Hi ! Ludovic Courtès writes: > Hi, > > edk@beaver-labs.com skribis: > >> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575 >> --- >> doc/guix.texi | 16 +++++++++++++++- >> 1 file changed, 15 insertions(+), 1 deletion(-) >> >> diff --git a/doc/guix.texi b/doc/guix.texi >> index a6e14ea177..a9472e680e 100644 >> --- a/doc/guix.texi >> +++ b/doc/guix.texi >> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so} >> files are loaded in the @command{nscd} process, not in applications >> themselves. >> >> +For applications running in containers (@pxref{Invokin guix container}), >> +however, @code{nscd} may leak information from the host to the container. >> +If there is a configuration mismatch between the two ---e.g., the host >> +has no @code{sshd} user while the container needs one--- then it may be > > I find the example is hard to understand. How about: “applications in > the container could end up looking users in the host”? > >> +worthwhile to limit which kind of information the host's @code{nscd} >> +daemon may give to the container by adding the following to >> +@code{/etc/nscd.conf}. >> + >> +@example >> + enable-cache passwd no >> + enable-cache group no >> + enable-cache netgroup no >> +@end example > > Actually, perhaps the better fix is to never use the host’s nscd? We > could change ‘containerized-operating-system’ accordingly. > I think this would be best, but I did not know where to make this change, so I just edited the doc instead. I don't know if containers need the host's nscd to avoid the libc issues mentionned in the doc, but if they dont, then prevening them from accessing the host's nscd seems logical and would solve the problem. And we wouldn't need to amend the doc at all. > That would allow guest OSes to work correctly regardless of the host’s > nscd config, which seems like an improvement. > > Thoughts? > > Ludo’.