
skopeo: 0.2.0 -> 1.0.0, don't set policy and tmpdir during build #87821

Merged
merged 4 commits into from May 19, 2020

Conversation

zowoq
Contributor

@zowoq zowoq commented May 14, 2020

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@nlewo
Member

nlewo commented May 15, 2020

I think Skopeo should work out of the box without having to specify any specific arguments, except for security reasons.
We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuff, but a root account is required to use Skopeo out-of-the-box :/

@zowoq
Contributor Author

zowoq commented May 15, 2020

I think Skopeo should work out of the box without having to specify any specific arguments, excepting for security reasons.

I think skopeo disregarding the NixOS managed /etc/containers/policy.json without communicating that to the user could perhaps be called a security issue.

We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuffs but a root account is required to use Skopeo out-of-the-box

I agree with this, if they change this upstream in a consistent way for all of the tools that would be good.

However, I see this as an inconsistency that we should resolve, as we are the ones setting the policy at build time, causing /etc/containers/policy.json to be ignored by skopeo while the other tools respect it and actually require it to function.

I think we should just accept that it doesn't work out of the box.
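An added illustration (not part of this PR, nor of skopeo's or nixpkgs' own files) of the kind of administrator-managed /etc/containers/policy.json that the discussion is about. Podman and Buildah consult this file, and a policy compiled into skopeo at build time would silently bypass it. The registry scope and key path below are placeholders.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "docker.io/library": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/containers/keys/PLACEHOLDER-release.gpg"
        }
      ]
    },
    "docker-daemon": {
      "": [
        { "type": "insecureAcceptAnything" }
      ]
    }
  }
}
```

Here anything not matched by a more specific scope is rejected, images from the chosen namespace must carry a valid signature from the referenced key, and only images already present in the local Docker daemon are accepted unconditionally. A permissive policy of the form `{"default": [{"type": "insecureAcceptAnything"}]}` disables every one of these checks; if such a policy is baked into one tool at build time, an administrator reviewing the managed file has no indication that that tool does not enforce it.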

@zowoq
Contributor Author

zowoq commented May 15, 2020

Not necessarily a good alternative but we could use the same method to set the default policy for all of the tools and remove the etc/containers/policy.json managed by the module?

@zowoq
Contributor Author

zowoq commented May 15, 2020

@NixOS/podman Any thoughts on this?

@adisbladis
Member

We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuffs but a root account is required to use Skopeo out-of-the-box

This is a very good longer term goal, but in the mean time setting the policy to a built-in causing Skopeo to ignore /etc/containers/policy.json is the wrong call and completely inconsistent with the rest of the libpod/libcontainer ecosystem.

This issue is about more than just Skopeo, and more than just this one file. See containers/podman#6053.

@nlewo
Member

nlewo commented May 15, 2020

I think we should just accept that it doesn't work out of the box.

It seems you are right :(

This issue is about more than just Skopeo, and more than just this one file. See containers/podman#6053.

I don't think the Graham proposal would fix our current issue.

@nlewo
Member

nlewo commented May 15, 2020

@zowoq Could you rebase? nixosTests.docker-tools is fixed on master.

@zowoq zowoq marked this pull request as ready for review May 15, 2020 22:47
@zowoq zowoq changed the title skopeo: don't set policy and tmpdir during build skopeo: 0.2.0 -> 1.0.0, don't set policy and tmpdir during build May 18, 2020
@zowoq
Contributor Author

zowoq commented May 18, 2020

Bumped to 1.0.0.

@adisbladis adisbladis merged commit c57a98a into NixOS:master May 19, 2020
@zowoq zowoq deleted the skopeo branch May 19, 2020 01:29
@zowoq
Contributor Author

zowoq commented May 25, 2020

This broke nix-prefetch-docker, I've opened #88856 to fix it.
