Subject: bug#45571: Support stable uids and gids for system accounts in a container
From: Jason Conroy
Date: Thu, 31 Dec 2020 13:18:36 -0500
To: 45571@debbugs.gnu.org

If I understand correctly, the container script produced by "guix system container" will allocate the same uid and gid for a service on each execution, but only if the corresponding entry in the service list has the same absolute position as it did before. I.e., if the services are reordered or if there are additions and removals, it's unlikely that the id allocations will be the same.

As long as a container's filesystems don't outlive the container itself, this works fine. But when host filesystems are bind-mounted inside the container with the --share or --expose options, it's important that each incarnation of a service uses the same uid and gid, because the bind mounts might be used to hold persistent state for those services.

At first, I thought that I could just define static uids and gids for these system accounts by adding corresponding user-account and user-group entries. But this doesn't work: rather than changing how the system accounts are defined for these services, it results in /etc files with duplicate entries. (See https://issues.guix.gnu.org/45570 for details.)
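The failure mode in the report is uid/gid drift between container generations combined with persistent state on a bind mount: after a redeploy the service runs under a different numeric id than the one that owns its state directory on the host. The following is an added Python check, not code from the report or from Guix, that an operator can run before starting a rebuilt container. It diffs the account table of the previous generation against the new one and verifies that each bind-mounted host directory is owned by the uid its service now has. The passwd contents and the uid numbers in it are constructed samples chosen to illustrate a reordering; they are not Guix's actual allocation scheme, and the `mounts` mapping (host path to container account) is an assumed input format.

```python
"""Detect uid/gid drift between two container generations and check that
bind-mounted state directories are owned by the uid the service now has.

Added example for the report above; not part of Guix. The passwd texts are
constructed samples, and the uid values are illustrative only.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample: account table from the previous container generation.
GEN1_PASSWD = """\
root:x:0:0:System administrator:/root:/bin/sh
postgres:x:999:999:PostgreSQL server:/var/empty:/bin/nologin
nginx:x:998:998:nginx server user:/var/empty:/bin/nologin
"""

# Constructed sample: same services, but reordered in the service list, so the
# positional allocation handed them each other's ids.
GEN2_PASSWD = """\
root:x:0:0:System administrator:/root:/bin/sh
nginx:x:999:999:nginx server user:/var/empty:/bin/nologin
postgres:x:998:998:PostgreSQL server:/var/empty:/bin/nologin
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map account name -> (uid, gid) from /etc/passwd-style text."""
    accounts: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; ignore rather than guess
        name, _pw, uid, gid = fields[:4]
        accounts[name] = (int(uid), int(gid))
    return accounts


def id_drift(old: str, new: str) -> Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Accounts present in both generations whose uid or gid changed.

    Returns {name: ((old_uid, old_gid), (new_uid, new_gid))}.
    """
    before, after = parse_passwd(old), parse_passwd(new)
    return {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]}


def ownership_mismatches(passwd: str, mounts: Dict[str, str]) -> List[Tuple[str, str, int, int]]:
    """Compare each host path's owner uid with the uid its service account has
    in the container's passwd. Returns (path, account, expected, actual) tuples
    for every mismatch; an empty list means the bind mounts are consistent.
    """
    accounts = parse_passwd(passwd)
    problems = []
    for path, account in mounts.items():
        expected_uid = accounts[account][0]
        actual_uid = os.stat(path).st_uid
        if expected_uid != actual_uid:
            problems.append((path, account, expected_uid, actual_uid))
    return problems


if __name__ == "__main__":
    # Demo: show the drift between the two sample generations ...
    for name, (old_ids, new_ids) in id_drift(GEN1_PASSWD, GEN2_PASSWD).items():
        print(f"{name}: uid/gid {old_ids} -> {new_ids}")
    # ... and run the ownership check against a scratch directory owned by us.
    state_dir = tempfile.mkdtemp(prefix="svc-state-")
    sample = f"svc:x:{os.getuid()}:{os.getgid()}::/var/empty:/bin/nologin\n"
    print("mismatches:", ownership_mismatches(sample, {state_dir: "svc"}))
    os.rmdir(state_dir)
```

`ownership_mismatches` only inspects the top-level directory; for a deep state tree (database files, spool directories) walk it with `os.walk` and apply the same comparison to each entry, since a partially re-owned tree is a common leftover of a manual `chown` fix after one drift.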