From: bug#43371 <43371@debbugs.gnu.org>
To: bug#43371 <43371@debbugs.gnu.org>
Subject: Status: [PATCH] doc: prevent host/container nscd mismatch
Date: Sat, 14 Jun 2025 07:05:25 +0000

retitle 43371 [PATCH] doc: prevent host/container nscd mismatch
reassign 43371 guix-patches
submitter 43371 edk@beaver-labs.com
severity 43371 normal
tag 43371 patch
thanks

From: edk@beaver-labs.com
To: guix-patches@gnu.org
Cc: 41575@debbugs.gnu.org, conjaroy
Subject: [PATCH] doc: prevent host/container nscd mismatch
Message-ID: <87lfhet1d2.fsf@rdklein.fr>
Date: Sun, 13 Sep 2020 12:30:49 +0200

doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
---
 doc/guix.texi | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a6e14ea177..a9472e680e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so} files are loaded in the @command{nscd} process, not in applications themselves. +For applications running in containers (@pxref{Invokin guix container}), +however, @code{nscd} may leak information from the host to the container. +If there is a configuration mismatch between the two ---e.g., the host +has no @code{sshd} user while the container needs one--- then it may be +worthwhile to limit which kind of information the host's @code{nscd} +daemon may give to the container by adding the following to +@code{/etc/nscd.conf}. + +@example + enable-cache passwd no + enable-cache group no + enable-cache netgroup no +@end example + @subsection X11 Fonts @cindex fonts 
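Review bot: `@pxref{Invokin guix container}` in the first added paragraph looks like a typo for the node name "Invoking guix container"; as written, Texinfo will report an unresolved cross-reference when the manual is built, so it should read `@pxref{Invoking guix container}`. The same paragraph presents the three `enable-cache ... no` lines as a container fix without saying that they go into the host's `/etc/nscd.conf` and therefore turn off passwd, group and netgroup caching for every process on the host, not only for containers, while the hosts cache is left as it is; one sentence stating that trade-off would let readers judge whether the workaround is acceptable on their machine.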
@@ -27582,7 +27596,7 @@ that should be preferably killed. @item @code{avoid-regexp} (default: @code{#f}) A regular expression (as a string) to match the names of the processes -that should @emph{not} be killed. +that should @emph{not} be kcoilled. @item @code{memory-report-interval} (default: @code{0}) The interval in seconds at which a memory report is printed. It is
-- 
2.28.0
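Review bot: the second hunk, in the `avoid-regexp` description, rewrites "killed" as "kcoilled", which introduces a typo into an unrelated part of the manual and is not covered by the commit message (which only mentions the Name Service Switch section); this looks like an accidental keystroke and the hunk should be dropped before the patch is applied.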
From: Ludovic Courtès
To: edk@beaver-labs.com
Cc: 43371@debbugs.gnu.org, conjaroy, 41575@debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 23:05:09 +0200
Message-ID: <87y2ld9ym2.fsf@gnu.org>
In-Reply-To: <87lfhet1d2.fsf@rdklein.fr>

Hi,

edk@beaver-labs.com skribis:

> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> ---
>  doc/guix.texi | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index a6e14ea177..a9472e680e 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>  files are loaded in the @command{nscd} process, not in applications
>  themselves.
>  
> +For applications running in containers (@pxref{Invokin guix container}),
> +however, @code{nscd} may leak information from the host to the container.
> +If there is a configuration mismatch between the two ---e.g., the host
> +has no @code{sshd} user while the container needs one--- then it may be

I find the example is hard to understand.  How about: “applications in
the container could end up looking users in the host”?

> +worthwhile to limit which kind of information the host's @code{nscd}
> +daemon may give to the container by adding the following to
> +@code{/etc/nscd.conf}.
> +
> +@example
> +        enable-cache            passwd          no
> +        enable-cache            group           no
> +        enable-cache            netgroup        no
> +@end example

Actually, perhaps the better fix is to never use the host’s nscd?  We
could change ‘containerized-operating-system’ accordingly.

That would allow guest OSes to work correctly regardless of the host’s
nscd config, which seems like an improvement.

Thoughts?

Ludo’.
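The host-side workaround quoted above (`enable-cache ... no` in the host's /etc/nscd.conf), as an added example that is not code from the patch or from anyone in this thread: a Python audit that parses an nscd.conf and reports which databases the host's nscd would still answer for a container sharing its socket, before and after those three lines, plus the cache memory bound that matters if each container runs its own nscd instead. The sample configurations are constructed, and treating a database as disabled unless the file enables it is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five databases glibc's nscd can serve.
NSCD_DATABASES = ("passwd", "group", "hosts", "services", "netgroup")

# The databases the patch disables on the host: the ones that answer
# "which users and groups exist here", as opposed to name resolution.
IDENTITY_DATABASES = ("passwd", "group", "netgroup")


@dataclass
class CacheSettings:
    # Assumption: a database is served only if the file enables it.
    enabled: bool = False
    positive_ttl: Optional[int] = None   # seconds, from positive-time-to-live
    max_db_size: Optional[int] = None    # bytes, from max-db-size


def parse_nscd_conf(text: str) -> Dict[str, CacheSettings]:
    """Parse the per-database directives of an nscd.conf.

    Lines look like `<directive> <database> <value>`; `#` starts a comment.
    Global directives (logfile, threads, ...) have two fields and are
    skipped.  A later line for the same database overrides an earlier one,
    which is how the patch's appended lines take effect.
    """
    caches = {db: CacheSettings() for db in NSCD_DATABASES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in caches:
            continue
        directive, db, value = parts
        settings = caches[db]
        if directive == "enable-cache":
            settings.enabled = value.lower() == "yes"
        elif directive == "positive-time-to-live":
            settings.positive_ttl = int(value)
        elif directive == "max-db-size":
            settings.max_db_size = int(value)
    return caches


def databases_served(caches: Dict[str, CacheSettings]) -> List[str]:
    """Databases the host nscd answers for any client of its socket,
    including processes in a container that shares /var/run/nscd/socket."""
    return [db for db in NSCD_DATABASES if caches[db].enabled]


def identity_leaks(caches: Dict[str, CacheSettings]) -> List[str]:
    """Served databases that reveal host accounts to such a container."""
    return [db for db in databases_served(caches) if db in IDENTITY_DATABASES]


def missing_hardening(caches: Dict[str, CacheSettings]) -> List[str]:
    """The `enable-cache <db> no` lines from the patch that `caches` lacks."""
    return [f"enable-cache {db} no" for db in IDENTITY_DATABASES
            if caches[db].enabled]


def cache_budget_bytes(caches: Dict[str, CacheSettings]) -> int:
    """Upper bound on cache memory for the enabled databases (sum of
    max-db-size); this is the per-instance cost if every container gets
    its own nscd rather than sharing the host's."""
    return sum(caches[db].max_db_size or 0 for db in databases_served(caches))


# Constructed host configuration in the style the thread describes: every
# database enabled, 32 MiB per database, 12-hour positive TTL.
HOST_CONF = "\n".join(
    f"enable-cache {db} yes\n"
    f"positive-time-to-live {db} 43200\n"
    f"max-db-size {db} 33554432"
    for db in NSCD_DATABASES
) + "\nthreads 4\n"    # a global directive, ignored by the parser

# The same file with the three lines from the patch appended.
HARDENED_CONF = HOST_CONF + """
        enable-cache            passwd          no
        enable-cache            group           no
        enable-cache            netgroup        no
"""

if __name__ == "__main__":
    for name, text in (("host", HOST_CONF), ("hardened", HARDENED_CONF)):
        caches = parse_nscd_conf(text)
        print(f"{name}: served={databases_served(caches)} "
              f"identity_leaks={identity_leaks(caches)} "
              f"missing={missing_hardening(caches)} "
              f"budget={cache_budget_bytes(caches) // (1024 * 1024)} MiB")
```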
From: conjaroy
To: Ludovic Courtès
Cc: 43371@debbugs.gnu.org, edk@beaver-labs.com, 41575@debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 21:05:58 -0400
In-Reply-To: <87y2ld9ym2.fsf@gnu.org>

Hello Ludo',

A separate nscd per container also seems like a reasonable option. However,
for the sake of machines hosting many long-lived containers, perhaps we
should consider reducing the cache size: currently it's 32MB for each name
service type, with an expiration of 12-24 hours:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Cheers,
Jason

On Sun, Sep 13, 2020 at 5:05 PM Ludovic Courtès <ludo@gnu.org> wrote:

> Hi,
>
> edk@beaver-labs.com skribis:
>
> > doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
> > ---
> >  doc/guix.texi | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/doc/guix.texi b/doc/guix.texi
> > index a6e14ea177..a9472e680e 100644
> > --- a/doc/guix.texi
> > +++ b/doc/guix.texi
> > @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
> >  files are loaded in the @command{nscd} process, not in applications
> >  themselves.
> >
> > +For applications running in containers (@pxref{Invokin guix container}),
> > +however, @code{nscd} may leak information from the host to the container.
> > +If there is a configuration mismatch between the two ---e.g., the host
> > +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
> > +worthwhile to limit which kind of information the host's @code{nscd}
> > +daemon may give to the container by adding the following to
> > +@code{/etc/nscd.conf}.
> > +
> > +@example
> > +        enable-cache            passwd          no
> > +        enable-cache            group           no
> > +        enable-cache            netgroup        no
> > +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>
> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
From: Edouard Klein
To: Ludovic Courtès
Cc: 43371@debbugs.gnu.org, conjaroy, 41575@debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 09:24:32 +0200
Message-ID: <87tuw0ddn3.fsf@rdklein.fr>
In-Reply-To: <87y2ld9ym2.fsf@gnu.org>

Hi !

Ludovic Courtès writes:

> Hi,
>
> edk@beaver-labs.com skribis:
>
>> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
>> ---
>>  doc/guix.texi | 16 +++++++++++++++-
>>  1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index a6e14ea177..a9472e680e 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>>  files are loaded in the @command{nscd} process, not in applications
>>  themselves.
>>  
>> +For applications running in containers (@pxref{Invokin guix container}),
>> +however, @code{nscd} may leak information from the host to the container.
>> +If there is a configuration mismatch between the two ---e.g., the host
>> +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
>> +worthwhile to limit which kind of information the host's @code{nscd}
>> +daemon may give to the container by adding the following to
>> +@code{/etc/nscd.conf}.
>> +
>> +@example
>> +        enable-cache            passwd          no
>> +        enable-cache            group           no
>> +        enable-cache            netgroup        no
>> +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>

I think this would be best, but I did not know where to make this
change, so I just edited the doc instead. I don't know if containers
need the host's nscd to avoid the libc issues mentioned in the doc, but
if they don't, then preventing them from accessing the host's nscd seems
logical and would solve the problem. And we wouldn't need to amend the
doc at all.

> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
From: Ludovic Courtès
To: conjaroy
Cc: 43371@debbugs.gnu.org, edk@beaver-labs.com, 41575@debbugs.gnu.org
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 09:26:47 +0200
Message-ID: <87pn6oq0nc.fsf@gnu.org>
In-Reply-To: (conjaroy@gmail.com's message of "Sun, 13 Sep 2020 21:05:58 -0400")

Hi,

conjaroy skribis:

> A separate nscd per container also seems like a reasonable option. However,
> for the sake of machines hosting many long-lived containers, perhaps we
> should consider reducing the cache size: currently it's 32MB for each name
> service type, with an expiration of 12-24 hours:
>
> https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?id=1042d269a723360a02b19a2baafef1e24a3bfc73#n1115

Good point.

In that case, we can have ‘containerized-operating-system’ provide its
own NSS configuration with a reduced cache size (or without cache since
there’s caching happening on the host for host name lookups, for
instance).

WDYT?  Would you like to give it a try?

Thanks,
Ludo’.
From: conjaroy
To: Ludovic Courtès
Cc: 43371@debbugs.gnu.org, edk@beaver-labs.com, 41575@debbugs.gnu.org
Subject: Re: bug#41575: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 14 Sep 2020 18:53:30 -0400
In-Reply-To: <87pn6oq0nc.fsf@gnu.org>

Sure, I'm happy to take a stab at this.

Jason

On Mon, Sep 14, 2020 at 3:28 AM Ludovic Courtès <ludo@gnu.org> wrote:

> In that case, we can have ‘containerized-operating-system’ provide its
> own NSS configuration with a reduced cache size (or without cache since
> there’s caching happening on the host for host name lookups, for
> instance).
>
> WDYT?  Would you like to give it a try?
>
> Thanks,
> Ludo’.
From: Ludovic Courtès
To: Edouard Klein
Cc: 41575@debbugs.gnu.org, 43371-done@debbugs.gnu.org, conjaroy
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 05 Oct 2020 10:36:05 +0200
Message-ID: <87h7r93w96.fsf@gnu.org>
In-Reply-To: <87tuw0ddn3.fsf@rdklein.fr>

Hi,

Edouard Klein skribis:

>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>> could change ‘containerized-operating-system’ accordingly.
>>
>
> I think this would be best, but I did not know where to make this
> change, so I just edited the doc instead. I don't know if containers
> need the host's nscd to avoid the libc issues mentioned in the doc, but
> if they don't, then preventing them from accessing the host's nscd seems
> logical and would solve the problem. And we wouldn't need to amend the
> doc at all.

This has now been done by Jason in
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Closing!

Ludo’.
From: Edouard Klein
To: Ludovic Courtès
Cc: 41575@debbugs.gnu.org, 43371-done@debbugs.gnu.org, conjaroy
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 05 Oct 2020 19:01:58 +0200
Message-ID: <87h7r87gjd.fsf@rdklein.fr>
In-Reply-To: <87h7r93w96.fsf@gnu.org>

Thanks to you both :)

Ludovic Courtès writes:

> Hi,
>
> Edouard Klein skribis:
>
>>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>>> could change ‘containerized-operating-system’ accordingly.
>>>
>>
>> I think this would be best, but I did not know where to make this
>> change, so I just edited the doc instead. I don't know if containers
>> need the host's nscd to avoid the libc issues mentioned in the doc, but
>> if they don't, then preventing them from accessing the host's nscd seems
>> logical and would solve the problem. And we wouldn't need to amend the
>> doc at all.
>
> This has now been done by Jason in
> 5627bfe45ce46f498979b4ad2deab1fdfed22b6c.
>
> Closing!
>
> Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 03 Nov 2020 12:24:08 +0000

bug archived.
thanks