unofficial mirror of guix-patches@gnu.org 
From: Jason Conroy <conjaroy@gmail.com>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 43540@debbugs.gnu.org
Subject: [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
Date: Sun, 27 Sep 2020 13:44:32 -0400	[thread overview]
Message-ID: <CABWzUjVfHTvJK=tO7J2CwZ7gwTKqtAQY+_MKS6bbKM95FFsxYQ@mail.gmail.com> (raw)
In-Reply-To: <87ft777gdv.fsf@gnu.org>



Hi Mathieu, thanks for the feedback. Please find the revised patch and log
attached.

Cheers,

Jason


On Thu, Sep 24, 2020 at 4:01 AM Mathieu Othacehe <othacehe@gnu.org> wrote:

>
> Hello Jason,
>
> Thanks for this patch. You need to write a commit message that is
> compliant with the ChangeLog format, see:
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
>
> > +(define %nscd-container-caches
> > +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> > +  ;; many containers to coexist on the same machine without exhausting RAM.
> > +  (list (nscd-cache (database 'hosts)
> > +                    (positive-time-to-live (* 3600 12))
> > +                    (negative-time-to-live 20)
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))
> > +        (nscd-cache (database 'services)
> > +                    (positive-time-to-live (* 3600 24))
> > +                    (negative-time-to-live 3600)
> > +                    (check-files? #t)   ;check /etc/services changes
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))))
>
> You can write something like:
>
> --8<---------------cut here---------------start------------->8---
> (map (lambda (cache)
>        (nscd-cache
>         (inherit cache)
>         (max-database-size (expt 2 18)))) ;256KiB
>      %nscd-default-caches)
> --8<---------------cut here---------------end--------------->8---
>
> to avoid repeating the same values.
>
> Otherwise, looks nice. Could you please send an updated version?
>
> Thanks,
>
> Mathieu
> --
> https://othacehe.org
>


[-- Attachment #2: one-nscd-per-container-v2.patch --]
[-- Type: text/x-patch, Size: 7620 bytes --]

From 0b6c5acb2fe9b4f6fa29e46c521fcfed9a8e69be Mon Sep 17 00:00:00 2001
From: Jason Conroy <jconroy@google.com>
Date: Sun, 27 Sep 2020 13:16:39 -0400
Subject: [PATCH] Instantiate nscd in each system container instead of using
 the container host's service.

Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into the
container's filesystem. As discussed in bug#41575, there are certain nscd
configurations that expose information from the host's /etc files into the
container's processes, and aside from the security implications, this exposure
can lead to anomalous behavior inside the containers, including failure to
boot.

The following patch gives each container a private nscd instance. While Guix's
default nscd configuration caches pretty aggressively (for hostnames, up to
32MB with a 12h TTL), the per-container nscd uses a smaller cache size of
256kB, which means that the overhead of this change should be modest even on
systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

* gnu/system/linux-container.scm (%nscd-container-caches): Add it.
(containerized-operating-system): Instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm (%network-file-mappings): Remove "/var/run/nscd".
---
 gnu/system/file-systems.scm    |  8 ++---
 gnu/system/linux-container.scm | 59 +++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 24 deletions(-)

diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 5c02dfac93..464e87cb18 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Google LLC
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
@@ -590,11 +591,8 @@ a bind mount."
                  ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
                  ;; symlink to a file in a tmpfs which, for an unknown reason,
                  ;; cannot be bind mounted read-only within the container.
-                 ;; The same goes with /var/run/nscd, as discussed in
-                 ;; <https://bugs.gnu.org/37967>.
-                 (writable? (or (string=? file "/etc/resolv.conf")
-                                (string=? file "/var/run/nscd")))))
-              (cons "/var/run/nscd" %network-configuration-files)))
+                 (writable? (string=? file "/etc/resolv.conf"))))
+              %network-configuration-files))
 
 (define (file-system-type-predicate type)
   "Return a predicate that, when passed a file system, returns #t if that file
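Review bot: the ChangeLog entry for this hunk only says 'remove "/var/run/nscd"', but the hunk also drops the comment pointing at <https://bugs.gnu.org/37967> and removes the nscd socket bind mount for every consumer of %network-file-mappings, not just the shared-network path in containerized-operating-system; the entry should say both, and the remaining XXX comment could mention that the nscd socket is no longer mapped because each container now runs its own nscd. The simplified `(writable? (string=? file "/etc/resolv.conf"))` is correct as written.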
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c5e2e4bf9c..4a9cd0efe2 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2020 Google LLC
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,15 @@ doing anything.")
            (start #~(const #t))))
    #f))
 
+(define %nscd-container-caches
+  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
+  ;; many containers to coexist on the same machine without exhausting RAM.
+  (map (lambda (cache)
+         (nscd-cache
+          (inherit cache)
+          (max-database-size (expt 2 18)))) ;256KiB
+       %nscd-default-caches))
+
 (define* (containerized-operating-system os mappings
                                          #:key
                                          shared-network?
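Review bot: this hunk references nscd-cache and %nscd-default-caches but adds no use-modules clause, so confirm the module that exports them is already imported at the top of linux-container.scm (the file already used nscd-service-type, so it probably is, but the build will fail at load time otherwise). The inline comment says 256KiB while the commit message says 256kB; `(expt 2 18)` is 262144 bytes, so make the two agree. It may also be worth noting in the comment that every other field, including persistent? and check-files?, is inherited unchanged from %nscd-default-caches, so each container writes its own persistent databases.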
@@ -100,22 +110,39 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
     (file-system (inherit (file-system-mapping->bind-mount fs))
       (needed-for-boot? #t)))
 
-  (define useless-services
-    ;; Services that make no sense in a container.  Those that attempt to
-    ;; access /dev/tty[0-9] in particular cannot work in a container.
+  (define services-to-drop
+    ;; Service types to filter from the original operating-system. Some of
+    ;; these make no sense in a container (e.g., those that access
+    ;; /dev/tty[0-9]), while others just need to be reinstantiated with
+    ;; different configs that are better suited to containers.
     (append (list console-font-service-type
                   mingetty-service-type
-                  agetty-service-type)
-            ;; Remove nscd service if network is shared with the host.
+                  agetty-service-type
+                  ;; Reinstantiated below with smaller caches.
+                  nscd-service-type)
             (if shared-network?
-                (list nscd-service-type
-                      static-networking-service-type
-                      dhcp-client-service-type
-                      network-manager-service-type
-                      connman-service-type
-                      wicd-service-type)
+                ;; Replace these with dummy-networking-service-type below.
+                (list
+                 static-networking-service-type
+                 dhcp-client-service-type
+                 network-manager-service-type
+                 connman-service-type
+                 wicd-service-type)
                 (list))))
 
+  (define services-to-add
+    (append
+     ;; Many Guix services depend on a 'networking' shepherd
+     ;; service, so make sure to provide a dummy 'networking'
+     ;; service when we are sure that networking is already set up
+     ;; in the host and can be used.  That prevents double setup.
+     (if shared-network?
+         (list (service dummy-networking-service-type))
+         '())
+     (list
+      (nscd-service (nscd-configuration
+                     (caches %nscd-container-caches))))))
+
   (operating-system
     (inherit os)
     (swap-devices '()) ; disable swap
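Review bot: nscd-service-type is now removed unconditionally and replaced by `(nscd-service (nscd-configuration (caches %nscd-container-caches)))`, so any other field the caller set on its own nscd-configuration is silently discarded; consider locating the caller's nscd service in (operating-system-user-services os), when present, and building the replacement with `(nscd-configuration (inherit <original>) (caches %nscd-container-caches))` so that only the caches change, and in any case state the replacement in the docstring of containerized-operating-system, since this is a behaviour change for callers that previously kept their nscd service when shared-network? was #f. Minor style point: `(list` followed by its first element on the next line is unusual in Guix; keep `static-networking-service-type` on the `(list` line as the removed code did.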
@@ -124,15 +151,9 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
                          #:shared-network? shared-network?))
     (services (append (remove (lambda (service)
                                 (memq (service-kind service)
-                                      useless-services))
+                                      services-to-drop))
                               (operating-system-user-services os))
-                      ;; Many Guix services depend on a 'networking' shepherd
-                      ;; service, so make sure to provide a dummy 'networking'
-                      ;; service when we are sure that networking is already set up
-                      ;; in the host and can be used.  That prevents double setup.
-                      (if shared-network?
-                          (list (service dummy-networking-service-type))
-                          '())))
+                      services-to-add))
     (file-systems (append (map mapping->fs
                                (if shared-network?
                                    (append %network-file-mappings mappings)
-- 
2.20.1


Thread overview: 4+ messages
2020-09-20 22:05 [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service Jason Conroy
2020-09-24  8:01 ` Mathieu Othacehe
2020-09-27 17:44   ` Jason Conroy [this message]
2020-10-01  7:29     ` bug#43540: " Mathieu Othacehe
