[PATCH] system: Do not add "--disable-chroot" to containers.

  • Done
Details
2 participants
  • Andreas Enge
  • Ludovic Courtès
Owner
unassigned
Submitted by
Andreas Enge
Severity
normal


Andreas Enge wrote 10 months ago
(address . guix-patches@gnu.org)(name . Andreas Enge)(address . andreas@enge.fr)
67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@enge.fr
The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.

Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.

Andreas



* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".

Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
gnu/system/linux-container.scm | 11 -----------
1 file changed, 11 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
(nscd-configuration
(inherit (service-value s))
(caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
(else s)))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
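Review bot: removing this whole branch changes the default for every existing `containerized-operating-system` user, not only for the privileged OpenShift case: an unprivileged Docker container that relied on the daemon being started with `--disable-chroot` will now fail builds unless the user remembers to add the flag to `extra-options` themselves. Rather than deleting the behaviour, gate it behind the `chroot?` field that the cover letter itself proposes, keep the container default as it is today, and let privileged deployments opt back into chroot builds explicitly; the documentation for `guix-configuration` then needs a line describing the new field.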

base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
--
2.41.0
Ludovic Courtès wrote 9 months ago
(name . Andreas Enge)(address . andreas@enge.fr)(address . 70933@debbugs.gnu.org)
87mso6rxzz.fsf@gnu.org
Hi,

Andreas Enge <andreas@enge.fr> wrote:

> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.

[...]

> - ((eq? guix-service-type (service-kind s))
> - ;; Pass '--disable-chroot' so that
> - ;; guix-daemon can build thing even in
> - ;; Docker without '--privileged'.

This is tricky, I’m not sure how to provide defaults that work in most
common setups while still allowing the use of privileged Docker
containers as in your case.

I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.

Thoughts?

Ludo’.
Andreas Enge wrote 9 months ago
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 70933@debbugs.gnu.org)
ZlneMuuPEfakaS47@jurong
On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
> Andreas Enge <andreas@enge.fr> wrote:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.

I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.

Andreas
Ludovic Courtès wrote 9 months ago
(name . Andreas Enge)(address . andreas@enge.fr)(address . 70933@debbugs.gnu.org)
87h6dhca5s.fsf@gnu.org
Hi!

Andreas Enge <andreas@enge.fr> wrote:

> On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
>> Andreas Enge <andreas@enge.fr> wrote:
>> > The rationale for these lines is that they enable non-privileged docker
>> > containers. But I would like to create a privileged container with
>> > chroot (in an openshift environment, where I suppose this environment
>> > does additional encapsulation to enforce security), which these lines
>> > prevent.
>> > Users can still add the option. Alternatively, we could add an additional
>> > field "chroot? (default: #t)" to guix-configuration.
>> This is tricky, I’m not sure how to provide defaults that works in most
>> common setups while still allowing the use of privileged Docker
>> containers as in your case.
>
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

Making it a ternary value sounds like a good idea, indeed. #t, #f, and
'default sounds like a good choice to me.

Thanks!

Ludo’.
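A sketch of the tri-state `chroot?` field agreed on above, added here as an illustration; it is neither the patch from this thread nor Guix's own code (which uses `define-record-type*` from `(guix records)`), and the record, field and function names are assumed:

```scheme
;; Added illustration of the ternary chroot? design; plain Guile,
;; not Guix's actual guix-configuration record. Names are assumed.
(use-modules (srfi srfi-9)
             (ice-9 match))

(define-record-type <guix-configuration>
  (make-guix-configuration chroot? extra-options)
  guix-configuration?
  (chroot?       guix-configuration-chroot?)        ; #t, #f or 'default
  (extra-options guix-configuration-extra-options)) ; list of daemon flags

;; Resolve the tri-state field: 'default means "#f inside a container,
;; #t on a real machine"; an explicit #t or #f is honoured as given,
;; and anything else is rejected so a typo cannot silently disable
;; the chroot on a real machine.
(define (resolve-chroot? config container?)
  (match (guix-configuration-chroot? config)
    ('default (not container?))
    (#t #t)
    (#f #f)
    (x (error "chroot?: expected #t, #f or 'default, got" x))))

;; Daemon options: add "--disable-chroot" only when the resolved value
;; is #f, and never duplicate it if the user already listed it.
(define (daemon-options config container?)
  (let ((options (guix-configuration-extra-options config)))
    (if (or (resolve-chroot? config container?)
            (member "--disable-chroot" options))
        options
        (cons "--disable-chroot" options))))

;; Three cases: the untouched default inside a container keeps today's
;; behaviour, the default on a real machine leaves the options alone,
;; and an explicit #t lets a privileged container keep chroot builds.
(for-each
 (match-lambda
   ((chroot? container?)
    (format #t "chroot?=~a container?=~a -> ~s~%" chroot? container?
            (daemon-options (make-guix-configuration chroot? '())
                            container?))))
 '((default #t) (default #f) (#t #t) (#f #f)))
```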
Andreas Enge wrote 8 months ago
Patch
(address . 70933@debbugs.gnu.org)
ZogCM9xocPs12Y3p@jurong
Here is a suggestion for a patch implementing the chroot? parameter.
I have tested it by reconfiguring a real machine and still need to
test it in containers.

Andreas
Andreas Enge wrote 6 months ago
Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 70933@debbugs.gnu.org)
Zuvaa-eQ_5nhZBmE@jurong
Am Fri, May 31, 2024 at 04:26:58PM +0200 schrieb Andreas Enge:
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

The patch works in our Kubernetes environment (where we create Docker
containers with 'chroot? #t'). If there is agreement, I am happy to adapt
the documentation and to push.

Andreas
Andreas Enge wrote 1 month ago
Push?
(address . 70933@debbugs.gnu.org)(address . ludo@gnu.org)
Z6OAAcisuy1s6DDc@jurong
Okay to push? If I do not hear back in a week, I will do so.
The patch is available in the wip-plmshift branch as well.

Andreas
Andreas Enge wrote 3 weeks ago
(address . 70933-done@debbugs.gnu.org)(address . ludo@gnu.org)
Z7NApMqeT14b8pYt@jurong
Pushed!

Andreas
Closed