From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
From: Ludovic Courtès
To: Andreas Enge
Cc: 70933@debbugs.gnu.org
In-Reply-To: (Andreas Enge's message of "Fri, 31 May 2024 16:26:58 +0200")
References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@enge.fr> <87mso6rxzz.fsf@gnu.org>
Date: Tue, 25 Jun 2024 17:30:23 +0200
Message-ID: <87h6dhca5s.fsf@gnu.org>

Hi!

Andreas Enge wrote:

> On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
>> Andreas Enge wrote:
>> > The rationale for these lines is that they enable non-privileged docker
>> > containers. But I would like to create a privileged container with
>> > chroot (in an openshift environment, where I suppose this environment
>> > does additional encapsulation to enforce security), which these lines
>> > prevent.
>> > Users can still add the option. Alternatively, we could add an additional
>> > field "chroot? (default: #t)" to guix-configuration.
>> This is tricky, I’m not sure how to provide defaults that work in most
>> common setups while still allowing the use of privileged Docker
>> containers as in your case.
>
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

Making it a ternary value sounds like a good idea, indeed. #t, #f, and
'default sounds like a good choice to me.

Thanks!

Ludo’.