GNU bug report logs - #41575
Container with openssh-service requires sshd user on the host

Previous Next

Package: guix;

Reported by: Edouard Klein <edk <at> beaver-labs.com>

Date: Thu, 28 May 2020 09:21:01 UTC

Severity: normal

Full log

Message #26 received at 41575 <at> debbugs.gnu.org (full text, mbox):

From: conjaroy <conjaroy <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 43371 <at> debbugs.gnu.org, edk <at> beaver-labs.com, 41575 <at> debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 21:05:58 -0400

[Message part 1 (text/plain, inline)]
Hello Ludo',

A separate nscd per container also seems like a reasonable option. However,
for the sake of machines hosting many long-lived containers, perhaps we
should consider reducing the cache size: currently it's 32MB for each name
service type, with an expiration of 12-24 hours:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Cheers,

Jason

On Sun, Sep 13, 2020 at 5:05 PM Ludovic Courtès <ludo <at> gnu.org> wrote:

> Hi,
>
> edk <at> beaver-labs.com skribis:
>
> > doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> > ---
> >  doc/guix.texi | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/doc/guix.texi b/doc/guix.texi
> > index a6e14ea177..a9472e680e 100644
> > --- a/doc/guix.texi
> > +++ b/doc/guix.texi
> > @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those
> @code{libnss_*.so}
> >  files are loaded in the @command{nscd} process, not in applications
> >  themselves.
> >
> > +For applications running in containers (@pxref{Invokin guix container}),
> > +however, @code{nscd} may leak information from the host to the
> container.
> > +If there is a configuration mismatch between the two ---e.g., the host
> > +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
> > +worthwhile to limit which kind of information the host's @code{nscd}
> > +daemon may give to the container by adding the following to
> > +@code{/etc/nscd.conf}.
> > +
> > +@example
> > +        enable-cache            passwd          no
> > +        enable-cache            group           no
> > +        enable-cache            netgroup        no
> > +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>
> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
>

[Message part 2 (text/html, inline)]
This bug report was last modified 4 years and 253 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.