From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#41575: Container with openssh-service requires sshd user on the host
From: conjaroy
To: 41575@debbugs.gnu.org
Date: Mon, 24 Aug 2020 23:15:04 -0400
References: <87mu5s2z6u.fsf@alice.lan>
In-Reply-To: <87mu5s2z6u.fsf@alice.lan>
X-GNU-PR-Message: followup 41575
X-GNU-PR-Package: guix
List-Id: Bug reports for GNU Guix

I've observed this error under similar circumstances: launching a guix system container script with network sharing enabled, on a foreign distro (Debian 10) with nscd running.

Using `strace -f /gnu/store/...-run-container`, we can observe the container's lookup of user accounts via the foreign distro's nscd socket:

[pid 16582] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11
[pid 16582] connect(11, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0
[pid 16582] sendto(11, "\2\0\0\0\0\0\0\0\t\0\0\0postgres\0", 21, MSG_NOSIGNAL, NULL, 0) = 21
[pid 16582] poll([{fd=11, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=11, revents=POLLIN}])
[pid 16582] read(11, "\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0"..., 36) = 36
[pid 16582] close(11) = 0

Since the user ("postgres") is indeed missing in the foreign distro, the lookup fails. In this case, disabling nscd on the foreign distro allowed the container script to run without error.

Based on comments in https://issues.guix.info/issue/28128, I see that it was a deliberate choice to bind-mount the foreign distro's nscd socket inside the container (instead of starting a separate containerized nscd instance). But I'm having trouble seeing why it's acceptable to leak state from the foreign distro's user space into the container. Is there something I'm missing?

Cheers,

Jason
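As an added example (not part of the bug report and not Guix code), the following Python decoder reads the nscd GETPWBYNAME exchange captured in the strace output above, using the wire layout from glibc's nscd-client.h: a request header of three little-endian int32 fields (version, type, key_len) followed by the key, and a 36-byte pw_response_header of nine 32-bit fields. The escaped strings are re-typed from the strace lines in the message; the final four response bytes, which strace does not print because it truncates strings at 32 bytes by default, are assumed to be zero. Decoding the frames makes the leak concrete: the answer came from the host's nscd, and it reported that no such user exists, so the container's own passwd database was never consulted.

```python
# Added example (not from the bug report or Guix): decode the nscd
# GETPWBYNAME request/response shown in the strace output of the message.
# Field layouts follow glibc's nscd protocol (nscd/nscd-client.h):
#   request_header     = int32 version, int32 type, int32 key_len, then the key
#   pw_response_header = nine 32-bit fields, 36 bytes (the read(11, ..., 36))
# The final four response bytes are NOT in the trace (strace truncates strings
# at 32 bytes by default) and are assumed to be zero here.
import struct

NSCD_VERSION = 2
GETPWBYNAME = 0  # request_type value for a passwd-by-name lookup

# Escaped strings exactly as strace printed them (re-typed from the report).
STRACE_REQUEST = r"\2\0\0\0\0\0\0\0\t\0\0\0postgres\0"
STRACE_RESPONSE = (r"\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
                   r"\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0")

REQ_HDR = struct.Struct("<iii")        # version, type, key_len
PW_RESP = struct.Struct("<iiiiIIiii")  # version, found, name_len, passwd_len,
                                       # uid, gid, gecos_len, dir_len, shell_len
PW_FIELDS = ("version", "found", "pw_name_len", "pw_passwd_len", "pw_uid",
             "pw_gid", "pw_gecos_len", "pw_dir_len", "pw_shell_len")


def strace_bytes(text):
    """Turn the C-style escaped string strace prints back into raw bytes."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def decode_request(data):
    """Parse an nscd request header plus key; reject malformed frames."""
    if len(data) < REQ_HDR.size:
        raise ValueError("request shorter than nscd header")
    version, req_type, key_len = REQ_HDR.unpack_from(data)
    if version != NSCD_VERSION:
        raise ValueError(f"unexpected nscd protocol version {version}")
    key = data[REQ_HDR.size:REQ_HDR.size + key_len]
    # key_len counts the trailing NUL; a short or unterminated key is a bad frame
    if len(key) != key_len or not key.endswith(b"\0"):
        raise ValueError("key does not match key_len or is not NUL-terminated")
    return {"version": version, "type": req_type, "key": key[:-1].decode("utf-8")}


def decode_pw_response(data):
    """Parse a pw_response_header; found == 0 means the daemon had no such user."""
    if len(data) < PW_RESP.size:
        raise ValueError(f"response shorter than {PW_RESP.size} bytes")
    return dict(zip(PW_FIELDS, PW_RESP.unpack_from(data)))


def explain_exchange(request, response):
    """Summarise who answered the lookup and what the answer was."""
    req = decode_request(request)
    resp = decode_pw_response(response)
    if req["type"] != GETPWBYNAME:
        return f"request type {req['type']} is not GETPWBYNAME"
    if resp["found"]:
        return (f"host nscd resolved {req['key']!r} to uid={resp['pw_uid']} "
                f"gid={resp['pw_gid']}: the container used the host's passwd database")
    # (uid_t)-1 == 0xFFFFFFFF is the not-found sentinel in the response header
    return (f"host nscd has no passwd entry for {req['key']!r} "
            f"(uid={resp['pw_uid']:#x}): the container's own passwd was bypassed")


if __name__ == "__main__":
    request = strace_bytes(STRACE_REQUEST)
    # Pad the pw_shell_len field that strace cut off (assumed 0).
    response = strace_bytes(STRACE_RESPONSE) + b"\0\0\0\0"
    print(decode_request(request))
    print(decode_pw_response(response))
    print(explain_exchange(request, response))
```

Run as a script it prints the decoded request (version 2, type 0, key "postgres") and the response with found = 0 and uid/gid = 0xffffffff, which is what the trace shows the host's nscd returning. The same decoder can be pointed at any other sendto()/read() pair on the nscd socket to check which lookups a container script is delegating to the host.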