Date: Mon, 25 Jan 2021 09:30:37 +0100
From: Pjotr Prins
To: Ricardo Wurmus
Subject: Re: Login to a guix container
Message-ID: <20210125083037.hqkaalsoy6l3xfdi@thebird.nl>
References: <20210124220544.kmsf3atiouj6zci7@thebird.nl> <9aa892b1c2ec59b15417a5871f1b83d481ab3419@hey.com> <87pn1tjwyr.fsf@elephly.net>
In-Reply-To: <87pn1tjwyr.fsf@elephly.net>
Cc: guix-devel@gnu.org, Ryan Prior
List-Id: "Development of GNU Guix and the GNU System distribution."

On Mon, Jan 25, 2021 at 08:29:32AM +0100, Ricardo Wurmus wrote:
> In your requirements for an audit, how does a “Guix container” differ
> from a “Linux container”? Guix uses the kernel features like cloning
> namespaces and unsharing the filesystem directly. It merely mounts
> individual store locations into the filesystem namespace.
>
> “Malpractice” is a very big word for using user namespaces instead of
> chroot without a “serious audit”.

I agree. The alternative is using an sftp chroot, if it is for file transfers only, or a full chroot. A container should be safer as long as we consider the Linux kernel itself safe.

The reason I posed the question was just that I was thinking the solution may be a bit over the top. Maybe more over the top would be to run Linux or even GNU Hurd in qemu/kvm. The more I read about the GNU Hurd the more I like it (I read this stuff for relaxation rather than work ;). Maybe we'll experiment with that a little too. We can easily dedicate 1GB of RAM for such VMs.

Anyway, off-topic on guix-dev, so I apologise.

I must say that 'guix environment -C' is one of the greatest Guix inventions and I am just starting to think of more applications beyond hosting web servers and development environments. It is lovely :).

Thanks everyone!

Pj.
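Ricardo's point above is that a Guix container is a plain Linux user namespace plus a mount namespace holding selected store items. When auditing such a setup, the first thing to check from inside the container is the uid/gid mapping the kernel exposes in /proc/self/uid_map and gid_map: the initial namespace shows the identity mapping `0 0 4294967295`, while a user-namespace container shows a short mapping that tells you exactly which ids in the parent namespace the contained process can reach. The following is an added example written for this thread, not code from Guix or from any of the posters; the sample map lines it is tested on are constructed, and the names (`parse_id_map`, `translate_id`, `describe`) are this example's own.

```python
"""Report whether the calling process sits inside a Linux user namespace.

Added example for the guix-devel thread above; it is not Guix code. A
container made with user namespaces gets its own /proc/<pid>/uid_map and
gid_map. The initial namespace shows the identity mapping
"0 0 4294967295"; anything else means the process is inside a user
namespace, and the mapping says which ids in the parent namespace it can
actually reach.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# The initial namespace maps every id onto itself: "0 0 4294967295".
FULL_RANGE = 4294967295


@dataclass(frozen=True)
class IdMapping:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the process reading the map
    count: int    # length of the contiguous range

    def translate(self, inside_id: int) -> Optional[int]:
        """Map an id inside the namespace to the reader's view, or None."""
        if self.inside <= inside_id < self.inside + self.count:
            return self.outside + (inside_id - self.inside)
        return None


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse the three-column format of /proc/<pid>/uid_map or gid_map.

    Caveat: the 'outside' column is relative to the namespace of the
    process that reads the file, not necessarily the host.
    """
    mappings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"line {lineno}: invalid range {line!r}")
        mappings.append(IdMapping(inside, outside, count))
    return mappings


def is_initial_namespace(mappings: List[IdMapping]) -> bool:
    """True only for the identity mapping of the root user namespace."""
    return mappings == [IdMapping(0, 0, FULL_RANGE)]


def translate_id(mappings: List[IdMapping], inside_id: int) -> Optional[int]:
    """Resolve an id from inside the namespace; None if it is unmapped.

    Unmapped ids show up as the overflow id (normally 65534, 'nobody')
    and cannot own files, which is the isolation a user namespace buys.
    """
    for m in mappings:
        outside = m.translate(inside_id)
        if outside is not None:
            return outside
    return None


def describe(mappings: List[IdMapping]) -> str:
    """One-line human summary used by the command-line entry point."""
    if is_initial_namespace(mappings):
        return "initial user namespace (identity mapping)"
    ranges = ", ".join(
        f"{m.inside}..{m.inside + m.count - 1}->{m.outside}..{m.outside + m.count - 1}"
        for m in mappings
    )
    return f"inside a user namespace; mapped ranges: {ranges}"


if __name__ == "__main__":
    # Read the live maps of this process (Linux only); the functions above
    # are pure so they can also be exercised on constructed text.
    for name in ("uid_map", "gid_map"):
        path = Path("/proc/self") / name
        try:
            print(f"{name}: {describe(parse_id_map(path.read_text()))}")
        except OSError as err:
            print(f"{name}: not available ({err})")
```

Run it once outside and once inside `guix environment -C` (or any other user-namespace container) and compare the two summaries; the mount namespace is the other half of the picture, and `cat /proc/self/mountinfo` inside the container shows which store paths were bound in.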