unofficial mirror of guix-patches@gnu.org 
* [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
@ 2020-09-13 10:30 edk
  2020-09-13 21:05 ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: edk @ 2020-09-13 10:30 UTC (permalink / raw)
  To: 43371; +Cc: 41575, conjaroy


doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
---
 doc/guix.texi | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a6e14ea177..a9472e680e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
 files are loaded in the @command{nscd} process, not in applications
 themselves.
 
+For applications running in containers (@pxref{Invokin guix container}),
+however, @code{nscd} may leak information from the host to the container.
+If there is a configuration mismatch between the two ---e.g., the host
+has no @code{sshd} user while the container needs one--- then it may be
+worthwhile to limit which kind of information the host's @code{nscd}
+daemon may give to the container by adding the following to
+@code{/etc/nscd.conf}.
+
+@example
+        enable-cache            passwd          no
+        enable-cache            group           no
+        enable-cache            netgroup        no
+@end example
+
 @subsection X11 Fonts
 
 @cindex fonts
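Review bot: the cross-reference on the first added line, `@pxref{Invokin guix container}`, misspells the node name, and Texinfo resolves cross-references by exact node name, so makeinfo will reject this as a reference to a nonexistent node; presumably `@pxref{Invoking guix container}` is meant. Two smaller points in the same hunk: the unchanged context just above writes the daemon as `@command{nscd}`, so the new `@code{nscd}` occurrences should follow that convention, and the three `enable-cache` lines inside `@example` carry eight leading spaces that Texinfo reproduces verbatim in the output, so left-align them unless that indentation is intended.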
@@ -27582,7 +27596,7 @@ that should be preferably killed.
 
 @item @code{avoid-regexp} (default: @code{#f})
 A regular expression (as a string) to match the names of the processes
-that should @emph{not} be killed.
+that should @emph{not} be kcoilled.
 
 @item @code{memory-report-interval} (default: @code{0})
 The interval in seconds at which a memory report is printed.  It is
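Review bot: this hunk is unrelated to the commit message and introduces a typo: it turns `that should @emph{not} be killed.` into `that should @emph{not} be kcoilled.` in the description of `avoid-regexp`. It looks like an accidental edit; drop the hunk so the patch touches only the Name Service Switch section (the diffstat's one deletion comes entirely from this line).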
-- 
2.28.0





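To make the leak the patch describes concrete, here is an added example, not code from the Guix patch, from glibc or from anyone in this thread, that speaks the nscd socket protocol directly: it encodes a GETPWBYNAME request and decodes the passwd reply, including the `found == -1` answer nscd gives for a database whose cache is turned off with `enable-cache passwd no`. That answer is what makes the workaround above effective: glibc then stops consulting nscd for that database and falls back to the calling process's own NSS sources, i.e. the container's files rather than the host's. The wire layout follows glibc's nscd/nscd-client.h as I know it, the socket path is nscd's default, and any reply bytes fed to the parser outside a live system are constructed rather than captured.

```python
"""Speak the glibc nscd socket protocol directly, to show what a process in
a container asks the host's nscd when /var/run/nscd/socket is shared.

Added example for this thread, not code from Guix, glibc or the patch.
The wire layout follows glibc's nscd/nscd-client.h (request_header and
pw_response_header: native-endian 32-bit fields, strings NUL-terminated
with the NUL counted in the length); any bytes used to exercise the parser
offline are constructed, not captured from a running daemon."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

NSCD_SOCKET = "/var/run/nscd/socket"   # nscd's default socket path
NSCD_VERSION = 2
GETPWBYNAME = 0                        # request_type values from nscd-client.h
GETGRBYNAME = 2

REQ = struct.Struct("=iii")            # version, type, key_len
PW_HDR = struct.Struct("=iiiiIIiii")   # version, found, name_len, passwd_len,
                                       # uid, gid, gecos_len, dir_len, shell_len


def build_request(req_type: int, key: str) -> bytes:
    """Encode one request; key_len counts the terminating NUL, as glibc does."""
    body = key.encode() + b"\0"
    return REQ.pack(NSCD_VERSION, req_type, len(body)) + body


@dataclass
class PwResult:
    status: str                 # "found", "notfound" or "disabled"
    name: Optional[str] = None
    uid: Optional[int] = None
    gid: Optional[int] = None
    home: Optional[str] = None
    shell: Optional[str] = None


def parse_pw_response(data: bytes) -> PwResult:
    """Decode a passwd reply.  found == -1 is the 'disabled' answer nscd
    gives for a database configured with `enable-cache passwd no`; glibc
    then stops asking nscd for passwd and uses the process's own NSS
    sources, i.e. the container's /etc/passwd rather than the host's."""
    if len(data) < PW_HDR.size:
        raise ValueError("short nscd reply")
    (version, found, name_len, passwd_len, uid, gid,
     gecos_len, dir_len, shell_len) = PW_HDR.unpack_from(data)
    if version != NSCD_VERSION:
        raise ValueError(f"unexpected nscd protocol version {version}")
    if found == -1:
        return PwResult("disabled")
    if found == 0:
        return PwResult("notfound")
    # The five strings follow the header back to back; each length in the
    # header includes the trailing NUL.
    fields = []
    off = PW_HDR.size
    for length in (name_len, passwd_len, gecos_len, dir_len, shell_len):
        chunk = data[off:off + length]
        if length <= 0 or len(chunk) != length or not chunk.endswith(b"\0"):
            raise ValueError("truncated or malformed string field")
        fields.append(chunk[:-1].decode())
        off += length
    name, _passwd, _gecos, home, shell = fields
    return PwResult("found", name, uid, gid, home, shell)


def encode_pw_response(name: str, passwd: str, uid: int, gid: int,
                       gecos: str, home: str, shell: str) -> bytes:
    """Lay out a 'found' reply the way nscd does (used to build test input)."""
    strs = [s.encode() + b"\0" for s in (name, passwd, gecos, home, shell)]
    hdr = PW_HDR.pack(NSCD_VERSION, 1, len(strs[0]), len(strs[1]), uid, gid,
                      len(strs[2]), len(strs[3]), len(strs[4]))
    return hdr + b"".join(strs)


def query_nscd(req_type: int, key: str, path: str = NSCD_SOCKET) -> bytes:
    """Send one request over the Unix socket and read the reply up to EOF
    (nscd closes the connection after answering).  In a container that
    bind-mounts the host's socket, the host's daemon answers."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(req_type, key))
        chunks = []
        while True:
            buf = s.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "sshd"
    print(parse_pw_response(query_nscd(GETPWBYNAME, user)))
```

Saved as, say, nscd_probe.py and run inside a container that bind-mounts the host's socket, `python3 nscd_probe.py sshd` returning a `found` record for a user that exists only on the host is exactly the mismatch the patch warns about; a `disabled` result means the host daemon refuses to serve that table and the container's libc does the lookup itself.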

* [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
  2020-09-13 10:30 [bug#43371] [PATCH] doc: prevent host/container nscd mismatch edk
@ 2020-09-13 21:05 ` Ludovic Courtès
  2020-09-14  1:05   ` conjaroy
  2020-09-14  7:24   ` Edouard Klein
  0 siblings, 2 replies; 6+ messages in thread
From: Ludovic Courtès @ 2020-09-13 21:05 UTC (permalink / raw)
  To: edk; +Cc: 43371, conjaroy, 41575

Hi,

edk@beaver-labs.com skribis:

> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> ---
>  doc/guix.texi | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index a6e14ea177..a9472e680e 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>  files are loaded in the @command{nscd} process, not in applications
>  themselves.
>  
> +For applications running in containers (@pxref{Invokin guix container}),
> +however, @code{nscd} may leak information from the host to the container.
> +If there is a configuration mismatch between the two ---e.g., the host
> +has no @code{sshd} user while the container needs one--- then it may be

I find the example hard to understand.  How about: “applications in
the container could end up looking up users in the host”?

> +worthwhile to limit which kind of information the host's @code{nscd}
> +daemon may give to the container by adding the following to
> +@code{/etc/nscd.conf}.
> +
> +@example
> +        enable-cache            passwd          no
> +        enable-cache            group           no
> +        enable-cache            netgroup        no
> +@end example

Actually, perhaps the better fix is to never use the host’s nscd?  We
could change ‘containerized-operating-system’ accordingly.

That would allow guest OSes to work correctly regardless of the host’s
nscd config, which seems like an improvement.

Thoughts?

Ludo’.





* [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
  2020-09-13 21:05 ` Ludovic Courtès
@ 2020-09-14  1:05   ` conjaroy
       [not found]     ` <87pn6oq0nc.fsf@gnu.org>
  2020-09-14  7:24   ` Edouard Klein
  1 sibling, 1 reply; 6+ messages in thread
From: conjaroy @ 2020-09-14  1:05 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 43371, edk, 41575


Hello Ludo',

A separate nscd per container also seems like a reasonable option. However,
for the sake of machines hosting many long-lived containers, perhaps we
should consider reducing the cache size: currently it's 32MB for each name
service type, with an expiration of 12-24 hours:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Cheers,

Jason

On Sun, Sep 13, 2020 at 5:05 PM Ludovic Courtès <ludo@gnu.org> wrote:

> Hi,
>
> edk@beaver-labs.com skribis:
>
> > doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> > ---
> >  doc/guix.texi | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/doc/guix.texi b/doc/guix.texi
> > index a6e14ea177..a9472e680e 100644
> > --- a/doc/guix.texi
> > +++ b/doc/guix.texi
> > @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those
> @code{libnss_*.so}
> >  files are loaded in the @command{nscd} process, not in applications
> >  themselves.
> >
> > +For applications running in containers (@pxref{Invokin guix container}),
> > +however, @code{nscd} may leak information from the host to the
> container.
> > +If there is a configuration mismatch between the two ---e.g., the host
> > +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example hard to understand.  How about: “applications in
> the container could end up looking up users in the host”?
>
> > +worthwhile to limit which kind of information the host's @code{nscd}
> > +daemon may give to the container by adding the following to
> > +@code{/etc/nscd.conf}.
> > +
> > +@example
> > +        enable-cache            passwd          no
> > +        enable-cache            group           no
> > +        enable-cache            netgroup        no
> > +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>
> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
>

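As an added example that ties the cache settings Jason mentions to the workaround in the patch (this is not Guix code, nor nscd's or glibc's), here is a small audit of an nscd.conf: it parses nscd's `option database value` lines, flags account databases the host would serve to anything that can reach its socket and caches that are large or long-lived, and rewrites the file with the three `enable-cache ... no` lines. The option names are nscd's own; the thresholds are this example's assumptions, set to the 32MB and 12 hour figures quoted above rather than taken from nscd or Guix defaults; and the sample configuration is constructed.

```python
"""Audit and harden an nscd.conf for a host whose nscd socket is visible to
containers.  Added example for this thread, not Guix, nscd or glibc code.
The `option database value` line format and the option names
(enable-cache, positive-time-to-live, max-db-size) are nscd's own; the
thresholds below are this example's assumptions, chosen to match the
32MB / 12h figures quoted in the thread, not nscd or Guix defaults."""
from typing import Dict, List, Optional, Tuple

# Databases whose answers would let a container see the host's accounts.
ACCOUNT_DBS = ("passwd", "group", "netgroup")
# Assumed review thresholds: anything at or above is reported.
MAX_DB_SIZE_BYTES = 32 * 1024 * 1024
MAX_POSITIVE_TTL = 12 * 3600

Key = Tuple[str, Optional[str]]


def parse_nscd_conf(text: str) -> Dict[Key, str]:
    """Map (option, database) -> value.  Per-database options take three
    words; global ones such as `threads` or `logfile` take two."""
    conf: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if len(words) == 3:
            conf[(words[0], words[1])] = words[2]
        elif len(words) == 2:
            conf[(words[0], None)] = words[1]
        else:
            raise ValueError(f"cannot parse nscd.conf line: {raw!r}")
    return conf


def audit(conf: Dict[Key, str]) -> List[str]:
    """One finding per cache that would expose host accounts or live long."""
    findings = []
    for (option, db), value in sorted(conf.items(), key=str):
        if option == "enable-cache" and db in ACCOUNT_DBS and value == "yes":
            findings.append(f"{db}: host nscd answers {db} lookups for any "
                            f"process that can reach its socket")
        if option == "positive-time-to-live" and int(value) >= MAX_POSITIVE_TTL:
            findings.append(f"{db}: positive entries cached for {value}s")
        if option == "max-db-size" and int(value) >= MAX_DB_SIZE_BYTES:
            findings.append(f"{db}: cache may grow to {value} bytes")
    return findings


def harden(text: str) -> str:
    """Rewrite the config so the account databases are not served, which is
    the /etc/nscd.conf change proposed in the patch.  Other lines, comments
    included, are kept as written; databases the file never mentions get an
    explicit `enable-cache <db> no` appended."""
    out = []
    seen = set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) == 3 and words[0] == "enable-cache" and words[1] in ACCOUNT_DBS:
            out.append(f"\tenable-cache\t\t{words[1]}\t\tno")
            seen.add(words[1])
        else:
            out.append(raw)
    for db in ACCOUNT_DBS:
        if db not in seen:
            out.append(f"\tenable-cache\t\t{db}\t\tno")
    return "\n".join(out) + "\n"


# Constructed sample resembling a host that caches everything (not a real
# host's file; the numbers mirror the 32MB / 12h figures from the thread).
SAMPLE_CONF = """\
# constructed sample nscd.conf
\tenable-cache\t\tpasswd\t\tyes
\tpositive-time-to-live\tpasswd\t\t43200
\tmax-db-size\t\tpasswd\t\t33554432
\tenable-cache\t\tgroup\t\tyes
\tenable-cache\t\thosts\t\tyes
\tpositive-time-to-live\thosts\t\t3600
"""

if __name__ == "__main__":
    for finding in audit(parse_nscd_conf(SAMPLE_CONF)):
        print("finding:", finding)
    print(harden(SAMPLE_CONF))
```

The hosts cache is deliberately left alone by `harden`: host name lookups are what the shared daemon is there for, and they do not disclose the host's accounts.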

* [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
  2020-09-13 21:05 ` Ludovic Courtès
  2020-09-14  1:05   ` conjaroy
@ 2020-09-14  7:24   ` Edouard Klein
       [not found]     ` <87h7r93w96.fsf@gnu.org>
  1 sibling, 1 reply; 6+ messages in thread
From: Edouard Klein @ 2020-09-14  7:24 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 43371, conjaroy, 41575

Hi !

Ludovic Courtès writes:

> Hi,
>
> edk@beaver-labs.com skribis:
>
>> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
>> ---
>>  doc/guix.texi | 16 +++++++++++++++-
>>  1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index a6e14ea177..a9472e680e 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>>  files are loaded in the @command{nscd} process, not in applications
>>  themselves.
>>  
>> +For applications running in containers (@pxref{Invokin guix container}),
>> +however, @code{nscd} may leak information from the host to the container.
>> +If there is a configuration mismatch between the two ---e.g., the host
>> +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example hard to understand.  How about: “applications in
> the container could end up looking up users in the host”?
>
>> +worthwhile to limit which kind of information the host's @code{nscd}
>> +daemon may give to the container by adding the following to
>> +@code{/etc/nscd.conf}.
>> +
>> +@example
>> +        enable-cache            passwd          no
>> +        enable-cache            group           no
>> +        enable-cache            netgroup        no
>> +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>

I think this would be best, but I did not know where to make this
change, so I just edited the doc instead. I don't know if containers
need the host's nscd to avoid the libc issues mentioned in the doc, but
if they don't, then preventing them from accessing the host's nscd seems
logical and would solve the problem. And we wouldn't need to amend the
doc at all.

> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.






* [bug#43371] bug#41575: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
       [not found]     ` <87pn6oq0nc.fsf@gnu.org>
@ 2020-09-14 22:53       ` conjaroy
  0 siblings, 0 replies; 6+ messages in thread
From: conjaroy @ 2020-09-14 22:53 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 43371, edk, 41575


Sure, I'm happy to take a stab at this.

Jason

On Mon, Sep 14, 2020 at 3:28 AM Ludovic Courtès <ludo@gnu.org> wrote:

> In that case, we can have ‘containerized-operating-system’ provide its
> own NSS configuration with a reduced cache size (or without cache since
> there’s caching happening on the host for host name lookups, for
> instance).
>
> WDYT?  Would you like to give it a try?
>
> Thanks,
> Ludo’.
>
>
>
>


* [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
       [not found]     ` <87h7r93w96.fsf@gnu.org>
@ 2020-10-05 17:01       ` Edouard Klein
  0 siblings, 0 replies; 6+ messages in thread
From: Edouard Klein @ 2020-10-05 17:01 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 41575, 43371-done, conjaroy

Thanks to you both :)


Ludovic Courtès writes:

> Hi,
>
> Edouard Klein <edou@rdklein.fr> skribis:
>
>>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>>> could change ‘containerized-operating-system’ accordingly.
>>>
>>
>> I think this would be best, but I did not know where to make this
>> change, so I just edited the doc instead. I don't know if containers
>> need the host's nscd to avoid the libc issues mentioned in the doc, but
>> if they don't, then preventing them from accessing the host's nscd seems
>> logical and would solve the problem. And we wouldn't need to amend the
>> doc at all.
>
> This has now been done by Jason in
> 5627bfe45ce46f498979b4ad2deab1fdfed22b6c.
>
> Closing!
>
> Ludo’.






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
