;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim@guixotic.coop>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Jesse Dowell <jessedowell@gmail.com>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2023, 2024, 2025 Giacomo Leidi <therewasa@fishinthecalculator.me>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services docker)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services containers)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system privilege)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages docker)
  #:use-module (gnu packages linux)               ;singularity
  ;; Commit message of the change that last touched the lines below
  ;; (services: Add oci-service-type.):
  ;;
  ;; This patch implements a generalization of the
  ;; oci-container-service-type, which consequently is made deprecated.  The
  ;; oci-service-type, in addition to all the features from the
  ;; oci-container-service-type, can now provision OCI networks and volumes.
  ;; It only handles OCI objects creation, the user is supposed to handle
  ;; state once the objects are provisioned.
  ;; It currently supports two different OCI runtimes: Docker and rootless
  ;; Podman.  Both runtimes are tested to make sure provisioned containers
  ;; can connect to each other through provisioned networks and can
  ;; read/write data with provisioned volumes.
  ;; At last the Scheme API is thought to facilitate the implementation of a
  ;; Guix Home service in the future.
  ;;
  ;; * gnu/build/oci-containers.scm: New file containing OCI runtime business
  ;; logic used in OCI backed Shepherd services.
  ;; oci-read-lines
  ;; (oci-system*, oci-object-exists?, oci-object-service-available?,
  ;; oci-image-load, oci-log-verbose, oci-container-execlp, oci-object-create):
  ;; New procedures.
  ;; * gnu/local.mk: Add it.
  ;; * gnu/services/containers.scm (list-of-oci-containers?,
  ;; list-of-oci-networks?, list-of-oci-volumes?, %oci-supported-runtimes,
  ;; oci-runtime?, oci-runtime-system-environment, oci-runtime-system-extra-arguments,
  ;; oci-runtime-system-requirement, oci-runtime-cli, oci-runtime-system-cli,
  ;; oci-runtime-home-cli, oci-runtime-name, oci-runtime-group,
  ;; oci-container-shepherd-name, oci-networks-shepherd-name,
  ;; oci-networks-home-shepherd-name, oci-volumes-shepherd-name,
  ;; oci-volumes-home-shepherd-name, oci-container-configuration->options,
  ;; oci-network-configuration->options, oci-volume-configuration->options,
  ;; oci-container-shepherd-service, oci-objects-merge-lst, oci-extension-merge,
  ;; oci-service-accounts, oci-service-profile, oci-service-subids,
  ;; oci-configuration->shepherd-services, oci-configuration-extend): New
  ;; procedures.
  ;; (image-reference): Implement unambiguous naming convention, that paired
  ;; with the new implementation for listing cached images with docker ls or
  ;; podman ls, allows for more efficient image caching.
  ;; (oci-container-configuration)[user,group]: Change default-type to
  ;; maybe-string, since by default containers will run under the user and
  ;; group declared in oci-configuration records.  When unset the
  ;; oci-service-type will derive their value from the OCI runtime state.
  ;; [runtime,host-environment,environment,shepherd-actions,ports,extra-arguments]:
  ;; define a predicate and use it as a type in the configuration.  This
  ;; way errors are reported with source location information.
  ;; (lower-manifest): Defer to caller the logic of setting up an image tag.
  ;; (lower-oci-image): Rename to load-oci-image-state.
  ;; (oci-runtime-state): Intermediate representation of the OCI runtime
  ;; details.  It is supposed to be an internal API.
  ;; (oci-state): Intermediate representation of the OCI provisioning state,
  ;; such as containers and networks.  It is supposed to be an internal API.
  ;; (oci-container-invocation): Intermediate representation of the OCI
  ;; runtime run command to start a container.  It is supposed to be an
  ;; internal API.
  ;; (%oci-image-loader): Rename to oci-image-loader and use
  ;; oci-runtime-state and (gnu build oci-containers).
  ;; (oci-container-shepherd-service): Use oci-state and oci-runtime-state,
  ;; add command-line action.
  ;; (oci-network-configuration, oci-volume-configuration, oci-configuration,
  ;; oci-extension): New record types.
  ;; (oci-service-type): New service-type.
  ;; * doc/guix.texi: Document it.
  ;; * gnu/tests/containers.scm: Test it.
  ;; * gnu/services/docker.scm: Deprecate the oci-container-service-type.
  ;;
  ;; Change-Id: I656b3db85832e42d53072fcbfb91d1226f39ef38
  ;; Modified-by: Maxim Cournoyer <maxim@guixotic.coop>
  ;; Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>
  #:use-module (guix deprecation)
  #:use-module (guix diagnostics)
  #:use-module (guix gexp)
  #:use-module (guix i18n)
  #:use-module (guix records)
  #:use-module (srfi srfi-1)
  #:use-module (ice-9 format)
  #:use-module (ice-9 match)
  #:re-export (oci-image        ;for backwards compatibility, until the
               oci-image?       ;oci-container-service-type is fully deprecated
               oci-image-fields
               oci-image-repository
               oci-image-tag
               oci-image-value
               oci-image-pack-options
               oci-image-target
               oci-image-system
               oci-image-grafts?
               oci-container-configuration
               oci-container-configuration?
               oci-container-configuration-fields
               oci-container-configuration-user
               oci-container-configuration-group
               oci-container-configuration-command
               oci-container-configuration-entrypoint
               oci-container-configuration-host-environment
               oci-container-configuration-environment
               oci-container-configuration-image
               oci-container-configuration-provision
               oci-container-configuration-requirement
               oci-container-configuration-log-file
               oci-container-configuration-auto-start?
               oci-container-configuration-respawn?
               oci-container-configuration-shepherd-actions
               oci-container-configuration-network
               oci-container-configuration-ports
               oci-container-configuration-volumes
               oci-container-configuration-container-user
               oci-container-configuration-workdir
               oci-container-configuration-extra-arguments)

  #:export (containerd-configuration
            containerd-service-type
            docker-configuration
            docker-service-type
            singularity-service-type
            ;; For backwards compatibility, until the
            ;; oci-container-service-type is fully deprecated.
            oci-container-shepherd-service
            oci-container-service-type
            %oci-container-accounts))

(define-maybe file-like)

(define-configuration docker-configuration
  (docker
   (file-like docker)
   "Docker daemon package.")
  (docker-cli
   (file-like docker-cli)
   "Docker client package.")
  (containerd
   (file-like containerd)
   "Deprecated.  Do not use.")
  (proxy
   (file-like docker-libnetwork-cmd-proxy)
   "The proxy package to support inter-container and outside-container
loop-back communications.")
  (enable-proxy?
   (boolean #t)
   "Enable or disable the user-land proxy (enabled by default).")
  (debug?
   (boolean #f)
   "Enable or disable debug output.")
  (enable-iptables?
   (boolean #t)
   "Enable addition of iptables rules (enabled by default).")
  (environment-variables
   (list '())
   "Environment variables to set for dockerd")
  (config-file
   (maybe-file-like)
   "JSON configuration file to pass to dockerd")
  (no-serialization))

(define-configuration containerd-configuration
  (containerd
   (file-like containerd)
   "containerd package.")
  (debug?
   (boolean #f)
   "Enable or disable debug output.")
  (environment-variables
   (list '())
   "Environment variables to set for containerd.")
  (no-serialization))


(define %docker-accounts
  (list (user-group (name "docker") (system? #t))))

(define (%containerd-activation config)
  (let ((state-dir "/var/lib/containerd"))
    #~(begin
        (use-modules (guix build utils))
        (mkdir-p #$state-dir))))

(define (%docker-activation config)
  (%containerd-activation config)
  (let ((state-dir "/var/lib/docker"))
    #~(begin
        (use-modules (guix build utils))
        (mkdir-p #$state-dir))))

(define (containerd-shepherd-service config)
  (match-record config <containerd-configuration>
    (containerd debug? environment-variables)
    (shepherd-service
     (documentation "containerd daemon.")
     (provision '(containerd))
     (requirement '(user-processes))
     (start #~(make-forkexec-constructor
               (list (string-append #$containerd "/bin/containerd")
                     #$@(if debug?
                            '("--log-level=debug")
                            '()))
               ;; For finding containerd-shim binary.
               #:environment-variables
               (list #$@environment-variables
                     (string-append "PATH=" #$containerd "/bin"))
               #:pid-file "/run/containerd/containerd.pid"
               #:pid-file-timeout 300
               #:log-file "/var/log/containerd.log"))
     (stop #~(make-kill-destructor)))))

(define containerd-service-type
  (service-type (name 'containerd)
                (description "Run containerd container runtime.")
                (extensions
                 (list
                  ;; Make sure the 'ctr' command is available.
                  (service-extension profile-service-type
                                     (compose list containerd-configuration-containerd))
                  (service-extension shepherd-root-service-type
                                     (lambda (config)
                                       (list (containerd-shepherd-service config))))))
                (default-value (containerd-configuration))))

(define (docker-shepherd-service config)
  (let* ((docker (docker-configuration-docker config))
         (enable-proxy? (docker-configuration-enable-proxy? config))
         (enable-iptables? (docker-configuration-enable-iptables? config))
         (environment-variables (docker-configuration-environment-variables config))
         (proxy (docker-configuration-proxy config))
         (debug? (docker-configuration-debug? config))
         (config-file (docker-configuration-config-file config)))
    (shepherd-service
     (documentation "Docker daemon.")
     (provision '(dockerd))
     (requirement '(user-processes
                    containerd
                    dbus-system
                    elogind
                    file-system-/sys/fs/cgroup
                    networking
                    udev))
     (start #~(make-forkexec-constructor
               (list (string-append #$docker "/bin/dockerd")
                     "-p" "/var/run/docker.pid"
                     #$@(if (not (eq? config-file %unset-value))
                            (list #~(string-append
                                     "--config-file=" #$config-file))
                            '())
                     #$@(if debug?
                            '("--debug" "--log-level=debug")
                            '())
                     #$@(if enable-proxy?
                            (list "--userland-proxy=true"
                                  #~(string-append
                                     "--userland-proxy-path=" #$proxy "/bin/proxy"))
                            '("--userland-proxy=false"))
                     (if #$enable-iptables?
                         "--iptables"
                         "--iptables=false")
                     "--containerd" "/run/containerd/containerd.sock")
               #:environment-variables
               (list #$@environment-variables)
               #:pid-file "/var/run/docker.pid"
               #:log-file "/var/log/docker.log"))
     (stop #~(make-kill-destructor)))))

(define docker-service-type
  (service-type (name 'docker)
                (description "Provide capability to run Docker application
bundles in Docker containers.")
                (extensions
                 (list
                  ;; Make sure the 'docker' command is available.
                  (service-extension profile-service-type
                                     (compose list docker-configuration-docker-cli))
                  (service-extension activation-service-type
                                     %docker-activation)
                  (service-extension shepherd-root-service-type
                                     (lambda (config)
                                       (list (docker-shepherd-service config))))
                  (service-extension account-service-type
                                     (const %docker-accounts))))
                (default-value (docker-configuration))))
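Usage example added here (not part of gnu/services/docker.scm): the `config-file`, `enable-proxy?` and `debug?` fields of `docker-configuration` are turned into `dockerd` command-line flags by `docker-shepherd-service`, so daemon settings that have no dedicated field go through a `daemon.json` passed as `config-file`. The snippet assumes the standard Guix `plain-file` gexp form and is meant to be added to the `services` field of an `operating-system`; the daemon.json keys used are dockerd's own (`icc`, `no-new-privileges`, `live-restore`, `log-driver`, `log-opts`).

```scheme
;; Added example, not from the Guix source tree.
(use-modules (gnu) (gnu services docker) (guix gexp))

;; Daemon settings with no docker-configuration field go into daemon.json.
;; Do NOT repeat here anything docker-shepherd-service already passes as a
;; flag (-p, --config-file, --debug, --log-level, --userland-proxy,
;; --iptables, --containerd): dockerd refuses to start when the same
;; directive is given both on the command line and in the config file.
(define %dockerd-config
  (plain-file "daemon.json"
              "{
  \"icc\": false,
  \"no-new-privileges\": true,
  \"live-restore\": true,
  \"log-driver\": \"json-file\",
  \"log-opts\": { \"max-size\": \"10m\", \"max-file\": \"3\" }
}"))

;; Resulting dockerd invocation (see docker-shepherd-service):
;;   dockerd -p /var/run/docker.pid --config-file=/gnu/store/...-daemon.json
;;           --userland-proxy=false --iptables --containerd /run/containerd/containerd.sock
(define %docker-service
  (service docker-service-type
           (docker-configuration
            (enable-proxy? #f)              ;=> "--userland-proxy=false"
            (enable-iptables? #t)           ;=> "--iptables"
            (debug? #f)                     ;no "--debug --log-level=debug"
            (config-file %dockerd-config))))

;; In an operating-system declaration:
;;   (services (cons %docker-service %base-services))
```

Because `config-file` is a file-like object, the JSON lands in the store and is world-readable; keep secrets (registry credentials and the like) out of it.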


;;;
;;; Singularity.
;;;

(define %singularity-activation
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))

        (define %mount-directory
          "/var/singularity/mnt/")

        ;; Create the directories that Singularity 2.6 expects to find.  Make
        ;; them #o755 like the 'install-data-hook' rule in 'Makefile.am' of
        ;; Singularity 2.6.1.
        (for-each (lambda (directory)
                    (let ((directory (string-append %mount-directory
                                                    directory)))
                      (mkdir-p directory)
                      (chmod directory #o755)))
                  '("container" "final" "overlay" "session"))
        (chmod %mount-directory #o755))))

(define (singularity-privileged-programs singularity)
  "Return the privileged programs that SINGULARITY needs."
  (define helpers
    ;; The helpers, under a meaningful name.
    (computed-file "singularity-privileged-helpers"
                   #~(begin
                       (mkdir #$output)
                       (for-each (lambda (program)
                                   (symlink (string-append #$singularity
                                                           "/libexec/singularity"
                                                           "/bin/"
                                                           program "-suid")
                                            (string-append #$output
                                                           "/singularity-"
                                                           program
                                                           "-helper")))
                                 '("action" "mount" "start")))))

  (map file-like->setuid-program
       (list (file-append helpers "/singularity-action-helper")
             (file-append helpers "/singularity-mount-helper")
             (file-append helpers "/singularity-start-helper"))))

(define singularity-service-type
  (service-type (name 'singularity)
                (description
                 "Install the Singularity application bundle tool.")
                (extensions
                 (list (service-extension privileged-program-service-type
                                          singularity-privileged-programs)
                       (service-extension activation-service-type
                                          (const %singularity-activation))))
                (default-value singularity)))


;;;
;;; OCI container.
;;;

;; For backwards compatibility, until the
;; oci-container-service-type is fully deprecated.
(define-deprecated (oci-container-shepherd-service config)
  oci-service-type
  ((@ (gnu services containers) oci-container-shepherd-service)
   'docker config))

(define %oci-container-accounts
  (filter user-account? (oci-service-accounts (oci-configuration))))

(define oci-container-service-type
  (service-type (name 'oci-container)
                (extensions
                 (list (service-extension oci-service-type
                                          (lambda (containers)
                                            (warning
                                             (G_
                                              "'oci-container-service-type' is\
 deprecated, use 'oci-service-type' instead~%"))
                                            (oci-extension
                                             (containers containers))))))
                (default-value '())
                (extend append)
                (compose concatenate)
                (description
                 "This service allows the management of OCI
containers as Shepherd services.")))
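The shim above keeps old operating-system declarations working, but it hard-wires the Docker runtime (the literal 'docker passed to oci-container-shepherd-service) and can only forward containers, not networks or volumes. The following is an added migration example, not code from gnu/services/docker.scm or from the Guix project: it places the deprecated declaration next to the equivalent oci-service-type declaration, switched to the rootless Podman runtime the commit message says is supported. The field names of oci-configuration (runtime, containers, networks, volumes), of oci-network-configuration and oci-volume-configuration (name), the pair syntax for ports and volumes, and the image names are assumptions made for illustration and should be checked against the oci-service-type section of the Guix manual.

```scheme
;; Added migration example; not part of gnu/services/docker.scm.
;; Assumed (not taken from this file): the oci-configuration fields
;; runtime/containers/networks/volumes, the `name' field of the network
;; and volume records, the pair syntax of `ports' and `volumes', and the
;; image names.
(use-modules (gnu services)
             (gnu services containers)
             (gnu services docker))

;; Before: the deprecated service type.  Every container goes through the
;; shim above, so it always runs under the Docker runtime (root daemon),
;; and no network or volume can be declared alongside it.
(define %web-old
  (service oci-container-service-type
           (list (oci-container-configuration
                  (image "nginx:1.27")        ;assumed example image
                  (provision "web")
                  (ports '(("8080" . "80")))))))

;; After: the same container through oci-service-type, on rootless Podman
;; (least privilege), attached to a provisioned network and volume so the
;; container does not need to mount arbitrary host paths.
(define %web-new
  (service oci-service-type
           (oci-configuration
            (runtime 'podman)                 ;instead of the shim's 'docker
            (networks
             (list (oci-network-configuration (name "web-net"))))
            (volumes
             (list (oci-volume-configuration (name "web-data"))))
            (containers
             (list (oci-container-configuration
                    (image "nginx:1.27")
                    (provision "web")
                    (network "web-net")
                    (volumes '(("web-data" . "/usr/share/nginx/html")))
                    (ports '(("8080" . "80")))))))))

;; Other services extend the single oci-service-type instance with an
;; oci-extension, exactly as the deprecation shim does for containers.
(define %cache-extension
  (simple-service 'oci-cache oci-service-type
                  (oci-extension
                   (containers
                    (list (oci-container-configuration
                           (image "redis:7")   ;assumed example image
                           (provision "cache")
                           (network "web-net")))))))
```

Only one of %web-old and %web-new belongs in a given operating-system services list; %cache-extension composes with %web-new because the service type's extension mechanism merges oci-extension records into the existing oci-configuration, which is the same path the shim uses for the deprecated containers.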