GNU bug report logs - #70314: [PATCH] guix: scripts: environment: add tls certs to networked containers
To reply to this bug, email your comments to 70314 AT debbugs.gnu.org.
Report forwarded to guix <at> cbaines.net, dev <at> jpoiret.xyz, ludo <at> gnu.org, othacehe <at> gnu.org, rekado <at> elephly.net, zimon.toutoune <at> gmail.com, me <at> tobias.gr, guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Tue, 09 Apr 2024 19:15:02 GMT)
Acknowledgement sent to Richard Sent <richard <at> freakingpenguin.com>: New bug report received and forwarded. Copy sent to guix <at> cbaines.net, dev <at> jpoiret.xyz, ludo <at> gnu.org, othacehe <at> gnu.org, rekado <at> elephly.net, zimon.toutoune <at> gmail.com, me <at> tobias.gr, guix-patches <at> gnu.org. (Tue, 09 Apr 2024 19:15:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
container with -N, add nss-certs package and set SSL_CERT_DIR and
SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
behavior.
* doc/guix.texi: Document it.
Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
---
Hi Guix!
Given the discussion on IRC and guix-devel [1] recently about making
nss-certs easier to use, this patch modifies guix environment (and
thus guix shell) to automatically add nss-certs to the profile when
sharing the network namespace, as well as setting the
mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
variables.
This behavior can be reverted with the --no-tls flag. Since presumably
the majority of shell users want TLS to work out of the box, adding
TLS by default makes sense to me.
Previous workarounds were verbose [2] and prone to failure [3].
[1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html
[2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html
[3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2]
works coincidentally since guix system w/ nss-certs happens to have an
identical nss-certs hash to the guix building the shell profile.
Otherwise the system version would not be visible inside the
container.
doc/guix.texi | 8 ++++++++
guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 5827e0de14..912ed79ccd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6214,6 +6214,10 @@ Invoking guix shell
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
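Review bot: the new `@item --no-tls` entry has no `@itemx -T` line even though `%options` in this same patch registers `#\T` as a short option; either add `@itemx -T` here (and in the `--help` text) or drop the short option so the manual matches the code. It would also help to state what the default does concretely, namely that `nss-certs` is added to the profile and `SSL_CERT_DIR`/`SSL_CERT_FILE` are set, since that is exactly what `--no-tls` turns off.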
@@ -6711,6 +6715,10 @@ Invoking guix environment
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
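Review bot: same remark as for the `guix shell` entry: this copy is also missing `@itemx -T` for the short option the code defines and does not name the package or the two `SSL_CERT_*` variables involved; keep the two entries identical once one is fixed.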
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 1d7a6e198d..b38882a4ca 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -49,6 +49,7 @@ (define-module (guix scripts environment)
#:autoload (guix build syscalls) (set-network-interface-up openpty login-tty)
#:use-module (gnu system file-systems)
#:autoload (gnu packages) (specification->package+output)
+ #:autoload (gnu packages certs) (nss-certs)
#:autoload (gnu packages bash) (bash)
#:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
#:autoload (gnu packages package-management) (guix)
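Review bot: style point: the existing `#:autoload` list is alphabetical (`bash`, `bootstrap`, `package-management`), so `(gnu packages certs)` belongs after `bootstrap`, not before `bash`.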
@@ -72,6 +73,9 @@ (define-module (guix scripts environment)
(define %default-shell
(or (getenv "SHELL") "/bin/sh"))
+(define %default-tls-certs
+ (list nss-certs))
+
(define* (show-search-paths profile manifest #:key pure?)
"Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t,
do not augment existing environment variables with additional search paths."
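Review bot: `(define %default-tls-certs (list nss-certs))` evaluates `nss-certs` when the module is loaded, which triggers the `(gnu packages certs)` autoload (and the package modules it depends on) on every `guix environment`/`guix shell` invocation, networked container or not, defeating the point of `#:autoload`. Wrap the reference in a thunk, e.g. `(define (default-tls-certs) (list nss-certs))`, and call it only from the `network?` branch of `options/resolve-packages`.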
@@ -108,6 +112,9 @@ (define (show-environment-options-help)
-C, --container run command within an isolated container"))
(display (G_ "
-N, --network allow containers to access the network"))
+ (display (G_ "
+ --no-tls do not add SSL/TLS certificates or set environment
+ variables for a networked container"))
(display (G_ "
-P, --link-profile link environment profile to ~/.guix-profile within
an isolated container"))
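Review bot: the help entry lists only `--no-tls`, but the option definition in this patch also accepts `-T`; the two should agree. Since the flag is an opt-out most users will never pass, dropping the short form and keeping the help text as written is the simpler fix.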
@@ -244,6 +251,9 @@ (define %options
(option '(#\N "network") #f #f
(lambda (opt name arg result)
(alist-cons 'network? #t result)))
+ (option '(#\T "no-tls") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'no-tls? #t result)))
(option '(#\W "nesting") #f #f
(lambda (opt name arg result)
(alist-cons 'nesting? #t result)))
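Review bot: `'(#\T "no-tls")` spends a single-letter flag on a rarely used opt-out and the letter is not mentioned in the help text; `'("no-tls")` alone is enough. Storing the negated flag as `no-tls?` also forces every consumer to reason about a double negative (`(unless no-tls? ...)` later in the patch); recording a positive `tls?` that defaults to #t would read more naturally.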
@@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
(packages->outputs (load* file module) mode)))
(('manifest . file)
(manifest-entries (load-manifest file)))
+ (('network? . #t)
+ (if (assoc-ref opts 'no-tls?)
+ '()
+ (manifest-entries
+ (packages->manifest %default-tls-certs))))
(('nesting? . #t)
(if (assoc-ref opts 'profile)
'()
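Review bot: this clause adds `nss-certs` to the manifest whenever `-N` is present, but nothing here checks `container?`, so `guix shell -N` without `-C` (where `--network` is otherwise a no-op) silently grows the environment by one package and its derivation. Either condition the clause on `(assoc-ref opts 'container?)` or defer the manifest change until all options are parsed. It is also worth deciding what happens when the user already lists `nss-certs` on the command line, since the clause appends a second entry unconditionally.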
@@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
(define* (launch-environment/container #:key command bash user user-mappings
profile manifest link-profile? network?
- map-cwd? emulate-fhs? nesting?
+ no-tls? map-cwd? emulate-fhs? nesting?
(setup-hook #f)
(symlinks '()) (white-list '()))
"Run COMMAND within a container that features the software in PROFILE.
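Review bot: the docstring of `launch-environment/container` is not updated to describe the new `no-tls?` keyword; please document it alongside the other keyword arguments, and consider a positive `tls?` so the body does not need `(unless no-tls? ...)`.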
@@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
;; Allow local AF_INET communications.
(set-network-interface-up "lo"))
+ (unless no-tls?
+ (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+ (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+ "/ca-certificates.crt")))
+
;; For convenience, start in the user's current working
;; directory or, if unmapped, the home directory.
(chdir (if map-cwd?
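Review bot: logic problem: `(unless no-tls? ...)` is not conditioned on `network?`, so a plain `guix shell -C` (no `-N`, hence no `nss-certs` in the profile) still gets `SSL_CERT_DIR` pointing at a `/etc/ssl/certs` directory that does not exist under PROFILE and `SSL_CERT_FILE` at a missing bundle; clients that treat a missing CA file as an error rather than falling back will behave differently from before. Guard with `(when (and network? (not no-tls?)) ...)`, and compute the directory once in a `let` instead of reading it back with `(getenv "SSL_CERT_DIR")`.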
@@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
(link-prof? (assoc-ref opts 'link-profile?))
(symlinks (assoc-ref opts 'symlinks))
(network? (assoc-ref opts 'network?))
+ (no-tls? (assoc-ref opts 'no-tls?))
(no-cwd? (assoc-ref opts 'no-cwd?))
(emulate-fhs? (assoc-ref opts 'emulate-fhs?))
(nesting? (assoc-ref opts 'nesting?))
@@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
(when (pair? symlinks)
(leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (when (and (not network?)
+ no-tls?)
+ (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
+
(with-store/maybe store
(with-status-verbosity (assoc-ref opts 'verbosity)
(define manifest-from-opts
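Review bot: the error message names an option that does not exist: the flag is `--network` (`-N`), not `--networking`, so the string should read `'--no-tls' cannot be used without '--network'`. Note also that `network?` alone does not imply `container?`: if `-N` without `-C` remains accepted, `--no-tls` passes this check while there is no container for it to act on.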
@@ -1212,6 +1237,7 @@ (define (guix-environment* opts)
#:network? network?
#:map-cwd? (not no-cwd?)
#:emulate-fhs? emulate-fhs?
+ #:no-tls? no-tls?
#:nesting? nesting?
#:symlinks symlinks
#:setup-hook
base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35
--
2.41.0
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Wed, 04 Sep 2024 13:35:01 GMT)
Message #8 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi Richard,
Richard Sent <richard <at> freakingpenguin.com> writes:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
Apparently this patch fell through the cracks, despite the long Cc:
list.
> Given the discussion on IRC and guix-devel [1] recently about making
> nss-certs easier to use, this patch modifies guix environment (and
> thus guix shell) to automatically add nss-certs to the profile when
> sharing the network namespace, as well as setting the
> mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment
> variables.
>
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.
[...]
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
Instead of adding the ‘nss-certs’ package, I would rather expose
/etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
certificates will be used, and (2) it’s less expensive than having to
compute the derivation of ‘nss-certs’.
Users who definitely want Guix’s ‘nss-certs’ can always add it to the
shell and it will take precedence over /etc/ssl/certs, assuming
SSL_CERT_{FILE,DIR} is defined.
WDYT?
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Wed, 04 Sep 2024 15:04:02 GMT)
Message #11 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi Ludo!
Thanks for the response!
Ludovic Courtès <ludo <at> gnu.org> writes:
> Instead of adding the ‘nss-certs’ package, I would rather expose
> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
> certificates will be used, and (2) it’s less expensive than having to
> compute the derivation of ‘nss-certs’.
There is an issue with this that's cropped up in the past. The files in
/etc/ssl/certs/* are symlinks to store items. Because containers only
see a subset of store items that are in that container's profile, it
often sees the symlinks to store items but not the target file.
For example:
--8<---------------cut here---------------start------------->8---
$ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash
[env]$ ls /etc/ssl/certs/ca*
/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
[env]$ ls -l /etc/ssl/certs/ca6e4ad9.0
lrwxrwxrwx 1 65534 overflow 85 Jan 1 1970 /etc/ssl/certs/ca6e4ad9.0 -> /gnu/store/5y39gqnvlfrw9gxyxbqqkdr8cxgp1fa1-nss-certs-3.88.1/etc/ssl/certs/ca6e4ad9.0
[env]$ cat /etc/ssl/certs/ca6e4ad9.0
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
--8<---------------cut here---------------end--------------->8---
We can /sort of/ solve this by adding nss-certs to the container, but
only when the nss-certs being added has the same hash as the nss-certs
package.
--8<---------------cut here---------------start------------->8---
# nss-certs w/o version adds v3.99 to the profile, which doesn't match
# the system. Ergo it's still unavailable.
~ $ guix shell -C bash coreutils --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
cat: /etc/ssl/certs/ca6e4ad9.0: No such file or directory
#
# If we specify 3.88.1, it does work, but only for various nss-certificates,
# not the ca-certificates.crt bundle file (which isn't a package).
guix shell -C bash coreutils nss-certs@3.88.1 --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca6e4ad9.0'
# snip, contents of ca6e4ad9.0
#
~ $ guix shell -C bash coreutils nss-certs@3.88.1 --expose=/etc/ssl/certs -- bash -c 'cat /etc/ssl/certs/ca-certificates.crt'
cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory
--8<---------------cut here---------------end--------------->8---
This problem becomes impossible to solve in situations where the system
Guix and user Guix have different nss-certs hashes.
Be it by adding nss-certs to the container profile or by exposing
/etc/ssl/certs, we still need to calculate the nss-certs derivation.
(Perhaps an alternative solution is making sure symlink targets to store
items visible to a container are persisted. I don't know how complicated
that would be, but I imagine it's nontrivial.)
> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
> shell and it will take precedence over /etc/ssl/certs, assuming
> SSL_CERT_{FILE,DIR} is defined.
True, although at present anyone who wants to use nss-certs must set
SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
registers the search path).
--8<---------------cut here---------------start------------->8---
# nss-certs alone doesn't set SSL_CERT_DIR
~ $ guix shell -C bash coreutils nss-certs@3.88.1 -- bash -c 'echo $SSL_CERT_DIR'
# blank
#
# curl registers $SSL_CERT_{FILE,DIR}
~ $ guix shell -C bash coreutils nss-certs@3.88.1 curl -- bash -c 'echo $SSL_CERT_DIR'
/gnu/store/hxylrsqs5cy87cgkxi5fmlzxvfhczlzj-profile/etc/ssl/certs
--8<---------------cut here---------------end--------------->8---
This is unintuitive. Many packages that make use of nss-certs don't
register the search path, e.g. rust-cargo [1]. I'd rather avoid a
solution that is "edit every package that may possibly use nss-certs now
and in the future to register the search path".
> WDYT?
My thoughts are if we have to decide between
1. Users who want TLS with standard public endpoints
2. Users who want TLS with custom private endpoints
it's better to prioritize a good experience for 1 and let 2 opt-out of
the "hand holding" defaults. But perhaps it's possible to make everyone
happy.
If desired this patch can be reworked as opt-in.
[1]: https://logs.guix.gnu.org/guix/2024-04-08.log
--
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
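A check for the failure mode described in the message above (entries under /etc/ssl/certs that are symlinks into /gnu/store whose targets are outside the container's view), added here as an example and not code from the thread or from Guix. It assumes only POSIX sh and a certificate directory laid out like the one in the transcript; the `CHECK_CERTS` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: classify what a TLS client inside a
# `guix shell -C --expose=/etc/ssl/certs` container actually sees, so that a
# "No such file or directory" on a certificate is caught before a download
# silently fails or a tool falls back to no verification.

# Print each dangling symlink found directly in directory $1 to stderr and
# echo the number found on stdout (0 means every entry resolves).
dangling_certs() {
    _n=0
    for _f in "$1"/*; do
        # -L: the entry is a symlink; ! -e: its target does not resolve here,
        # which is exactly the "symlink into a store item the container cannot
        # see" case from the transcript.
        if [ -L "$_f" ] && [ ! -e "$_f" ]; then
            printf 'dangling: %s -> %s\n' "$_f" "$(readlink "$_f")" >&2
            _n=$((_n + 1))
        fi
    done
    echo "$_n"
}

# Summarise the view a client gets from certificate directory $1 and bundle
# file $2 (the SSL_CERT_DIR / SSL_CERT_FILE pair the patch sets):
#   no-dir          the directory itself is absent
#   missing-bundle  the bundle path does not resolve (the ca-certificates.crt
#                   case: the bundle is not a package, so no package fixes it)
#   dangling:N      bundle readable, but N per-certificate links are broken
#   ok              bundle readable and every entry in the directory resolves
tls_view() {
    _dir=$1
    _bundle=$2
    [ -d "$_dir" ] || { echo no-dir; return; }
    [ -r "$_bundle" ] || { echo missing-bundle; return; }
    _broken=$(dangling_certs "$_dir" 2>/dev/null)
    if [ "$_broken" -eq 0 ]; then
        echo ok
    else
        echo "dangling:$_broken"
    fi
}

# Run the check against the environment the TLS client would use when the
# script is invoked with CHECK_CERTS=1 inside the container.
if [ "${CHECK_CERTS:-0}" = 1 ]; then
    _d=${SSL_CERT_DIR:-/etc/ssl/certs}
    tls_view "$_d" "${SSL_CERT_FILE:-$_d/ca-certificates.crt}"
fi
```

Inside the container from the transcript, `CHECK_CERTS=1 sh check-certs.sh` (hypothetical file name) reports `missing-bundle`, matching the `cat: /etc/ssl/certs/ca-certificates.crt: No such file or directory` shown above.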
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Sun, 15 Sep 2024 21:41:02 GMT)
Message #14 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi Richard,
Cc: guix-devel to get more feedback: this is about adding ‘nss-certs’ by
default in ‘guix shell -CN’ containers, along with a ‘--no-tls’ option
to opt out:
https://issues.guix.gnu.org/70314
Richard Sent <richard <at> freakingpenguin.com> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Instead of adding the ‘nss-certs’ package, I would rather expose
>> /etc/ssl/certs (when it exists), for two reasons: (1) the system-chosen
>> certificates will be used, and (2) it’s less expensive than having to
>> compute the derivation of ‘nss-certs’.
>
> There is an issue with this that's cropped up in the past. The files in
> /etc/ssl/certs/* are symlinks to store items. Because containers only
> see a subset of store items that are in that container's profile, it
> often sees the symlinks to store items but not the target file.
Oh, indeed.
[...]
>> Users who definitely want Guix’s ‘nss-certs’ can always add it to the
>> shell and it will take precedence over /etc/ssl/certs, assuming
>> SSL_CERT_{FILE,DIR} is defined.
>
> True, although at present anyone who wants to use nss-certs must set
> SSL_CERT_{FILE,DIR} manually (or coincidentally install a package that
> registers the search path).
Right.
[...]
> My thoughts are if we have to decide between
>
> 1. Users who want TLS with standard public endpoints
> 2. Users who want TLS with custom private endpoints
>
> it's better to prioritize a good experience for 1 and let 2 opt-out of
> the "hand holding" defaults. But perhaps it's possible to make everyone
> happy.
You’ve convinced me.
That it’s opt-out sounds reasonable to me. ‘--no-tls’ sounds reasonable
too as a name (I thought about ‘--no-x509-certificates’ but that’s
actually less accurate since there are the SSL_* variables in addition
to the certificates themselves).
I have some comments about the patch and I’d like others to weigh in too
before we commit this change.
Thank you!
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Sun, 15 Sep 2024 21:50:02 GMT)
Message #17 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi,
Richard Sent <richard <at> freakingpenguin.com> writes:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
>
> Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
[...]
> + #:autoload (gnu packages certs) (nss-certs)
> #:autoload (gnu packages bash) (bash)
> #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
> #:autoload (gnu packages package-management) (guix)
> @@ -72,6 +73,9 @@ (define-module (guix scripts environment)
> (define %default-shell
> (or (getenv "SHELL") "/bin/sh"))
>
> +(define %default-tls-certs
> + (list nss-certs))
This would force all the package modules to be loaded upfront. Instead
you should arrange to not refer to ‘nss-certs’ until it’s needed.
This matters for startup time. To see how it affects the command, you
can run:
strace -c guix shell coreutils -- true
The second run should make as few system calls as possible.
> + (lambda (opt name arg result)
> + (alist-cons 'no-tls? #t result)))
Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
of thumb, I always avoid negating Booleans in code).
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
Can we delay changes to the manifest until after all options have been
parsed, so we know whether ‘-C’ has been passed?
That way ‘guix shell -N --no-tls’ does not add ‘nss-certs’ to the
environments.
> (define* (launch-environment/container #:key command bash user user-mappings
> profile manifest link-profile? network?
> - map-cwd? emulate-fhs? nesting?
> + no-tls? map-cwd? emulate-fhs? nesting?
Same as above: ‘tls?’ rather than ‘no-tls?’.
Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
pass.
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Mon, 16 Sep 2024 00:05:02 GMT)
Message #20 received at 70314 <at> debbugs.gnu.org (full text, mbox):
On Sunday, September 15th, 2024 at 4:39 PM, Ludovic Courtès <ludo <at> gnu.org> wrote:
> You’ve convinced me.
>
> That it’s opt-out sounds reasonable to me. ‘--no-tls’ sounds reasonable
> too as a name
Agreed on all points. Even though I'm aware of the need, I've forgotten to add tls-certs many times. Removing a known footgun for containers is a great plan.
Thanks!
Ryan
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Mon, 16 Sep 2024 15:23:02 GMT)
Message #23 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether ‘-C’ has been passed?
>
> That way ‘guix shell -N --no-tls’ does not add ‘nss-certs’ to the
> environments.
Is `$ guix shell -N -- true` valid? I know it works at present, but my
understanding is sharing the network only works with containers. From
the manual:
> ‘--network’
> ‘-N’
> For containers, share the network namespace with the host system.
> Containers created without this flag only have access to the
> loopback device.
Perhaps instead we should error when -N is passed without -C, ala
--8<---------------cut here---------------start------------->8---
modified guix/scripts/environment.scm
@@ -1153,7 +1153,9 @@ (define (guix-environment* opts)
(when nesting?
(leave (G_ "'--nesting' cannot be used without '--container'~%")))
(when (pair? symlinks)
- (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+ (when network?
+ (leave (G_ "'--network cannot be used without '--container'~%"))))
(when (and (not network?)
no-tls?)
--8<---------------cut here---------------end--------------->8---
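Review bot: the new message `'--network cannot be used without '--container'~%` is missing the closing quote after `--network`; compare the `'--symlink'` line just above it. Also, as the message itself notes, `guix shell -N` without `-C` currently runs, so this turns a silently ignored flag into a hard error; that behaviour change deserves a sentence in the commit message and a case in tests/guix-environment-container.sh.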
--
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Fri, 20 Sep 2024 16:12:02 GMT)
Message #26 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi,
On Tue, 09 April 2024 at 15:05, Richard Sent <richard <at> freakingpenguin.com> wrote:
> This behavior can be reverted with the --no-tls flag. Since presumably
> the majority of shell users want TLS to work out of the box, adding
> TLS by default makes sense to me.
I agree. I have been annoyed more than once with this. Then it becomes
something odd that I have forgotten it’s odd. :-)
> + (display (G_ "
> + --no-tls do not add SSL/TLS certificates or set environment
> + variables for a networked container"))
[...]
> + (option '(#\T "no-tls") #f #f
> + (lambda (opt name arg result)
> + (alist-cons 'no-tls? #t result)))
There is a discrepancy, no? Missing the short ’-T’ option in the help?
Well, that said, I would prefer to not have any short option at all,
because I think that option would be a rare option. And if it is not,
and many people use “guix shell” without the package ’nss-tls’, then we
will still be able to add the short option. The converse is not true.
> (option '(#\W "nesting") #f #f
> (lambda (opt name arg result)
> (alist-cons 'nesting? #t result)))
> @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts)
> (packages->outputs (load* file module) mode)))
> (('manifest . file)
> (manifest-entries (load-manifest file)))
> + (('network? . #t)
> + (if (assoc-ref opts 'no-tls?)
> + '()
> + (manifest-entries
> + (packages->manifest %default-tls-certs))))
> (('nesting? . #t)
> (if (assoc-ref opts 'profile)
> '()
> @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest
>
> (define* (launch-environment/container #:key command bash user user-mappings
> profile manifest link-profile? network?
> - map-cwd? emulate-fhs? nesting?
> + no-tls? map-cwd? emulate-fhs? nesting?
> (setup-hook #f)
> (symlinks '()) (white-list '()))
> "Run COMMAND within a container that features the software in PROFILE.
> @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
> ;; Allow local AF_INET communications.
> (set-network-interface-up "lo"))
>
> + (unless no-tls?
> + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
> + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
> + "/ca-certificates.crt")))
> +
> ;; For convenience, start in the user's current working
> ;; directory or, if unmapped, the home directory.
> (chdir (if map-cwd?
> @@ -1078,6 +1098,7 @@ (define (guix-environment* opts)
> (link-prof? (assoc-ref opts 'link-profile?))
> (symlinks (assoc-ref opts 'symlinks))
> (network? (assoc-ref opts 'network?))
> + (no-tls? (assoc-ref opts 'no-tls?))
> (no-cwd? (assoc-ref opts 'no-cwd?))
> (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
> (nesting? (assoc-ref opts 'nesting?))
> @@ -1133,6 +1154,10 @@ (define (guix-environment* opts)
> (when (pair? symlinks)
> (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
>
> + (when (and (not network?)
> + no-tls?)
> + (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
> +
Why not a warning instead of leaving with an error?
Cheers,
simon
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Fri, 20 Sep 2024 16:12:02 GMT)
Message #29 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi Ludo,
On Sun, 15 Sept 2024 at 23:49, Ludovic Courtès <ludo <at> gnu.org> wrote:
>> + #:autoload (gnu packages certs) (nss-certs)
[...]
>> +(define %default-tls-certs
>> + (list nss-certs))
>
> This would force all the package modules to be loaded upfront. Instead
> you should arrange to not refer to ‘nss-certs’ until it’s needed.
This is a question I had but did not report when commenting elsewhere on
this patch. I was thinking of suggesting:
(module-ref (resolve-interface '(gnu packages certs)) 'nss-certs)
which lazily loads, IIUC. Then I had a look at the Guile manual, which
mentions:
‘#:autoload MODULE SYMBOL-LIST’
[...]
An autoload is a good way to put off loading a big module
until it’s really needed, for instance for faster startup or
if it will only be needed in certain circumstances.
Therefore, could you explain the difference if there is one?
Cheers,
simon
Information forwarded to guix <at> cbaines.net, dev <at> jpoiret.xyz, ludo <at> gnu.org, othacehe <at> gnu.org, maxim.cournoyer <at> gmail.com, zimon.toutoune <at> gmail.com, me <at> tobias.gr, guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Tue, 28 Jan 2025 21:14:03 GMT)
Message #32 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Add the --no-tls flag. By default when starting a container with -N, add the
nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
environment variables. When --no-tls is passed, default to the old behavior.
* guix/scripts/environment.scm (%default-tls-certs): New function.
(show-environment-options-help): Add help for --no-tls.
(%options): Add --no-tls option.
(options/resolve-packages): Add %default-tls-certs to profile when network is
true and no-tls is false.
(launch-environment/container): Add set-tls? argument and set
SSL_CERT_DIR/FILE if #t.
(guix-environment*): Sanity check no-tls? and pass the negated version to
launch-environment/container.
* doc/guix.texi (Invoking guix shell): Document it.
(Invoking guix environment): Ditto.
* tests/guix-environment-container.sh: Add tests for behavior with and without
no-tls flag.
Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
---
Hi all. Been a while but I figured I'd take another crack at this.
> Ludo:
> This would force all the package modules to be loaded upfront. Instead you
> should arrange to not refer to ‘nss-certs’ until it’s needed.
Understood, %default-tls-certs is thunked in V2. To my understanding this
should achieve what we want.
> Ludo:
> Internally, I would reverse the logic to have ‘tls?’ instead (as a rule
> of thumb, I always avoid negating Booleans in code).
I chose no-tls? to be consistent with the no-cwd? option. V2 now uses the
set-tls? option in launch-environment/container and no-tls? everywhere else,
which I think fits better because outside l-e/c, no-tls? is more of a flag for
if the --no-tls option was passed than a control boolean.
> Ludo:
> Can we delay changes to the manifest until after all options have been
> parsed, so we know whether ‘-C’ has been passed?
Possibly, but it would be inconsistent with how nesting? works at present,
which also requires -C. I believe emulate-fhs? also adds packages to the
profile immediately, see parse-args in guix/scripts/shell.scm, which AFAICT
splices a '-e (@@ (gnu packages base) glibc-for-fhs)' in the options.
One way this could be resolved is by creating an internal manifest, then
concatenating it with manifest-from-opts. i.e. have a user manifest containing
explicitly provided packages and an internal manifest containing
glibc-for-fhs, nss-certs and guix depending on emulate-fhs?, no-tls?, and
nesting?. That's probably outside the scope of this patch.
> Ludo:
> Please make sure tests/guix-shell*.sh and tests/guix-environment*.sh
> pass.
For the low low price of free, not only do you get passing tests but now you
get more tests! What a steal.
> Simon:
> I would prefer to not have any short option at all.
Agreed and changed.
> Simon:
> Why not a warning instead of leaving with an error?
I elected to go with an error to be consistent with the sanity checking around
container?. In my opinion, warnings are best for when a user is doing
something technically valid but likely unintended, errors are for the
"technically makes no sense".
doc/guix.texi | 8 +++++++
guix/scripts/environment.scm | 35 +++++++++++++++++++++++++++--
tests/guix-environment-container.sh | 11 +++++++++
3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1b6d98e74..d291c15759 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6289,6 +6289,10 @@ Invoking guix shell
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
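Review bot: the manual entry still does not say what the default does (add `nss-certs` to the profile and set `SSL_CERT_DIR`/`SSL_CERT_FILE`), which is what a reader needs in order to decide whether to pass `--no-tls`; one sentence naming the package and the two variables would make the opt-out meaningful. It should also mention that `--no-tls` is rejected unless `--network` is given, as the code in this patch enforces.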
@@ -6786,6 +6790,10 @@ Invoking guix environment
Containers created without this flag only have access to the loopback
device.
+@item --no-tls
+For containers that share the network namespace, disable automatically
+adding TLS/SSL certificates.
+
@item --link-profile
@itemx -P
For containers, link the environment profile to @file{~/.guix-profile}
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 648a497743..174d446635 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2015-2024 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Mike Gerwitz <mtg <at> gnu.org>
;;; Copyright © 2022, 2023 John Kehayias <john.kehayias <at> protonmail.com>
+;;; Copyright © 2025 Richard Sent <richard <at> freakingpenguin.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -50,6 +51,7 @@ (define-module (guix scripts environment)
#:use-module (gnu system file-systems)
#:autoload (gnu packages) (specification->package+output)
#:autoload (gnu packages bash) (bash)
+ #:autoload (gnu packages certs) (nss-certs)
#:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile)
#:autoload (gnu packages package-management) (guix)
#:use-module (ice-9 match)
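Review bot: style point: `(gnu packages certs)` is inserted between `bash` and `bootstrap`, breaking the otherwise alphabetical order of the `#:autoload` list; move it after `bootstrap`.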
@@ -72,6 +74,10 @@ (define-module (guix scripts environment)
(define %default-shell
(or (getenv "SHELL") "/bin/sh"))
+(define (%default-tls-certs)
+ ;; Thunk to defer loading (gnu packages certs)
+ (list nss-certs))
+
(define* (show-search-paths profile manifest #:key pure?)
"Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t,
do not augment existing environment variables with additional search paths."
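Review bot: turning the definition into a thunk does defer the `nss-certs` reference as intended, but the `%` prefix is used in this file for variables (`%default-shell`, `%options`), not procedures, so `(define (%default-tls-certs) ...)` reads like a variable being called; `default-tls-certs` would follow the file's convention. The comment could also say what the thunk avoids (loading the package modules at startup) rather than just "defer loading".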
@@ -108,6 +114,9 @@ (define (show-environment-options-help)
-C, --container run command within an isolated container"))
(display (G_ "
-N, --network allow containers to access the network"))
+ (display (G_ "
+ --no-tls do not add SSL/TLS certificates or set environment
+ variables for a networked container"))
(display (G_ "
-P, --link-profile link environment profile to ~/.guix-profile within
an isolated container"))
@@ -244,6 +253,9 @@ (define %options
(option '(#\N "network") #f #f
(lambda (opt name arg result)
(alist-cons 'network? #t result)))
+ (option '("no-tls") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'no-tls? #t result)))
(option '(#\W "nesting") #f #f
(lambda (opt name arg result)
(alist-cons 'nesting? #t result)))
@@ -359,6 +371,11 @@ (define (options/resolve-packages store opts)
(packages->outputs (load* file module) mode)))
(('manifest . file)
(manifest-entries (load-manifest file)))
+ (('network? . #t)
+ (if (assoc-ref opts 'no-tls?)
+ '()
+ (manifest-entries
+ (packages->manifest (%default-tls-certs)))))
(('nesting? . #t)
(if (assoc-ref opts 'profile)
'()
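Review bot: the clause still appends `nss-certs` whenever `-N` is given, even when the user has already listed `nss-certs` (or a specific `nss-certs@VERSION`) on the command line, producing two entries for the same package in the manifest and, if the versions differ, two sets of certificate files competing for the same paths in the profile; checking the already-resolved entries for an existing `nss-certs` before adding the default would avoid that. With the new `--network`-requires-`--container` check in `guix-environment*`, the `-N`-without-`-C` case no longer reaches this code, which resolves the earlier concern.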
@@ -732,7 +749,8 @@ (define* (launch-environment/fork command profile manifest
(define* (launch-environment/container #:key command bash user user-mappings
profile manifest link-profile? network?
- map-cwd? emulate-fhs? nesting?
+ set-tls? map-cwd? emulate-fhs?
+ nesting?
(setup-hook #f)
(symlinks '()) (white-list '()))
"Run COMMAND within a container that features the software in PROFILE.
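Review bot: `set-tls?` is now a positive keyword, which reads better, but the docstring of `launch-environment/container` still does not describe it; add a sentence saying that when SET-TLS? is true `SSL_CERT_DIR` and `SSL_CERT_FILE` are pointed into PROFILE.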
@@ -936,6 +954,11 @@ (define* (launch-environment/container #:key command bash user user-mappings
;; Allow local AF_INET communications.
(set-network-interface-up "lo"))
+ (when set-tls?
+ (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+ (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+ "/ca-certificates.crt")))
+
;; For convenience, start in the user's current working
;; directory or, if unmapped, the home directory.
(chdir (if map-cwd?
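Review bot: `(getenv "SSL_CERT_DIR")` on the third added line re-reads a value that the previous line just set; bind the directory once, e.g. `(let ((certs (string-append profile "/etc/ssl/certs"))) (setenv "SSL_CERT_DIR" certs) (setenv "SSL_CERT_FILE" (string-append certs "/ca-certificates.crt")))`, so the file path cannot drift from the directory if either line is edited later. Also worth a comment here: these two variables are not honoured by every TLS library (the wget run later in this thread fails with them set and succeeds once /etc/ssl is symlinked), so users should not read `set-tls?` as a guarantee that every client in the container will trust the bundle.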
@@ -1085,6 +1108,7 @@ (define (guix-environment* opts)
(link-prof? (assoc-ref opts 'link-profile?))
(symlinks (assoc-ref opts 'symlinks))
(network? (assoc-ref opts 'network?))
+ (no-tls? (assoc-ref opts 'no-tls?))
(no-cwd? (assoc-ref opts 'no-cwd?))
(emulate-fhs? (assoc-ref opts 'emulate-fhs?))
(nesting? (assoc-ref opts 'nesting?))
@@ -1138,7 +1162,13 @@ (define (guix-environment* opts)
(when nesting?
(leave (G_ "'--nesting' cannot be used without '--container'~%")))
(when (pair? symlinks)
- (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
+ (leave (G_ "'--symlink' cannot be used without '--container'~%")))
+ (when network?
+ (leave (G_ "'--network cannot be used without '--container'~%"))))
+
+ (when (and (not network?)
+ no-tls?)
+ (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
(with-status-verbosity (assoc-ref opts 'verbosity)
(with-store/maybe store
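Review bot: two new messages in this hunk do not match the option names: `'--network cannot be used without '--container'~%` is missing the closing quote after `--network`, and `'--no-tls' cannot be used without '--networking'~%` names an option that does not exist; the option defined in the `%options` hunk is `--network` (`-N`). Beyond wording, the first new `leave` turns `--network` without `--container` from an accepted no-op into a hard error, which existing scripts may not expect; either downgrade it to a warning or call the behaviour change out explicitly in the commit message.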
@@ -1217,6 +1247,7 @@ (define (guix-environment* opts)
#:white-list white-list
#:link-profile? link-prof?
#:network? network?
+ #:set-tls? (not no-tls?)
#:map-cwd? (not no-cwd?)
#:emulate-fhs? emulate-fhs?
#:nesting? nesting?
diff --git a/tests/guix-environment-container.sh b/tests/guix-environment-container.sh
index 09704f751c..7ffc7f8c9f 100644
--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -2,6 +2,7 @@
# Copyright © 2015 David Thompson <davet <at> gnu.org>
# Copyright © 2022, 2023 John Kehayias <john.kehayias <at> protonmail.com>
# Copyright © 2023 Ludovic Courtès <ludo <at> gnu.org>
+# Copyright © 2025 Richard Sent <richard <at> freakingpenguin.com>
#
# This file is part of GNU Guix.
#
@@ -272,3 +273,13 @@ guix shell -C -D guix -- "$env" guix build hello -d && false # cannot work
hello_drv="$(guix build hello -d)"
hello_drv_nested="$(cd "$(dirname env)" && guix shell --bootstrap -E GUIX_BUILD_OPTIONS -CW -D guix -- "$env" guix build hello -d)"
test "$hello_drv" = "$hello_drv_nested"
+
+# Test if SSL_CERT_{DIR,FILE} are set and readable in the container.
+#
+# -f does cover the case of a symlink to a file inaccessible within the
+# -container.
+guix shell -CN -- /bin/sh -c 'test -d $SSL_CERT_DIR'
+guix shell -CN -- /bin/sh -c 'test -f $SSL_CERT_FILE'
+# Confirm --no-tls causes SSL_CERT_{DIR,FILE} to be unset.
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_DIR'
+guix shell -CN --no-tls -- /bin/sh -c 'test -z $SSL_CERT_FILE'
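Review bot: the variable expansions in the new `test` commands are unquoted, so if SSL_CERT_DIR is unset the container's shell runs `test -d` with a single argument, which POSIX `test` treats as "is this string non-empty" and reports true; the positive checks can therefore pass even when the feature set nothing. Write `test -d "$SSL_CERT_DIR"`, `test -f "$SSL_CERT_FILE"` and `test -z "$SSL_CERT_DIR"` (the `-z` checks currently pass for the same accidental reason). The comment above them also has a stray `-` before `container` and should read `within the container`.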
base-commit: 97fb1887ad10000c067168176c504274e29e4430
--
2.47.1
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Wed, 29 Jan 2025 01:34:02 GMT)
Message #35 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi,
Richard Sent <richard <at> freakingpenguin.com> writes:
> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
> container with -N, add nss-certs package and set SSL_CERT_DIR and
> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
> behavior.
> * doc/guix.texi: Document it.
I just wanted to share that I have a WIP in progress that would address
this differently, by using p11-kit with a trusted path to nss certs by
default:
--8<---------------cut here---------------start------------->8---
gnu: p11-kit: Add nss-certs to default trust path.
* gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs.
[arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a
trust path.
Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39
1 file changed, 5 insertions(+), 2 deletions(-)
gnu/packages/tls.scm | 7 +++++--
modified gnu/packages/tls.scm
@@ -61,6 +61,7 @@ (define-module (gnu packages tls)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages build-tools)
+ #:use-module (gnu packages certs)
#:use-module (gnu packages check)
#:use-module (gnu packages curl)
#:use-module (gnu packages dns)
@@ -160,6 +161,7 @@ (define-public p11-kit
docbook-xsl
gettext-minimal
libxslt
+ nss-certs ;default certs
pkg-config))
(inputs
(append (list libffi libtasn1)
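Review bot: nss-certs is added under `native-inputs`, yet the configure-flags hunk below embeds its store path into the built p11-kit as a run-time trust path; a run-time reference normally belongs in `inputs`, because native inputs are built for the build machine when cross-compiling and the embedded path would then refer to the wrong store item.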
@@ -175,9 +177,10 @@ (define-public p11-kit
(string-append
"-Dtrust_paths="
(string-join
- '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
+ `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
"/etc/pki/tls/certs/ca-bundle.crt" ;fedora, centos
- "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
+ "/var/lib/ca-certificates/ca-bundle.pem"
+ ,(search-input-directory %build-inputs "etc/ssl/certs"))
":")))))
(home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
(synopsis "PKCS#11 library")
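Review bot: the `;opensuse` comment on the `ca-bundle.pem` entry is dropped when that line is rewritten; keep it on the new line so the list stays self-documenting. Also, because the nss-certs store path is fixed into p11-kit at build time, every nss-certs update now rebuilds p11-kit and its dependents, which is worth stating in the commit message given the rebuild cost this message mentions.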
--8<---------------cut here---------------end--------------->8---
And then building gnutls with the
'--with-default-trust-store-pkcs11=pkcs11:' configure flag. In theory
that would mean that any GnuTLS using application would work out of the
box. p11-kit also allows users to override certs by user configuration
in XDG directories, should someone want to add their own certs or
override the default trust store (to be documented).
In practice I haven't yet rebuilt the world with this, but encountered a
failing test that suggests it doesn't work as expected (but perhaps it's
just the test) [0].
For OpenSSL, there is supposedly a plugin that can be used to make it
use p11-kit managed certs, though I haven't investigated.
The idea to use p11-kit was suggested to us (via Andreas) in 2015 by the
main GnuTLS developer [1].
It's used on Fedora/Red Hat for example [2].
[0] https://gitlab.com/gnutls/gnutls/-/issues/1639
[1] https://lists.gnupg.org/pipermail/gnutls-devel/2015-February/007447.html
[2] https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gnutls.spec#_320
--
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Wed, 29 Jan 2025 01:40:02 GMT)
Message #38 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi,
Simon Tournier <zimon.toutoune <at> gmail.com> writes:
[...]
>> + (when (and (not network?)
>> + no-tls?)
>> + (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
>> +
>
> Why not a warning instead of leaving with an error?
Is it even worth it? In the default case there is networking (not
containerized), and --networking is a no-op. No big deal? What's the
rationale for changing this? It can potentially affect someone's
script.
--
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Sun, 23 Feb 2025 22:43:02 GMT)
Message #41 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hi Richard,
Richard Sent <richard <at> freakingpenguin.com> skribis:
> Add the --no-tls flag. By default when starting a container with -N, add the
> nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
> environment variables. When --no-tls is passed, default to the old behavior.
>
> * guix/scripts/environment.scm (%default-tls-certs): New function.
> (show-environment-options-help): Add help for --no-tls.
> (%options): Add --no-tls option.
> (options/resolve-packages): Add %default-tls-certs to profile when network is
> true and no-tls is false.
> (launch-environment/container): Add set-tls? argument and set
> SSL_CERT_DIR/FILE if #t.
> (guix-environment*): Sanity check no-tls? and pass the negated version to
> launch-environment/container.
> * doc/guix.texi (Invoking guix shell): Document it.
> (Invoking guix environment): Ditto.
> * tests/guix-environment-container.sh: Add tests for behavior with and without
> no-tls flag.
>
> Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
> ---
> Hi all. Been a while but I figured I'd take another crack at this.
Sorry that it takes so long.
I’m happy with this version though I have one question:
> + (when set-tls?
> + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
> + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
> + "/ca-certificates.crt")))
What about symlinking /etc/ssl/certs in the container instead of setting
these two variables?
The reason I’m suggesting this is that these two variables are not
universal; example:
--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix shell -CN wget coreutils
[env]$ echo $SSL_CERT_DIR/
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/
[env]$ echo $SSL_CERT_FILE
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/ca-certificates.crt
[env]$ wget -O/dev/null https://guix.gnu.org
--2025-02-23 22:39:48-- https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
ERROR: The certificate of 'guix.gnu.org' is not trusted.
ERROR: The certificate of 'guix.gnu.org' doesn't have a known issuer.
--8<---------------cut here---------------end--------------->8---
The symlink saves us:
--8<---------------cut here---------------start------------->8---
[env]$ ln -s $GUIX_ENVIRONMENT/etc/ssl /etc/ssl
[env]$ wget -O/dev/null https://guix.gnu.org
--2025-02-23 22:41:06-- https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19897 (19K) [text/html]
Saving to: '/dev/null'
/dev/null 100%[==========================>] 19.43K --.-KB/s in 0s
2025-02-23 22:41:07 (168 MB/s) - '/dev/null' saved [19897/19897]
--8<---------------cut here---------------end--------------->8---
Thoughts?
We’re close to completion, very!
Ludo’.
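The two routes discussed above, SSL_CERT_DIR/SSL_CERT_FILE versus a symlinked /etc/ssl, can be checked from inside a container with the following added example (constructed here, not code from the patch or from the Guix project). It assumes the bundle lives at PROFILE/etc/ssl/certs/ca-certificates.crt as in the patch, and uses the quoting that the patch's tests lack.

```shell
# Verify that a CA bundle is reachable both by the SSL_CERT_* route and by
# the /etc/ssl/certs path that clients ignoring those variables use.
# PROFILE is a profile laid out as in the patch; ROOT is the filesystem root
# to inspect (/ inside a container, a scratch directory for offline testing).
# Returns 0 when both routes work, 1 when the bundle is missing, 2 when the
# bundle does not look like PEM, 3 when only the SSL_CERT_* route works.
tls_trust_check() {
    profile=$1
    root=$2
    dir="$profile/etc/ssl/certs"
    file="$dir/ca-certificates.crt"
    # Always quote expansions: with an empty variable 'test -d $X' becomes
    # 'test -d', which is true by the one-argument rule and hides the failure.
    [ -d "$dir" ] && [ -r "$file" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$file" || return 2
    # Clients that ignore SSL_CERT_DIR/SSL_CERT_FILE (like the wget run above)
    # look under /etc/ssl/certs; it must resolve to the same physical directory.
    [ -d "$root/etc/ssl/certs" ] || return 3
    [ "$(cd "$root/etc/ssl/certs" && pwd -P)" = "$(cd "$dir" && pwd -P)" ] \
        || return 3
    return 0
}

# Constructed fixture for offline use: a fake profile holding a placeholder
# bundle (not a real certificate) and an empty container root.
make_tls_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/profile/etc/ssl/certs" "$base/root/etc"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'constructed placeholder, not a real certificate' \
        '-----END CERTIFICATE-----' \
        > "$base/profile/etc/ssl/certs/ca-certificates.crt"
    printf '%s\n' "$base"
}

# The same fix as 'ln -s $GUIX_ENVIRONMENT/etc/ssl /etc/ssl' in the thread,
# parameterised on the profile and the root.
link_etc_ssl() {
    ln -s "$1/etc/ssl" "$2/etc/ssl"
}
```

Inside a container, `tls_trust_check "$GUIX_ENVIRONMENT" /` returning 3 is the state in which the failing wget run above occurs: the variables are set but /etc/ssl/certs does not exist.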
Merged 70314 75917. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Sun, 23 Feb 2025 22:43:02 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#70314; Package guix-patches. (Wed, 21 May 2025 07:35:03 GMT)
Message #46 received at 70314 <at> debbugs.gnu.org (full text, mbox):
Hello!
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hi,
>
> Richard Sent <richard <at> freakingpenguin.com> writes:
>
>> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
>> container with -N, add nss-certs package and set SSL_CERT_DIR and
>> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
>> behavior.
>> * doc/guix.texi: Document it.
>
> I just wanted to share that I have a WIP in progress that would address
> this differently; by using p11-kit with a trusted path to nss certs by
> default:
>
> gnu: p11-kit: Add nss-certs to default trust path.
>
> * gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs.
> [arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a
> trust path.
>
> Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39
>
> 1 file changed, 5 insertions(+), 2 deletions(-)
> gnu/packages/tls.scm | 7 +++++--
>
> modified gnu/packages/tls.scm
> @@ -61,6 +61,7 @@ (define-module (gnu packages tls)
> #:use-module (gnu packages base)
> #:use-module (gnu packages bash)
> #:use-module (gnu packages build-tools)
> + #:use-module (gnu packages certs)
> #:use-module (gnu packages check)
> #:use-module (gnu packages curl)
> #:use-module (gnu packages dns)
> @@ -160,6 +161,7 @@ (define-public p11-kit
> docbook-xsl
> gettext-minimal
> libxslt
> + nss-certs ;default certs
> pkg-config))
> (inputs
> (append (list libffi libtasn1)
> @@ -175,9 +177,10 @@ (define-public p11-kit
> (string-append
> "-Dtrust_paths="
> (string-join
> - '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
> + `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
> "/etc/pki/tls/certs/ca-bundle.crt" ;fedora, centos
> - "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
> + "/var/lib/ca-certificates/ca-bundle.pem"
> + ,(search-input-directory %build-inputs "etc/ssl/certs"))
> ":")))))
> (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
> (synopsis "PKCS#11 library")
>
> And then building gnutls with the
> '--with-default-trust-store-pkcs11=pkcs11:' configure flag. In theory
> that would mean that any GnuTLS using application would work out of the
> box. p11-kit also allows users to override certs by user configuration
> in XDG directories, should someone want to add their own certs or
> override the default trust store (to be documented).
I've finally found the last details to make this work! I will send the
series soon. This would partially obsolete this series here in the case of
gnutls, since certs would always be made available to it. We could look
into the p11-kit plugin for openssl to extend that same goodness to openssl.
--
Thanks,
Maxim