Package: guix-patches;
Reported by: Richard Sent <richard <at> freakingpenguin.com>
Date: Tue, 9 Apr 2024 19:15:01 UTC
Severity: normal
Tags: patch
Merged with 75917
From: Richard Sent <richard <at> freakingpenguin.com>
To: 70314 <at> debbugs.gnu.org
Cc: Richard Sent <richard <at> freakingpenguin.com>, Christopher Baines <guix <at> cbaines.net>, Josselin Poiret <dev <at> jpoiret.xyz>, Ludovic Courtès <ludo <at> gnu.org>, Mathieu Othacehe <othacehe <at> gnu.org>, Ricardo Wurmus <rekado <at> elephly.net>, Simon Tournier <zimon.toutoune <at> gmail.com>, Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
Date: Tue, 9 Apr 2024 15:05:29 -0400
* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a container with -N, add nss-certs package and set SSL_CERT_DIR and SSL_CERT_FILE environment variables. When --no-tls is passed, default to old behavior. * doc/guix.texi: Document it. Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7 --- Hi Guix! Given the discussion on IRC and guix-devel [1] recently about making nss-certs easier to use, this patch modifies guix environment (and thus guix shell) to automatically add nss-certs to the profile when sharing the network namespace, as well as setting the mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment variables. This behavior can be reverted with the --no-tls flag. Since presumably the majority of shell users want TLS to work out of the box, adding TLS by default makes sense to me. Previous workarounds were verbose [2] and prone to failure [3]. [1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html [2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html [3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2] works coincidentally since guix system w/ nss-certs happens to have identical nss-certs hash as the guix building the shell profile. Otherwise the system version would not be visible inside the container. doc/guix.texi | 8 ++++++++ guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 5827e0de14..912ed79ccd 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6214,6 +6214,10 @@ Invoking guix shell Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} 
@@ -6711,6 +6715,10 @@ Invoking guix environment Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 1d7a6e198d..b38882a4ca 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -49,6 +49,7 @@ (define-module (guix scripts environment) #:autoload (guix build syscalls) (set-network-interface-up openpty login-tty) #:use-module (gnu system file-systems) #:autoload (gnu packages) (specification->package+output) + #:autoload (gnu packages certs) (nss-certs) #:autoload (gnu packages bash) (bash) #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile) #:autoload (gnu packages package-management) (guix) @@ -72,6 +73,9 @@ (define-module (guix scripts environment) (define %default-shell (or (getenv "SHELL") "/bin/sh")) +(define %default-tls-certs + (list nss-certs)) + (define* (show-search-paths profile manifest #:key pure?) "Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t, do not augment existing environment variables with additional search paths." @@ -108,6 +112,9 @@ (define (show-environment-options-help) -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + --no-tls do not add SSL/TLS certificates or set environment + variables for a networked container")) (display (G_ " -P, --link-profile link environment profile to ~/.guix-profile within an isolated container")) 
@@ -244,6 +251,9 @@ (define %options (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '(#\T "no-tls") #f #f + (lambda (opt name arg result) + (alist-cons 'no-tls? #t result))) (option '(#\W "nesting") #f #f (lambda (opt name arg result) (alist-cons 'nesting? #t result))) @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts) (packages->outputs (load* file module) mode))) (('manifest . file) (manifest-entries (load-manifest file))) + (('network? . #t) + (if (assoc-ref opts 'no-tls?) + '() + (manifest-entries + (packages->manifest %default-tls-certs)))) (('nesting? . #t) (if (assoc-ref opts 'profile) '() @@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest (define* (launch-environment/container #:key command bash user user-mappings profile manifest link-profile? network? - map-cwd? emulate-fhs? nesting? + no-tls? map-cwd? emulate-fhs? nesting? (setup-hook #f) (symlinks '()) (white-list '())) "Run COMMAND within a container that features the software in PROFILE. @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings ;; Allow local AF_INET communications. (set-network-interface-up "lo")) + (unless no-tls? + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs")) + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR") + "/ca-certificates.crt"))) + ;; For convenience, start in the user's current working ;; directory or, if unmapped, the home directory. (chdir (if map-cwd? @@ -1078,6 +1098,7 @@ (define (guix-environment* opts) (link-prof? (assoc-ref opts 'link-profile?)) (symlinks (assoc-ref opts 'symlinks)) (network? (assoc-ref opts 'network?)) + (no-tls? (assoc-ref opts 'no-tls?)) (no-cwd? (assoc-ref opts 'no-cwd?)) (emulate-fhs? (assoc-ref opts 'emulate-fhs?)) (nesting? (assoc-ref opts 'nesting?)) 
@@ -1133,6 +1154,10 @@ (define (guix-environment* opts) (when (pair? symlinks) (leave (G_ "'--symlink' cannot be used without '--container'~%")))) + (when (and (not network?) + no-tls?) + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) + (with-store/maybe store (with-status-verbosity (assoc-ref opts 'verbosity) (define manifest-from-opts @@ -1212,6 +1237,7 @@ (define (guix-environment* opts) #:network? network? #:map-cwd? (not no-cwd?) #:emulate-fhs? emulate-fhs? + #:no-tls? no-tls? #:nesting? nesting? #:symlinks symlinks #:setup-hook base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35 -- 2.41.0
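Review bot: In the @@ -1133 hunk of guix/scripts/environment.scm the error message names a flag that does not exist: `(leave (G_ "'--no-tls' cannot be used without '--networking'~%"))` should say `'--network'`, since the option is registered as `'(#\N "network")` in the @@ -244 hunk; as written, the message points users at a flag `guix shell` does not accept.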
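Review bot: In the @@ -929 hunk the new `(unless no-tls? ...)` block is conditioned only on `no-tls?`, not on `network?`, while the certificates themselves are only added to the profile under the `('network? . #t)` case of the @@ -359 hunk. Because the @@ -1133 check rejects `--no-tls` without `--network`, a plain `-C` container always has `no-tls?` as `#f`, so `SSL_CERT_DIR` and `SSL_CERT_FILE` get exported pointing at `PROFILE/etc/ssl/certs`, a directory that does not exist in that profile, and any TLS client honouring those variables (for example against a service on the loopback device) fails with a confusing "no such file" rather than a clear missing-certificates condition. Suggest `(when (and network? (not no-tls?)) ...)`, and while there, bind the directory once with a `let` instead of re-reading it via `(getenv "SSL_CERT_DIR")` to build `SSL_CERT_FILE`.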
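Review bot: The @@ -244 hunk registers a short option `#\T` for `--no-tls`, but neither the `show-environment-options-help` text in the @@ -108 hunk nor the two `@item --no-tls` entries in doc/guix.texi mention `-T`; either drop the short option (single-letter flags on this command are scarce and `-T` is not obviously mnemonic) or document it as `-T, --no-tls` in both places. The two manual entries also omit that the flag suppresses setting `SSL_CERT_DIR` and `SSL_CERT_FILE`, which the help text does state; the texinfo should say the same so users know which variables the networked container exports.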
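Review bot: In the @@ -72 hunk, `(define %default-tls-certs (list nss-certs))` evaluates `nss-certs` at module load time, which triggers the `#:autoload (gnu packages certs)` added in the @@ -49 hunk on every invocation of `guix environment` and `guix shell`, so the autoload no longer defers anything. A thunk, `(define (default-tls-certs) (list nss-certs))`, called from the `('network? . #t)` case of the @@ -359 hunk keeps the module lazy. Related to that case: it appends nss-certs unconditionally, so a manifest or command line that already names nss-certs (possibly a different version, as the cover letter's hash-coincidence remark hints) would carry two entries; worth checking whether that produces a profile collision warning or whether the default should be skipped when the manifest already provides it.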