GNU bug report logs - #70933
[PATCH] system: Do not add "--disable-chroot" to containers.

Previous Next

To reply to this bug, email your comments to 70933 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: guix-patches <at> gnu.org
Cc: Andreas Enge <andreas <at> enge.fr>
Subject: [PATCH] system: Do not add "--disable-chroot" to containers.
Date: Tue, 14 May 2024 13:50:34 +0200

The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.

Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.

Andreas



* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".

Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
 gnu/system/linux-container.scm | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
                                              (nscd-configuration
                                               (inherit (service-value s))
                                               (caches %nscd-container-caches))))
-                                   ((eq? guix-service-type (service-kind s))
-                                    ;; Pass '--disable-chroot' so that
-                                    ;; guix-daemon can build thing even in
-                                    ;; Docker without '--privileged'.
-                                    (service guix-service-type
-                                             (guix-configuration
-                                              (inherit (service-value s))
-                                              (extra-options
-                                               (cons "--disable-chroot"
-                                                     (guix-configuration-extra-options
-                                                      (service-value s)))))))
                                    (else s)))
                            (operating-system-user-services os))))
       (file-systems (append (map mapping->fs

base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
-- 
2.41.0

Message #8 received at 70933 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Andreas Enge <andreas <at> enge.fr>
Cc: 70933 <at> debbugs.gnu.org
Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to
 containers.
Date: Fri, 31 May 2024 14:01:36 +0200

Hi,

Andreas Enge <andreas <at> enge.fr> skribis:

> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.

[...]

> -                                   ((eq? guix-service-type (service-kind s))
> -                                    ;; Pass '--disable-chroot' so that
> -                                    ;; guix-daemon can build thing even in
> -                                    ;; Docker without '--privileged'.

This is tricky, I’m not sure how to provide defaults that works in most
common setups while still allowing the use of privileged Docker
containers as in your case.

I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.

Thoughts?

Ludo’.

Message #11 received at 70933 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 70933 <at> debbugs.gnu.org
Subject: Re: [bug#70933] [PATCH] system: Do not add "--disable-chroot" to
 containers.
Date: Fri, 31 May 2024 16:26:58 +0200

Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
> Andreas Enge <andreas <at> enge.fr> skribis:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.

I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.

Andreas

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.