Re: Using the host /etc in the runtime
- From: Alexander Larsson <alexl redhat com>
- To: Giovanni Campagna <scampa giovanni gmail com>
- Cc: gnome-os-list gnome org
- Subject: Re: Using the host /etc in the runtime
- Date: Mon, 19 Jan 2015 10:37:18 +0100
On fre, 2015-01-16 at 02:19 -0800, Giovanni Campagna wrote:
Hello everyone,
I'm bringing this conversation to the list from a pull request on
github.
Basically what I'm proposing is that runtimes get the entire /etc
bindmounted from the host instead of having an /etc with defaults and
special case monkey patching.
I disagree, for several reasons. First of all the end goal is fully
sandboxed applications. In this case leaking anything at all from the
host os is bad, but leaking /etc/passwd, etc is pretty damn bad.
Secondly, the other goal is to ensure one app+runtime works on *any*
system. Allowing any part of the host state to influence if this works
is just bound to be case for problems.
You mention that we should have distros change their layouts in order
for apps to work on them, but i'm pretty sure this will never happen. It
would work much better if we enforced the standard inside the container,
and then let the distro configure their build of xdg-app to pick things
(like the ssl certs) from the right place on the host.
The reason for this is that there is a lot in /etc that is
customizable by the admin: there is localtime, hosts, nsswitch,
passwd, gtk settings, global/mandatory dconf, ssh settings, ssl
certificates... I believe that binding mounting each and every
"supported" configuration point is always going to miss something, and
will only make it harder to support complex applications.
We clearly don't want to just push whatever these are set to on the host
into the app, at least for security reasons. But also for reasons of
applicability. We need to look at each requirement and do the best
solution for it. For instance, ryan has some ideas on how to best do
dconf from inside an app sandbox, and its quite different from just
using the current approach.
In particular, the SSL certificate path is a good example of why bind
mounting all of /etc is useful: if I want to enable a new CA or
certificate for internal use, I don't want to go and add it to each
application (especially because it is technically impossible now, /etc
from the apps is immutable). But if we don't go the standard path,
then xdg-app-helper has to figure out how to bind mount the
certificate bundle path for each distro (and for each of the 4 major
crypto/ssl libraries).
We don't have to, we just have to decide how it looks inside the
container, and then have configure options to specify where things are
on the host system. Then each distro will build an xdg-app instance that
is correct for their setup.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl redhat com alexander larsson gmail com
He's a witless hunchbacked jungle king for the 21st century. She's a
time-travelling gold-digging research scientist with a birthmark shaped
like Liberty's torch. They fight crime!
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]