all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
@ 2024-05-14 11:50 Andreas Enge
  2024-05-31 12:01 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Enge @ 2024-05-14 11:50 UTC (permalink / raw)
  To: 70933; +Cc: Andreas Enge

The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.

Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.

Andreas



* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".

Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
 gnu/system/linux-container.scm | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
                                              (nscd-configuration
                                               (inherit (service-value s))
                                               (caches %nscd-container-caches))))
-                                   ((eq? guix-service-type (service-kind s))
-                                    ;; Pass '--disable-chroot' so that
-                                    ;; guix-daemon can build thing even in
-                                    ;; Docker without '--privileged'.
-                                    (service guix-service-type
-                                             (guix-configuration
-                                              (inherit (service-value s))
-                                              (extra-options
-                                               (cons "--disable-chroot"
-                                                     (guix-configuration-extra-options
-                                                      (service-value s)))))))
                                    (else s)))
                            (operating-system-user-services os))))
       (file-systems (append (map mapping->fs

base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
-- 
2.41.0





^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
  2024-05-14 11:50 [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers Andreas Enge
@ 2024-05-31 12:01 ` Ludovic Courtès
  2024-05-31 14:26   ` Andreas Enge
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2024-05-31 12:01 UTC (permalink / raw)
  To: Andreas Enge; +Cc: 70933

Hi,

Andreas Enge <andreas@enge.fr> skribis:

> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.

[...]

> -                                   ((eq? guix-service-type (service-kind s))
> -                                    ;; Pass '--disable-chroot' so that
> -                                    ;; guix-daemon can build thing even in
> -                                    ;; Docker without '--privileged'.

This is tricky, I’m not sure how to provide defaults that works in most
common setups while still allowing the use of privileged Docker
containers as in your case.

I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.

Thoughts?

Ludo’.




^ permalink raw reply	[flat|nested] 4+ messages in thread
* [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
  2024-05-31 12:01 ` Ludovic Courtès
@ 2024-05-31 14:26   ` Andreas Enge
  2024-06-25 15:30     ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Enge @ 2024-05-31 14:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 70933

Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
> Andreas Enge <andreas@enge.fr> skribis:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.

I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.

Andreas





^ permalink raw reply	[flat|nested] 4+ messages in thread
* [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
  2024-05-31 14:26   ` Andreas Enge
@ 2024-06-25 15:30     ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2024-06-25 15:30 UTC (permalink / raw)
  To: Andreas Enge; +Cc: 70933

Hi!

Andreas Enge <andreas@enge.fr> skribis:

> Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
>> Andreas Enge <andreas@enge.fr> skribis:
>> > The rationale for these lines is that they enable non-privileged docker
>> > containers. But I would like to create a privileged container with
>> > chroot (in an openshift environment, where I suppose this environment
>> > does additional encapsulation to enforce security), which these lines
>> > prevent.
>> > Users can still add the option. Alternatively, we could add an additional
>> > field "chroot? (default: #t)" to guix-configuration.
>> This is tricky, I’m not sure how to provide defaults that works in most
>> common setups while still allowing the use of privileged Docker
>> containers as in your case.
>
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.

Making it a ternary value sounds like a good idea, indeed.  #t, #f, and
'default sounds like a good choice to me.

Thanks!

Ludo’.




^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-06-25 15:31 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-14 11:50 [bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers Andreas Enge
2024-05-31 12:01 ` Ludovic Courtès
2024-05-31 14:26   ` Andreas Enge
2024-06-25 15:30     ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.