[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers.
|
From: |
Andreas Enge |
|
Subject: |
[bug#70933] [PATCH] system: Do not add "--disable-chroot" to containers. |
|
Date: |
Fri, 31 May 2024 16:26:58 +0200 |
Am Fri, May 31, 2024 at 02:01:36PM +0200 schrieb Ludovic Courtès:
> Andreas Enge <andreas@enge.fr> skribis:
> > The rationale for these lines is that they enable non-privileged docker
> > containers. But I would like to create a privileged container with
> > chroot (in an openshift environment, where I suppose this environment
> > does additional encapsulation to enforce security), which these lines
> > prevent.
> > Users can still add the option. Alternatively, we could add an additional
> > field "chroot? (default: #t)" to guix-configuration.
> This is tricky, I’m not sure how to provide defaults that works in most
> common setups while still allowing the use of privileged Docker
> containers as in your case.
The problem with a default is that apparently, for containers we want #f,
for real machines we want #t as the default; and then it should be
overridable. The only solution I see is to use a ternary value,
allowing chroot? to be #f, #t or 'default, with the last one, you guess it,
being the default. It would be replaced by #f or #t depending on whether
we are in a container or not.
I had considered it when suggesting the patch, but found it a bit too much
shepherding; I still think that "chroot? (default: #t)" would be enough.
Andreas