skopeo: 0.2.0 -> 1.0.0, don't set policy and tmpdir during build #87821

Merged
merged 4 commits into from May 19, 2020

Conversation

@zowoq
Contributor

zowoq commented May 14, 2020

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@zowoq zowoq marked this pull request as draft May 14, 2020
@zowoq zowoq mentioned this pull request May 14, 2020
4 of 10 tasks complete
@nlewo
Member

nlewo commented May 15, 2020

I think Skopeo should work out of the box without having to specify any specific arguments, excepting for security reasons.
We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuff but a root account is required to use Skopeo out-of-the-box :/

@zowoq
Contributor Author

zowoq commented May 15, 2020

> I think Skopeo should work out of the box without having to specify any specific arguments, excepting for security reasons.

I think skopeo disregarding the NixOS managed /etc/containers/policy.json without communicating that to the user could perhaps be called a security issue.

> We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuff but a root account is required to use Skopeo out-of-the-box

I agree with this, if they change this upstream in a consistent way for all of the tools that would be good.

However I see this as an inconsistency that we should resolve, as we are the ones setting the policy at build time, causing /etc/containers/policy.json to be ignored by skopeo while the other tools respect it and actually require it to function.

I think we should just accept that it doesn't work out of the box.
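To make the point above concrete, here is an added example (not code from this PR, from skopeo or from the NixOS module) that resolves which requirement list a policy.json applies to an image reference, following the scope ordering containers/image uses: full reference, then repository, parent namespaces, registry host, the transport's "" scope, and finally "default". The policy itself is a constructed sample; short-name normalization and wildcard scopes are left out.

```python
import json

# Constructed sample policy (not the module's real file): reject by default,
# require a signature for docker.io/library, trust one registry unverified,
# and skip checks for images loaded from the local docker daemon.
POLICY_JSON = """
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io/library": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/example.gpg"}
      ],
      "registry.example.com": [{"type": "insecureAcceptAnything"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
"""

def docker_scopes(ref):
    """Candidate scopes for a docker:// reference, most specific first."""
    scopes = [ref]
    repo = ref.split("@", 1)[0]          # drop a digest if present
    host, _, path = repo.partition("/")
    if ":" in path:                      # drop the tag, but keep a host port
        path = path.rsplit(":", 1)[0]
    repo = host + "/" + path if path else host
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):   # repo, parent namespaces, registry
        candidate = "/".join(parts[:i])
        if candidate not in scopes:
            scopes.append(candidate)
    scopes.append("")                    # transport-wide scope
    return scopes

def requirements_for(policy, transport, ref):
    """Requirement list the policy applies to transport://ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in docker_scopes(ref) if transport == "docker" else [ref, ""]:
        if scope in scopes:
            return scopes[scope]
    return policy["default"]

def verdict(policy, transport, ref):
    """Every requirement must pass: a reject wins, then a signature rule."""
    types = {r["type"] for r in requirements_for(policy, transport, ref)}
    if "reject" in types:
        return "reject"
    if types & {"signedBy", "sigstoreSigned"}:
        return "signature-required"
    return "accept-unverified"

POLICY = json.loads(POLICY_JSON)
```

Running verdict over the references an image pipeline actually pulls shows what /etc/containers/policy.json would enforce; a skopeo built with a compiled-in policy applies none of it.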

@zowoq
Contributor Author

zowoq commented May 15, 2020

Not necessarily a good alternative, but we could use the same method to set the default policy for all of the tools and remove the etc/containers/policy.json managed by the module?

@zowoq
Contributor Author

zowoq commented May 15, 2020

@NixOS/podman Any thoughts on this?

@adisbladis
Member

adisbladis commented May 15, 2020

> We should instead work on Skopeo to improve its current configuration file management: they are working hard on rootless stuff but a root account is required to use Skopeo out-of-the-box

This is a very good longer term goal, but in the meantime setting the policy to a built-in, causing Skopeo to ignore /etc/containers/policy.json, is the wrong call and completely inconsistent with the rest of the libpod/libcontainer ecosystem.

This issue is about more than just Skopeo, and more than just this one file. See containers/libpod#6053.

@nlewo
Member

nlewo commented May 15, 2020

> I think we should just accept that it doesn't work out of the box.

It seems you are right :(

> This issue is about more than just Skopeo, and more than just this one file. See containers/libpod#6053.

I don't think the Graham proposal would fix our current issue.

@nlewo
Member

nlewo commented May 15, 2020

@zowoq Could you rebase? nixosTests.docker-tools is fixed on master.

@zowoq zowoq force-pushed the zowoq:skopeo branch from d5cc1e2 to 4223249 May 15, 2020
@zowoq zowoq marked this pull request as ready for review May 15, 2020
@zowoq zowoq changed the title skopeo: don't set policy and tmpdir during build skopeo: 0.2.0 -> 1.0.0, don't set policy and tmpdir during build May 18, 2020
@zowoq
Contributor Author

zowoq commented May 18, 2020

Bumped to 1.0.0.

@adisbladis adisbladis merged commit c57a98a into NixOS:master May 19, 2020
16 checks passed
@zowoq zowoq deleted the zowoq:skopeo branch May 19, 2020
@zowoq
Contributor Author

zowoq commented May 25, 2020

This broke nix-prefetch-docker, I've opened #88856 to fix it.
