* [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
From: Jason Conroy @ 2020-09-20 22:05 UTC
  To: 43540



Hello Guix,

Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into
the container's filesystem. As discussed in bug#41575, there are certain
nscd configurations that expose information from the host's /etc files into
the container's processes, and aside from the security implications, this
exposure can lead to anomalous behavior inside the containers, including
failure to boot.

The following patch gives each container a private nscd instance. While
Guix's default nscd configuration caches pretty aggressively (for
hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a
smaller cache size of 256kB, which means that the overhead of this change
should be modest even on systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

Per my employer's guidelines for OSS contributors, this patch contains:

- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
with Ludo')

Thanks!

Jason


[-- Attachment #2: one-nscd-per-container.patch --]
[-- Type: application/x-patch, Size: 6669 bytes --]
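
A verification helper for the checks listed above (that the container's nscd is its own rather than the host's, and that nscd.conf carries the smaller cache size), added here as an example and not taken from the patch or from Guix: it looks for /var/run/nscd among the mount points in /proc/self/mountinfo and reads the glibc nscd.conf `max-db-size` line for a given database. The mountinfo and nscd.conf texts embedded below are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# Two checks for the situation the thread describes: is a container's
# /var/run/nscd mounted in from outside (the host's nscd socket), and what
# cache ceiling does the nscd.conf in effect set?  Both take text arguments so
# they run equally on /proc/self/mountinfo and /etc/nscd.conf or on samples.

# Exit 0 when MOUNTINFO_TEXT has a mount whose mount point (field 5 of
# /proc/PID/mountinfo) is /var/run/nscd, i.e. the socket directory is mapped in.
nscd_dir_is_mounted() {
  printf '%s\n' "$1" |
    awk '$5 == "/var/run/nscd" { found = 1 } END { exit !found }'
}

# Print the max-db-size (bytes) that NSCD_CONF_TEXT sets for database DB;
# print nothing when the database has no explicit max-db-size line.
nscd_max_db_size() {
  printf '%s\n' "$1" |
    awk -v db="$2" '$1 == "max-db-size" && $2 == db { print $3; exit }'
}

# Constructed sample: container whose /var/run/nscd is bound from the host.
SHARED_MOUNTINFO='36 35 0:34 / / rw,relatime - ext4 /dev/vda1 rw
41 36 0:21 /run/nscd /var/run/nscd rw,relatime - tmpfs none rw
42 36 0:21 /etc/resolv.conf /etc/resolv.conf rw,relatime - tmpfs none rw'

# Constructed sample: the same container after the patch; only resolv.conf is mapped.
PRIVATE_MOUNTINFO='36 35 0:34 / / rw,relatime - ext4 /dev/vda1 rw
42 36 0:21 /etc/resolv.conf /etc/resolv.conf rw,relatime - tmpfs none rw'

# Constructed sample: hosts stanza of a container nscd.conf using the
# %nscd-container-caches ceiling, (expt 2 18) = 262144 bytes = 256 KiB.
CONTAINER_NSCD_CONF='positive-time-to-live hosts 43200
negative-time-to-live hosts 20
persistent hosts yes
max-db-size hosts 262144'

# Run both checks against the system this script is executing on.
report_live_system() {
  if nscd_dir_is_mounted "$(cat /proc/self/mountinfo)"; then
    echo "/var/run/nscd is a mount point: nscd is shared with the host"
  else
    echo "/var/run/nscd is not a mount point: nscd, if present, is local"
  fi
  if [ -r /etc/nscd.conf ]; then
    echo "hosts max-db-size: $(nscd_max_db_size "$(cat /etc/nscd.conf)" hosts) bytes"
  fi
}

if [ "${1:-}" = "--live" ]; then report_live_system; fi
```

Run it with `--live` inside a container to get the two findings for that container; without arguments it only defines the functions and samples.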


* [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
From: Mathieu Othacehe @ 2020-09-24  8:01 UTC
  To: Jason Conroy; +Cc: 43540


Hello Jason,

Thanks for this patch. You need to write a commit message that is
compliant with the ChangeLog format, see:
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.

> +(define %nscd-container-caches
> +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> +  ;; many containers to coexist on the same machine without exhausting RAM.
> +  (list (nscd-cache (database 'hosts)
> +                    (positive-time-to-live (* 3600 12))
> +                    (negative-time-to-live 20)
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))
> +        (nscd-cache (database 'services)
> +                    (positive-time-to-live (* 3600 24))
> +                    (negative-time-to-live 3600)
> +                    (check-files? #t)   ;check /etc/services changes
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))))

You can write something like:

--8<---------------cut here---------------start------------->8---
(map (lambda (cache)
       (nscd-cache
        (inherit cache)
        (max-database-size (expt 2 18)))) ;256KiB
     %nscd-default-caches)
--8<---------------cut here---------------end--------------->8---

to avoid repeating the same values.

Otherwise, looks nice. Could you please send an updated version?

Thanks,

Mathieu
-- 
https://othacehe.org

* [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
From: Jason Conroy @ 2020-09-27 17:44 UTC
  To: Mathieu Othacehe; +Cc: 43540



Hi Mathieu, thanks for the feedback. Please find the revised patch and log
attached.

Cheers,

Jason

[-- Attachment #2: one-nscd-per-container-v2.patch --]
[-- Type: text/x-patch, Size: 7620 bytes --]

From 0b6c5acb2fe9b4f6fa29e46c521fcfed9a8e69be Mon Sep 17 00:00:00 2001
From: Jason Conroy <jconroy@google.com>
Date: Sun, 27 Sep 2020 13:16:39 -0400
Subject: [PATCH] Instantiate nscd in each system container instead of using
 the container host's service.

Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into the
container's filesystem. As discussed in bug#41575, there are certain nscd
configurations that expose information from the host's /etc files into the
container's processes, and aside from the security implications, this exposure
can lead to anomalous behavior inside the containers, including failure to
boot.

The following patch gives each container a private nscd instance. While Guix's
default nscd configuration caches pretty aggressively (for hostnames, up to
32MB with a 12h TTL), the per-container nscd uses a smaller cache size of
256kB, which means that the overhead of this change should be modest even on
systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

* gnu/system/linux-container.scm (%nscd-container-caches): Add it.
(containerized-operating-system): Instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm (%network-file-mappings): Remove "/var/run/nscd".
---
 gnu/system/file-systems.scm    |  8 ++---
 gnu/system/linux-container.scm | 59 +++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 24 deletions(-)

diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 5c02dfac93..464e87cb18 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Google LLC
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
@@ -590,11 +591,8 @@ a bind mount."
                  ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
                  ;; symlink to a file in a tmpfs which, for an unknown reason,
                  ;; cannot be bind mounted read-only within the container.
-                 ;; The same goes with /var/run/nscd, as discussed in
-                 ;; <https://bugs.gnu.org/37967>.
-                 (writable? (or (string=? file "/etc/resolv.conf")
-                                (string=? file "/var/run/nscd")))))
-              (cons "/var/run/nscd" %network-configuration-files)))
+                 (writable? (string=? file "/etc/resolv.conf"))))
+              %network-configuration-files))
 
 (define (file-system-type-predicate type)
   "Return a predicate that, when passed a file system, returns #t if that file
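Review bot: dropping `(cons "/var/run/nscd" %network-configuration-files)` in favour of plain `%network-configuration-files` removes the host nscd socket from `%network-file-mappings` for every consumer of that public binding, not only for the container code changed in the next file; before pushing, check the other users of `%network-file-mappings` in the tree and confirm each either gets its own nscd or works without one. The remaining comment now speaks only about /etc/resolv.conf and reads correctly as is.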
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c5e2e4bf9c..4a9cd0efe2 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2020 Google LLC
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,15 @@ doing anything.")
            (start #~(const #t))))
    #f))
 
+(define %nscd-container-caches
+  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
+  ;; many containers to coexist on the same machine without exhausting RAM.
+  (map (lambda (cache)
+         (nscd-cache
+          (inherit cache)
+          (max-database-size (expt 2 18)))) ;256KiB
+       %nscd-default-caches))
+
 (define* (containerized-operating-system os mappings
                                          #:key
                                          shared-network?
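Review bot: the `;256KiB` remark next to `(max-database-size (expt 2 18))` states the new ceiling but not what it is shrinking from; since the commit message gives the default hosts cache as 32MB, a short comment such as `;; 256KiB instead of the 32MiB default in %nscd-default-caches` would keep that rationale with the code. It is worth saying in the same comment that the `map` deliberately keeps every other field of the default caches (TTLs, `persistent?`, `check-files?`), which is what the cover letter describes.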
@@ -100,22 +110,39 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
     (file-system (inherit (file-system-mapping->bind-mount fs))
       (needed-for-boot? #t)))
 
-  (define useless-services
-    ;; Services that make no sense in a container.  Those that attempt to
-    ;; access /dev/tty[0-9] in particular cannot work in a container.
+  (define services-to-drop
+    ;; Service types to filter from the original operating-system. Some of
+    ;; these make no sense in a container (e.g., those that access
+    ;; /dev/tty[0-9]), while others just need to be reinstantiated with
+    ;; different configs that are better suited to containers.
     (append (list console-font-service-type
                   mingetty-service-type
-                  agetty-service-type)
-            ;; Remove nscd service if network is shared with the host.
+                  agetty-service-type
+                  ;; Reinstantiated below with smaller caches.
+                  nscd-service-type)
             (if shared-network?
-                (list nscd-service-type
-                      static-networking-service-type
-                      dhcp-client-service-type
-                      network-manager-service-type
-                      connman-service-type
-                      wicd-service-type)
+                ;; Replace these with dummy-networking-service-type below.
+                (list
+                 static-networking-service-type
+                 dhcp-client-service-type
+                 network-manager-service-type
+                 connman-service-type
+                 wicd-service-type)
                 (list))))
 
+  (define services-to-add
+    (append
+     ;; Many Guix services depend on a 'networking' shepherd
+     ;; service, so make sure to provide a dummy 'networking'
+     ;; service when we are sure that networking is already set up
+     ;; in the host and can be used.  That prevents double setup.
+     (if shared-network?
+         (list (service dummy-networking-service-type))
+         '())
+     (list
+      (nscd-service (nscd-configuration
+                     (caches %nscd-container-caches))))))
+
   (operating-system
     (inherit os)
     (swap-devices '()) ; disable swap
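Review bot: `nscd-service-type` is now in `services-to-drop` unconditionally and `services-to-add` always appends a fresh `(nscd-service (nscd-configuration (caches %nscd-container-caches)))`, so any `nscd-configuration` the caller put in OS (a different `name-services` list, `debug-level`, or deliberately no nscd at all) is discarded in favour of defaults with small caches. The commit message acknowledges this ("replacing any nscd-service specified by the caller"), but it is a visible behaviour change: consider either documenting it in the `containerized-operating-system` docstring or, better, locating the caller's nscd service in `(operating-system-user-services os)` and rebuilding its configuration with `(inherit ...)` and `(caches %nscd-container-caches)`, falling back to the default configuration only when the OS has none. Note also that before this hunk nscd was dropped only under `shared-network?`, so containers with private networking now also have their nscd replaced; the `;; Reinstantiated below with smaller caches.` comment could say that this applies in both modes.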
@@ -124,15 +151,9 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
                          #:shared-network? shared-network?))
     (services (append (remove (lambda (service)
                                 (memq (service-kind service)
-                                      useless-services))
+                                      services-to-drop))
                               (operating-system-user-services os))
-                      ;; Many Guix services depend on a 'networking' shepherd
-                      ;; service, so make sure to provide a dummy 'networking'
-                      ;; service when we are sure that networking is already set up
-                      ;; in the host and can be used.  That prevents double setup.
-                      (if shared-network?
-                          (list (service dummy-networking-service-type))
-                          '())))
+                      services-to-add))
     (file-systems (append (map mapping->fs
                                (if shared-network?
                                    (append %network-file-mappings mappings)
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* bug#43540: [PATCH] Instantiate nscd in each system container instead of using the container host's service.
From: Mathieu Othacehe @ 2020-10-01  7:29 UTC
  To: Jason Conroy; +Cc: 43540-done


Hey Jason,

> Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.

Pushed with a slightly adjusted commit message as
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Thanks,

Mathieu