From patchwork Tue Apr 9 19:05:29 2024
X-Patchwork-Submitter: Richard Sent
X-Patchwork-Id: 62893
Subject: [bug#70314] [PATCH] guix: scripts: environment: add tls certs to networked containers
To: 70314@debbugs.gnu.org
Cc: Richard Sent, Christopher Baines, Josselin Poiret, Ludovic Courtès, Mathieu Othacehe, Ricardo Wurmus, Simon Tournier, Tobias Geerinckx-Rice, guix-patches@gnu.org
From: Richard Sent
Date: Tue, 9 Apr 2024 15:05:29 -0400
Message-ID: <82121e1e6f3144f54d4a8e6d4276bb4581b627d2.1712689529.git.richard@freakingpenguin.com>

* guix/scripts/environment.scm: Add --no-tls flag. By default when starting a container with -N, add nss-certs package and set SSL_CERT_DIR and SSL_CERT_FILE environment variables. When --no-tls is passed, default to old behavior.
* doc/guix.texi: Document it.

Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7
---
Hi Guix!

Given the discussion on IRC and guix-devel [1] recently about making nss-certs easier to use, this patch modifies guix environment (and thus guix shell) to automatically add nss-certs to the profile when sharing the network namespace, as well as setting the mostly-standardized SSL_CERT_DIR and SSL_CERT_FILE environment variables. This behavior can be reverted with the --no-tls flag.

Since presumably the majority of shell users want TLS to work out of the box, adding TLS by default makes sense to me. Previous workarounds were verbose [2] and prone to failure [3].
[1] https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00020.html
[2] https://lists.gnu.org/archive/html/guix-patches/2020-05/msg00197.html
[3] See tail of https://logs.guix.gnu.org/guix/2024-04-08.log, [2] works coincidentally since guix system w/ nss-certs happens to have identical nss-certs hash as the guix building the shell profile. Otherwise the system version would not be visible inside the container.

 doc/guix.texi | 8 ++++++++
 guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

base-commit: 35e1d9247e39f3c91512cf3d9ef1467962389e35

diff --git a/doc/guix.texi b/doc/guix.texi index 5827e0de14..912ed79ccd 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6214,6 +6214,10 @@ Invoking guix shell Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} @@ -6711,6 +6715,10 @@ Invoking guix environment Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 1d7a6e198d..b38882a4ca 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm
@@ -49,6 +49,7 @@ (define-module (guix scripts environment) #:autoload (guix build syscalls) (set-network-interface-up openpty login-tty) #:use-module (gnu system file-systems) #:autoload (gnu packages) (specification->package+output) + #:autoload (gnu packages certs) (nss-certs) #:autoload (gnu packages bash) (bash) #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile) #:autoload (gnu packages package-management) (guix) @@ -72,6 +73,9 @@ (define-module (guix scripts environment) (define %default-shell (or (getenv "SHELL") "/bin/sh")) +(define %default-tls-certs + (list nss-certs)) + (define* (show-search-paths profile manifest #:key pure?) "Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t, do not augment existing environment variables with additional search paths." @@ -108,6 +112,9 @@ (define (show-environment-options-help) -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + --no-tls do not add SSL/TLS certificates or set environment + variables for a networked container")) (display (G_ " -P, --link-profile link environment profile to ~/.guix-profile within an isolated container")) @@ -244,6 +251,9 @@ (define %options (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '(#\T "no-tls") #f #f + (lambda (opt name arg result) + (alist-cons 'no-tls? #t result))) (option '(#\W "nesting") #f #f (lambda (opt name arg result) (alist-cons 'nesting? #t result))) @@ -359,6 +369,11 @@ (define (options/resolve-packages store opts) (packages->outputs (load* file module) mode))) (('manifest . file) (manifest-entries (load-manifest file))) + (('network? . #t) + (if (assoc-ref opts 'no-tls?) + '() + (manifest-entries + (packages->manifest %default-tls-certs)))) (('nesting? . #t) (if (assoc-ref opts 'profile) '() 
@@ -725,7 +740,7 @@ (define* (launch-environment/fork command profile manifest (define* (launch-environment/container #:key command bash user user-mappings profile manifest link-profile? network? - map-cwd? emulate-fhs? nesting? + no-tls? map-cwd? emulate-fhs? nesting? (setup-hook #f) (symlinks '()) (white-list '())) "Run COMMAND within a container that features the software in PROFILE. @@ -929,6 +944,11 @@ (define* (launch-environment/container #:key command bash user user-mappings ;; Allow local AF_INET communications. (set-network-interface-up "lo")) + (unless no-tls? + (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs")) + (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR") + "/ca-certificates.crt"))) + ;; For convenience, start in the user's current working ;; directory or, if unmapped, the home directory. (chdir (if map-cwd? @@ -1078,6 +1098,7 @@ (define (guix-environment* opts) (link-prof? (assoc-ref opts 'link-profile?)) (symlinks (assoc-ref opts 'symlinks)) (network? (assoc-ref opts 'network?)) + (no-tls? (assoc-ref opts 'no-tls?)) (no-cwd? (assoc-ref opts 'no-cwd?)) (emulate-fhs? (assoc-ref opts 'emulate-fhs?)) (nesting? (assoc-ref opts 'nesting?)) @@ -1133,6 +1154,10 @@ (define (guix-environment* opts) (when (pair? symlinks) (leave (G_ "'--symlink' cannot be used without '--container'~%")))) + (when (and (not network?) + no-tls?) + (leave (G_ "'--no-tls' cannot be used without '--networking'~%"))) + (with-store/maybe store (with-status-verbosity (assoc-ref opts 'verbosity) (define manifest-from-opts @@ -1212,6 +1237,7 @@ (define (guix-environment* opts) #:network? network? #:map-cwd? (not no-cwd?) #:emulate-fhs? emulate-fhs? + #:no-tls? no-tls? #:nesting? nesting? #:symlinks symlinks #:setup-hook
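Review bot: the two `@item --no-tls` entries in the doc/guix.texi hunks ("Invoking guix shell" and "Invoking guix environment") document only the long form, yet the option table in guix/scripts/environment.scm registers `(option '(#\T "no-tls") ...)`, so `-T` is accepted but appears neither in the manual nor in the `--help` string. Either add `@itemx -T` and `-T, --no-tls` to the help text, or drop the short option. The entries should also say what the default actually does (nss-certs is added to the profile and SSL_CERT_DIR/SSL_CERT_FILE point into it, affecting only programs that consult those OpenSSL-style variables), since that is what `--no-tls` switches off; the `--network` entry just above is the natural place to state that certificates are now added by default.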
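Review bot: `(define %default-tls-certs (list nss-certs))` evaluates `nss-certs` when the module is loaded, which defeats the `#:autoload (gnu packages certs) (nss-certs)` added in the previous hunk: every `guix shell`/`guix environment` invocation will pull in (gnu packages certs), even ones that never create a networked container. Make it lazy, e.g. `(define (default-tls-certs) (list nss-certs))`, and call it from the `('network? . #t)` clause in options/resolve-packages so the module is only loaded when `-N` is in use.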
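Review bot: the new `('network? . #t)` clause in options/resolve-packages adds nss-certs whenever `--network` is given, with no check for `container?`; if `--network` is accepted outside a container (nothing in the visible hunks rejects it), a plain `guix shell -N` would silently grow the profile. It also adds the package even when the user's own package list or manifest already contains nss-certs (a common case given the workarounds cited in the cover letter), giving two nss-certs entries that may collide in the profile. Consider guarding on `container?` and skipping the default when an nss-certs entry is already present in the resolved manifest.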
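Review bot: the `(unless no-tls? ...)` block in launch-environment/container sits after the closing paren of the `(set-network-interface-up "lo")` form, so it runs for every container, not only networked ones: `guix shell -C` without `-N` ends up with SSL_CERT_DIR and SSL_CERT_FILE pointing at `<profile>/etc/ssl/certs`, which contains nothing because nss-certs is only added in the `network?` branch of options/resolve-packages. Guard it with `(when (and network? (not no-tls?)) ...)`, and bind the directory once in a `let` instead of reading it back with `(getenv "SSL_CERT_DIR")` right after setting it.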
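Review bot: the error string in the new `(when (and (not network?) no-tls?) ...)` check refers to '--networking', but the option is '--network' (see `(option '(#\N "network") ...)` in the option table), so the message should read "'--no-tls' cannot be used without '--network'~%" to point users at a flag that exists. The check also tests only `network?`, not `container?`, so `guix shell -N --no-tls` without `-C` passes silently; decide whether `--no-tls` should require `--container` like the other container-only flags checked just above it.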