Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
From: Ludovic Courtès
To: Richard Sent
Cc: Josselin Poiret, Simon Tournier, Mathieu Othacehe, Tobias Geerinckx-Rice, Ricardo Wurmus, Christopher Baines, 70314@debbugs.gnu.org
Date: Sun, 15 Sep 2024 23:49:27 +0200
Message-ID: <87o74obna0.fsf@gnu.org>
In-Reply-To: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com> (Richard Sent's message of "Tue, 9 Apr 2024 15:05:29 -0400")

Hi,

Richard Sent skribis:

> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7

[...]

> +  #:autoload   (gnu packages certs) (nss-certs)
>    #:autoload   (gnu packages bash) (bash)
>    #:autoload   (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
>    #:autoload   (gnu packages package-management) (guix)
> @@ -72,6 +73,9 @@ (define-module (guix scripts environment)
>  (define %default-shell
>    (or (getenv "SHELL") "/bin/sh"))
>  
> +(define %default-tls-certs
> +  (list nss-certs))

This would force all the package modules to be loaded upfront.  Instead
you should arrange to not refer to ‘nss-certs’ until it’s needed.

This matters for startup time.  To see how it affects the command, you
can run:

  strace -c guix shell coreutils -- true

The second run should make as few system calls as possible.

> +          (lambda (opt name arg result)
> +            (alist-cons 'no-tls? #t result)))

Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
of thumb, I always avoid negating Booleans in code).

> +      (('network? . #t)
> +       (if (assoc-ref opts 'no-tls?)
> +           '()
> +           (manifest-entries
> +            (packages->manifest %default-tls-certs))))

Can we delay changes to the manifest until after all options have been
parsed, so we know whether ‘-C’ has been passed?

That way ‘guix shell -N --no-tls’ does not add ‘nss-certs’ to the
environments.

>  (define* (launch-environment/container #:key command bash user user-mappings
>                                         profile manifest link-profile? network?
> -                                       map-cwd? emulate-fhs? nesting?
> +                                       no-tls? map-cwd? emulate-fhs? nesting?

Same as above: ‘tls?’ rather than ‘no-tls?’.

Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
pass.

Thanks,
Ludo’.
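Review bot: the top-level `(define %default-tls-certs (list nss-certs))` in the `@@ -72,6 +73,9 @@` hunk evaluates `nss-certs` at module load time, which triggers the `#:autoload (gnu packages certs) (nss-certs)` added in the first hunk on every invocation, including ones that never touch a container. Turning it into a procedure, e.g. `(define (default-tls-certs) (list nss-certs))`, and calling it only from the networked-container path keeps the autoload dormant until it is needed.

Review bot: the `(('network? . #t) (if (assoc-ref opts 'no-tls?) ...))` clause adds `nss-certs` on `-N` alone, while the commit message scopes the behaviour to "a container with -N". Because the clause matches a single option, it cannot see whether the option recording `-C` is also present, so a plain `guix shell -N` (no container) would receive `nss-certs` too; computing these extra manifest entries once, after all options are parsed, from both the container and network flags avoids that.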
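The lazy-reference pattern and the reversed Boolean discussed in the reply above, written out as an added illustration (this is not code from the patch or from Guix itself; the module name `(example lazy-certs)`, the procedures `default-tls-certs` and `default-tls-cert-entries`, and the `container?`/`network?`/`tls?` parameters are assumptions made for the example):

```scheme
;; Added example, not part of the patch or of Guix: keep the reference to
;; 'nss-certs' behind a procedure so that the '#:autoload' of
;; (gnu packages certs) is not triggered when the module itself is loaded.
(define-module (example lazy-certs)
  #:use-module (guix profiles)                 ; packages->manifest, manifest-entries
  #:autoload   (gnu packages certs) (nss-certs) ; loaded on first use only
  #:export (default-tls-cert-entries))

;; A procedure instead of a top-level variable: 'nss-certs' is only
;; evaluated when this is called, so a command that never sets up a
;; networked container pays nothing for it.
(define (default-tls-certs)
  (list nss-certs))

;; 'tls?' rather than 'no-tls?', and the decision is taken once, after
;; all options are known, so the certificates are added only for a
;; container ('-C') that also has network access ('-N').
(define (default-tls-cert-entries container? network? tls?)
  (if (and container? network? tls?)
      (manifest-entries (packages->manifest (default-tls-certs)))
      '()))
```

To confirm the autoload stays lazy, compare `strace -c guix shell coreutils -- true` before and after the change as suggested in the reply: the second, cached run should show no extra file opens from the package modules.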