From 0b6c5acb2fe9b4f6fa29e46c521fcfed9a8e69be Mon Sep 17 00:00:00 2001
From: Jason Conroy
Date: Sun, 27 Sep 2020 13:16:39 -0400
Subject: [PATCH] Instantiate nscd in each system container instead of using the container host's service. Currently, Guix system containers hosted on machines that run nscd are configured to use that daemon's socket by bind-mounting /var/run/nscd into the container's filesystem. As discussed in bug#41575, there are certain nscd configurations that expose information from the host's /etc files into the container's processes, and aside from the security implications, this exposure can lead to anomalous behavior inside the containers, including failure to boot. The following patch gives each container a private nscd instance. While Guix's default nscd configuration caches pretty aggressively (for hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a smaller cache size of 256kB, which means that the overhead of this change should be modest even on systems with many containers. This patch has been lightly tested by verifying the following: - `make check` and `guix pull` - successful boot and operation of a system container - presence of nscd in the container - correct cache sizes in nscd.conf * gnu/system/linux-container.scm (%nscd-container-caches): Add it. (containerized-operating-system): instantiate nscd-service with smaller caches and add it to the generated operating-system, replacing any nscd-service specified by the caller. * gnu/system/file-systems.scm: (%network-file-mappings): remove "/var/run/nscd".
---
 gnu/system/file-systems.scm | 8 ++---
 gnu/system/linux-container.scm | 59 +++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 5c02dfac93..464e87cb18 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès +;;; Copyright © 2020 Google LLC ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Maxim Cournoyer ;;; @@ -590,11 +591,8 @@ a bind mount." ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a ;; symlink to a file in a tmpfs which, for an unknown reason, ;; cannot be bind mounted read-only within the container. - ;; The same goes with /var/run/nscd, as discussed in - ;; . - (writable? (or (string=? file "/etc/resolv.conf") - (string=? file "/var/run/nscd"))))) - (cons "/var/run/nscd" %network-configuration-files))) + (writable? (string=? file "/etc/resolv.conf")))) + %network-configuration-files)) (define (file-system-type-predicate type) "Return a predicate that, when passed a file system, returns #t if that file diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm index c5e2e4bf9c..4a9cd0efe2 100644 --- a/gnu/system/linux-container.scm +++ b/gnu/system/linux-container.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2019 Arun Isaac ;;; Copyright © 2020 Efraim Flashner +;;; Copyright © 2020 Google LLC ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,15 @@ doing anything.") (start #~(const #t)))) #f)) +(define %nscd-container-caches + ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows + ;; many containers to coexist on the same machine without exhausting RAM. + (map (lambda (cache) + (nscd-cache + (inherit cache) + (max-database-size (expt 2 18)))) ;256KiB + %nscd-default-caches)) + (define* (containerized-operating-system os mappings #:key shared-network? 
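Review bot: In the new `%nscd-container-caches`, `(max-database-size (expt 2 18))` is applied to every entry of `%nscd-default-caches` separately, and every other field (TTLs included) is inherited unchanged, so the comment above the `map` understates the real footprint and the commit message's "256kB" does not match the `;256KiB` annotation (2^18 bytes is 256 KiB). Suggest making the comment explicit: `;; Same entries as %nscd-default-caches (same TTLs), but with a 256 KiB cap per database, so many containers can coexist without exhausting RAM.`. Whether 256 KiB per database is large enough to avoid constant eviction for the hosts cache is not established by this hunk; it would be worth confirming by reading nscd's statistics (`nscd -g`) inside a running container.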
@@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." (file-system (inherit (file-system-mapping->bind-mount fs)) (needed-for-boot? #t))) - (define useless-services - ;; Services that make no sense in a container. Those that attempt to - ;; access /dev/tty[0-9] in particular cannot work in a container. + (define services-to-drop + ;; Service types to filter from the original operating-system. Some of + ;; these make no sense in a container (e.g., those that access + ;; /dev/tty[0-9]), while others just need to be reinstantiated with + ;; different configs that are better suited to containers. (append (list console-font-service-type mingetty-service-type - agetty-service-type) - ;; Remove nscd service if network is shared with the host. + agetty-service-type + ;; Reinstantiated below with smaller caches. + nscd-service-type) (if shared-network? - (list nscd-service-type - static-networking-service-type - dhcp-client-service-type - network-manager-service-type - connman-service-type - wicd-service-type) + ;; Replace these with dummy-networking-service-type below. + (list + static-networking-service-type + dhcp-client-service-type + network-manager-service-type + connman-service-type + wicd-service-type) (list)))) + (define services-to-add + (append + ;; Many Guix services depend on a 'networking' shepherd + ;; service, so make sure to provide a dummy 'networking' + ;; service when we are sure that networking is already set up + ;; in the host and can be used. That prevents double setup. + (if shared-network? + (list (service dummy-networking-service-type)) + '()) + (list + (nscd-service (nscd-configuration + (caches %nscd-container-caches)))))) + (operating-system (inherit os) (swap-devices '()) ; disable swap 
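Review bot: The new `services-to-add` unconditionally builds `(nscd-service (nscd-configuration (caches %nscd-container-caches)))`, which silently discards any `name-services` (for example an extra NSS module) or other settings the caller put in their own `nscd-configuration`; the commit message acknowledges the replacement, but the comment `;; Reinstantiated below with smaller caches.` reads as if only the cache sizes change. Consider locating the caller's nscd service and inheriting its configuration, overriding only `caches`, as sketched below; this assumes `service-value` from (gnu services) is in scope and that SRFI-1 `find` is available, which seems likely since `remove` is already used in this function. If the caller's configuration should deliberately be dropped, the comment on the `nscd-service-type` entry of `services-to-drop` should say so. `containerized-operating-system` starts before and ends after this hunk.

```scheme
  (define container-nscd-config
    ;; Start from the caller's nscd configuration, if any, so that its
    ;; name-services and other settings survive; only shrink the caches.
    (let ((user-nscd (find (lambda (service)
                             (eq? (service-kind service) nscd-service-type))
                           (operating-system-user-services os))))
      (nscd-configuration
       (inherit (if user-nscd (service-value user-nscd) (nscd-configuration)))
       (caches %nscd-container-caches))))

  (define services-to-add
    (append
     ;; … unchanged: dummy 'networking' service when SHARED-NETWORK? …
     (list (nscd-service container-nscd-config))))
```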
@@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." #:shared-network? shared-network?)) (services (append (remove (lambda (service) (memq (service-kind service) - useless-services)) + services-to-drop)) (operating-system-user-services os)) - ;; Many Guix services depend on a 'networking' shepherd - ;; service, so make sure to provide a dummy 'networking' - ;; service when we are sure that networking is already set up - ;; in the host and can be used. That prevents double setup. - (if shared-network? - (list (service dummy-networking-service-type)) - '()))) + services-to-add)) (file-systems (append (map mapping->fs (if shared-network? (append %network-file-mappings mappings) -- 2.20.1