with and without
no-tls flag.
Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
---
Hi all. Been a while but I figured I'd take another crack at this.
> Ludo:
> This would force all the package modules to be loaded upfront. Instead you
> should arrange to not refer to ‘nss-certs’ until it’s needed.
Understood, %default-tls-certs is thunked in V2. To my understanding this
should achieve what we want.
> Ludo:
> Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
> of thumb, I always avoid negating Booleans in code).
I chose no-tls? to be consistent with the no-cwd? option. V2 now uses the
set-tls? option in launch-environment/container and no-tls? everywhere else,
which I think fits better because outside l-e/c, no-tls? is more of a flag for
whether the --no-tls option was passed than a control boolean.
> Ludo:
> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether ‘-C’ has been passed?
Possibly, but it would be inconsistent with how nesting? works at present,
which also requires -C. I believe emulate-fhs? also adds packages to the
profile immediately, see parse-args in guix/scripts/shell.scm, which AFAICT
splices a '-e (@@ (gnu packages base) glibc-for-fhs)' in the options.
One way this could be resolved is by creating an internal manifest, then
concatenating it with manifest-from-opts, i.e. have a user manifest containing
explicitly provided packages and an internal manifest containing
glibc-for-fhs, nss-certs and guix depending on emulate-fhs?, no-tls?, and
nesting?. That's probably outside the scope of this patch.
> Ludo:
> Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
> pass.
For the low low price of free, not only do you get passing tests but now you
get more tests! What a steal.
> Simon:
> I would prefer to not have any short option at all.
Agreed and changed.
> Simon:
> Why not a warning instead of leaving with an error?
I elected to go with an error to be consistent with the sanity checking around
container?. In my opinion, warnings are best for when a user is doing
something technically valid but likely unintended, errors are for the
"technically makes no sense".
doc/guix.texi | 8 +++++++
guix/scripts/environment.scm | 35 +++++++++++++++++++++++++++--
tests/guix-environment-container.sh | 11 +++++++++
3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1b6d98e74..d291c15759 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6289,6 +6289,10 @@ Invoking guix shell
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
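Review bot: the `+@item --no-tls` text says what the flag disables but not what the default does, so a reader of the manual never learns which variables to expect. Per the commit message and the `launch-environment/container` hunk, with `-N` the `nss-certs` package is added to the profile and `SSL_CERT_DIR` and `SSL_CERT_FILE` are exported pointing into the profile's `etc/ssl/certs`; say that here, and add that `--no-tls` is an error unless `--network` is also given, since the code below rejects that combination.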
@@ -6786,6 +6790,10 @@ Invoking guix environment
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
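Review bot: this entry is a verbatim copy of the `guix shell` one; whatever wording the shell entry ends up with (naming `nss-certs`, `SSL_CERT_DIR` and `SSL_CERT_FILE`, and the `--network` requirement) should be mirrored here so the two sections do not drift apart.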
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 648a497743..174d446635 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2015-2024 Ludovic Courtès <ludo@HIDDEN>
;;; Copyright © 2018 Mike Gerwitz <mtg@HIDDEN>
;;; Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN>
+;;; Copyright © 2025 Richard Sent <richard@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -50,6 +51,7 @@ (define-module (guix scripts environment)
#:use-module (gnu system file-systems)
#:autoload (gnu packages) (specification->package+output)
#:autoload (gnu packages bash) (bash)
+ #:autoload (gnu packages certs) (nss-certs)
#:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
#:autoload (gnu packages package-management) (guix)
#:use-module (ice-9 match)
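Review bot: the existing `#:autoload` lines are in alphabetical order (`bash`, `bootstrap`, `package-management`); the new `(gnu packages certs)` line is inserted between `bash` and `bootstrap`, so move it after `bootstrap` to keep the ordering. Using `#:autoload` here is the right call: `(gnu packages certs)` is only loaded on the first reference to `nss-certs`, which is what the thunk in the next hunk relies on.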
@@ -72,6 +74,10 @@ (define-module (guix scripts environment)
(define %default-shell
(or (getenv "SHELL") "/bin/sh"))
+(define (%default-tls-certs)
+ ;; Thunk to defer loading (gnu packages certs)
+ (list nss-certs))
+
(define* (show-search-paths profile manifest #:key pure?)
"Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t,
do not augment existing environment variables with additional search paths."
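Review bot: in this file the `%` sigil marks variables (`%default-shell` directly above, `%options` below), but `%default-tls-certs` is a procedure that callers must invoke, as `(%default-tls-certs)` in `options/resolve-packages` shows. Either drop the sigil (`default-tls-certs`) or give it a docstring stating that it returns the list of certificate packages and exists so that `(gnu packages certs)` is autoloaded only when a networked container is requested; the current one-line comment should also say that, rather than just "Thunk to defer loading".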
@@ -108,6 +114,9 @@ (define (show-environment-options-help)
-C, --container run command within an isolated container"))
(display (G_ "
-N, --network allow containers to access the network"))
+ (display (G_ "
+ --no-tls do not add SSL/TLS certificates or set environment
+ variables for a networked container"))
(display (G_ "
-P, --link-profile link environment profile to ~/.guix-profile within
an isolated container"))
@@ -244,6 +253,9 @@ (define %options
(option '(#\N "network") #f #f
(lambda (opt name arg result)
(alist-cons 'network? #t result)))
+ (option '("no-tls") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'no-tls? #t result)))
(option '(#\W "nesting") #f #f
(lambda (opt name arg result)
(alist-cons 'nesting? #t result)))
@@ -359,6 +371,11 @@ (define (options/resolve-packages store opts)
(packages->outputs (load* file module) mode)))
(('manifest . file)
(manifest-entries (load-manifest file)))
+ (('network? . #t)
+ (if (assoc-ref opts 'no-tls?)
+ '()
+ (manifest-entries
+ (packages->manifest (%default-tls-certs)))))
(('nesting? . #t)
(if (assoc-ref opts 'profile)
'()
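Review bot: the new `('network? . #t)` clause adds `nss-certs` regardless of `--profile`, whereas the adjacent `('nesting? . #t)` clause first checks `(assoc-ref opts 'profile)` and returns `'()` when a pre-built profile is in use, because no packages can be added to it. Mirror that guard, e.g. `(if (or (assoc-ref opts 'no-tls?) (assoc-ref opts 'profile)) '() (manifest-entries ...))`; otherwise `guix shell -CN --profile=...` injects a package into a manifest that the profile path is supposed to bypass, and `set-tls?` would then point `SSL_CERT_FILE` at a bundle the existing profile may not contain.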
@@ -732,7 +749,8 @@ (define* (launch-environment/fork command profile manifest
(define* (launch-environment/container #:key command bash user user-mappings
profile manifest link-profile? network?
- map-cwd? emulate-fhs? nesting?
+ set-tls? map-cwd? emulate-fhs?
+ nesting?
(setup-hook #f)
(symlinks '()) (white-list '()))
"Run COMMAND within a container that features the software in PROFILE.
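Review bot: `set-tls?` is added to the keyword list but the docstring that starts on the `"Run COMMAND within a container ...` line is not updated; add a sentence such as "When SET-TLS? is true, point SSL_CERT_DIR and SSL_CERT_FILE at the CA bundle in PROFILE." Since this argument has the opposite polarity of the `no-tls?` flag used elsewhere in the file, stating it here avoids the reader having to trace the `(not no-tls?)` at the call site.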
@@ -936,6 +954,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
;; Allow local AF_INET communications.
(set-network-interface-up "lo"))
+ (when set-tls?
+ (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+ (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+ "/ca-certificates.crt")))
+
;; For convenience, start in the user's current working
;; directory or, if unmapped, the home directory.
(chdir (if map-cwd?
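Review bot: the `(when set-tls? ...)` block is placed after the `(unless network? ...)` form that closes on the `(set-network-interface-up "lo"))` line, not inside a `network?` check, and the caller passes `#:set-tls? (not no-tls?)`, which is `#t` whenever `--no-tls` is absent. So a plain `guix shell -C` (no `-N`) also exports `SSL_CERT_DIR` and `SSL_CERT_FILE`, pointing at `<profile>/etc/ssl/certs`, even though `nss-certs` is only added to the profile for `network?`; that contradicts the commit message and leaves TLS clients in the container with a dangling `SSL_CERT_FILE`. Guard on both, `(when (and network? set-tls?) ...)`, or have `guix-environment*` pass `(and network? (not no-tls?))`. Also compute the directory once instead of reading it back via `(getenv "SSL_CERT_DIR")`: `(let ((certs (string-append profile "/etc/ssl/certs"))) (setenv "SSL_CERT_DIR" certs) (setenv "SSL_CERT_FILE" (string-append certs "/ca-certificates.crt")))`.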
@@ -1085,6 +1108,7 @@ (define (guix-environment* opts)
(link-prof? (assoc-ref opts 'link-profile?))
(symlinks (assoc-ref opts 'symlinks))
(network? (assoc-ref opts 'network?))
+ (no-tls? (assoc-ref opts 'no-tls?))
(no-cwd? (assoc-ref opts 'no-cwd?))
(emulate-fhs? (assoc-ref opts 'emulate-fhs?))
(nesting? (assoc-ref opts 'nesting?))
@@ -1138,7 +1162,13 @@ (define (guix-environment* opts)
(when nesting?
(leave (G_ "'--nesting' cannot be used without '--container'~%")))
(when (pair? symlinks)
- (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+ (when network?
+ (leave (G_ "'--network cannot be used without '--container'~%"))))
+
+ (when (and (not network?)
+ no-tls?)
+ (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
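Review bot: two message typos in this hunk: `'--network cannot be used without '--container'~%` is missing the closing quote after `--network`, and `'--no-tls' cannot be used without '--networking'~%` names an option that does not exist; it should read `'--network'` (or `-N`), matching the `%options` entry. Separately, rejecting `-N` without `-C` is new behavior: the surrounding context lines show no earlier check for it, so invocations that used to run with the flag ignored now fail. That is a reasonable tightening, but it is not mentioned in the commit message or the ChangeLog entry for `guix-environment*`, and it deserves a line there since it can break existing scripts.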
(with-status-verbosity (assoc-ref opts 'verbosity)
(with-store/maybe store
@@ -1217,6 +1247,7 @@ (define (guix-environment* opts)
#:white-list white-list
#:link-profile? link-prof?
#:network? network?
+ #:set-tls? (not no-tls?)
#:map-cwd? (not no-cwd?)
#:emulate-fhs? emulate-fhs?
#:nesting? nesting?
diff --git a/tests/guix-environment-container.sh b/tests/guix-environment-container.sh
index 09704f751c..7ffc7f8c9f 100644
--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -2,6 +2,7 @@
# Copyright © 2015 David Thompson <davet@HIDDEN>
# Copyright © 2022, 2023 John Kehayias <john.kehayias@HIDDEN>
# Copyright © 2023 Ludovic Courtès <ludo@HIDDEN>
+# Copyright © 2025 Richard Sent <richard@HIDDEN>
#
# This file is part of GNU Guix.
#
@@ -272,3 +273,13 @@ guix shell -C -D guix -- "$env" guix build hello -d && false # cannot work
hello_drv="$(guix build hello -d)"
hello_drv_nested="$(cd "$(dirname env)" && guix shell --bootstrap -E GUIX_BUILD_OPTIONS -CW -D guix -- "$env" guix build hello -d)"
test "$hello_drv" = "$hello_drv_nested"
+
+# Test if SSL_CERT_{DIR,FILE} are set and readable in the container.
+#
+# -f does cover the case of a symlink to a file inaccessible within the
+# -container.
+guix shell -CN -- /bin/sh -c 'test -d $SSL_CERT_DIR'
+guix shell -CN -- /bin/sh -c 'test -f $SSL_CERT_FILE'
+# Confirm --no-tls causes SSL_CERT_{DIR,FILE} to be unset.
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_DIR'
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_FILE'
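Review bot: the variables in these `test` calls must be quoted, otherwise the checks do not test what the comments claim. With `SSL_CERT_FILE` unset, `test -f $SSL_CERT_FILE` expands to `test -f`, and the one-argument form of `test` is true for any non-empty string, so both positive checks pass even if the feature sets nothing; the `-z` checks only behave because the store path contains no whitespace. Use `test -d "$SSL_CERT_DIR"`, `test -f "$SSL_CERT_FILE"`, `test -z "$SSL_CERT_DIR"` and `test -z "$SSL_CERT_FILE"`. Since `-f` follows symlinks, a bundle that is a link to a file not mapped into the container already fails as intended, so it would also be worth asserting on content, e.g. `grep -q 'BEGIN CERTIFICATE' "$SSL_CERT_FILE"`, to confirm the bundle is populated. Minor: the comment line `# -container.` has a stray leading hyphen.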
base-commit: 97fb1887ad10000c067168176c504274e29e4430
--
2.47.1
bug#75917; Package guix-patches.