The underlying problem for system containers still hasn't been
solved, the part of issue 78356 that has been solved is only
home containers.
This reverts commit cbc35fd9aa.
This is a work around for #4788 (previously https://issues.guix.gnu.org/78356).
* gnu/system/linux-container.scm (container-script): Disable lock-mounts?
Change-Id: Ib8eacfc1f1f1a858acf19beb6c14e12c4648b8d9
* gnu/system/linux-container.scm (container-script): Accept pid-file command
line option to write out the container's process ID.
* doc/guix.texi (Invoking guix system): Document new option.
Change-Id: I93e8a99b39c1dd831f116104bf92c723d96c9965
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This issue should now be resolved, with a test guarding it from re-appearing.
* gnu/system/linux-container.scm (container-script) [#:lock-mounts]: Delete
argument.
Change-Id: I93e94a0ee349c53967275b82e1a9a5bcc8e8f65c
This reverts commits 437bb9ece5 and
a57ed987ff, which were reported in
guix/guix#1169 to occasionally cause errors like:
guix shell: error: unshare : 268566528: Invalid argument
* gnu/packages/linux.scm (%dummy-linux-kernel-for-container): New variable.
* gnu/system/linux-container.scm (containerized-operating-system): Use it.
Change-Id: Ica49a0cd0b8ae4a78ba5fca879ae73f94e64474a
Fixes#420.
Previously, in systems produced by ‘guix system container’, the
‘loopback’ Shepherd service would fail to start with EEXIST, because the
“lo” interface already exists in the container. This commit provides a
fake ‘loopback’ Shepherd service that does nothing.
* gnu/system/linux-container.scm (dummy-networking-service-type): Change
to honor its configuration value.
(containerized-operating-system)[services-to-drop]: Add
‘static-networking-service-type’ in the non-‘shared-network?’ case.
[services-to-add]: Add ‘dummy-networking-service-type’ for loopback in
the non-‘shared-network?’ case.
Reported-by: Antonio Carlos Padoan Junior <acpadoanjr@yahoo.com.br>
Change-Id: I326b5f3b5e08f67b6613c186497c44b1e887b02e
Until now, the read-only file system set up by ‘call-with-container’
would always be writable. With this change, it can be made read-only.
With this patch, only ‘least-authority-wrapper’ switches to a read-only
root file system.
* gnu/build/linux-container.scm (remount-read-only): New procedure.
(mount-file-systems): Add #:writable-root? and #:populate-file-system
and honor them.
(run-container): Likewise.
(call-with-container): Likewise.
* gnu/system/linux-container.scm (container-script): Pass #:writable-root?
to ‘call-with-container’.
(eval/container): Add #:populate-file-system and #:writable-root? and
honor them.
* guix/scripts/environment.scm (launch-environment/container):
Pass #:writable-root? to ‘call-with-container’.
* guix/scripts/home.scm (spawn-home-container): Likewise.
* tests/containers.scm ("call-with-container, mnt namespace, read-only root")
("call-with-container, mnt namespace, writable root"): New tests.
Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
The parameter should take the values #t, #f or 'default.
In a container environment, 'default amounts to #f, otherwise it
amounts to #t.
* gnu/services/base.scm (guix-configuration)<chroot?>: New field.
(guix-shepherd-service): If chroot? is #f, add "--disable-chroot".
If it is #t or 'default, do nothing.
* gnu/system/linux-container.scm (containerized-operating-system):
If chroot? is 'default, replace it by #f.
* doc/guix.texi: Document the parameter.
Change-Id: I8b9c3f46ad8650fa6ed4acee947b4ae5d002d03d
Currently it's not possible to set `essential-services' when building
operating systems for containers, since `container-essential-services'
always uses the defaults.
It's possible to reference `essential-services' from the operating
system that's passed in, but since it's thunked, the operating system
needs to be defined in two passes to avoid an infinite loop.
* gnu/system/linux-container.scm (container-essential-services): Use
operating-system-essential-services instead of the defaults to allow
overriding the base services.
(containerized-operating-system): Update accordingly.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I81452487ef1ad01d3fa874c26d93a67d58ce6062
This allows for the use of Guix within a non-privileged Docker container
produced by 'guix system image -t docker'.
* gnu/system/linux-container.scm (containerized-operating-system):
Change 'guix-configuration' to add "--disable-chroot".
This is a followup to dbbc7e9461:
'nscd-service-type' isn't necessarily present in OS, so we cannot use
the 'modify-services' as it would now error out. This was happening
with the "guix system docker-image" test in 'tests/guix-system.sh'.
* gnu/system/linux-container.scm (containerized-operating-system): Use
'filter-map' instead of 'remove' + 'modify-services'.
Fixes <https://issues.guix.gnu.org/61627>.
* gnu/system/linux-container.scm (container-essential-services): When
shared-network? is true, remove the hosts-service-type service kind.
* gnu/system/linux-container.scm (container-script): Accept command line
options to bind mount host directories into the container.
* doc/guix.texi (Invoking guix system): Document options.
* gnu/system/linux-container.scm (%nscd-container-caches): New variable.
(containerized-operating-system): Instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm: (%network-file-mappings): Remove "/var/run/nscd".
Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
This fixes a type error.
* gnu/system/linux-container.scm (eval/container): Use 'append-map', not
'map'.
* tests/containers.scm ("eval/container, non-empty load path"): New test.
* gnu/build/linux-container.scm (call-with-container): Add
#:process-spawned-hook and honor it.
* gnu/system/linux-container.scm (container-script)[script]:
Define 'explain' and pass it as #:process-spawned-hook'.
This allows containers created by "guix environment -CN" or by
"guix system container -N" to talk to the host nscd.
* gnu/system/file-systems.scm (%network-file-mappings): Add
"/var/run/nscd".
* gnu/build/shepherd.scm (default-mounts)[nscd-socket]: Remove.
* gnu/system/linux-container.scm (container-script)[nscd-run-directory]
[nscd-mapping, nscd-os, nscd-specs]: Remove.
[script]: Filter out from SPECS bind-mounts where the device does not
exist.
* guix/scripts/environment.scm (launch-environment/container)
[optional-mapping->fs]: New procedure.
[mappings]: Remove %NETWORK-FILE-MAPPINGS.
[file-systems]: Add %NETWORK-FILE-MAPPINGS here, filtered through
'optional-mapping->fs'.
* gnu/system/linux-container.scm (dummy-networking-service-type): New
variable.
(containerized-operating-system): If network is shared with host, replace
static-networking-service-type with dummy-networking-service-type.
* gnu/system/linux-container.scm (containerized-operating-system):
(container-script): Check for existence of the host nscd run directory in the
container script. This check should be run when the container is started, not
when the container script is created.
[network-mappings]: Delete variable.
[nscd-run-directory, nscd-mapping]: New variables.
Previously, the 'essential-services' would correspond to the initial,
non-containerized OS. Thus, all the file systems removed in
'container-essential-services' would actually still be there because the
essential services would be computed on the non-containerized OS.
This is a followup to 69cae3d335.
* gnu/system/linux-container.scm (container-essential-services): Call
'operating-system-default-essential-services' to get the baseline
services.
(containerized-operating-system): Pass THIS-OPERATING-SYSTEM, not OS, to
'container-essential-services'.
Add a dummy root file system to 'file-systems'.
(container-script)[mountable-file-system?]: New procedure.
Use it.
Previously, 'guix system docker-image' would end up providing an OS that
would try to mount all of %CONTAINER-FILE-SYSTEMS as well as /gnu/store,
which is bound to fail in unprivileged Docker.
This patch makes it so that 'guix system container' still gets those
file systems, but 'guix system docker-image' doesn't.
* gnu/system/linux-container.scm (containerized-operating-system): Add
#:extra-file-systems parameter and honor it. Do not include
%STORE-MAPPING and SHARED-NETWORK-FILE-MAPPINGS.
(container-script): Add %STORE-MAPPING and optionally NETWORK-MAPPINGS
to MAPPINGS and pass #:extra-file-systems.
* gnu/system/linux-container.scm (container-essential-services): If network is
to be shared with the host, remove network configuration files from etc
service.
(containerized-operating-system): If network is to be shared with the host,
remove nscd service and map host's /var/run/nscd if it exists.
(container-script): If network is to be shared with the host, do not create
network namespace.
* guix/scripts/system.scm (system-derivation-for-action): Add
#:container-shared-network? argument.
(perform-action): Add #:container-shared-network? argument.
(show-help): Add "-N, --network" help information.
(%options): Add network option.
(process-action): Call perform-action with #container-shared-network? argument.
* doc/guix.texi (Invoking guix system): Document the "-N, --network" option.
Co-authored-by: Christopher Baines <mail@cbaines.net>
This hack worked around a defect in the Shepherd 0.5.0 and is no longer
needed.
* gnu/services/shepherd.scm (%containerized-shepherd-service): Remove.
* gnu/system/linux-container.scm (container-essential-services): Don't
use it.
* gnu/system.scm (<operating-system>)[essential-services]: New field.
(operating-system-directory-base-entries): Remove #:container? keyword
and keep only the not-container branch.
(essential-services): Likewise.
(operating-system-services): Likewise, and call
'operating-system-essential-services' instead of 'essential-services'.
(operating-system-activation-script): Remove #:container?.
(operating-system-boot-script): Likewise.
(operating-system-derivation): Likewise.
* gnu/system/linux-container.scm (container-essential-services): New procedure.
(containerized-operating-system): Use it and set the
'essential-services' field.
(container-script): Remove call to 'operating-system-derivation'.
* gnu/system/vm.scm (system-docker-image): Likewise.
* doc/guix.texi (operating-system Reference): Document 'essential-services'.
* gnu/build/linux-container.scm (mount-file-systems): 'mounts' is now a
list of <file-system> objects instead of a list of lists ("specs").
Add call to 'file-system->spec' as the argument to 'mount-file-system'.
(run-container, call-with-container): Adjust docstring accordingly.
* gnu/system/file-systems.scm (spec->file-system): New procedure.
* gnu/system/linux-container.scm (container-script)[script]: Call
'spec->file-system' inside gexp.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to 'file-system->spec'.
* tests/containers.scm ("call-with-container, mnt namespace")
("call-with-container, mnt namespace, wrong bind mount"): Pass a list of
<file-system> objects.
This fixes a regression introduced in
958dd3ce68.
* gnu/system/linux-container.scm (container-script)[script]: Add (guix
combinators) to the list of imported modules.
* gnu/system/linux-container.scm (containerized-operating-system)[user-file-systems]:
Check whether SOURCE is a string before calling 'string-prefix?'.
* gnu/services.scm (system-derivation): New procedure.
(system-service-type): New variable.
(boot-script-entry): New procedure.
(boot-service-type): Extend SYSTEM-SERVICE-TYPE.
(etc-entry): New procedure.
(etc-service-type): Extend SYSTEM-SERVICE-TYPE.
(fold-services): Change default #:target-type to SYSTEM-SERVICE-TYPE.
* gnu/system.scm (operating-system-directory-base-entries): New procedure.
(essential-services): Use it. Add an instance of
SYSTEM-SERVICE-TYPE.
(operating-system-boot-script): Pass #:target-type to 'fold-services'.
(operating-system-derivation): Rewrite in terms of 'fold-services'.
* gnu/system/linux-container.scm (system-container): Remove.
(container-script): Use 'operating-system-derivation'.
* guix/scripts/system.scm (export-extension-graph): Replace
BOOT-SERVICE-TYPE by SYSTEM-SERVICE-TYPE.
* doc/images/service-graph.dot: Add 'system' node and edges.
* doc/guix.texi (Service Composition): Mention SYSTEM-SERVICE-TYPE.
(Service Reference): Document it. Update 'fold-services'
documentation.
