GNU bug report logs - #50916
Experimental `guix container PID program args` not working as expected

Previous Next

Package: guix;

Reported by: Bonface Munyoki K. <me <at> bonfacemunyoki.com>

Date: Thu, 30 Sep 2021 14:24:01 UTC

Severity: normal

To reply to this bug, email your comments to 50916 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#50916; Package guix. (Thu, 30 Sep 2021 14:24:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Bonface Munyoki K. <me <at> bonfacemunyoki.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 30 Sep 2021 14:24:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Bonface Munyoki K. <me <at> bonfacemunyoki.com>
To: bug-guix <at> gnu.org
Subject: Experimental `guix container PID program args` not working as expected
Date: Thu, 30 Sep 2021 17:23:35 +0300

[Message part 1 (text/plain, inline)]
Hi Guix!

I've tried running a redis server in a container,
and interact with it from outside the container as
such:

--8<---------------cut here---------------start------------->8---
guix environment --ad-hoc --container redis coreutils
--8<---------------cut here---------------end--------------->8---

Thereby, when I get the PID of the above running
process, I expect that:

--8<---------------cut here---------------start------------->8---
guix container PID redis-server --version
--8<---------------cut here---------------end--------------->8---

to be the redis version from the container which
is *6.2.4*. However, the command gets the
underlying redis-server from the host-- an old
Debian distribution-- which is at *3.2.6*.

In a bid to troubleshoot this, I have tried
running:

--8<---------------cut here---------------start------------->8---
guix container PID /bin/sh
--8<---------------cut here---------------end--------------->8---

which returns a shell from /outside/ the
container. Also, I have tried:

--8<---------------cut here---------------start------------->8---
guix environment --ad-hoc --container --link-profile
--8<---------------cut here---------------end--------------->8---

outside the $HOME directory, and then later:

--8<---------------cut here---------------start------------->8---
guix container PID echo $GUIX_ENVIRONMENT
--8<---------------cut here---------------end--------------->8---

with the expectation that $GUIX_ENVIRONMENT will
output some path from the store. However, I get
nothing. Finally, I tried:

--8<---------------cut here---------------start------------->8---
guix container exec PID ps aux
--8<---------------cut here---------------end--------------->8---

to gain perspective of whether I see the processes
from the host's or container's perspective. That
command, at least on my end, clearly shows that I
am seeing things from the host's perspective. This
demonstrates that *guix container* as described in
https://guix.gnu.org/manual/en/html_node/Invoking-guix-container.html
doesn't not execute from the container; and as
such is a bug.

-- 
Bonface M. K.
D4F09EB110177E03C28E2FE1F5BBAE1E0392253F (hkp://keys.gnupg.net)
Free Software Activist
Humble GNU Emacs User | Bearer of scheme-y parens
Curator: <https://upbookclub.com> | Twitter: @BonfaceKilz

[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org:
bug#50916; Package guix. (Sat, 06 Aug 2022 19:57:02 GMT) Full text and rfc822 format available.

Message #8 received at 50916 <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <kiasoc5 <at> disroot.org>
To: me <at> bonfacemunyoki.com, 50916 <at> debbugs.gnu.org
Subject: bug#50916: Experimental `guix container PID program args` not
 working as expected
Date: Sat, 6 Aug 2022 19:56:29 +0000

This bug still persists and effectively bypasses container sandboxing:

1. Start a container shell.

$ guix shell --container

2. Exec a shell inside the container. Here it is a foreign distro's
bash, and assume that there is only 1 container running.

$ guix container exec $(pgrep --full 'guix shell --container') /bin/bash

3. Observe that path is not empty.

$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/bin

This shell can access commands outside the container, such as kill
(part of util-linux).

4. Kill the container from the shell inside the container.

[env] $ kill -9 $(pgrep --full 'guix shell --container')
[env] $ echo $?
0

The shell still persists in the container, even though the container
itself is killed.

The problem is that in guix/scripts/container/exec.scm, execlp is used
to launch program with args. info guile says this about execlp:

  Similar to ‘execl’, however if FILENAME does not contain a slash then
  the file to execute will be located by searching the directories
  listed in the ‘PATH’ environment variable.

As seen above $PATH is set to a subset of the host system's PATH, not
the PATH inside the guix container.
This bug report was last modified 2 years and 116 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.