GNU bug report logs - #43540
[PATCH] Instantiate nscd in each system container instead of using the container host's service.
Reported by: Jason Conroy <conjaroy <at> gmail.com>
Date: Sun, 20 Sep 2020 22:06:01 UTC
Severity: normal
Tags: patch
Done: Mathieu Othacehe <othacehe <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#43540; Package guix-patches. (Sun, 20 Sep 2020 22:06:01 GMT)
Acknowledgement sent to Jason Conroy <conjaroy <at> gmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 20 Sep 2020 22:06:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hello Guix,
Currently, Guix system containers hosted on machines that run nscd are
configured to use that daemon's socket by bind-mounting /var/run/nscd into
the container's filesystem. As discussed in bug#41575, there are certain
nscd configurations that expose information from the host's /etc files into
the container's processes, and aside from the security implications, this
exposure can lead to anomalous behavior inside the containers, including
failure to boot.
The following patch gives each container a private nscd instance. While
Guix's default nscd configuration caches pretty aggressively (for
hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a
smaller cache size of 256kB, which means that the overhead of this change
should be modest even on systems with many containers.
This patch has been lightly tested by verifying the following:
- `make check` and `guix pull`
- successful boot and operation of a system container
- presence of nscd in the container
- correct cache sizes in nscd.conf
Per my employer's guidelines for OSS contributors, this patch contains:
- My corporate email address in the "From" line
- My employer listed as copyright holder (this has already been cleared
with Ludo')
Thanks!
Jason
[one-nscd-per-container.patch (application/x-patch, attachment)]
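The last item of the test list above (checking the cache sizes in the container's nscd.conf) can be scripted. The following is an added example, not part of the attached patch or of Guix: it parses nscd.conf's "option database value" lines and reports any per-container limit that deviates from the values the report describes (256 kB per database, 12h positive TTL for hosts). Both sample configurations are constructed.

```python
# Added example (not from the patch in this thread): parse nscd.conf and
# confirm the per-container cache limits described in the report.

# nscd.conf lines read "<option> <database> <value>"; the entries we verify:
# 256 kB per database and the 12h positive TTL for the hosts cache.
EXPECTED_CONTAINER = {
    ("max-db-size", "hosts"): 256 * 1024,
    ("max-db-size", "services"): 256 * 1024,
    ("positive-time-to-live", "hosts"): 12 * 3600,
}

def parse_nscd_conf(text):
    """Return {(option, database): value}; global options get database ''."""
    parsed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            option, database, value = fields
        elif len(fields) == 2:                 # e.g. "debug-level 0"
            option, database, value = fields[0], "", fields[1]
        else:
            continue
        parsed[(option, database)] = int(value) if value.isdigit() else value
    return parsed

def check_container_limits(text, expected=EXPECTED_CONTAINER):
    """Return [(option, database, actual)] for each expected entry that deviates."""
    conf = parse_nscd_conf(text)
    return [(opt, db, conf.get((opt, db)))
            for (opt, db), want in expected.items()
            if conf.get((opt, db)) != want]

# Constructed sample: the host's default-style nscd.conf (32 MiB caches).
HOST_CONF = """\
debug-level 0
enable-cache hosts yes
positive-time-to-live hosts 43200
negative-time-to-live hosts 20
persistent hosts yes
max-db-size hosts 33554432
enable-cache services yes
max-db-size services 33554432
"""

# Constructed sample: the same file for the per-container instance (256 kB).
CONTAINER_CONF = HOST_CONF.replace("33554432", "262144")
```

Running `check_container_limits` on a file taken from inside a booted container should return an empty list; the host-style sample returns the two oversized databases.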
Information forwarded to guix-patches <at> gnu.org: bug#43540; Package guix-patches. (Thu, 24 Sep 2020 08:02:02 GMT)
Message #8 received at 43540 <at> debbugs.gnu.org:
Hello Jason,
Thanks for this patch. You need to write a commit message that is
compliant with the ChangeLog format, see:
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html.
> +(define %nscd-container-caches
> + ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
> + ;; many containers to coexist on the same machine without exhausting RAM.
> + (list (nscd-cache (database 'hosts)
> + (positive-time-to-live (* 3600 12))
> + (negative-time-to-live 20)
> + (persistent? #t)
> + (max-database-size (expt 2 18)))
> + (nscd-cache (database 'services)
> + (positive-time-to-live (* 3600 24))
> + (negative-time-to-live 3600)
> + (check-files? #t) ;check /etc/services changes
> + (persistent? #t)
> + (max-database-size (expt 2 18)))))
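Review bot: the `%nscd-container-caches` definition restates every field of the two default caches (TTLs, `persistent?`, `check-files?`) and differs only in `max-database-size`, so it will drift silently if `%nscd-default-caches` is ever tuned; derive it from the default list with `(nscd-cache (inherit cache) (max-database-size (expt 2 18)))` instead of copying the values. The comment would also benefit from stating what `(expt 2 18)` amounts to (256 KiB), since the RAM budget it claims is otherwise not checkable at a glance.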
You can write something like:
--8<---------------cut here---------------start------------->8---
(map (lambda (cache)
       (nscd-cache
        (inherit cache)
        (max-database-size (expt 2 18)))) ;256KiB
     %nscd-default-caches)
--8<---------------cut here---------------end--------------->8---
to avoid repeating the same values.
Otherwise, looks nice. Could you please send an updated version?
Thanks,
Mathieu
--
https://othacehe.org
Information forwarded to guix-patches <at> gnu.org: bug#43540; Package guix-patches. (Sun, 27 Sep 2020 17:46:01 GMT)
Message #11 received at 43540 <at> debbugs.gnu.org:
Hi Mathieu, thanks for the feedback. Please find the revised patch and log
attached.
Cheers,
Jason
[one-nscd-per-container-v2.patch (text/x-patch, attachment)]
Reply sent to Mathieu Othacehe <othacehe <at> gnu.org>: You have taken responsibility. (Thu, 01 Oct 2020 07:30:02 GMT)
Notification sent to Jason Conroy <conjaroy <at> gmail.com>: bug acknowledged by developer. (Thu, 01 Oct 2020 07:30:03 GMT)
Message #16 received at 43540-done <at> debbugs.gnu.org:
Hey Jason,
> Hi Mathieu, thanks for the feedback. Please find the revised patch and log attached.
Pushed with a slightly adjusted commit message as
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.
Thanks,
Mathieu
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Oct 2020 11:24:06 GMT)