From patchwork Tue Apr 8 12:24:47 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41453
Subject: [bug#77638] [PATCH 7/8] linux-container: Set up “lo” and generate /etc/hosts by default.
Resent-From: Ludovic Courtès
To: 77638@debbugs.gnu.org
Cc: Andrew Tropin, Christopher Baines, Janneke Nieuwenhuizen, Josselin Poiret, Ludovic Courtès, Mathieu Othacehe, Simon Tournier, Tanguy Le Carrour, Tobias Geerinckx-Rice
From: Ludovic Courtès
Date: Tue, 8 Apr 2025 14:24:47 +0200
Message-ID: <1cb6588514b23eea3e5264fb7698548d8127bd63.1744114408.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

* gnu/build/linux-container.scm (run-container): Add #:loopback-network?
and honor it via #:populate-file-system.
(call-with-container): Add #:loopback-network? and pass it to
‘run-container’.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to ‘set-network-interface-up’ and remove generation of /etc/hosts.
* guix/scripts/home.scm (spawn-home-container): Likewise.

Change-Id: I5933a4e8dc6d8e19235a79696b62299d74d1ba21

--- gnu/build/linux-container.scm | 25 ++++++++++++++++++++++++- guix/scripts/environment.scm | 11 ----------- guix/scripts/home.scm | 15 ++------------- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 4dcdaa8f33..345ce2de08 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -237,6 +237,7 @@ (define (namespaces->bit-mask namespaces) (define* (run-container root mounts namespaces host-uids thunk #:key (guest-uid 0) (guest-gid 0) (populate-file-system (const #t)) + (loopback-network? #t) writable-root?) "Run THUNK in a new container process and return its PID. ROOT specifies the root directory for the container. MOUNTS is a list of 
@@ -244,6 +245,9 @@ (define* (run-container root mounts namespaces host-uids thunk is a list of symbols that correspond to the possible Linux namespaces: mnt, ipc, uts, user, and net. +When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the +loopback device (\"lo\") and a minimal /etc/hosts. + When WRITABLE-ROOT? is false, remount the container's root as read-only before calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially) made read-only. @@ -275,7 +279,21 @@ (define* (run-container root mounts namespaces host-uids thunk #:mount-/sys? (memq 'net namespaces) #:populate-file-system - populate-file-system + (lambda () + (populate-file-system) + (when (and (memq 'net namespaces) + loopback-network?) + (set-network-interface-up "lo") + + ;; When isolated from the + ;; network, provide a minimal + ;; /etc/hosts to resolve + ;; "localhost". + (mkdir-p "/etc") + (call-with-output-file "/etc/hosts" + (lambda (port) + (display "127.0.0.1 localhost\n" port) + (chmod port #o444))))) #:writable-root? (or writable-root? (not (memq 'mnt namespaces))))) @@ -350,6 +368,7 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces) (relayed-signals (list SIGINT SIGTERM)) (child-is-pid1? #t) (populate-file-system (const #t)) + (loopback-network? #t) writable-root? (process-spawned-hook (const #t))) "Run THUNK in a new container process and return its exit status; call @@ -371,6 +390,9 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces) RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container process when caught by its parent. +When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the +loopback device (\"lo\") and a minimal /etc/hosts. + When WRITABLE-ROOT? is false, remount the container's root as read-only before calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially) made read-only. 
@@ -430,6 +452,7 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces) #:guest-uid guest-uid #:guest-gid guest-gid #:populate-file-system populate-file-system + #:loopback-network? loopback-network? #:writable-root? writable-root?))) (install-signal-handlers pid) (process-spawned-hook pid) diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 8f3bea8c30..ddd34394dd 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -901,10 +901,6 @@ (define* (launch-environment/container #:key command bash user user-mappings (setenv "HOME" home-dir) - (unless network? - ;; Allow local AF_INET communications. - (set-network-interface-up "lo")) - ;; For convenience, start in the user's current working ;; directory or, if unmapped, the home directory. (chdir (if map-cwd? @@ -959,13 +955,6 @@ (define* (launch-environment/container #:key command bash user user-mappings (write-passwd (list passwd)) (write-group groups) - (unless network? - ;; When isolated from the network, provide a minimal /etc/hosts - ;; to resolve "localhost". - (call-with-output-file "/etc/hosts" - (lambda (port) - (display "127.0.0.1 localhost\n" port)))) - ;; Call an additional setup procedure, if provided. (when setup-hook (setup-hook profile))) diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm index 6fcb0ca382..fbf6d670ac 100644 --- a/guix/scripts/home.scm +++ b/guix/scripts/home.scm @@ -288,14 +288,11 @@ (define* (spawn-home-container home (with-imported-modules `(((guix config) => ,(make-config.scm)) ,@(source-module-closure '((guix profiles) - (guix build utils) - (guix build syscalls)) + (guix build utils)) #:select? not-config?)) #~(begin (use-modules (guix build utils) - ((guix profiles) #:select (load-profile)) - ((guix build syscalls) - #:select (set-network-interface-up))) + ((guix profiles) #:select (load-profile))) (define shell #$(user-shell)) 
@@ -347,14 +344,6 @@ (define* (spawn-home-container home (write-passwd (list passwd)) (write-group groups) - (unless network? - ;; When isolated from the network, provide a minimal /etc/hosts - ;; to resolve "localhost". - (call-with-output-file "/etc/hosts" - (lambda (port) - (display "127.0.0.1 localhost\n" port) - (chmod port #o444)))) - ;; Create /tmp; bits of code expect it, such as ;; 'least-authority-wrapper'. (mkdir-p "/tmp"))
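Review bot: the new keyword defaults to #t in both run-container (@@ -237) and call-with-container (@@ -350), so every existing caller that puts 'net in NAMESPACES now gets "lo" brought up and /etc/hosts written into its root, not only the two call sites this patch cleans up. Callers outside this diff that bind-mount a host /etc/hosts, or whose /etc is a read-only mount, will see the file overwritten or the container fail to start when call-with-output-file throws; please audit the other callers of call-with-container or mention the behaviour change in the commit message.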
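Review bot: typo in both new docstring paragraphs, at @@ -244 (run-container) and @@ -371 (call-with-container): "when LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES" should read "'net is among NAMESPACES".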
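Review bot: in the @@ -275 hunk, /etc/hosts is written only after (populate-file-system) returns, so an /etc/hosts that the caller's populate procedure (or a setup hook it runs) created is silently clobbered and then chmod'ed to #o444; either write the file before calling populate-file-system or skip it when the file already exists. Also, this hunk introduces calls to set-network-interface-up (from (guix build syscalls)) and mkdir-p (from (guix build utils)) without adding either import to linux-container.scm; if the module does not already import both, this is an unbound-variable error the first time a container with 'net is started. Finally, the comment ";; When isolated from the network" is accurate only because the guard is (memq 'net namespaces); consider saying so in the comment, since the lambda no longer has access to the callers' network? flag.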
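Review bot: the removal at @@ -901 replaces the "(unless network? ...)" guard with the "(memq 'net namespaces)" check inside run-container, which is only equivalent if launch-environment/container removes 'net from the namespaces it passes whenever network? is true; that call site is not in this diff, so please confirm it. Unlike the home.scm hunk at @@ -288, this file keeps its (guix build syscalls) import even though the only visible use of set-network-interface-up is deleted here; if nothing else in environment.scm needs it, drop the import for consistency.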
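Review bot: the code removed at @@ -959 wrote /etc/hosts without a chmod, whereas the replacement in run-container does (chmod port #o444), so inside a "guix shell --container" the file now becomes read-only; the home.scm version at @@ -347 already did this, so the patch makes the two consistent, but that is a small user-visible change for environment.scm that the commit message does not mention.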