Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.
Cheers,
Jason
On Thu, Sep 24, 2020 at 4:01 AM Mathieu Othacehe <othacehe@gnu.org> wrote:
>
> Hello Jason,
>
> Thanks for this patch. You need to write a commit message that is
> compliant with the ChangeLog format, see:
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
>
> > +(define %nscd-container-caches
> > +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> > +  ;; many containers to coexist on the same machine without exhausting RAM.
> > +  (list (nscd-cache (database 'hosts)
> > +                    (positive-time-to-live (* 3600 12))
> > +                    (negative-time-to-live 20)
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))
> > +        (nscd-cache (database 'services)
> > +                    (positive-time-to-live (* 3600 24))
> > +                    (negative-time-to-live 3600)
> > +                    (check-files? #t) ;check /etc/services changes
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))))
>
> You can write something like:
>
> --8<---------------cut here---------------start------------->8---
> (map (lambda (cache)
>        (nscd-cache
>         (inherit cache)
>         (max-database-size (expt 2 18)))) ;256KiB
>      %nscd-default-caches)
> --8<---------------cut here---------------end--------------->8---
>
> to avoid repeating the same values.
>
> Otherwise, looks nice. Could you please send an updated version?
>
> Thanks,
>
> Mathieu
> --
> https://othacehe.org

From 0b6c5acb2fe9b4f6fa29e46c521fcfed9a8e69be Mon Sep 17 00:00:00 2001
the container host's service.
Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into the
container's filesystem. As discussed in bug#41575, there are certain nscd
configurations that expose information from the host's /etc files into the
container's processes, and aside from the security implications, this exposure
can lead to anomalous behavior inside the containers, including failure to
boot.

The following patch gives each container a private nscd instance. While Guix's
default nscd configuration caches pretty aggressively (for hostnames, up to
32MB with a 12h TTL), the per-container nscd uses a smaller cache size of
256kB, which means that the overhead of this change should be modest even on
systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

* gnu/system/linux-container.scm (%nscd-container-caches): Add it.
(containerized-operating-system): instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm: (%network-file-mappings): remove "/var/run/nscd".
---
 gnu/system/file-systems.scm    |  8 ++---
 gnu/system/linux-container.scm | 59 +++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scmindex 5c02dfac93..464e87cb18 100644--- a/gnu/system/file-systems.scm+++ b/gnu/system/file-systems.scm@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>+;;; Copyright © 2020 Google LLC ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;;@@ -590,11 +591,8 @@ a bind mount." ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a ;; symlink to a file in a tmpfs which, for an unknown reason, ;; cannot be bind mounted read-only within the container.- ;; The same goes with /var/run/nscd, as discussed in- ;; <https://bugs.gnu.org/37967>.- (writable? (or (string=? file "/etc/resolv.conf")- (string=? file "/var/run/nscd")))))- (cons "/var/run/nscd" %network-configuration-files)))+ (writable? (string=? file "/etc/resolv.conf"))))+ %network-configuration-files)) (define (file-system-type-predicate type) "Return a predicate that, when passed a file system, returns #t if that filediff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scmindex c5e2e4bf9c..4a9cd0efe2 100644--- a/gnu/system/linux-container.scm+++ b/gnu/system/linux-container.scm@@ -3,6 +3,7 @@ ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>+;;; Copyright © 2020 Google LLC ;;; ;;; This file is part of GNU Guix. ;;;@@ -77,6 +78,15 @@ doing anything.") (start #~(const #t)))) #f)) +(define %nscd-container-caches+ ;; Similar to %nscd-default-caches but with smaller cache sizes. 
This allows+ ;; many containers to coexist on the same machine without exhausting RAM.+ (map (lambda (cache)+ (nscd-cache+ (inherit cache)+ (max-database-size (expt 2 18)))) ;256KiB+ %nscd-default-caches))+ (define* (containerized-operating-system os mappings #:key shared-network?@@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." (file-system (inherit (file-system-mapping->bind-mount fs)) (needed-for-boot? #t))) - (define useless-services- ;; Services that make no sense in a container. Those that attempt to- ;; access /dev/tty[0-9] in particular cannot work in a container.+ (define services-to-drop+ ;; Service types to filter from the original operating-system. Some of+ ;; these make no sense in a container (e.g., those that access+ ;; /dev/tty[0-9]), while others just need to be reinstantiated with+ ;; different configs that are better suited to containers. (append (list console-font-service-type mingetty-service-type- agetty-service-type)- ;; Remove nscd service if network is shared with the host.+ agetty-service-type+ ;; Reinstantiated below with smaller caches.+ nscd-service-type) (if shared-network?- (list nscd-service-type- static-networking-service-type- dhcp-client-service-type- network-manager-service-type- connman-service-type- wicd-service-type)+ ;; Replace these with dummy-networking-service-type below.+ (list+ static-networking-service-type+ dhcp-client-service-type+ network-manager-service-type+ connman-service-type+ wicd-service-type) (list)))) + (define services-to-add+ (append+ ;; Many Guix services depend on a 'networking' shepherd+ ;; service, so make sure to provide a dummy 'networking'+ ;; service when we are sure that networking is already set up+ ;; in the host and can be used. 
That prevents double setup.+ (if shared-network?+ (list (service dummy-networking-service-type))+ '())+ (list+ (nscd-service (nscd-configuration+ (caches %nscd-container-caches))))))+ (operating-system (inherit os) (swap-devices '()) ; disable swap@@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." #:shared-network? shared-network?)) (services (append (remove (lambda (service) (memq (service-kind service)- useless-services))+ services-to-drop)) (operating-system-user-services os))- ;; Many Guix services depend on a 'networking' shepherd- ;; service, so make sure to provide a dummy 'networking'- ;; service when we are sure that networking is already set up- ;; in the host and can be used. That prevents double setup.- (if shared-network?- (list (service dummy-networking-service-type))- '())))+ services-to-add)) (file-systems (append (map mapping->fs (if shared-network? (append %network-file-mappings mappings)-- 2.20.1
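Review bot: In the gnu/system/file-systems.scm hunk at @@ -590,11 +591,8 @@, dropping "/var/run/nscd" from %network-file-mappings edits a binding that lives in file-systems.scm rather than in linux-container.scm, yet the ChangeLog entry and the description only talk about system containers. Please confirm that every other consumer of %network-file-mappings either gets its own nscd or no longer relies on the host socket, and record that in the commit message. The removed comment pointing at <https://bugs.gnu.org/37967> was the only in-tree note on why that socket used to be mapped writable; a one-line pointer to bug#41575 in its place would keep the reasoning findable for the next person who wonders why the socket is not shared.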
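Review bot: Unit nit in the @@ -77,6 +78,15 @@ hunk of gnu/system/linux-container.scm: the code comment says `;256KiB` while the description says "256kB"; (expt 2 18) is 262144 bytes, i.e. 256 KiB, so the description should follow the comment. Since `(inherit cache)` keeps every other field of %nscd-default-caches (the 12h hosts TTL mentioned in the description and the `persistent? #t` from the earlier version of this patch included), only the per-database size ceiling changes; if that is the intent, saying "same TTLs, smaller max-database-size" in the comment makes it explicit.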
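Review bot: In the @@ -100,22 +110,39 @@ hunk, nscd-service-type is now dropped unconditionally and a fresh `(nscd-service (nscd-configuration (caches %nscd-container-caches)))` is appended, so a caller who customised any other field of their nscd-configuration silently loses it. The ChangeLog entry acknowledges this ("replacing any nscd-service specified by the caller"), but nothing warns at build time. Consider looking up the caller's nscd service in (operating-system-user-services os) and building the replacement with `(nscd-configuration (inherit <caller's config>) (caches %nscd-container-caches))`, falling back to the default configuration only when the OS had no nscd service; that preserves the isolation the description wants (a private cache per container) without discarding the rest of the caller's settings.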
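The description lists "correct cache sizes in nscd.conf" among the checks performed by hand. As an added example, not part of the patch or of Guix, here is a POSIX shell function that performs that check mechanically: it reads an nscd.conf and verifies that every `max-db-size` directive carries the 2^18 = 262144 byte ceiling the patch sets. The two configuration files are constructed inline (the rendered directive names follow glibc's nscd.conf format; that Guix renders `max-database-size` as `max-db-size` is an assumption here), and the container's real file path (/etc/nscd.conf inside the container) is likewise an assumption.

```shell
#!/bin/sh
# Added example, not code from the patch or from Guix: verify the
# per-database cache ceiling in an nscd.conf.  The patch sets
# max-database-size to (expt 2 18) bytes for every cache, which nscd.conf
# expresses as "max-db-size <database> 262144" (rendering assumed).

expected_max_db_size=262144

# Print "<database> <size>" for every max-db-size directive in FILE.
max_db_sizes() {
    awk '$1 == "max-db-size" { print $2, $3 }' "$1"
}

# Return 0 when every database in FILE has max-db-size equal to
# $expected_max_db_size, 1 otherwise (offenders are reported on stderr).
# Also fails when the file contains no max-db-size directive at all, so
# a missing or empty config cannot pass by accident.
check_container_caches() {
    file=$1
    status=0
    seen=0
    while read -r db size; do
        [ -z "$db" ] && continue
        seen=1
        if [ "$size" != "$expected_max_db_size" ]; then
            echo "$file: database '$db' has max-db-size $size, expected $expected_max_db_size" >&2
            status=1
        fi
    done <<EOF
$(max_db_sizes "$file")
EOF
    [ "$seen" -eq 1 ] || { echo "$file: no max-db-size directives" >&2; status=1; }
    return $status
}

# Constructed sample: what the container's nscd.conf should look like after
# this patch (TTLs inherited from %nscd-default-caches, 256 KiB ceilings).
container_conf=$(mktemp)
cat > "$container_conf" <<'EOF'
        positive-time-to-live   hosts           43200
        negative-time-to-live   hosts           20
        persistent              hosts           yes
        max-db-size             hosts           262144
        positive-time-to-live   services        86400
        max-db-size             services        262144
EOF

# Constructed sample: a host-style configuration with the 32 MiB hosts cache
# the description mentions; this one must be rejected.
host_conf=$(mktemp)
cat > "$host_conf" <<'EOF'
        max-db-size             hosts           33554432
        max-db-size             services        262144
EOF
trap 'rm -f "$container_conf" "$host_conf"' EXIT

if check_container_caches "$container_conf" && ! check_container_caches "$host_conf" 2>/dev/null; then
    echo "container nscd.conf has the expected cache sizes; host-style config rejected"
fi
```

On a real system the function would be pointed at the nscd.conf inside the container rather than the constructed samples; the awk pass deliberately ignores every directive except `max-db-size`, so TTL or `persistent` settings are not checked by it.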