Re: Using the host /etc in the runtime
On Fri, 2015-01-16 at 02:19 -0800, Giovanni Campagna wrote:
> Hello everyone,
>
> I'm bringing this conversation to the list from a pull request on
> github.
> Basically what I'm proposing is that runtimes get the entire /etc
> bindmounted from the host instead of having an /etc with defaults and
> special case monkey patching.

I disagree, for several reasons. First of all, the end goal is fully
sandboxed applications. In this case leaking anything at all from the
host OS is bad, but leaking /etc/passwd, etc. is pretty damn bad.

Secondly, the other goal is to ensure one app+runtime works on *any*
system. Allowing any part of the host state to influence whether this works
is just bound to be a case for problems.

You mention that we should have distros change their layouts in order
for apps to work on them, but I'm pretty sure this will never happen. It
would work much better if we enforced the standard inside the container,
and then let the distro configure their build of xdg-app to pick things
(like the ssl certs) from the right place on the host.

> The reason for this is that there is a lot in /etc that is
> customizable by the admin: there is localtime, hosts, nsswitch,
> passwd, gtk settings, global/mandatory dconf, ssh settings, ssl
> certificates... I believe that bind mounting each and every
> "supported" configuration point is always going to miss something, and
> will only make it harder to support complex applications.

We clearly don't want to just push whatever these are set to on the host
into the app, at least for security reasons. But also for reasons of
applicability. We need to look at each requirement and do the best
solution for it. For instance, Ryan has some ideas on how to best do
dconf from inside an app sandbox, and it's quite different from just
using the current approach.

> In particular, the SSL certificate path is a good example of why bind
> mounting all of /etc is useful: if I want to enable a new CA or
> certificate for internal use, I don't want to go and add it to each
> application (especially because it is technically impossible now, /etc
> from the apps is immutable). But if we don't go the standard path,
> then xdg-app-helper has to figure out how to bind mount the
> certificate bundle path for each distro (and for each of the 4 major
> crypto/ssl libraries).

We don't have to, we just have to decide how it looks inside the
container, and then have configure options to specify where things are
on the host system. Then each distro will build an xdg-app instance that
is correct for their setup.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a witless hunchbacked jungle king for the 21st century. She's a 
time-travelling gold-digging research scientist with a birthmark shaped 
like Liberty's torch. They fight crime! 
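The two designs argued over in this message, as an added illustration that is not part of the thread and not xdg-app's own code: approach (a) bind-mounts the whole host /etc into the runtime, approach (b) keeps a fixed in-container layout and binds only the files a distro build was configured to supply (the certificate bundle and localtime here). Everything operates on a constructed fake /etc written into a temporary directory; the mapping in CONFIGURED_MOUNTS, the canonical container paths and the file contents are assumptions made for the example, and nothing on the real system is read or mounted.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for a host's /etc; all contents are placeholders.
FAKE_HOST_ETC = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "shadow": "root:!:17000:0:99999:7:::\n",
    "hosts": "127.0.0.1 localhost\n10.0.0.5 build.internal.example\n",
    "localtime": "TZif2 placeholder\n",
    "nsswitch.conf": "passwd: files sss\n",
    "pki/tls/certs/ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
    "ssh/ssh_config": "Host *\n    ForwardAgent yes\n",
}

# Host files whose visibility inside an app sandbox is a clear leak.
SENSITIVE = {"passwd", "shadow", "ssh/ssh_config", "hosts"}

# Hypothetical configure-time mapping, as one distro's build might set it:
# canonical in-container path -> path relative to this distro's host /etc.
# The keys are fixed by the container layout; only the values vary per distro.
CONFIGURED_MOUNTS = {
    "/etc/ssl/certs/ca-certificates.crt": "pki/tls/certs/ca-bundle.crt",
    "/etc/localtime": "localtime",
}


def build_fake_host_etc(root):
    """Write FAKE_HOST_ETC under <root>/etc and return that directory."""
    etc = Path(root) / "etc"
    for rel, content in FAKE_HOST_ETC.items():
        path = etc / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return etc


def exposed_by_full_etc_mount(host_etc):
    """Approach (a): every regular file under the host's /etc becomes visible."""
    host_etc = Path(host_etc)
    return {p.relative_to(host_etc).as_posix() for p in host_etc.rglob("*") if p.is_file()}


def plan_configured_mounts(host_etc, configured=CONFIGURED_MOUNTS):
    """Approach (b): bind only the configured host files to canonical container paths.

    Returns (plan, missing): plan maps container path -> absolute host path for each
    configured file that exists on this host; missing lists container paths whose
    host file is absent, so the sandbox builder can keep the runtime default there
    rather than fail or widen the mount."""
    host_etc = Path(host_etc)
    plan, missing = {}, []
    for container_path, host_rel in configured.items():
        host_path = host_etc / host_rel
        if host_path.is_file():
            plan[container_path] = str(host_path)
        else:
            missing.append(container_path)
    return plan, missing


def leaked_sensitive(exposed):
    """Sorted list of the sensitive host files that end up visible to the app."""
    return sorted(SENSITIVE & set(exposed))


def compare(root):
    """Run both approaches against the fake /etc and summarise what each exposes."""
    host_etc = build_fake_host_etc(root)
    full = exposed_by_full_etc_mount(host_etc)
    plan, missing = plan_configured_mounts(host_etc)
    configured_exposed = {Path(h).relative_to(host_etc).as_posix() for h in plan.values()}
    return {
        "full_mount_leaks": leaked_sensitive(full),
        "configured_leaks": leaked_sensitive(configured_exposed),
        "configured_plan": plan,
        "missing_on_host": missing,
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in compare(tmp).items():
            print(f"{key}: {value}")
```

The point the comparison makes is the one in the message: with (a) the app's view of passwd, hosts and the ssh client config is whatever the host has, while with (b) the distro's configure step decides which host files exist from the app's point of view, and a file that is absent on a given host simply leaves the runtime default in place.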
