* Login to a guix container
@ 2021-01-24 22:05 Pjotr Prins
From: Pjotr Prins @ 2021-01-24 22:05 UTC (permalink / raw)
To: Guix
I was just thinking that it should be possible to login with ssh into
a GNU Guix shell running in a container that gets fired up by the
sshd. I am thinking about a safe shell for fetching files. If this
works no chroot setup is required.
Or is this a really dumb idea :)
Pj.
* Re: Login to a guix container
From: Ryan Prior @ 2021-01-25 1:41 UTC (permalink / raw)
To: Development of GNU Guix and the GNU System distribution,
Pjotr Prins
On January 24, 2021, Pjotr Prins <pjotr.public12@thebird.nl> wrote:
> I was just thinking that it should be possible to login with ssh into
> a GNU Guix shell running in a container that gets fired up by the
> sshd. I am thinking about a safe shell for fetching files. If this
> works no chroot setup is required.
>
> Or is this a really dumb idea :)
I haven't seen any serious audit investigating security properties of
Guix containers. I do not think it's dumb to try this as an experiment,
but I do think it would be malpractice to trust user data with this
system before appropriately thorough evaluation.
* Re: Login to a guix container
From: Ricardo Wurmus @ 2021-01-25 7:29 UTC (permalink / raw)
To: Ryan Prior; +Cc: guix-devel
Ryan Prior <ryanprior@hey.com> writes:
> On January 24, 2021, Pjotr Prins <pjotr.public12@thebird.nl> wrote:
>> I was just thinking that it should be possible to login with ssh into
>> a GNU Guix shell running in a container that gets fired up by the
>> sshd. I am thinking about a safe shell for fetching files. If this
>> works no chroot setup is required.
>>
>> Or is this a really dumb idea :)
>
> I haven't seen any serious audit investigating security properties of
> Guix containers. I do not think it's dumb to try this as an experiment,
> but I do think it would be malpractice to trust user data with this
> system before appropriately thorough evaluation.
In your requirements for an audit, how does a “Guix container” differ
from a “Linux container”? Guix uses the kernel features like cloning
namespaces and unsharing the filesystem directly. It merely mounts
individual store locations into the filesystem namespace.
“Malpractice” is a very big word for using user namespaces instead of
chroot without a “serious audit”.
--
Ricardo
* Re: Login to a guix container
From: Pjotr Prins @ 2021-01-25 8:30 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, Ryan Prior
On Mon, Jan 25, 2021 at 08:29:32AM +0100, Ricardo Wurmus wrote:
> In your requirements for an audit, how does a “Guix container” differ
> from a “Linux container”? Guix uses the kernel features like cloning
> namespaces and unsharing the filesystem directly. It merely mounts
> individual store locations into the filesystem namespace.
>
> “Malpractice” is a very big word for using user namespaces instead of
> chroot without a “serious audit”.
I agree. The alternative is using sftp chroot - if it is for file
transfers only, or a full chroot. A container should be safer as long
as we consider the Linux kernel itself safe. The reason I posed the
question was just that I was thinking the solution may be a bit over
the top.
Maybe more over the top would be to run Linux or even GNU Hurd in
qemu/kvm. The more I read about the GNU Hurd the more I like it (I
read this stuff for relaxation rather than work ;). Maybe we'll
experiment with that a little too. We can easily dedicate 1GB of RAM
for such VMs.
Anyway, off-topic on guix-dev, so I apologise. I must say that 'guix
environment -C' is one of the greatest Guix inventions and I just
start thinking of more applications beyond hosting web servers and
development environments. It is lovely :). Thanks everyone!
Pj.
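The setup sketched in the first message and compared against an sftp chroot in this one (sshd hands a user a shell that lives inside `guix environment -C`) can be illustrated with a small login wrapper. This is an added example, not code from the thread or from the Guix project; it assumes `guix` is installed on the host, that each user's drop directory lives under `/srv/drop/<user>`, and that sshd points the user's sessions at the wrapper with a `ForceCommand` (the group name `dropbox`, the path `/srv/drop` and the wrapper name `guix-drop-shell` are all hypothetical):

```shell
#!/bin/sh
# Hypothetical ForceCommand wrapper, e.g. in sshd_config:
#   Match Group dropbox
#       ForceCommand /usr/local/bin/guix-drop-shell
# The container is started without --network, so the shell can only read
# and write the single directory shared into it.

DROP_ROOT=${DROP_ROOT:-/srv/drop}   # assumed layout: /srv/drop/<user>

# Reject names that could walk out of DROP_ROOT through the path.
valid_user() {
    case $1 in
        ''|*/*|.*) return 1 ;;
    esac
    return 0
}

# Build the container command for USER. With MODE=print the argument list is
# printed one per line (for inspection); otherwise the wrapper exec's it.
container_shell() {
    user=$1 mode=${2:-exec}
    valid_user "$user" || return 1
    dir="$DROP_ROOT/$user"
    # --container: new user/mount/pid namespaces; --no-cwd: don't expose the
    # caller's working directory; --share: the only writable host path;
    # --ad-hoc: the only packages visible in the container's /gnu/store.
    set -- guix environment --container --no-cwd "--share=$dir=/data" \
        --ad-hoc bash coreutils -- bash --noprofile --norc
    if [ "$mode" = print ]; then
        printf '%s\n' "$@"
    else
        exec "$@"
    fi
}

# Only act as a login shell when installed under the wrapper name and
# actually invoked from an SSH session; sourcing the file defines functions.
case ${0##*/} in
    guix-drop-shell)
        if [ -n "${SSH_CONNECTION:-}" ]; then
            u=$(id -un)
            [ -d "$DROP_ROOT/$u" ] || { echo "no drop directory for $u" >&2; exit 1; }
            container_shell "$u"
        fi
        ;;
esac
```

The wrapper deliberately does not consult `SSH_ORIGINAL_COMMAND`, so a client cannot choose what runs; everything a user can do is bounded by the packages named after `--ad-hoc` and the one shared directory, which is the property the thread contrasts with a chroot.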
* Re: Login to a guix container
From: Ricardo Wurmus @ 2021-01-25 11:01 UTC (permalink / raw)
To: Pjotr Prins; +Cc: guix-devel, Ryan Prior
Pjotr Prins <pjotr.public12@thebird.nl> writes:
> Anyway, off-topic on guix-dev, so I apologise. I must say that 'guix
> environment -C' is one of the greatest Guix inventions and I just
> start thinking of more applications beyond hosting web servers and
> development environments. It is lovely :). Thanks everyone!
I agree. I’m currently experimenting with it to see if it can replace a
proprietary deployment of Shiny Server here at the institute. The idea
is to automatically spawn a containerized environment for an R Shiny
application when a user visits the application’s URL.
--
Ricardo