From: Andreas Enge <andreas@enge.fr>
To: 70933@debbugs.gnu.org
Cc: Andreas Enge <andreas@enge.fr>
Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
Date: Tue, 14 May 2024 13:50:34 +0200
Message-ID: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@enge.fr>
The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.

Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.

Andreas
* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".
Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
gnu/system/linux-container.scm | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
(nscd-configuration
(inherit (service-value s))
(caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
(else s)))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
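Review bot: Dropping the guix-service-type branch silently changes the default for every existing caller of containerized-operating-system, not only for the privileged openshift case the message describes; the removed comment documents that the branch exists precisely so that "guix-daemon can build thing even in Docker without '--privileged'", and with chroot builds now on by default those unprivileged containers will fail at build time with no hint as to why. The message itself names the safer alternative, a configuration field, and I would prefer that over the unconditional removal: keep prepending "--disable-chroot" unless the caller opts out, so that the weaker isolation is only used where it was before and the stronger chroot isolation can be requested explicitly. If the removal is kept as-is, the commit message should at least state that this is a user-visible behaviour change for unprivileged Docker containers rather than only giving the openshift rationale, and the comment's explanation should survive somewhere (the manual or the guix-configuration docstring) so that the reason for the old default is not lost.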
base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
--
2.41.0