mirror of
https://codeberg.org/guix/guix.git
synced 2026-01-26 04:25:11 -06:00
a391394a22
Until now, the read-only file system set up by ‘call-with-container’
would always be writable. With this change, it can be made read-only.
With this patch, only ‘least-authority-wrapper’ switches to a read-only
root file system.
* gnu/build/linux-container.scm (remount-read-only): New procedure.
(mount-file-systems): Add #:writable-root? and #:populate-file-system
and honor them.
(run-container): Likewise.
(call-with-container): Likewise.
* gnu/system/linux-container.scm (container-script): Pass #:writable-root?
to ‘call-with-container’.
(eval/container): Add #:populate-file-system and #:writable-root? and
honor them.
* guix/scripts/environment.scm (launch-environment/container):
Pass #:writable-root? to ‘call-with-container’.
* guix/scripts/home.scm (spawn-home-container): Likewise.
* tests/containers.scm ("call-with-container, mnt namespace, read-only root")
("call-with-container, mnt namespace, writable root"): New tests.
Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
|
||
|---|---|---|
| .. | ||
| examples | ||
| images | ||
| accounts.scm | ||
| file-systems.scm | ||
| hurd.scm | ||
| image.scm | ||
| install.scm | ||
| keyboard.scm | ||
| linux-container.scm | ||
| linux-initrd.scm | ||
| locale.scm | ||
| mapped-devices.scm | ||
| nss.scm | ||
| pam.scm | ||
| privilege.scm | ||
| setuid.scm | ||
| shadow.scm | ||
| uuid.scm | ||
| vm.scm | ||