Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
From: Richard Sent
To: Ludovic Courtès
Cc: Josselin Poiret, Simon Tournier, Mathieu Othacehe, Tobias Geerinckx-Rice, Ricardo Wurmus, Christopher Baines, 70314@debbugs.gnu.org
Date: Wed, 04 Sep 2024 11:01:53 -0400
Message-ID: <871q1zsbry.fsf@freakingpenguin.com>
In-Reply-To: <87jzfree6t.fsf@gnu.org>
References: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com> <87jzfree6t.fsf@gnu.org>

Hi Ludo!

Thanks for the response!
Ludovic Courtès writes:

> Instead of adding the ‘nss-certs’ package, I would rather expose
> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
> certificates will be used, and (2) it’s less expensive than having to
> compute the derivation of ‘nss-certs’.

There is an issue with this that's cropped up in the past. The files in
/etc/ssl/certs/* are symlinks to store items. Because containers only
see a subset of store items that are in that container's profile, it
often sees the symlinks to store items but not the target file. For
example:

--8<---------------cut here---------------start------------->8---
$ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash
[env]$ ls /etc/ssl/certs/ca*
/etc/ssl/certs/ca-certificates.crt  /etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
[env]$ ls -l /etc/ssl/certs/ca6e4ad9.0
lrwxrwxrwx 1 65534 overflow 85 Jan  1  1970 /etc/ssl/certs/ca6e4ad9.0 -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca6e4ad9.0
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
--8<---------------cut here---------------end--------------->8---

We can /sort of/ solve this by adding nss-certs to the container, but
only when the nss-certs being added has the same hash as the nss-certs
package.

--8<---------------cut here---------------start------------->8---
# nss-certs w/o version adds v3.99 to the profile, which doesn't match
# the system. Ergo it's still unavailable.
~ $ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
#
# If we specify 3.88.1, it does work, but only for various nss-certificates,
# not the ca-certificates.crt bundle file (which isn't a package).
guix shell -C bash coreutils nss-certs@3.88.1 --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
# snip, contents of ca6e4ad9.0
#
~ $ guix shell -C bash coreutils nss-certs@3.88.1 --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca-certificates.crt'
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
--8<---------------cut here---------------end--------------->8---

This problem becomes impossible to solve in situations where the system
Guix and user Guix have different nss-certs hashes. Be it by adding
nss-certs to the container profile or by exposing /etc/ssl/certs, we
still need to calculate the nss-certs derivation.

(Perhaps an alternative solution is making sure symlink targets to store
items visible to a container are persisted. I don't know how complicated
that would be, but I imagine it's nontrivial.)

> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
> shell and it will take precedence over /etc/ssl/certs, assuming
> SSL_CERT_{FILE,DIR} is defined.

True, although at present anyone who wants to use nss-certs must set
SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
registers the search path).

--8<---------------cut here---------------start------------->8---
# nss-certs alone doesn't set SSL_CERT_DIR
~ $ guix shell -C bash coreutils nss-certs@3.88.1 -- bash -c 'echo $SSL_CERT_DIR'
# blank
#
# curl registers $SSL_CERT_{FILE,DIR}
~ $ guix shell -C bash coreutils nss-certs@3.88.1 curl -- bash -c 'echo $SSL_CERT_DIR'
/gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs
--8<---------------cut here---------------end--------------->8---

This is unintuitive. Many packages that make use of nss-certs don't
register the search path, e.g. rust-cargo [1]. I'd rather avoid a
solution that is "edit every package that may possibly use nss-certs now
and in the future to register the search path".

> WDYT?

My thoughts are if we have to decide between

1. Users who want TLS with standard public endpoints
2. Users who want TLS with custom private endpoints

it's better to prioritize a good experience for 1 and let 2 opt-out of
the "hand holding" defaults. But perhaps it's possible to make everyone
happy. If desired this patch can be reworked as opt-in.

[1]: https://logs.guix.gnu.org/guix/2024-04-08.log

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
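The failure mode described in the mail (symlinks under /etc/ssl/certs that are visible inside the container while their /gnu/store targets are not) can be checked before any TLS client is trusted to work. The script below is an added example, not part of the mail or of Guix itself: it reports every dangling symlink in a certificate directory and the distinct store items those links point into, so the operator can see which items the container would need to have visible. The `make_sample` function builds a constructed directory tree (fake store, fake cert dir) so the script runs outside Guix; the store-path layout it assumes is the `/gnu/store/<hash>-<name>/...` shape shown in the mail's `ls -l` output.

```shell
#!/bin/sh
# Added example (not from the original mail): find certificate symlinks
# whose targets do not resolve, e.g. inside `guix shell -C` where the
# /etc/ssl/certs symlinks are exposed but their store targets are not.

# Print each dangling symlink in DIR as "LINK -> TARGET".
dangling_links() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue            # only symlinks matter here
        if [ ! -e "$f" ]; then             # -e follows the link; false if dangling
            printf '%s -> %s\n' "$f" "$(readlink "$f")"
        fi
    done
}

# Number of dangling symlinks in DIR.
count_dangling() {
    dangling_links "$1" | wc -l | tr -d ' '
}

# Distinct store items (STORE/<hash>-<name>) that dangling links in DIR
# point into.  STORE defaults to /gnu/store and is overridable so the
# constructed sample below can use a temporary fake store.
missing_store_items() {
    dir=$1; store=${2:-/gnu/store}
    for f in "$dir"/*; do
        [ -L "$f" ] && [ ! -e "$f" ] || continue
        t=$(readlink "$f")
        case $t in
            "$store"/*)
                rest=${t#"$store"/}        # path relative to the store root
                printf '%s/%s\n' "$store" "${rest%%/*}"
                ;;
        esac
    done | sort -u
}

# Constructed sample tree: one resolvable link, one link into a store item
# that is entirely absent (ca-certificates.crt), and one link into a
# present store item but a file that was never created.  The hashes
# ("abc", "def") are placeholders, not real store hashes.
make_sample() {
    tmp=$(mktemp -d)
    item="$tmp/store/abc-nss-certs-3.88.1/etc/ssl/certs"
    mkdir -p "$item" "$tmp/certs"
    printf -- '-----BEGIN CERTIFICATE-----\n' > "$item/ca6e4ad9.0"
    ln -s "$item/ca6e4ad9.0" "$tmp/certs/ca6e4ad9.0"
    ln -s "$tmp/store/def-ca-bundle/ca-certificates.crt" "$tmp/certs/ca-certificates.crt"
    ln -s "$item/missing.0" "$tmp/certs/missing.0"
    echo "$tmp"
}

# Usage inside the container from the mail, with this file saved as
# check-certs.sh:
#   guix shell -C bash coreutils --expose=/etc/ssl/certs -- \
#       sh ./check-certs.sh /etc/ssl/certs
if [ -n "${1:-}" ]; then
    echo "dangling cert symlinks in $1: $(count_dangling "$1")"
    dangling_links "$1"
    echo "store items that would need to be visible in the container:"
    missing_store_items "$1"
fi
```

A non-zero count is the signal that `--expose=/etc/ssl/certs` alone is not enough for this container; the listed store items are the ones whose visibility decides whether the cert files resolve. The check is read-only and needs only `sh`, `readlink` and `sort`, so it can run inside the same minimal `bash coreutils` container the mail uses.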