Subject: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
From: Andreas Enge
To: Ludovic Courtès
Cc: 70933@debbugs.gnu.org
Date: Fri, 31 May 2024 16:26:58 +0200
References: <67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@enge.fr> <87mso6rxzz.fsf@gnu.org>
In-Reply-To: <87mso6rxzz.fsf@gnu.org>
On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
> Andreas Enge wrote:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that work in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable.

The only solution I see is to use a ternary value, allowing chroot? to be
#f, #t or 'default, with the last one, you guessed it, being the default.
It would be replaced by #f or #t depending on whether we are in a
container or not. I had considered it when suggesting the patch, but found
it a bit too much shepherding; I still think that "chroot? (default: #t)"
would be enough.

Andreas
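The ternary chroot? field described in the message above, as an added Guile sketch that is not part of the patch, of this thread, or of Guix's own guix-configuration. The <daemon-config> record, the in-container? parameter and the function names are assumptions made for the example; the only thing taken from the page is the three-valued field (#f, #t, 'default) and the rule that 'default resolves to #f inside a container and #t on a real machine:

```scheme
;; Added sketch, not Guix code: a three-valued chroot? setting resolved
;; against a container check, as proposed in the thread.
(use-modules (srfi srfi-9)
             (ice-9 match))

;; Hypothetical stand-in for the relevant slice of guix-configuration.
;; chroot? holds #t, #f or the symbol 'default.
(define-record-type <daemon-config>
  (make-daemon-config chroot?)
  daemon-config?
  (chroot? daemon-config-chroot?))

;; Hypothetical container check.  The real one would inspect the running
;; system; here it is a parameter so the example can be run both ways.
(define in-container? (make-parameter #f))

(define (resolve-chroot? config)
  "Return #t or #f for CONFIG's chroot? field.  'default means: chroot
builds on a real machine, no chroot builds inside a container.  Any other
value is rejected instead of being treated as true."
  (match (daemon-config-chroot? config)
    ('default (not (in-container?)))
    ((? boolean? value) value)
    (other (error "chroot? must be #t, #f or 'default:" other))))

(define (chroot-arguments config)
  "Extra guix-daemon command-line arguments implied by CONFIG."
  (if (resolve-chroot? config)
      '()
      '("--disable-chroot")))

;; Exercise the three settings inside and outside a container.
(for-each
 (lambda (setting)
   (for-each
    (lambda (container?)
      (parameterize ((in-container? container?))
        (format #t "chroot?=~s container?=~s => ~s~%"
                setting container?
                (chroot-arguments (make-daemon-config setting)))))
    '(#f #t)))
 '(default #t #f))
```

Run with `guile chroot-ternary.scm` (file name is arbitrary). With 'default, "--disable-chroot" is emitted only when in-container? is true; an explicit #t yields no flag even inside a container, which is the privileged-container case from the thread; an explicit #f always emits the flag. The match clause errors on anything outside those three values, so a mistyped setting cannot silently turn off the daemon's chroot isolation.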