(address . guix-patches@gnu.org)
Hello Guix,
Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into
the container's filesystem. As discussed in bug#41575, there are certain
nscd configurations that expose information from the host's /etc files into
the container's processes, and aside from the security implications, this
exposure can lead to anomalous behavior inside the containers, including
failure to boot.
The following patch gives each container a private nscd instance. While
Guix's default nscd configuration caches pretty aggressively (for
hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a
smaller cache size of 256kB, which means that the overhead of this change
should be modest even on systems with many containers.
This patch has been lightly tested by verifying the following:
- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf
Per my employer's guidelines for OSS contributors, this patch contains:
- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
with Ludo')
Thanks!
Jason