GNU bug report logs - #43371
[PATCH] doc: prevent host/container nscd mismatch

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#43371: closed ([PATCH] doc: prevent host/container nscd mismatch)
Date: Mon, 05 Oct 2020 08:37:03 +0000

[Message part 1 (text/plain, inline)]

Your message dated Mon, 05 Oct 2020 10:36:05 +0200
with message-id <87h7r93w96.fsf <at> gnu.org>
and subject line Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
has caused the debbugs.gnu.org bug report #43371,
regarding [PATCH] doc: prevent host/container nscd mismatch
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
43371: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=43371
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: edk <at> beaver-labs.com
To: guix-patches <at> gnu.org
Cc: 41575 <at> debbugs.gnu.org, conjaroy <conjaroy <at> gmail.com>
Subject: [PATCH] doc: prevent host/container nscd mismatch
Date: Sun, 13 Sep 2020 12:30:49 +0200

doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
---
 doc/guix.texi | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a6e14ea177..a9472e680e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
 files are loaded in the @command{nscd} process, not in applications
 themselves.
 
+For applications running in containers (@pxref{Invokin guix container}),
+however, @code{nscd} may leak information from the host to the container.
+If there is a configuration mismatch between the two ---e.g., the host
+has no @code{sshd} user while the container needs one--- then it may be
+worthwhile to limit which kind of information the host's @code{nscd}
+daemon may give to the container by adding the following to
+@code{/etc/nscd.conf}.
+
+@example
+        enable-cache            passwd          no
+        enable-cache            group           no
+        enable-cache            netgroup        no
+@end example
+
 @subsection X11 Fonts
 
 @cindex fonts
@@ -27582,7 +27596,7 @@ that should be preferably killed.
 
 @item @code{avoid-regexp} (default: @code{#f})
 A regular expression (as a string) to match the names of the processes
-that should @emph{not} be killed.
+that should @emph{not} be kcoilled.
 
 @item @code{memory-report-interval} (default: @code{0})
 The interval in seconds at which a memory report is printed.  It is
-- 
2.28.0

[Message part 3 (message/rfc822, inline)]

From: Ludovic Courtès <ludo <at> gnu.org>
To: Edouard Klein <edou <at> rdklein.fr>
Cc: 41575 <at> debbugs.gnu.org, 43371-done <at> debbugs.gnu.org,
 conjaroy <conjaroy <at> gmail.com>
Subject: Re: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
Date: Mon, 05 Oct 2020 10:36:05 +0200

Hi,

Edouard Klein <edou <at> rdklein.fr> skribis:

>> Actually, perhaps the better fix is to never use the host’s nscd?  We
>> could change ‘containerized-operating-system’ accordingly.
>>
>
> I think this would be best, but I did not know where to make this
> change, so I just edited the doc instead. I don't know if containers
> need the host's nscd to avoid the libc issues mentionned in the doc, but
> if they dont, then prevening them from accessing the host's nscd seems
> logical and would solve the problem. And we wouldn't need to amend the
> doc at all.

This has now been done by Jason in
5627bfe45ce46f498979b4ad2deab1fdfed22b6c.

Closing!

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.