GNU bug report logs - #31894
Containerize openntpd service


Package: guix-patches;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Tue, 19 Jun 2018 09:33:01 UTC

Severity: normal

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.




From: ludo <at> gnu.org (Ludovic Courtès)
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 31894-done <at> debbugs.gnu.org
Subject: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 15:48:34 +0200
Efraim Flashner <efraim <at> flashner.co.il> wrote:

> On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:

[...]

>> One thing though: could you make sure containerization isn’t redundant
>> with what OpenNTPD already does?  Namely, could you grep the source for
>> calls to “chroot”, “unshare”, or “seccomp”?  If it happens to be already
>> doing one of these things, it may be that using a container brings
>> little or nothing.
>> 
>> If it’s OK, please push!
>
> From grepping the source:
>
> ./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
> ./INSTALL:processing is done as a chroot'ed, unprivileged user).
>
> The code also supports the assertion.
>
> it defaults to /var/empty, unless the --with-privsep-path=path flag is
> set, so it looks like my patch is unnecessary after all. :)

Heh, alright.  Perhaps you’ll find another candidate for
containerization.  ;-)

Thanks,
Ludo’.
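The check Ludo asked for above (grep the source for self-confinement calls before wrapping a service in a container) as a small script. This is an added example and is not part of the bug thread, of Guix, or of OpenNTPD; the sample source tree it builds is constructed for the demonstration, and it assumes GNU grep for the `--include` option.

```shell
#!/bin/sh
# Added example: decide whether containerizing a daemon is redundant by
# looking for calls with which the program already confines itself.
# The sample tree below is constructed; it is not OpenNTPD's source.
set -eu

# Print "file:line:text" for every call to a self-confinement primitive
# (chroot, unshare, seccomp, prctl, pledge, unveil) in C sources under $1.
# Prints nothing when there are none. Assumes GNU grep (--include).
find_confinement_calls() {
    dir="$1"
    grep -rnE '(^|[^A-Za-z0-9_])(chroot|unshare|seccomp|prctl|pledge|unveil)[[:space:]]*\(' \
        --include='*.c' --include='*.h' "$dir" 2>/dev/null || true
}

# Succeed (exit 0) if the tree under $1 confines itself, fail (exit 1) if not.
already_confined() {
    [ -n "$(find_confinement_calls "$1")" ]
}

# Build a constructed sample tree with one privsep-style daemon and one
# daemon that does nothing to confine itself; print the tree's path.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/privsep" "$tmp/plain"
    cat > "$tmp/privsep/ntp.c" <<'EOF'
/* constructed: the chroot-to-empty-directory pattern the INSTALL text describes */
#include <unistd.h>
int drop_privs(const char *path) {
    if (chroot(path) == -1 || chdir("/") == -1)
        return -1;
    return 0;
}
EOF
    cat > "$tmp/plain/daemon.c" <<'EOF'
/* constructed: no self-confinement at all */
int main(void) { return 0; }
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demo over the constructed tree.
demo_tree=$(make_sample_tree)
for sub in privsep plain; do
    if already_confined "$demo_tree/$sub"; then
        echo "$sub: confines itself; a container brings little or nothing"
    else
        echo "$sub: no self-confinement found; containerizing is worthwhile"
    fi
done
rm -rf "$demo_tree"
```

A hit only says the call is present; whether it runs unconditionally (as the INSTALL text says of OpenNTPD's privsep) or only under some build flag still has to be confirmed by reading the code around the match, as Efraim did.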







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.