From 30a6e595d72d11f30cf8d38740c59f5938f9c60a Mon Sep 17 00:00:00 2001 From: Richard Sent Date: Tue, 9 Apr 2024 15:05:29 -0400 Subject: guix: scripts: environment: add tls certs to networked containers * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a container with -N, add nss-certs package and set SSL_CERT_DIR and SSL_CERT_FILE environment variables. When --no-tls is passed, default to old behavior. * doc/guix.texi: Document it. Change-Id: I3d222522fa9785fbf589f15efd14e6d6d072bfa7 --- doc/guix.texi | 8 ++++++++ guix/scripts/environment.scm | 28 +++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index fc28a15980..b8bf5b84b6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6214,6 +6214,10 @@ For containers, share the network namespace with the host system. Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} @@ -6711,6 +6715,10 @@ For containers, share the network namespace with the host system. Containers created without this flag only have access to the loopback device. +@item --no-tls +For containers that share the network namespace, disable automatically +adding TLS/SSL certificates. + @item --link-profile @itemx -P For containers, link the environment profile to @file{~/.guix-profile} diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 1d7a6e198d..b38882a4ca 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm 
@@ -49,6 +49,7 @@ #:autoload (guix build syscalls) (set-network-interface-up openpty login-tty) #:use-module (gnu system file-systems) #:autoload (gnu packages) (specification->package+output) + #:autoload (gnu packages certs) (nss-certs) #:autoload (gnu packages bash) (bash) #:autoload (gnu packages bootstrap) (bootstrap-executable %bootstrap-guile) #:autoload (gnu packages package-management) (guix) @@ -72,6 +73,9 @@ (define %default-shell (or (getenv "SHELL") "/bin/sh")) +(define %default-tls-certs + (list nss-certs)) + (define* (show-search-paths profile manifest #:key pure?) "Display the search paths of MANIFEST applied to PROFILE. When PURE? is #t, do not augment existing environment variables with additional search paths." @@ -108,6 +112,9 @@ shell'." -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + --no-tls do not add SSL/TLS certificates or set environment + variables for a networked container")) (display (G_ " -P, --link-profile link environment profile to ~/.guix-profile within an isolated container")) @@ -244,6 +251,9 @@ use '--preserve' instead~%")) (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '(#\T "no-tls") #f #f + (lambda (opt name arg result) + (alist-cons 'no-tls? #t result))) (option '(#\W "nesting") #f #f (lambda (opt name arg result) (alist-cons 'nesting? #t result))) @@ -359,6 +369,11 @@ for the corresponding packages." (packages->outputs (load* file module) mode))) (('manifest . file) (manifest-entries (load-manifest file))) + (('network? . #t) + (if (assoc-ref opts 'no-tls?) + '() + (manifest-entries + (packages->manifest %default-tls-certs)))) (('nesting? . #t) (if (assoc-ref opts 'profile) '() 
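Review bot: The option is registered with a short name `#\T`, but neither the help text added in this commit nor the manual entry mentions `-T`, so the short form is reachable yet undocumented. Either drop it (`(option '("no-tls") #f #f`) or list it next to `--no-tls` in the help string and in guix.texi. The name `--no-tls` also reads as "disable TLS" while the code only omits the CA bundle; a help sentence saying that certificates are what is skipped would avoid the wrong reading.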
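Review bot: The new `('network? . #t)` clause always injects `%default-tls-certs` into the manifest, whereas the sibling `('nesting? . #t)` clause directly below returns `'()` when `--profile` is given. That guard presumably exists because an explicit profile cannot take extra manifest entries, so `-C -N -p PROFILE` likely changes behaviour with this patch (the `--profile` checks live outside this hunk, so this needs confirming). Mirroring the sibling, `(if (or (assoc-ref opts 'no-tls?) (assoc-ref opts 'profile)) '() …)`, keeps the two clauses consistent. A comment such as `;; Provide a CA bundle so TLS clients inside the container can verify peers.` would also explain why a package the user never requested shows up in the profile.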
@@ -725,7 +740,7 @@ regexps in WHITE-LIST."
 (define* (launch-environment/container #:key command bash user user-mappings profile manifest link-profile? network?
- map-cwd? emulate-fhs? nesting?
+ no-tls? map-cwd? emulate-fhs? nesting?
 (setup-hook #f) (symlinks '()) (white-list '())) "Run COMMAND within a container that features the software in PROFILE.
@@ -929,6 +944,11 @@ WHILE-LIST."
 ;; Allow local AF_INET communications.
 (set-network-interface-up "lo"))
 
+ (unless no-tls?
+ (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
+ (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
+ "/ca-certificates.crt")))
+
 ;; For convenience, start in the user's current working
 ;; directory or, if unmapped, the home directory.
 (chdir (if map-cwd?
@@ -1078,6 +1098,7 @@ command-line option processing with 'parse-command-line'."
 (link-prof? (assoc-ref opts 'link-profile?))
 (symlinks (assoc-ref opts 'symlinks))
 (network? (assoc-ref opts 'network?))
+ (no-tls? (assoc-ref opts 'no-tls?))
 (no-cwd? (assoc-ref opts 'no-cwd?))
 (emulate-fhs? (assoc-ref opts 'emulate-fhs?))
 (nesting? (assoc-ref opts 'nesting?))
@@ -1133,6 +1154,10 @@ command-line option processing with 'parse-command-line'."
 (when (pair? symlinks)
 (leave (G_ "'--symlink' cannot be used without '--container'~%"))))
 
+ (when (and (not network?)
+ no-tls?)
+ (leave (G_ "'--no-tls' cannot be used without '--networking'~%")))
+
 (with-store/maybe store
 (with-status-verbosity (assoc-ref opts 'verbosity)
 (define manifest-from-opts
@@ -1212,6 +1237,7 @@ when using '--container'; doing nothing~%"))
 #:network? network?
 #:map-cwd? (not no-cwd?)
 #:emulate-fhs? emulate-fhs?
+ #:no-tls? no-tls?
 #:nesting? nesting?
 #:symlinks symlinks
 #:setup-hook
--
cgit v1.2.3
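Review bot: `SSL_CERT_DIR` and `SSL_CERT_FILE` are exported whenever `no-tls?` is false, but the certificate package is only added to the manifest when `-N` is given (the `('network? . #t)` clause earlier in this patch), so a `-C` container without `-N` appears to get both variables pointing at `PROFILE/etc/ssl/certs`, a directory that may not exist; guarding on the flag too, `(when (and network? (not no-tls?))`, matches the documented "networked container" behaviour, assuming `network?` is the keyword argument visible in the signature hunk above. Reading the directory back with `(getenv "SSL_CERT_DIR")` works but a `let` binding avoids the round-trip. A short comment noting that the trust anchors come from Guix's nss-certs package rather than the host's trust store would help users who expect host-equivalent verification. The enclosing `launch-environment/container` starts and ends outside this hunk.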
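Review bot: The error message names `'--networking'`, but the option this patch pairs with is `-N, --network` (see the help text and option table earlier in the patch), so users are pointed at a flag that does not exist. Change it to `(leave (G_ "'--no-tls' cannot be used without '--network'~%"))`. The condition itself is fine; `(when (and (not network?) no-tls?)` can sit on one line like the `--symlink` check just above.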