[PATCH] Instantiate nscd in each system container instead of using the container host's service.

Done

Details

2 participants

Jason Conroy
Mathieu Othacehe

Owner: unassigned

Submitted by: Jason Conroy

Severity: normal

Jason Conroy wrote on 21 Sep 2020 00:05

Recipients:(address . guix-patches@gnu.org)

Message-ID:CABWzUjUTyU03=-_-pK98zVSQLW7t1tW1euuBj97C_0UM-DOOPA@mail.gmail.com

Hello Guix,

Currently, Guix system containers hosted on machines that run nscd are

configured to use that daemon's socket by bind-mounting /var/run/nscd into

the container's filesystem. As discussed in bug#41575, there are certain

nscd configurations that expose information from the host's /etc files into

the container's processes, and aside from the security implications, this

exposure can lead to anomalous behavior inside the containers, including

failure to boot.

The following patch gives each container a private nscd instance. While

Guix's default nscd configuration caches pretty aggressively (for

hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a

smaller cache size of 256kB, which means that the overhead of this change

should be modest even on systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`

- successful boot and operation of a system container

- presence of nscd in the container

- correct cache sizes in nscd.conf

Per my employer's guidelines for OSS contributors, this patch contains:

- My corporate email address in the "From" line

- My employer listed as copyright holder (this has already been cleared

with Ludo')

Thanks!

Jason

Attachment: file

Attachment: one-nscd-per-container.patch

Mathieu Othacehe wrote on 24 Sep 2020 10:01

Recipients:(name . Jason Conroy)(address . conjaroy@gmail.com)(address . 43540@debbugs.gnu.org)

Message-ID:87ft777gdv.fsf@gnu.org

Hello Jason,

Thanks for this patch. You need to write a commit message that is

compliant with the ChangeLog format, see:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.

Toggle quote (15 lines)> +(define %nscd-container-caches
> +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> +  ;; many containers to coexist on the same machine without exhausting RAM.
> +  (list (nscd-cache (database 'hosts)
> +                    (positive-time-to-live (* 3600 12))
> +                    (negative-time-to-live 20)
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))
> +        (nscd-cache (database 'services)
> +                    (positive-time-to-live (* 3600 24))
> +                    (negative-time-to-live 3600)
> +                    (check-files? #t)   ;check /etc/services changes
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))))

You can write something like:

Toggle snippet (7 lines)

(map (lambda (cache)

(nscd-cache

(inherit cache)

(max-database-size (expt 2 18)))) ;256KiB

%nscd-default-caches)

to avoid repeating the same values.

Otherwise, looks nice. Could you please send an updated version?

Thanks,

Mathieu

https://othacehe.org

Jason Conroy wrote on 27 Sep 2020 19:44

Recipients:(name . Mathieu Othacehe)(address . othacehe@gnu.org)(address . 43540@debbugs.gnu.org)

Message-ID:CABWzUjVfHTvJK=tO7J2CwZ7gwTKqtAQY+_MKS6bbKM95FFsxYQ@mail.gmail.com

Hi Mathieu, thanks for the feedback. Please find the revised patch and log

attached.

Cheers,

Jason

On Thu, Sep 24, 2020 at 4:01 AM Mathieu Othacehe <othacehe@gnu.org> wrote:

Toggle quote (44 lines)>
> Hello Jason,
>
> Thanks for this patch. You need to write a commit message that is
> compliant with the ChangeLog format, see:
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
>
> > +(define %nscd-container-caches
> > +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This
> allows
> > +  ;; many containers to coexist on the same machine without exhausting
> RAM.
> > +  (list (nscd-cache (database 'hosts)
> > +                    (positive-time-to-live (* 3600 12))
> > +                    (negative-time-to-live 20)
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))
> > +        (nscd-cache (database 'services)
> > +                    (positive-time-to-live (* 3600 24))
> > +                    (negative-time-to-live 3600)
> > +                    (check-files? #t)   ;check /etc/services changes
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))))
>
> You can write something like:
>
> --8<---------------cut here---------------start------------->8---
> (map (lambda (cache)
>        (nscd-cache
>         (inherit cache)
>         (max-database-size (expt 2 18)))) ;256KiB
>      %nscd-default-caches)
> --8<---------------cut here---------------end--------------->8---
>
> to avoid repeating the same values.
>
> Otherwise, looks nice. Could you please send an updated version?
>
> Thanks,
>
> Mathieu
> --
> https://othacehe.org
>

Attachment: file

Attachment: one-nscd-per-container-v2.patch

Mathieu Othacehe wrote on 1 Oct 2020 09:29

Recipients:(name . Jason Conroy)(address . conjaroy@gmail.com)(address . 43540-done@debbugs.gnu.org)

Message-ID:871rii1k1c.fsf@gnu.org

Hey Jason,

Toggle quote (2 lines)

> Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.

Pushed with a slightly adjusted commit message as

5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Thanks,

Mathieu

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 43540@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date