GNU bug report logs - #43371
[PATCH] doc: prevent host/container nscd mismatch


Package: guix-patches;

Reported by: edk <at> beaver-labs.com

Date: Sun, 13 Sep 2020 10:32:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Sun, 13 Sep 2020 10:32:01 GMT)

Acknowledgement sent to edk <at> beaver-labs.com:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 13 Sep 2020 10:32:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: edk <at> beaver-labs.com
To: guix-patches <at> gnu.org
Cc: 41575 <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>
Subject: [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 12:30:49 +0200
doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
---
 doc/guix.texi | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a6e14ea177..a9472e680e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
 files are loaded in the @command{nscd} process, not in applications
 themselves.
 
+For applications running in containers (@pxref{Invokin guix container}),
+however, @code{nscd} may leak information from the host to the container.
+If there is a configuration mismatch between the two ---e.g., the host
+has no @code{sshd} user while the container needs one--- then it may be
+worthwhile to limit which kind of information the host's @code{nscd}
+daemon may give to the container by adding the following to
+@code{/etc/nscd.conf}.
+
+@example
+        enable-cache            passwd          no
+        enable-cache            group           no
+        enable-cache            netgroup        no
+@end example
+
 @subsection X11 Fonts
 
 @cindex fonts
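Review bot: `@pxref{Invokin guix container}` misspells the node name and should read `@pxref{Invoking guix container}`; makeinfo reports a cross-reference to a nonexistent node, so the manual would not build as written. Two more points on the same paragraph: it should say that the three lines only disable the passwd, group and netgroup caches, so a container still goes through the host's nscd for the databases left enabled (hosts, for instance), and that the setting applies to every process on the host, not just to containers. The eight leading spaces inside `@example` are rendered verbatim and should be dropped.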
@@ -27582,7 +27596,7 @@ that should be preferably killed.
 
 @item @code{avoid-regexp} (default: @code{#f})
 A regular expression (as a string) to match the names of the processes
-that should @emph{not} be killed.
+that should @emph{not} be kcoilled.
 
 @item @code{memory-report-interval} (default: @code{0})
 The interval in seconds at which a memory report is printed.  It is
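Review bot: the second hunk rewrites `that should @emph{not} be killed.` as `... be kcoilled.`, introducing a typo into the `avoid-regexp` description, which has nothing to do with the Name Service Switch change the commit message describes; drop this hunk from the patch.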
-- 
2.28.0





Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Sun, 13 Sep 2020 21:06:02 GMT)

Message #8 received at 43371 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: edk <at> beaver-labs.com
Cc: 43371 <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>, 41575 <at> debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 23:05:09 +0200
Hi,

edk <at> beaver-labs.com skribis:

> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> ---
>  doc/guix.texi | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index a6e14ea177..a9472e680e 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>  files are loaded in the @command{nscd} process, not in applications
>  themselves.
>  
> +For applications running in containers (@pxref{Invokin guix container}),
> +however, @code{nscd} may leak information from the host to the container.
> +If there is a configuration mismatch between the two ---e.g., the host
> +has no @code{sshd} user while the container needs one--- then it may be

I find the example is hard to understand.  How about: “applications in
the container could end up looking users in the host”?

> +worthwhile to limit which kind of information the host's @code{nscd}
> +daemon may give to the container by adding the following to
> +@code{/etc/nscd.conf}.
> +
> +@example
> +        enable-cache            passwd          no
> +        enable-cache            group           no
> +        enable-cache            netgroup        no
> +@end example

Actually, perhaps the better fix is to never use the host’s nscd?  We
could change ‘containerized-operating-system’ accordingly.

That would allow guest OSes to work correctly regardless of the host’s
nscd config, which seems like an improvement.

Thoughts?

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Mon, 14 Sep 2020 01:07:03 GMT)

Message #11 received at 43371 <at> debbugs.gnu.org:

From: conjaroy <conjaroy <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 43371 <at> debbugs.gnu.org, edk <at> beaver-labs.com, 41575 <at> debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 21:05:58 -0400
Hello Ludo',

A separate nscd per container also seems like a reasonable option. However,
for the sake of machines hosting many long-lived containers, perhaps we
should consider reducing the cache size: currently it's 32MB for each name
service type, with an expiration of 12-24 hours:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Cheers,

Jason

On Sun, Sep 13, 2020 at 5:05 PM Ludovic Courtès <ludo <at> gnu.org> wrote:

> Hi,
>
> edk <at> beaver-labs.com skribis:
>
> > doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> > ---
> >  doc/guix.texi | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/doc/guix.texi b/doc/guix.texi
> > index a6e14ea177..a9472e680e 100644
> > --- a/doc/guix.texi
> > +++ b/doc/guix.texi
> > @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
> >  files are loaded in the @command{nscd} process, not in applications
> >  themselves.
> >
> > +For applications running in containers (@pxref{Invokin guix container}),
> > +however, @code{nscd} may leak information from the host to the container.
> > +If there is a configuration mismatch between the two ---e.g., the host
> > +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
> > +worthwhile to limit which kind of information the host's @code{nscd}
> > +daemon may give to the container by adding the following to
> > +@code{/etc/nscd.conf}.
> > +
> > +@example
> > +        enable-cache            passwd          no
> > +        enable-cache            group           no
> > +        enable-cache            netgroup        no
> > +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>
> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
>
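An audit helper added here as an illustration (it is not part of the patch, nor Guix's own code): it parses the per-database settings of an `nscd.conf`, reports which caches the host's nscd still serves to anything that reaches its socket, and adds up the cache memory they may use, taking the `enable-cache ... no` lines from the patch above and the 32 MB per-database default mentioned above as its inputs. Both configurations below are constructed samples.

```python
"""Audit nscd.conf: which caches a host nscd shared with containers serves."""

# Databases whose host-side contents should stay out of containers.
IDENTITY_DBS = ("passwd", "group", "netgroup")
# nscd.conf keys whose first argument is a database name.
PER_DB_KEYS = {"enable-cache", "positive-time-to-live", "negative-time-to-live",
               "suggested-size", "check-files", "persistent", "shared",
               "max-db-size", "auto-propagate"}
DEFAULT_MAX_DB_SIZE = 32 * 1024 * 1024  # 32 MB per database, as in Guix


def parse_nscd_conf(text):
    """Return {database: {key: value}}; comments and global keys are skipped,
    and a later line overrides an earlier one for the same key, as nscd does."""
    dbs = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] in PER_DB_KEYS:
            key, db, value = fields
            dbs.setdefault(db, {})[key] = value
    return dbs


def enabled_caches(dbs):
    """Databases with 'enable-cache <db> yes' (nscd defaults to off)."""
    return sorted(db for db, cfg in dbs.items()
                  if cfg.get("enable-cache", "no").lower() == "yes")


def container_exposed(dbs):
    """Identity databases a container using this nscd could read."""
    return [db for db in enabled_caches(dbs) if db in IDENTITY_DBS]


def cache_budget_bytes(dbs):
    """Upper bound on cache memory: max-db-size summed over enabled caches."""
    return sum(int(dbs[db].get("max-db-size", DEFAULT_MAX_DB_SIZE))
               for db in enabled_caches(dbs))


# Constructed sample: a host caching the usual databases with defaults.
HOST_CONF = """\
enable-cache            passwd          yes
enable-cache            group           yes
enable-cache            hosts           yes
enable-cache            netgroup        yes
"""
# The patch's workaround appended to the same file (later lines win).
HARDENED_CONF = HOST_CONF + """\
        enable-cache            passwd          no
        enable-cache            group           no
        enable-cache            netgroup        no
"""
```

Run on the constructed samples, the hardened file still serves the hosts database, so a container sharing the socket keeps resolving names through the host's nscd.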

Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Mon, 14 Sep 2020 07:25:02 GMT)

Message #14 received at 43371 <at> debbugs.gnu.org:

From: Edouard Klein <edou <at> rdklein.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 43371 <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>, 41575 <at> debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 09:24:32 +0200
Hi!

Ludovic Courtès writes:

> Hi,
>
> edk <at> beaver-labs.com skribis:
>
>> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
>> ---
>>  doc/guix.texi | 16 +++++++++++++++-
>>  1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index a6e14ea177..a9472e680e 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>>  files are loaded in the @command{nscd} process, not in applications
>>  themselves.
>>  
>> +For applications running in containers (@pxref{Invokin guix container}),
>> +however, @code{nscd} may leak information from the host to the container.
>> +If there is a configuration mismatch between the two ---e.g., the host
>> +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
>> +worthwhile to limit which kind of information the host's @code{nscd}
>> +daemon may give to the container by adding the following to
>> +@code{/etc/nscd.conf}.
>> +
>> +@example
>> +        enable-cache            passwd          no
>> +        enable-cache            group           no
>> +        enable-cache            netgroup        no
>> +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>

I think this would be best, but I did not know where to make this
change, so I just edited the doc instead. I don't know if containers
need the host's nscd to avoid the libc issues mentioned in the doc, but
if they don't, then preventing them from accessing the host's nscd seems
logical and would solve the problem. And we wouldn't need to amend the
doc at all.

> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.





Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Mon, 14 Sep 2020 07:28:01 GMT)

Message #17 received at 43371 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: conjaroy <conjaroy <at> gmail.com>
Cc: 43371 <at> debbugs.gnu.org, edk <at> beaver-labs.com, 41575 <at> debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 09:26:47 +0200
Hi,

conjaroy <conjaroy <at> gmail.com> skribis:

> A separate nscd per container also seems like a reasonable option. However,
> for the sake of machines hosting many long-lived containers, perhaps we
> should consider reducing the cache size: currently it's 32MB for each name
> service type, with an expiration of 12-24 hours:
>
> https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Good point.

In that case, we can have ‘containerized-operating-system’ provide its
own NSS configuration with a reduced cache size (or without cache since
there’s caching happening on the host for host name lookups, for
instance).

WDYT?  Would you like to give it a try?

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Mon, 14 Sep 2020 22:55:02 GMT)

Message #20 received at 43371 <at> debbugs.gnu.org:

From: conjaroy <conjaroy <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 43371 <at> debbugs.gnu.org, edk <at> beaver-labs.com, 41575 <at> debbugs.gnu.org
Subject: Re: bug#41575: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 18:53:30 -0400
Sure, I'm happy to take a stab at this.

Jason

On Mon, Sep 14, 2020 at 3:28 AM Ludovic Courtès <ludo <at> gnu.org> wrote:

> In that case, we can have ‘containerized-operating-system’ provide its
> own NSS configuration with a reduced cache size (or without cache since
> there’s caching happening on the host for host name lookups, for
> instance).
>
> WDYT?  Would you like to give it a try?
>
> Thanks,
> Ludo’.
>
>
>
>

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Mon, 05 Oct 2020 08:37:03 GMT)

Notification sent to edk <at> beaver-labs.com:
bug acknowledged by developer. (Mon, 05 Oct 2020 08:37:03 GMT)

Message #25 received at 43371-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Edouard Klein <edou <at> rdklein.fr>
Cc: 41575 <at> debbugs.gnu.org, 43371-done <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 05 Oct 2020 10:36:05 +0200
Hi,

Edouard Klein <edou <at> rdklein.fr> skribis:

>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>> could change ‘containerized-operating-system’ accordingly.
>>
>
> I think this would be best, but I did not know where to make this
> change, so I just edited the doc instead. I don't know if containers
> need the host's nscd to avoid the libc issues mentioned in the doc, but
> if they don't, then preventing them from accessing the host's nscd seems
> logical and would solve the problem. And we wouldn't need to amend the
> doc at all.

This has now been done by Jason in
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Closing!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#43371; Package guix-patches. (Mon, 05 Oct 2020 17:03:02 GMT)

Message #28 received at 43371-done <at> debbugs.gnu.org:

From: Edouard Klein <edou <at> rdklein.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 41575 <at> debbugs.gnu.org, 43371-done <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 05 Oct 2020 19:01:58 +0200
Thanks to you both :)


Ludovic Courtès writes:

> Hi,
>
> Edouard Klein <edou <at> rdklein.fr> skribis:
>
>>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>>> could change ‘containerized-operating-system’ accordingly.
>>>
>>
>> I think this would be best, but I did not know where to make this
>> change, so I just edited the doc instead. I don't know if containers
>> need the host's nscd to avoid the libc issues mentioned in the doc, but
>> if they don't, then preventing them from accessing the host's nscd seems
>> logical and would solve the problem. And we wouldn't need to amend the
>> doc at all.
>
> This has now been done by Jason in
> 5627bfe45ce46f498979b4ad2deab1fdfed22b6c.
>
> Closing!
>
> Ludo’.





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 03 Nov 2020 12:24:08 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.