Subject: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
To: Ludovic Courtès
Cc: 43371@debbugs.gnu.org, edk@beaver-labs.com, 41575@debbugs.gnu.org
From: conjaroy
Date: Sun, 13 Sep 2020 21:05:58 -0400

Hello Ludo',

A separate nscd per container also seems like a reasonable option.
However, for the sake of machines hosting many long-lived containers,
perhaps we should consider reducing the cache size: currently it's 32MB
for each name service type, with an expiration of 12-24 hours:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Cheers,
Jason

On Sun, Sep 13, 2020 at 5:05 PM Ludovic Courtès <ludo@gnu.org> wrote:
> Hi,
>
> edk@beaver-labs.com skribis:
>
> > doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> > ---
> >  doc/guix.texi | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/doc/guix.texi b/doc/guix.texi
> > index a6e14ea177..a9472e680e 100644
> > --- a/doc/guix.texi
> > +++ b/doc/guix.texi
> > @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
> >  files are loaded in the @command{nscd} process, not in applications
> >  themselves.
> >
> > +For applications running in containers (@pxref{Invokin guix container}),
> > +however, @code{nscd} may leak information from the host to the container.
> > +If there is a configuration mismatch between the two ---e.g., the host
> > +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
> > +worthwhile to limit which kind of information the host's @code{nscd}
> > +daemon may give to the container by adding the following to
> > +@code{/etc/nscd.conf}.
> > +
> > +@example
> > +        enable-cache            passwd          no
> > +        enable-cache            group           no
> > +        enable-cache            netgroup        no
> > +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>
> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
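Review bot: the cross-reference `@pxref{Invokin guix container}` in the first added line misspells the node name; Texinfo resolves `@pxref` against the exact node title, so it needs to be `@pxref{Invoking guix container}` or makeinfo will report an undefined cross-reference. Two smaller points on the same hunk: the three `enable-cache` lines inside `@example` carry eight columns of leading whitespace, which Texinfo preserves verbatim in the rendered manual, so they should start at the margin; and since the paragraph is written for the Guix manual, it should say where these settings live on Guix System, where `/etc/nscd.conf` is generated from the nscd service's configuration (the `gnu/services/base.scm` location Jason links to above) rather than edited by hand, otherwise readers of the manual will edit a file that the next reconfigure overwrites.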
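Jason's point above (a smaller cache) and the patch's mitigation (no passwd, group or netgroup caching on the host) can both be expressed in the host's Guix System declaration rather than in a hand-edited /etc/nscd.conf. The following is an added example; it is not code from the patch, from anyone in the thread, or from Guix itself. It assumes the `nscd-configuration` and `nscd-cache` record fields documented in the Base Services section of the Guix manual, and the one-hour TTL and 4 MiB size are illustrative values chosen here, not figures from the thread.

```scheme
;; Added example, not part of the patch or the thread.  Host-side Guix
;; System configuration that (a) caches only the hosts and services
;; databases, so a container sharing the host's nscd cannot obtain host
;; passwd/group/netgroup entries through it, and (b) shrinks those caches,
;; following Jason's remark that the defaults are 32MB per database with a
;; 12-24 hour expiry.  Assumes the nscd-configuration / nscd-cache records
;; from (gnu services base); the sizes and TTLs below are illustrative.
(use-modules (gnu)
             (gnu services base))

(define %one-hour 3600)
(define %four-mib (* 4 (expt 2 20)))

(define (small-cache db)
  "Return an nscd cache for database DB with a short TTL and a small size."
  (nscd-cache (database db)
              (positive-time-to-live %one-hour)   ; Guix default: 12-24 h
              (negative-time-to-live 20)          ; remember misses briefly
              (max-database-size %four-mib)))     ; Guix default: 32 MiB

;; Only these two databases are cached.  passwd, group and netgroup are
;; deliberately absent: nscd enables a database only when its
;; configuration says so (assumption based on glibc's nscd defaults), so
;; leaving them out has the same effect as the "enable-cache passwd no"
;; lines proposed in the patch, without a hand-maintained /etc/nscd.conf.
(define %restricted-nscd-caches
  (map small-cache '(hosts services)))

;; Drop-in replacement for the nscd entry of %base-services.  Use it in an
;; operating-system declaration as:
;;   (services (modify-services %base-services
;;               (nscd-service-type config => (restrict-nscd config))))
(define (restrict-nscd config)
  "Return CONFIG with its caches replaced by %restricted-nscd-caches."
  (nscd-configuration
   (inherit config)
   (caches %restricted-nscd-caches)))
```

The design keeps the host's own hosts and services lookups cached (the part of nscd that containers benefit from) while removing the account databases from the shared daemon entirely; it does not address Ludo's alternative of giving each container its own nscd, which would have to be done in `containerized-operating-system` rather than in the host configuration.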