GNU bug report logs - #43540
[PATCH] Instantiate nscd in each system container instead of using the container host's service.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 43540 in the body.
You can then email your comments to 43540 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jason Conroy <conjaroy <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] Instantiate nscd in each system container instead of using
 the container host's service.
Date: Sun, 20 Sep 2020 18:05:02 -0400

[Message part 1 (text/plain, inline)]

Hello Guix,

Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into
the container's filesystem. As discussed in bug#41575, there are certain
nscd configurations that expose information from the host's /etc files into
the container's processes, and aside from the security implications, this
exposure can lead to anomalous behavior inside the containers, including
failure to boot.

The following patch gives each container a private nscd instance. While
Guix's default nscd configuration caches pretty aggressively (for
hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a
smaller cache size of 256kB, which means that the overhead of this change
should be modest even on systems with many containers.

This patch has been lightly tested by verifying the following:

- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf

Per my employer's guidelines for OSS contributors, this patch contains:

- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
with Ludo')

Thanks!

Jason

[Message part 2 (text/html, inline)]

[one-nscd-per-container.patch (application/x-patch, attachment)]

Message #8 received at 43540 <at> debbugs.gnu.org (full text, mbox):

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Jason Conroy <conjaroy <at> gmail.com>
Cc: 43540 <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container
 instead of using the container host's service.
Date: Thu, 24 Sep 2020 10:01:16 +0200

Hello Jason,

Thanks for this patch. You need to write a commit message that is
compliant with the ChangeLog format, see:
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.

> +(define %nscd-container-caches
> +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> +  ;; many containers to coexist on the same machine without exhausting RAM.
> +  (list (nscd-cache (database 'hosts)
> +                    (positive-time-to-live (* 3600 12))
> +                    (negative-time-to-live 20)
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))
> +        (nscd-cache (database 'services)
> +                    (positive-time-to-live (* 3600 24))
> +                    (negative-time-to-live 3600)
> +                    (check-files? #t)   ;check /etc/services changes
> +                    (persistent? #t)
> +                    (max-database-size (expt 2 18)))))

You can write something like:

--8<---------------cut here---------------start------------->8---
(map (lambda (cache)
       (nscd-cache
        (inherit cache)
        (max-database-size (expt 2 18)))) ;256KiB
     %nscd-default-caches)
--8<---------------cut here---------------end--------------->8---

to avoid repeating the same values.

Otherwise, looks nice. Could you please send an updated version?

Thanks,

Mathieu
-- 
https://othacehe.org

Message #11 received at 43540 <at> debbugs.gnu.org (full text, mbox):

From: Jason Conroy <conjaroy <at> gmail.com>
To: Mathieu Othacehe <othacehe <at> gnu.org>
Cc: 43540 <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container
 instead of using the container host's service.
Date: Sun, 27 Sep 2020 13:44:32 -0400

[Message part 1 (text/plain, inline)]

Hi Mathieu, thanks for the feedback. Please find the revised patch and log
attached.

Cheers,

Jason


On Thu, Sep 24, 2020 at 4:01 AM Mathieu Othacehe <othacehe <at> gnu.org> wrote:

>
> Hello Jason,
>
> Thanks for this patch. You need to write a commit message that is
> compliant with the ChangeLog format, see:
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
>
> > +(define %nscd-container-caches
> > +  ;; Similar to %nscd-default-caches but with smaller cache sizes. This
> allows
> > +  ;; many containers to coexist on the same machine without exhausting
> RAM.
> > +  (list (nscd-cache (database 'hosts)
> > +                    (positive-time-to-live (* 3600 12))
> > +                    (negative-time-to-live 20)
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))
> > +        (nscd-cache (database 'services)
> > +                    (positive-time-to-live (* 3600 24))
> > +                    (negative-time-to-live 3600)
> > +                    (check-files? #t)   ;check /etc/services changes
> > +                    (persistent? #t)
> > +                    (max-database-size (expt 2 18)))))
>
> You can write something like:
>
> --8<---------------cut here---------------start------------->8---
> (map (lambda (cache)
>        (nscd-cache
>         (inherit cache)
>         (max-database-size (expt 2 18)))) ;256KiB
>      %nscd-default-caches)
> --8<---------------cut here---------------end--------------->8---
>
> to avoid repeating the same values.
>
> Otherwise, looks nice. Could you please send an updated version?
>
> Thanks,
>
> Mathieu
> --
> https://othacehe.org
>

[Message part 2 (text/html, inline)]

[one-nscd-per-container-v2.patch (text/x-patch, attachment)]

Message #16 received at 43540-done <at> debbugs.gnu.org (full text, mbox):

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Jason Conroy <conjaroy <at> gmail.com>
Cc: 43540-done <at> debbugs.gnu.org
Subject: Re: [bug#43540] [PATCH] Instantiate nscd in each system container
 instead of using the container host's service.
Date: Thu, 01 Oct 2020 09:29:19 +0200

Hey Jason,

> Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.

Pushed with a slightly adjusted commit message as
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Thanks,

Mathieu

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.