| Message ID | 67f49b23cfe3755c6802e2fc3351ef3cf0dcdfda.1715687434.git.andreas@enge.fr |
|---|---|
| State | New |
| Series | [bug#70933] system: Do not add "--disable-chroot" to containers. |
Hi,

Andreas Enge <andreas@enge.fr> wrote:

> The rationale for these lines is that they enable non-privileged docker
> containers. But I would like to create a privileged container with
> chroot (in an openshift environment, where I suppose this environment
> does additional encapsulation to enforce security), which these lines
> prevent.
>
> Users can still add the option. Alternatively, we could add an additional
> field "chroot? (default: #t)" to guix-configuration.

[...]

> - ((eq? guix-service-type (service-kind s))
> - ;; Pass '--disable-chroot' so that
> - ;; guix-daemon can build thing even in
> - ;; Docker without '--privileged'.

This is tricky, I’m not sure how to provide defaults that work in most common setups while still allowing the use of privileged Docker containers as in your case.

I think the current default is good because it’s the common case, but I agree that we need to find a way to override it.

Thoughts?

Ludo’.
On Fri, May 31, 2024 at 02:01:36PM +0200, Ludovic Courtès wrote:
> Andreas Enge <andreas@enge.fr> wrote:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that work in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.

The problem with a default is that apparently, for containers we want #f, for real machines we want #t as the default; and then it should be overridable.

The only solution I see is to use a ternary value, allowing chroot? to be #f, #t or 'default, with the last one, you guessed it, being the default. It would be replaced by #f or #t depending on whether we are in a container or not.

I had considered it when suggesting the patch, but found it a bit too much shepherding; I still think that "chroot? (default: #t)" would be enough.

Andreas
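The tri-state `chroot?` field discussed in the message above, sketched as an added Guile example. This is not code from the patch or from Guix: `guix-configuration` has no `chroot?` field in the lines shown, so the field, the `chroot-extra-options` procedure and its `in-container?` argument are hypothetical, and the procedure works on a plain list of daemon options instead of a real `guix-configuration` record. It shows the resolution rule the thread asks for: an explicit `#t` or `#f` always wins, and only `'default` is decided by whether the operating system is being containerized.

```scheme
;; Added example, not part of the patch or of Guix.  'chroot?' as a
;; field of guix-configuration, and the procedure below, are assumptions.
(use-modules (srfi srfi-1)
             (ice-9 match))

(define (chroot-extra-options chroot? in-container? extra-options)
  "Return the list of guix-daemon options to use, given the user's
CHROOT? setting (#t, #f or 'default), whether the OS is being turned
into a container (IN-CONTAINER?), and the user's existing EXTRA-OPTIONS.

Resolution rule: an explicit #t keeps the chroot even inside a
container (the privileged OpenShift case); an explicit #f disables it
even on a real machine; 'default resolves to #f inside a container,
matching the behaviour the removed branch hard-coded, and to #t
otherwise."
  (let* ((want-chroot? (match chroot?
                         ('default (not in-container?))
                         (#t #t)
                         (#f #f)))
         ;; Remove any copy of the flag the user already passed so it is
         ;; never duplicated on the daemon's command line.
         (options (delete "--disable-chroot" extra-options)))
    (if want-chroot?
        options
        (cons "--disable-chroot" options))))

;; 'default inside a container: the flag is added, as today.
(chroot-extra-options 'default #t '("--max-jobs=2"))

;; Explicit #t inside a container: the flag is not added, so a
;; privileged container keeps the chroot.
(chroot-extra-options #t #t '("--max-jobs=2"))

;; Explicit #f on a real machine: the flag is added even though the
;; system is not a container.
(chroot-extra-options #f #f '())

;; A user who already wrote the flag by hand does not get it twice.
(chroot-extra-options 'default #t '("--disable-chroot"))
```

In a real `containerized-operating-system` the `in-container?` argument would simply be `#t`, and the caller would feed the result into the `extra-options` field of the rebuilt `guix-configuration`; the point of the helper is that the decision is made in one place and every value of `chroot?` has a defined meaning in both contexts.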
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm index c780b68fba..2fc54a8121 100644 --- a/gnu/system/linux-container.scm +++ b/gnu/system/linux-container.scm @@ -159,17 +159,6 @@ (define* (containerized-operating-system os mappings (nscd-configuration (inherit (service-value s)) (caches %nscd-container-caches)))) - ((eq? guix-service-type (service-kind s)) - ;; Pass '--disable-chroot' so that - ;; guix-daemon can build thing even in - ;; Docker without '--privileged'. - (service guix-service-type - (guix-configuration - (inherit (service-value s)) - (extra-options - (cons "--disable-chroot" - (guix-configuration-extra-options - (service-value s))))))) (else s))) (operating-system-user-services os)))) (file-systems (append (map mapping->fs
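Review bot: Deleting the whole `guix-service-type` branch in `containerized-operating-system` flips the default for every containerized OS, so users who run the result in Docker without `--privileged` (the case the removed comment documents) will now get a guix-daemon that expects chroot support unless they add "--disable-chroot" by hand, which is the common case the discussion agrees should keep working. Rather than removing the branch, keep it and make it skippable: prepend "--disable-chroot" only when the inherited `extra-options` do not already contain it and the user has not opted out, for example through a `chroot?` field on `guix-configuration` (default `#t`, or the `#t`/`#f`/`'default` tri-state suggested in the thread) that this branch consults before adding the flag. A behaviour change for `guix system container` also calls for a documentation update and the patch touches none.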