GNU bug report logs -
#70933
[PATCH] system: Do not add "--disable-chroot" to containers.
Previous Next
To reply to this bug, email your comments to 70933 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org
:
bug#70933
; Package
guix-patches
.
(Tue, 14 May 2024 11:56:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Andreas Enge <andreas <at> enge.fr>
:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org
.
(Tue, 14 May 2024 11:56:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.
Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.
Andreas
* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".
Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
gnu/system/linux-container.scm | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
(nscd-configuration
(inherit (service-value s))
(caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
(else s)))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
--
2.41.0
Information forwarded
to
guix-patches <at> gnu.org
:
bug#70933
; Package
guix-patches
.
(Fri, 31 May 2024 12:03:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Hi,
Andreas Enge <andreas <at> enge.fr> skribis:
> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.
[...]
> - ((eq? guix-service-type (service-kind s))
> - ;; Pass '--disable-chroot' so that
> - ;; guix-daemon can build thing even in
> - ;; Docker without '--privileged'.
This is tricky, I’m not sure how to provide defaults that works in most
common setups while still allowing the use of privileged Docker
containers as in your case.
I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.
Thoughts?
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org
:
bug#70933
; Package
guix-patches
.
(Fri, 31 May 2024 14:28:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
> Andreas Enge <andreas <at> enge.fr> skribis:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.
The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.
I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.
Andreas
This bug report was last modified 17 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.