GNU bug report logs - #43540
[PATCH] Instantiate nscd in each system container instead of using the container host's service.


Package: guix-patches;

Reported by: Jason Conroy <conjaroy <at> gmail.com>

Date: Sun, 20 Sep 2020 22:06:01 UTC

Severity: normal

Tags: patch

Done: Mathieu Othacehe <othacehe <at> gnu.org>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#43540; Package guix-patches. (Sun, 20 Sep 2020 22:06:01 GMT)

Acknowledgement sent to Jason Conroy <conjaroy <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 20 Sep 2020 22:06:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jason Conroy <conjaroy <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] Instantiate nscd in each system container instead of using the container host's service.
Date: Sun, 20 Sep 2020 18:05:02 -0400
Hello Guix,

Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into
the container's filesystem. As discussed in bug#41575, there are certain
nscd configurations that expose information from the host's /etc files into
the container's processes, and aside from the security implications, this
exposure can lead to anomalous behavior inside the containers, including
failure to boot.

The following patch gives each container a private nscd instance. While
Guix's default nscd configuration caches pretty aggressively (for
hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a
smaller cache size of 256kB, which means that the overhead of this change
should be modest even on systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

Per my employer's guidelines for OSS contributors, this patch contains:

- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
with Ludo')

Thanks!

Jason
[one-nscd-per-container.patch (application/x-patch, attachment)]
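The two container-side checks from the test list above (nscd present and private to the container, cache sizes as configured), written out as an added example that is not part of the patch or of Guix. It is a POSIX shell script with three functions that read whatever files they are given, so it runs here on constructed samples and, in a container, on /proc/self/mountinfo and the nscd.conf the container's nscd was started with (that path is not fixed by the thread and is an assumption). The mountinfo check relies on the fact stated in the report that the shared setup bind-mounts the host's /var/run/nscd into the container, which makes that directory show up as a mount point of its own.

```shell
#!/bin/sh
# Added example, not part of the patch or of Guix.  Two checks a container
# operator can run to confirm the nscd situation the thread describes:
#  1. is /var/run/nscd a mount point of its own (the host's socket directory
#     bind-mounted in), or does the container own it?
#  2. what max-db-size does the container's nscd.conf give each database,
#     and is every database at or below a chosen ceiling?
# Both read files passed as arguments so they run here on constructed
# samples and in a container on /proc/self/mountinfo and the nscd.conf the
# container's nscd was started with (that path is an assumption).

# Print "shared" when /var/run/nscd appears as a mount point, else "private".
nscd_socket_origin() {
    mountinfo="$1"
    # /proc/self/mountinfo: field 5 is the mount point in this namespace.
    if awk 'BEGIN { found = 0 }
            $5 == "/var/run/nscd" { found = 1 }
            END { exit !found }' "$mountinfo"
    then echo shared
    else echo private
    fi
}

# Print the max-db-size configured for one database (e.g. hosts); prints
# nothing if the database has no such line.
nscd_max_db_size() {
    conf="$1"; db="$2"
    awk -v db="$db" '$1 == "max-db-size" && $2 == db { print $3 }' "$conf"
}

# Succeed only if every max-db-size line is at or below the limit in bytes.
nscd_caches_within() {
    conf="$1"; limit="$2"
    awk -v limit="$limit" \
        'BEGIN { over = 0 }
         $1 == "max-db-size" && ($3 + 0) > (limit + 0) { over = 1 }
         END { exit over }' "$conf"
}

# --- constructed samples (not captured from a real system) ---------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Container that bind-mounts the host's /var/run/nscd.
cat > "$SAMPLE_DIR/mountinfo-shared" <<'EOF'
20 1 0:19 / / rw,relatime - overlay overlay rw
21 20 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
22 20 0:21 /nscd /var/run/nscd rw,nosuid,nodev - tmpfs tmpfs rw
EOF

# Container running its own nscd: /var/run/nscd is just a directory.
cat > "$SAMPLE_DIR/mountinfo-private" <<'EOF'
20 1 0:19 / / rw,relatime - overlay overlay rw
21 20 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF

# nscd.conf with the sizes the patch chooses (2^18 bytes per database).
cat > "$SAMPLE_DIR/nscd.conf" <<'EOF'
enable-cache            hosts    yes
positive-time-to-live   hosts    43200
negative-time-to-live   hosts    20
persistent              hosts    yes
max-db-size             hosts    262144
enable-cache            services yes
positive-time-to-live   services 86400
check-files             services yes
max-db-size             services 262144
EOF

echo "shared sample:  nscd socket is $(nscd_socket_origin "$SAMPLE_DIR/mountinfo-shared")"
echo "private sample: nscd socket is $(nscd_socket_origin "$SAMPLE_DIR/mountinfo-private")"
echo "hosts cache:    $(nscd_max_db_size "$SAMPLE_DIR/nscd.conf" hosts) bytes"
if nscd_caches_within "$SAMPLE_DIR/nscd.conf" 262144
then echo "all caches within 256KiB"
else echo "some cache exceeds 256KiB"
fi
```

Inside a running container the same functions are called as `nscd_socket_origin /proc/self/mountinfo` and `nscd_caches_within <path-to-nscd.conf> 262144`; a "shared" result means the container is still talking to the host's daemon, which is exactly the configuration the patch removes.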

Information forwarded to guix-patches <at> gnu.org:
bug#43540; Package guix-patches. (Thu, 24 Sep 2020 08:02:02 GMT)

Message #8 received at 43540 <at> debbugs.gnu.org:

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Jason Conroy <conjaroy <at> gmail.com>
Cc: 43540 <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
Date: Thu, 24 Sep 2020 10:01:16 +0200
Hello Jason,

Thanks for this patch. You need to write a commit message that is
compliant with the ChangeLog format, see:
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.

> +(define %nscd-container-caches
> +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> +  ;; many containers to coexist on the same machine without exhausting RAM.
> +  (list (nscd-cache (database 'hosts)
> +                    (positive-time-to-live (* 3600 12))
> +                    (negative-time-to-live 20)
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))
> +        (nscd-cache (database 'services)
> +                    (positive-time-to-live (* 3600 24))
> +                    (negative-time-to-live 3600)
> +                    (check-files? #t)   ;check /etc/services changes
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))))
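Review bot: the comment on the first two lines of this hunk says these entries differ from %nscd-default-caches only in cache size, yet every field (both TTLs, check-files?, persistent?) is restated, so a later change to the defaults would silently leave the container caches behind. Deriving the list from %nscd-default-caches and overriding only max-database-size keeps the two in step, and a `;256KiB` comment beside `(expt 2 18)` would spare the reader the arithmetic.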

You can write something like:

--8<---------------cut here---------------start------------->8---
(map (lambda (cache)
       (nscd-cache
        (inherit cache)
        (max-database-size (expt 2 18)))) ;256KiB
     %nscd-default-caches)
--8<---------------cut here---------------end--------------->8---

to avoid repeating the same values.

Otherwise, looks nice. Could you please send an updated version?

Thanks,

Mathieu
-- 
https://othacehe.org
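Mathieu's map-and-inherit suggestion, carried one step further as an added example that is not from the patch or from Guix's own code: it builds the reduced cache list, wraps it in an nscd-configuration a container could hand to nscd-service-type, and checks that nothing but the size changed. It assumes the nscd-cache record accessors and the nscd-configuration record exported by (gnu services base), and is meant to be run as `guix repl -- container-nscd.scm` (the file name and the 256KiB constant name are illustrative).

```scheme
;; Added example, not part of the patch or of Guix.  Run with
;; `guix repl -- container-nscd.scm`; it needs (gnu services base) for
;; nscd-cache, nscd-configuration and %nscd-default-caches.
(use-modules (gnu services base)
             (srfi srfi-1))

;; 2^18 bytes, the per-database size the patch chooses for containers.
(define %container-cache-size (expt 2 18))   ;256KiB

;; Every default cache with only its on-disk size reduced; TTLs,
;; check-files? and persistent? stay whatever %nscd-default-caches says,
;; so the two lists cannot drift apart.
(define %nscd-container-caches
  (map (lambda (cache)
         (nscd-cache
          (inherit cache)
          (max-database-size %container-cache-size)))
       %nscd-default-caches))

;; The configuration a container would give to nscd-service-type instead
;; of reusing the host's socket.
(define %container-nscd-configuration
  (nscd-configuration
   (caches %nscd-container-caches)))

;; Sanity check: every derived cache is 256KiB and still describes the
;; same database with the same positive TTL as its default counterpart.
(define (caches-consistent? derived defaults)
  (and (= (length derived) (length defaults))
       (every (lambda (new old)
                (and (= (nscd-cache-max-database-size new)
                        %container-cache-size)
                     (eq? (nscd-cache-database new)
                          (nscd-cache-database old))
                     (= (nscd-cache-positive-time-to-live new)
                        (nscd-cache-positive-time-to-live old))))
              derived defaults)))

(for-each (lambda (cache)
            (format #t "~a: ~a bytes~%"
                    (nscd-cache-database cache)
                    (nscd-cache-max-database-size cache)))
          %nscd-container-caches)
(format #t "consistent with defaults: ~a~%"
        (caches-consistent? %nscd-container-caches %nscd-default-caches))
```

Because the list is derived rather than copied, a future change to a default TTL or to check-files? reaches the container caches automatically; only the size is pinned.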
Information forwarded to guix-patches <at> gnu.org:
bug#43540; Package guix-patches. (Sun, 27 Sep 2020 17:46:01 GMT)

Message #11 received at 43540 <at> debbugs.gnu.org:

From: Jason Conroy <conjaroy <at> gmail.com>
To: Mathieu Othacehe <othacehe <at> gnu.org>
Cc: 43540 <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
Date: Sun, 27 Sep 2020 13:44:32 -0400
Hi Mathieu, thanks for the feedback. Please find the revised patch and log
attached.

Cheers,

Jason


On Thu, Sep 24, 2020 at 4:01 AM Mathieu Othacehe <othacehe <at> gnu.org> wrote:

>
> Hello Jason,
>
> Thanks for this patch. You need to write a commit message that is
> compliant with the ChangeLog format, see:
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
>
> > +(define %nscd-container-caches
> > +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This
> allows
> > +  ;; many containers to coexist on the same machine without exhausting
> RAM.
> > +  (list (nscd-cache (database 'hosts)
> > +                    (positive-time-to-live (* 3600 12))
> > +                    (negative-time-to-live 20)
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))
> > +        (nscd-cache (database 'services)
> > +                    (positive-time-to-live (* 3600 24))
> > +                    (negative-time-to-live 3600)
> > +                    (check-files? #t)   ;check /etc/services changes
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))))
>
> You can write something like:
>
> --8<---------------cut here---------------start------------->8---
> (map (lambda (cache)
>        (nscd-cache
>         (inherit cache)
>         (max-database-size (expt 2 18)))) ;256KiB
>      %nscd-default-caches)
> --8<---------------cut here---------------end--------------->8---
>
> to avoid repeating the same values.
>
> Otherwise, looks nice. Could you please send an updated version?
>
> Thanks,
>
> Mathieu
> --
> https://othacehe.org
>
[one-nscd-per-container-v2.patch (text/x-patch, attachment)]

Reply sent to Mathieu Othacehe <othacehe <at> gnu.org>:
You have taken responsibility. (Thu, 01 Oct 2020 07:30:02 GMT)

Notification sent to Jason Conroy <conjaroy <at> gmail.com>:
bug acknowledged by developer. (Thu, 01 Oct 2020 07:30:03 GMT)

Message #16 received at 43540-done <at> debbugs.gnu.org:

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Jason Conroy <conjaroy <at> gmail.com>
Cc: 43540-done <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service.
Date: Thu, 01 Oct 2020 09:29:19 +0200
Hey Jason,

> Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.

Pushed with a slightly adjusted commit message as
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Thanks,

Mathieu
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Oct 2020 11:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.