GNU bug report logs - #70933
[PATCH] system: Do not add "--disable-chroot" to containers.
Reported by: Andreas Enge <andreas <at> enge.fr>
Date: Tue, 14 May 2024 11:56:02 UTC
Severity: normal
Tags: patch
Done: Andreas Enge <andreas <at> enge.fr>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Tue, 14 May 2024 11:56:02 GMT)
Acknowledgement sent to Andreas Enge <andreas <at> enge.fr>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 14 May 2024 11:56:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The rationale for these lines is that they enable non-privileged docker
containers. But I would like to create a privileged container with
chroot (in an openshift environment, where I suppose this environment
does additional encapsulation to enforce security), which these lines
prevent.
Users can still add the option. Alternatively, we could add an additional
field "chroot? (default: #t)" to guix-configuration.
Andreas
* gnu/system/linux-container.scm (containerized-operating-system): Do not
add "--disable-chroot".
Change-Id: I1eff9aa0d02d6e53bd4e42f3aeb07d0ab42616a8
---
gnu/system/linux-container.scm | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c780b68fba..2fc54a8121 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings
(nscd-configuration
(inherit (service-value s))
(caches %nscd-container-caches))))
- ((eq? guix-service-type (service-kind s))
- ;; Pass '--disable-chroot' so that
- ;; guix-daemon can build thing even in
- ;; Docker without '--privileged'.
- (service guix-service-type
- (guix-configuration
- (inherit (service-value s))
- (extra-options
- (cons "--disable-chroot"
- (guix-configuration-extra-options
- (service-value s)))))))
(else s)))
(operating-system-user-services os))))
(file-systems (append (map mapping->fs
base-commit: a682ddd70846d488cfbd82d65e8566ec6739813c
--
2.41.0
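As an added check, not part of this patch or of Guix itself: a POSIX shell snippet that tells from guix-daemon's argv whether it was started with the "--disable-chroot" that the removed clause injected, so an operator can confirm which build-isolation mode a host or container actually ended up in. The sample command lines are constructed; the live check assumes Linux /proc and pgrep are available.

```shell
#!/bin/sh
# Added example (not from the patch or the Guix project): report whether a
# guix-daemon command line carries "--disable-chroot", i.e. whether chroot
# build isolation is switched off.  Input is the daemon's argv joined by
# spaces, the form you get from /proc/PID/cmdline after replacing NULs.

# Returns 0 when the command line disables chroot builds, 1 otherwise.
# The surrounding spaces make the match exact (no prefix/suffix matches).
chroot_disabled() {
  cmdline=$1
  case " $cmdline " in
    *" --disable-chroot "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Human-readable verdict for one command line.
describe() {
  if chroot_disabled "$1"; then
    echo "chroot builds DISABLED"
  else
    echo "chroot builds enabled"
  fi
}

# Read the running daemon's argv (Linux only; needs permission to read /proc).
live_cmdline() {
  pid=$(pgrep -x guix-daemon | head -n 1)
  [ -n "$pid" ] || return 1
  tr '\0' ' ' < "/proc/$pid/cmdline"
}

# Constructed sample command lines (store path is a placeholder): the
# containerized default before this patch, and a daemon started the way a
# real machine, or a container with chroot? #t, would start it.
SAMPLE_CONTAINER='/gnu/store/example-guix/bin/guix-daemon --build-users-group=guixbuild --disable-chroot'
SAMPLE_HOST='/gnu/store/example-guix/bin/guix-daemon --build-users-group=guixbuild --max-jobs=4'

describe "$SAMPLE_CONTAINER"   # chroot builds DISABLED
describe "$SAMPLE_HOST"        # chroot builds enabled
```

To inspect a live system, run `describe "$(live_cmdline)"` on the host or inside the container.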
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Fri, 31 May 2024 12:03:02 GMT)
Message #8 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Hi,
Andreas Enge <andreas <at> enge.fr> wrote:
> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.
[...]
> - ((eq? guix-service-type (service-kind s))
> - ;; Pass '--disable-chroot' so that
> - ;; guix-daemon can build thing even in
> - ;; Docker without '--privileged'.
This is tricky, I’m not sure how to provide defaults that work in most
common setups while still allowing the use of privileged Docker
containers as in your case.
I think the current default is good because it’s the common case, but I
agree that we need to find a way to override it.
Thoughts?
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Fri, 31 May 2024 14:28:01 GMT)
Message #11 received at 70933 <at> debbugs.gnu.org (full text, mbox):
On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
> Andreas Enge <andreas <at> enge.fr> wrote:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that work in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.
The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.
I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.
Andreas
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Tue, 25 Jun 2024 15:31:02 GMT)
Message #14 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Hi!
Andreas Enge <andreas <at> enge.fr> wrote:
> On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
>> Andreas Enge <andreas <at> enge.fr> wrote:
>> > The rationale for these lines is that they enable non-privileged docker
>> > containers. But I would like to create a privileged container with
>> > chroot (in an openshift environment, where I suppose this environment
>> > does additional encapsulation to enforce security), which these lines
>> > prevent.
>> > Users can still add the option. Alternatively, we could add an additional
>> > field "chroot? (default: #t)" to guix-configuration.
>> This is tricky, I’m not sure how to provide defaults that work in most
>> common setups while still allowing the use of privileged Docker
>> containers as in your case.
>
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.
Making it a ternary value sounds like a good idea, indeed. #t, #f, and
'default sounds like a good choice to me.
Thanks!
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Fri, 05 Jul 2024 14:26:02 GMT)
Message #17 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Here is a suggestion for a patch implementing the chroot? parameter.
I have tested it by reconfiguring a real machine and still need to
test it in containers.
Andreas
[0001-gnu-guix-configuration-Add-a-chroot-parameter.patch (text/plain, attachment)]
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Thu, 19 Sep 2024 08:03:02 GMT)
Message #20 received at 70933 <at> debbugs.gnu.org (full text, mbox):
On Fri, May 31, 2024 at 04:26:58PM +0200, Andreas Enge wrote:
> The problem with a default is that apparently, for containers we want #f,
> for real machines we want #t as the default; and then it should be
> overridable. The only solution I see is to use a ternary value,
> allowing chroot? to be #f, #t or 'default, with the last one, you guessed it,
> being the default. It would be replaced by #f or #t depending on whether
> we are in a container or not.
The patch works in our kubernetes environment (where we create docker
containers with 'chroot? #t'). If there is agreement, I am happy to adapt
the documentation and to push.
Andreas
Information forwarded to guix-patches <at> gnu.org: bug#70933; Package guix-patches. (Wed, 05 Feb 2025 15:14:02 GMT)
Message #23 received at 70933 <at> debbugs.gnu.org (full text, mbox):
Okay to push? If I do not hear back in a week, I will do so.
The patch is available in the wip-plmshift branch as well.
Andreas
Reply sent to Andreas Enge <andreas <at> enge.fr>: You have taken responsibility. (Mon, 17 Feb 2025 14:00:03 GMT)
Notification sent to Andreas Enge <andreas <at> enge.fr>: bug acknowledged by developer. (Mon, 17 Feb 2025 14:00:04 GMT)
Message #28 received at 70933-done <at> debbugs.gnu.org (full text, mbox):
Pushed!
Andreas
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 18 Mar 2025 11:24:28 GMT)