[PATCH] Instantiate nscd in each system container instead of using the container host's service.

Done. Submitted by Jason Conroy.
Details
2 participants
  • Jason Conroy
  • Mathieu Othacehe
Owner
unassigned
Severity
normal
Jason Conroy wrote on 21 Sep 2020 00:05
(address . guix-patches@gnu.org)
CABWzUjUTyU03=-_-pK98zVSQLW7t1tW1euuBj97C_0UM-DOOPA@mail.gmail.com
Hello Guix,
Currently, Guix system containers hosted on machines that run nscd are configured to use that daemon's socket by bind-mounting /var/run/nscd into the container's filesystem. As discussed in bug#41575, there are certain nscd configurations that expose information from the host's /etc files into the container's processes, and aside from the security implications, this exposure can lead to anomalous behavior inside the containers, including failure to boot.
The following patch gives each container a private nscd instance. While Guix's default nscd configuration caches pretty aggressively (for hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a smaller cache size of 256kB, which means that the overhead of this change should be modest even on systems with many containers.
This patch has been lightly tested by verifying the following:
- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf
Per my employer's guidelines for OSS contributors, this patch contains:
- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
  with Ludo')
Thanks!
Jason
Attachment: file
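The checklist above ends with "correct cache sizes in nscd.conf", which is the one item a reviewer cannot confirm from the diff alone. The script below is an added example, not part of the patch or of Guix: it parses an nscd.conf, extracts each database's max-db-size, and checks that every cache is capped at the 2^18-byte limit the patch introduces. It assumes (this is not stated on the page) that the container's nscd is launched as `nscd -f /gnu/store/...-nscd.conf --foreground`, so the live config path can be read from the process's argv via /proc; the two sample configs are hand-written for the example, with the 32 MiB and 256 KiB sizes taken from the message above.

```shell
#!/bin/sh
# Added example for the checklist above; it is not part of the patch or of
# Guix.  It reads an nscd.conf, extracts the per-database max-db-size and
# checks that every cache is capped at the container limit.
#
# Assumption (not stated on the page): Guix's shepherd service launches nscd
# as "nscd -f /gnu/store/...-nscd.conf --foreground", so the config path can
# be recovered from the process's argv inside the container (needs /proc).

CONTAINER_LIMIT=262144        # (expt 2 18) bytes = 256 KiB, as in the patch

# Print "<database> <bytes>" for each max-db-size directive in the nscd.conf
# given as $1.  nscd.conf lines look like "<option> <database> <value>";
# '#' starts a comment.
nscd_max_db_sizes() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "max-db-size" && NF >= 3 { print $2, $3 }'
}

# Exit 0 if $1 has at least one max-db-size directive and none exceeds the
# byte limit $2; exit 1 otherwise.  A config with no directive at all is a
# failure, since it says nothing about the cache size.
nscd_caches_within() {
    sed -e 's/#.*//' "$1" |
        awk -v limit="$2" '
            $1 == "max-db-size" && NF >= 3 { n++; if ($3 + 0 > limit + 0) bad++ }
            END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Print the config path of the running nscd (the argument after "-f" in its
# argv), or exit 1 if no nscd process is found.
running_nscd_conf() {
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/comm" 2>/dev/null)" = nscd ] || continue
        tr '\0' '\n' < "$p/cmdline" |
            awk 'prev == "-f" { print; exit } { prev = $0 }'
        return 0
    done
    return 1
}

# Constructed sample configs (hand-written, not generated by Guix).  The
# sizes follow the message above: a 32 MiB hosts cache in the default
# configuration, 2^18 bytes per cache in the container.
HOST_CONF=$(mktemp)
CONTAINER_CONF=$(mktemp)
trap 'rm -f "$HOST_CONF" "$CONTAINER_CONF"' EXIT
cat > "$HOST_CONF" <<'EOF'
# default-style caches: large
enable-cache            hosts    yes
positive-time-to-live   hosts    43200
max-db-size             hosts    33554432
enable-cache            services yes
max-db-size             services 33554432
EOF
cat > "$CONTAINER_CONF" <<'EOF'
# container caches: 256 KiB each
enable-cache            hosts    yes
positive-time-to-live   hosts    43200
max-db-size             hosts    262144
enable-cache            services yes
max-db-size             services 262144
EOF

# Inside a container: locate the live config and check it.
if conf=$(running_nscd_conf) && [ -r "$conf" ]; then
    if nscd_caches_within "$conf" "$CONTAINER_LIMIT"; then
        echo "nscd caches within $CONTAINER_LIMIT bytes: $conf"
    else
        echo "nscd cache larger than $CONTAINER_LIMIT bytes: $conf"
    fi
fi
```

Run it from a shell inside the booted container; if the path recovered from argv is readable, the last block reports whether the live config honours the limit, and the helper functions can be pointed at any nscd.conf by hand. Note that the host-style sample fails the check on purpose, which is what you would see if a container were still inheriting the host's configuration.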
Mathieu Othacehe wrote on 24 Sep 2020 10:01
(name . Jason Conroy)(address . conjaroy@gmail.com)(address . 43540@debbugs.gnu.org)
87ft777gdv.fsf@gnu.org
Hello Jason,
Thanks for this patch. You need to write a commit message that is compliant with the ChangeLog format, see: https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
Toggle quote (15 lines)> +(define %nscd-container-caches> + ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows> + ;; many containers to coexist on the same machine without exhausting RAM.> + (list (nscd-cache (database 'hosts)> + (positive-time-to-live (* 3600 12))> + (negative-time-to-live 20)> + (persistent? #t)> + (max-database-size (expt 2 18)))> + (nscd-cache (database 'services)> + (positive-time-to-live (* 3600 24))> + (negative-time-to-live 3600)> + (check-files? #t) ;check /etc/services changes> + (persistent? #t)> + (max-database-size (expt 2 18)))))
You can write something like:
    (map (lambda (cache)
           (nscd-cache
            (inherit cache)
            (max-database-size (expt 2 18)))) ;256KiB
         %nscd-default-caches)
to avoid repeating the same values.
Otherwise, looks nice. Could you please send an updated version?
Thanks,
Mathieu
-- 
https://othacehe.org
Jason Conroy wrote on 27 Sep 2020 19:44
(name . Mathieu Othacehe)(address . othacehe@gnu.org)(address . 43540@debbugs.gnu.org)
CABWzUjVfHTvJK=tO7J2CwZ7gwTKqtAQY+_MKS6bbKM95FFsxYQ@mail.gmail.com
Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.
Cheers,
Jason

Attachment: file
From 0b6c5acb2fe9b4f6fa29e46c521fcfed9a8e69be Mon Sep 17 00:00:00 2001
From: Jason Conroy <jconroy@google.com>
Date: Sun, 27 Sep 2020 13:16:39 -0400
Subject: [PATCH] Instantiate nscd in each system container instead of using
 the container host's service.
Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into the
container's filesystem. As discussed in bug#41575, there are certain nscd
configurations that expose information from the host's /etc files into the
container's processes, and aside from the security implications, this exposure
can lead to anomalous behavior inside the containers, including failure to
boot.
The following patch gives each container a private nscd instance. While Guix's
default nscd configuration caches pretty aggressively (for hostnames, up to
32MB with a 12h TTL), the per-container nscd uses a smaller cache size of
256kB, which means that the overhead of this change should be modest even on
systems with many containers.
This patch has been lightly tested by verifying the following:
- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf
* gnu/system/linux-container.scm (%nscd-container-caches): Add it.
(containerized-operating-system): instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm: (%network-file-mappings): remove "/var/run/nscd".
---
 gnu/system/file-systems.scm    |  8 ++---
 gnu/system/linux-container.scm | 59 +++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 24 deletions(-)
Toggle diff (124 lines)diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scmindex 5c02dfac93..464e87cb18 100644--- a/gnu/system/file-systems.scm+++ b/gnu/system/file-systems.scm@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>+;;; Copyright © 2020 Google LLC ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;;@@ -590,11 +591,8 @@ a bind mount." ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a ;; symlink to a file in a tmpfs which, for an unknown reason, ;; cannot be bind mounted read-only within the container.- ;; The same goes with /var/run/nscd, as discussed in- ;; <https://bugs.gnu.org/37967>.- (writable? (or (string=? file "/etc/resolv.conf")- (string=? file "/var/run/nscd")))))- (cons "/var/run/nscd" %network-configuration-files)))+ (writable? (string=? file "/etc/resolv.conf"))))+ %network-configuration-files)) (define (file-system-type-predicate type) "Return a predicate that, when passed a file system, returns #t if that filediff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scmindex c5e2e4bf9c..4a9cd0efe2 100644--- a/gnu/system/linux-container.scm+++ b/gnu/system/linux-container.scm@@ -3,6 +3,7 @@ ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>+;;; Copyright © 2020 Google LLC ;;; ;;; This file is part of GNU Guix. ;;;@@ -77,6 +78,15 @@ doing anything.") (start #~(const #t)))) #f)) +(define %nscd-container-caches+ ;; Similar to %nscd-default-caches but with smaller cache sizes. 
This allows+ ;; many containers to coexist on the same machine without exhausting RAM.+ (map (lambda (cache)+ (nscd-cache+ (inherit cache)+ (max-database-size (expt 2 18)))) ;256KiB+ %nscd-default-caches))+ (define* (containerized-operating-system os mappings #:key shared-network?@@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." (file-system (inherit (file-system-mapping->bind-mount fs)) (needed-for-boot? #t))) - (define useless-services- ;; Services that make no sense in a container. Those that attempt to- ;; access /dev/tty[0-9] in particular cannot work in a container.+ (define services-to-drop+ ;; Service types to filter from the original operating-system. Some of+ ;; these make no sense in a container (e.g., those that access+ ;; /dev/tty[0-9]), while others just need to be reinstantiated with+ ;; different configs that are better suited to containers. (append (list console-font-service-type mingetty-service-type- agetty-service-type)- ;; Remove nscd service if network is shared with the host.+ agetty-service-type+ ;; Reinstantiated below with smaller caches.+ nscd-service-type) (if shared-network?- (list nscd-service-type- static-networking-service-type- dhcp-client-service-type- network-manager-service-type- connman-service-type- wicd-service-type)+ ;; Replace these with dummy-networking-service-type below.+ (list+ static-networking-service-type+ dhcp-client-service-type+ network-manager-service-type+ connman-service-type+ wicd-service-type) (list)))) + (define services-to-add+ (append+ ;; Many Guix services depend on a 'networking' shepherd+ ;; service, so make sure to provide a dummy 'networking'+ ;; service when we are sure that networking is already set up+ ;; in the host and can be used. 
That prevents double setup.+ (if shared-network?+ (list (service dummy-networking-service-type))+ '())+ (list+ (nscd-service (nscd-configuration+ (caches %nscd-container-caches))))))+ (operating-system (inherit os) (swap-devices '()) ; disable swap@@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." #:shared-network? shared-network?)) (services (append (remove (lambda (service) (memq (service-kind service)- useless-services))+ services-to-drop)) (operating-system-user-services os))- ;; Many Guix services depend on a 'networking' shepherd- ;; service, so make sure to provide a dummy 'networking'- ;; service when we are sure that networking is already set up- ;; in the host and can be used. That prevents double setup.- (if shared-network?- (list (service dummy-networking-service-type))- '())))+ services-to-add)) (file-systems (append (map mapping->fs (if shared-network? (append %network-file-mappings mappings)-- 2.20.1
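Review bot: in the gnu/system/file-systems.scm hunk, %network-file-mappings is an exported definition and the commit message only talks about system containers; confirm that every consumer of %network-file-mappings is meant to lose the /var/run/nscd mapping (if only containerized-operating-system is, dropping the entry there instead would be the narrower change) and state the intended scope in the ChangeLog entry. The removed comment was also the only pointer to <https://bugs.gnu.org/37967>; one sentence in the commit message saying that the writable bind mount worked around there is no longer needed would keep that history findable.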
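Review bot: the %nscd-container-caches hunk introduces nscd-cache and %nscd-default-caches (and the services-to-add hunk uses nscd-service and nscd-configuration) with no change to the module's use-modules form. That only compiles if (gnu services base) is already imported; the pre-existing reference to nscd-service-type in the removed lines suggests it is, but worth confirming, since an unbound variable here would surface only when a container is actually built. Minor: the comment says 256KiB while the commit message says 256kB; (expt 2 18) is 262144 bytes, i.e. 256 KiB, so the message should use the same unit.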
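Review bot: in the services-to-drop / services-to-add hunk, nscd-service-type is now removed unconditionally and re-added with a fresh (nscd-configuration (caches %nscd-container-caches)), so every other field the caller set on their own nscd configuration is silently discarded; the ChangeLog says the service is replaced but not that its settings are lost. A host declaration whose nscd configuration carries extra settings (for example additional name-services for NSS lookups) would then resolve names differently inside the container with no warning. Consider locating the caller's nscd service in (operating-system-user-services os) and building the replacement with (nscd-configuration (inherit <caller's config>) (caches %nscd-container-caches)), falling back to a plain (nscd-configuration ...) only when none is present; at minimum, document the replacement behaviour in the containerized-operating-system docstring.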
Mathieu Othacehe wrote on 1 Oct 2020 09:29
(name . Jason Conroy)(address . conjaroy@gmail.com)(address . 43540-done@debbugs.gnu.org)
871rii1k1c.fsf@gnu.org
Hey Jason,
> Hi Mathieu, thanks for the feedback. Please find the revised patch and log
> attached.
Pushed with a slightly adjusted commit message as
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.
Thanks,
Mathieu
Closed