* lxc and subuid
From: Antonio Carlos Padoan Junior @ 2022-03-30 6:51 UTC
To: guix-devel

Hello,

I'm trying to figure out how to set an unprivileged container using lxc
in guix. I do not know either how to allocate subuid/gid space in guix,
is it possible? Any advice?

Best regards,
--
Antonio Carlos PADOAN JUNIOR
GPG fingerprint: 243F 237F 2DD3 4DCA 4EA3 1341 2481 90F9 B421 A6C9
* Re: lxc and subuid
From: Maxime Devos @ 2022-03-30 11:30 UTC
To: Antonio Carlos Padoan Junior, guix-devel

Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
> Hello,
>
> I'm trying to figure out how to set an unprivileged container using lxc
> in guix. I do not know either how to allocate subuid/gid space in guix,

subuid/gid are _not_ unprivileged. They are a userspace feature by the
(privileged) setuid binary 'newuidmap', see
<https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.

I don't think there's currently a mechanism for that in Guix System,
except manually creating and modifying /etc/subuid appropriately and
installing the setuid binaries. However, I suppose that the
'user-account' record could be extended to support subuid/subgid and
automatically create /etc/subuid.

Greetings,
Maxime
* Re: lxc and subuid
From: Antonio Carlos Padoan Junior @ 2022-03-30 13:13 UTC
To: Maxime Devos; +Cc: guix-devel

Thanks Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
>> Hello,
>>
>> I'm trying to figure out how to set an unprivileged container using lxc
>> in guix. I do not know either how to allocate subuid/gid space in guix,
>
> subuid/gid are _not_ unprivileged. They are a userspace feature by
> the (privileged) setuid binary 'newuidmap', see
> <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
>
> I don't think there's currently a mechanism for that in Guix System,
> except manually creating and modifying /etc/subuid appropriately and
> installing the setuid binaries. However, I suppose that the
> 'user-account' record could be extended to support subuid/subgid and
> automatically create /etc/subuid.

I created them manually as you suggested. But now I'm in trouble with
the creation of virtual network interfaces for the container. It is not
possible to follow the standard lxc documentation and apply it to guix
directly. The same problem if I use lxd.

I'm looking at the "Singularity service" as an alternative to lxc, but it
seems it does not install the daemon (as per guix documentation). I have
no idea how to properly proceed and set up a viable singularity daemon on
my machine.

I will try the docker service instead, but this is not exactly what I'm
looking for (but I hope at least it will work).

I have the feeling people create guix packages and services for
personal use but without minimal documentation on how to use them
properly on guix. Please consider that as a criticism from someone who
has goodwill but who is a little bit frustrated today.

> Greetings,
> Maxime

Best regards,
--
Antonio Carlos PADOAN JUNIOR
* Re: lxc and subuid
From: Maxime Devos @ 2022-03-30 13:23 UTC
To: Antonio Carlos Padoan Junior; +Cc: guix-devel

Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 15:13 [+0200]:
> Thanks Maxime,
>
> Maxime Devos <maximedevos@telenet.be> writes:
>
> > Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
> > > Hello,
> > >
> > > I'm trying to figure out how to set an unprivileged container using lxc
> > > in guix. I do not know either how to allocate subuid/gid space in guix,
> >
> > subuid/gid are _not_ unprivileged. They are a userspace feature by
> > the (privileged) setuid binary 'newuidmap', see
> > <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
> >
> > I don't think there's currently a mechanism for that in Guix System,
> > except manually creating and modifying /etc/subuid appropriately and
> > installing the setuid binaries. However, I suppose that the
> > 'user-account' record could be extended to support subuid/subgid and
> > automatically create /etc/subuid.
>
> I created them manually as you suggested. But now I'm in trouble with
> the creation of virtual network interfaces for the container. It is not
> possible to follow the standard lxc documentation and apply it to guix
> directly. The same problem if I use lxd.
>
> I'm looking at the "Singularity service" as an alternative to lxc, but it
> seems it does not install the daemon (as per guix documentation). I have
> no idea how to properly proceed and set up a viable singularity daemon on
> my machine.
>
> I will try the docker service instead, but this is not exactly what I'm
> looking for (but I hope at least it will work).
>
> I have the feeling people create guix packages and services for
> personal use but without minimal documentation on how to use them
> properly on guix. Please consider that as a criticism from someone who
> has goodwill but who is a little bit frustrated today.

I'm not familiar with lxc, lxd, Docker or Singularity so I'm afraid I
cannot help here.

Greetings,
Maxime.
* Re: lxc and subuid
From: Ludovic Courtès @ 2022-04-01 8:12 UTC
To: Maxime Devos; +Cc: guix-devel

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
>> Hello,
>>
>> I'm trying to figure out how to set an unprivileged container using lxc
>> in guix. I do not know either how to allocate subuid/gid space in guix,
>
> subuid/gid are _not_ unprivileged. They are a userspace feature by
> the (privileged) setuid binary 'newuidmap', see
> <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
>
> I don't think there's currently a mechanism for that in Guix System,
> except manually creating and modifying /etc/subuid appropriately and
> installing the setuid binaries. However, I suppose that the
> 'user-account' record could be extended to support subuid/subgid and
> automatically create /etc/subuid.

Or we could unconditionally add 65536 subuids for each non-system user
account; that’s what other distros seem to be doing.

I think we could take advantage of it for ‘guix system container’: it
could run in an unprivileged user namespace and map several UIDs in that
namespace, such that it doesn’t need to run as root anymore.

Thoughts?

Ludo’.
* Re: lxc and subuid
From: Maxime Devos @ 2022-04-02 13:52 UTC
To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès wrote on Fri 01-04-2022 at 10:12 [+0200]:
> Or we could unconditionally add 65536 subuids for each non-system user
> account; that’s what other distros seem to be doing.
>
> I think we could take advantage of it for ‘guix system container’: it
> could run in an unprivileged user namespace and map several UIDs in that
> namespace, such that it doesn’t need to run as root anymore.

I think it will need to be conditional, because the container only has
access to 65536 uids. So if the container contains at least one
non-system user, then all available uids are occupied so there is no
room anymore for 'root' or per-service users ...

Greetings,
Maxime.
* Re: lxc and subuid
From: Antonio Carlos Padoan Junior @ 2022-04-03 13:50 UTC
To: Maxime Devos; +Cc: Ludovic Courtès, guix-devel

Dears,

I would like to stress my original intent. It would be great to have an
easy (supported/documented/secure) way to build foreign distribution
containers in guix (an ubuntu, debian or centos container). It could be
by means of lxc, lxd or singularity (or whatever). The idea is that guix
system becomes the distribution to rule them all (and not the contrary).

I tried to build a guix package for a recent singularity version, mainly
because the one available in guix is old and perhaps broken. But I
miserably failed. Actually I do not master Go and its library system.
I finished installing a nix package on top of guix and that is fine for
today.

I do not know how to help here but I would like to have the possibility
to create these "foreign" containers easily in guix. This would really
impress the ones who do not yet know guix system.

Maxime Devos <maximedevos@telenet.be> writes:

> Ludovic Courtès wrote on Fri 01-04-2022 at 10:12 [+0200]:
>> Or we could unconditionally add 65536 subuids for each non-system user
>> account; that’s what other distros seem to be doing.
>>
>> I think we could take advantage of it for ‘guix system container’: it
>> could run in an unprivileged user namespace and map several UIDs in that
>> namespace, such that it doesn’t need to run as root anymore.
>
> I think it will need to be conditional, because the container only has
> access to 65536 uids. So if the container contains at least one
> non-system user, then all available uids are occupied so there is no
> room anymore for 'root' or per-service users ...
>
> Greetings,
> Maxime.

Best regards,
--
Antonio Carlos PADOAN JUNIOR
* Re: lxc and subuid
From: Ludovic Courtès @ 2022-04-05 11:53 UTC
To: Maxime Devos; +Cc: guix-devel

Hi!

Maxime Devos <maximedevos@telenet.be> writes:

> Ludovic Courtès wrote on Fri 01-04-2022 at 10:12 [+0200]:
>> Or we could unconditionally add 65536 subuids for each non-system user
>> account; that’s what other distros seem to be doing.
>>
>> I think we could take advantage of it for ‘guix system container’: it
>> could run in an unprivileged user namespace and map several UIDs in that
>> namespace, such that it doesn’t need to run as root anymore.
>
> I think it will need to be conditional, because the container only has
> access to 65536 uids. So if the container contains at least one
> non-system user, then all available uids are occupied so there is no
> room anymore for 'root' or per-service users ...

True; we could special-case that in ‘containerized-operating-system’.
But for bare-metal deployments, making that unconditional seems
reasonable to me.

Thanks,
Ludo’.
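The allocation rule discussed in the two messages above (65536 subordinate UIDs per non-system account, and why a container that itself only sees 65536 UIDs cannot fit such a range), worked through as an added example that is not code from this thread or from Guix. The base offset 100000, the 999 system-UID cutoff, the account list and the function names are all assumptions; the overlap check at the end is the kind of validation an administrator hand-editing /etc/subuid would want.

```python
# Added example, not code from the Guix thread or from Guix: models the proposed
# 65536 subordinate UIDs per non-system account, and why a container that sees
# only 65536 UIDs cannot fit such a range next to root and per-service users.
# Base 100000 and the 999 system-UID limit are assumptions, not values from the thread.
SUBID_COUNT = 65536      # range size proposed in the thread
SUBID_BASE = 100000      # assumed first subordinate UID on bare metal
SYSTEM_UID_MAX = 999     # assumed: UIDs <= 999 are system accounts
ACCOUNTS = [("root", 0), ("sshd", 998), ("alice", 1000), ("bob", 1001)]  # constructed sample

def allocate_subids(accounts, base=SUBID_BASE, available_uids=None):
    """Return /etc/subuid lines ("name:start:count") for each non-system account.
    available_uids, when given, is how many UIDs this system can see (65536 inside
    a user-namespace container); a range that would run past it raises ValueError."""
    lines, next_start = [], base
    for name, uid in accounts:
        if uid <= SYSTEM_UID_MAX:
            continue                            # system users get no range
        end = next_start + SUBID_COUNT          # exclusive upper bound
        if available_uids is not None and end > available_uids:
            raise ValueError(f"{name}: {next_start}-{end - 1} exceeds the "
                             f"{available_uids} UIDs mapped into this container")
        lines.append(f"{name}:{next_start}:{SUBID_COUNT}")
        next_start = end
    return lines

def subuid_file_is_safe(lines, accounts):
    """Parse /etc/subuid lines; reject a range that overlaps another range or a
    real UID (a subordinate 'root' could otherwise own that real user's files)."""
    ranges = []
    for line in lines:
        name, start, count = line.split(":")
        ranges.append((name, int(start), int(start) + int(count) - 1))
    real_uids = {uid for _, uid in accounts}
    for i, (_, s1, e1) in enumerate(ranges):
        if any(s1 <= uid <= e1 for uid in real_uids):
            return False
        if any(s1 <= e2 and s2 <= e1 for _, s2, e2 in ranges[i + 1:]):
            return False
    return True

def container_can_allocate(accounts, available_uids, base):
    """True only if every non-system account gets a safe range inside the mapped UIDs."""
    try:
        lines = allocate_subids(accounts, base=base, available_uids=available_uids)
    except ValueError:
        return False
    return subuid_file_is_safe(lines, accounts)
```

On bare metal the sample yields `alice:100000:65536` and `bob:165536:65536`; inside a 65536-UID container the same rule either overruns the mapping or, with base 0, lands on root's UID, which is the conditional case raised above.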