guix - Wojtek's customized Guix

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Mathieu Othacehe <othacehe@gnu.org>
;;; Copyright © 2022 Leo Nikkilä <hello@lnikki.la>
;;; Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu build shepherd)
  #:use-module (gnu system file-systems)
  #:use-module (gnu build linux-container)
  #:use-module (guix build utils)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-26)
  #:use-module (ice-9 match)
  ;; XXX: Lazy-bind the Shepherd to avoid a compile-time dependency.
  #:autoload (shepherd service) (fork+exec-command
                                 read-pid-file
                                 exec-command
                                 %precious-signals)
  #:autoload (shepherd system) (unblock-signals)
  #:export (default-mounts
            fork+exec-command/container))

;;; Commentary:
;;;
;;; This module provides extensions to the GNU Shepherd.  In particular, it
;;; provides a helper to start services in a container.
;;;
;;; Code:

(define (clean-up file)
  (when file
    (catch 'system-error
      (lambda ()
        (delete-file file))
      (lambda args
        (unless (= ENOENT (system-error-errno args))
          (apply throw args))))))

(define-syntax-rule (catch-system-error exp)
  (catch 'system-error
    (lambda ()
      exp)
    (const #f)))

(define (default-namespaces args)
  ;; Most daemons are here to talk to the network, and most of them expect to
  ;; run under a non-zero UID.
  (fold delq %namespaces '(net user)))

(define* (default-mounts #:key (namespaces (default-namespaces '())))
  (define (tmpfs directory)
    (file-system
      (device "none")
      (mount-point directory)
      (type "tmpfs")
      (check? #f)))

  (define accounts
    ;; This is for processes in the default user namespace but living in a
    ;; different mount namespace, so that they can lookup users.
    (list (file-system-mapping
           (source "/etc/passwd") (target source))
          (file-system-mapping
           (source "/etc/group") (target source))))

  (append (cons (tmpfs "/tmp") %container-file-systems)
          (let ((mappings `(,@(if (memq 'net namespaces)
                                  '()
                                  %network-file-mappings)
                            ,@(if (and (memq 'mnt namespaces)
                                       (not (memq 'user namespaces)))
                                  accounts
                                  '())

                            ;; Tell the process what timezone we're in.  This
                            ;; makes sure that, for instance, its syslog
                            ;; messages have the correct timestamp.
                            ,(file-system-mapping
                              (source "/etc/localtime")
                              (target source))

                            ,%store-mapping)))    ;XXX: coarse-grain
            (map file-system-mapping->bind-mount
                 (filter (lambda (mapping)
                           (file-exists? (file-system-mapping-source mapping)))
                         mappings)))))

(define* (exec-command* command #:key user group log-file pid-file
                        (supplementary-groups '())
                        (directory "/") (environment-variables (environ)))
  "Like 'exec-command', but first restore signal handles modified by
shepherd (PID 1)."
  ;; First restore the default handlers.
  (for-each (cut sigaction <> SIG_DFL) %precious-signals)

  ;; Unblock any signals that have been blocked by the parent process.
  (unblock-signals %precious-signals)

  (mkdir-p "/var/run")
  (clean-up pid-file)

  (exec-command command
                #:user user
                #:group group
                #:supplementary-groups supplementary-groups
                #:log-file log-file
                #:directory directory
                #:environment-variables environment-variables))

(define* (fork+exec-command/container command
                                      #:key pid
                                      #:allow-other-keys
                                      #:rest args)
  "This is a variant of 'fork+exec-command' procedure, that joins the
namespaces of process PID beforehand.  If there is no support for containers,
on Hurd systems for instance, fallback to direct forking."
  (define (strip-pid args)
    ;; TODO: Replace with 'strip-keyword-arguments' when that no longer pulls
    ;; in (guix config).
    (let loop ((args args)
               (result '()))
      (match args
        (()
         (reverse result))
        ((#:pid _ . rest)
         (loop rest result))
        ((head . rest)
         (loop rest (cons head result))))))

  (let ((container-support? (file-exists? "/proc/self/ns")))
    (if (and container-support?
             (not (and pid (= pid (getpid)))))
        (container-excursion* pid
          (lambda ()
            ;; Note: In the Shepherd 0.9, 'fork+exec-command' expects to be
            ;; called from the shepherd process (because it creates a pipe to
            ;; capture stdout/stderr and spawns a logging fiber) so we cannot
            ;; use it here.
            (match (primitive-fork)
              (0 (dynamic-wind
                   (const #t)
                   (lambda ()
                     (apply exec-command* command (strip-pid args)))
                   (lambda ()
                     (primitive-_exit 127))))
              (pid pid))))               ;XXX: assuming the same PID namespace
        (apply fork+exec-command command (strip-pid args)))))

;; Local Variables:
;; eval: (put 'container-excursion* 'scheme-indent-function 1)
;; End:

;;; shepherd.scm ends here

;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>. ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (gnu tests ganeti) #:use-module (gnu) #:use-module (gnu tests) #:use-module (gnu system vm) #:use-module (gnu services) #:use-module (gnu services ganeti) #:use-module (gnu services networking) #:use-module (gnu services ssh) #:use-module (gnu packages virtualization) #:use-module (guix gexp) #:use-module (ice-9 format) #:export (%test-ganeti-kvm %test-ganeti-lxc)) (define %ganeti-os (operating-system (host-name "gnt1") (timezone "Etc/UTC") (locale "en_US.UTF-8") (bootloader (bootloader-configuration (bootloader grub-bootloader) (target "/dev/vda"))) (file-systems (cons (file-system (device (file-system-label "my-root")) (mount-point "/") (type "ext4")) %base-file-systems)) (firmware '()) ;; The hosts file must contain a nonlocal IP for host-name. ;; In addition, the cluster name must resolve to an IP address that ;; is not currently provisioned. (hosts-file (plain-file "hosts" (format #f " 127.0.0.1 localhost ::1 localhost 10.0.2.2 gnt1.example.com gnt1 192.168.254.254 ganeti.example.com "))) (packages (append (list ganeti-instance-debootstrap ganeti-instance-guix) %base-packages)) (services (append (list (static-networking-service "eth0" "10.0.2.2" #:netmask "255.255.255.0" #:gateway "10.0.2.1" #:name-servers '("10.0.2.1")) (service openssh-service-type (openssh-configuration (permit-root-login 'without-password))) (service ganeti-service-type (ganeti-configuration (file-storage-paths '("/srv/ganeti/file-storage")) (rapi-configuration (ganeti-rapi-configuration ;; Disable TLS so we can test the RAPI without ;; pulling in GnuTLS. (ssl? #f))) (os %default-ganeti-os)))) %base-services)))) (define* (run-ganeti-test hypervisor #:key (master-netdev "eth0") (hvparams '()) (extra-packages '()) (rapi-port 5080) (noded-port 1811)) "Run tests in %GANETI-OS." (define os (marionette-operating-system (operating-system (inherit %ganeti-os) (packages (append extra-packages (operating-system-packages %ganeti-os)))) #:imported-modules '((gnu services herd) (guix combinators)))) (define %forwarded-rapi-port 5080) (define %forwarded-noded-port 1811) (define vm (virtual-machine (operating-system os) ;; Some of the daemons are fairly memory-hungry. (memory-size 512) ;; Forward HTTP ports so we can access them from the "outside". (port-forwardings `((,%forwarded-rapi-port . ,rapi-port) (,%forwarded-noded-port . ,noded-port))))) (define test (with-imported-modules '((gnu build marionette)) #~(begin (use-modules (srfi srfi-11) (srfi srfi-64) (web uri) (web client) (web response) (gnu build marionette)) (define marionette (make-marionette (list #$vm))) (mkdir #$output) (chdir #$output) (test-begin "ganeti") ;; Ganeti uses the Shepherd to start/stop daemons, so make sure ;; it is ready before we begin. It takes a while because all ;; Ganeti daemons fail to start initially. (test-assert "shepherd is ready" (wait-for-unix-socket "/var/run/shepherd/socket" marionette)) (test-eq "gnt-cluster init" 0 (marionette-eval '(begin (setenv "PATH" ;; Init needs to run 'ssh-keygen', 'ip', etc. "/run/current-system/profile/sbin:/run/current-system/profile/bin") (system* #$(file-append ganeti "/sbin/gnt-cluster") "init" (string-append "--master-netdev=" #$master-netdev) ;; TODO: Enable more disk backends. "--enabled-disk-templates=file" (string-append "--enabled-hypervisors=" #$hypervisor) (string-append "--hypervisor-parameters=" #$hypervisor ":" (string-join '#$hvparams "\n")) ;; Set the default NIC mode to 'routed' to avoid having to ;; configure a full bridge to placate 'gnt-cluster verify'. "--nic-parameters=mode=routed,link=eth0" "ganeti.example.com")) marionette)) ;; Disable the watcher while doing daemon tests to prevent interference. (test-eq "watcher pause" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/sbin/gnt-cluster") "watcher" "pause" "1h")) marionette)) (test-assert "force-start wconfd" ;; Check that the 'force-start' Shepherd action works, used in a ;; master-failover scenario. (marionette-eval '(begin (setenv "PATH" "/run/current-system/profile/bin") (invoke "herd" "stop" "ganeti-wconfd") (invoke "herd" "disable" "ganeti-wconfd") (invoke "herd" "force-start" "ganeti-wconfd")) marionette)) ;; Verify that the cluster is healthy. (test-eq "gnt-cluster verify 1" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/sbin/gnt-cluster") "verify")) marionette)) ;; Try stopping and starting daemons with daemon-util like ;; 'gnt-node add', 'gnt-cluster init', etc. (test-eq "daemon-util stop-all" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/lib/ganeti/daemon-util") "stop-all")) marionette)) (test-eq "daemon-util start-all" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/lib/ganeti/daemon-util") "start-all")) marionette)) ;; Check that the cluster is still healthy after the daemon restarts. (test-eq "gnt-cluster verify 2" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/sbin/gnt-cluster") "verify")) marionette)) (test-eq "watcher continue" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/sbin/gnt-cluster") "watcher" "continue")) marionette)) ;; Try accessing the RAPI. This causes an expected failure: ;; https://github.com/ganeti/ganeti/issues/1502 ;; Run it anyway for easy testing of potential fixes. (test-equal "http-get RAPI version" '(200 "2") (let-values (((response text) (http-get #$(simple-format #f "http://localhost:~A/version" %forwarded-rapi-port) #:decode-body? #t))) (list (response-code response) text))) (test-equal "gnt-os list" "debootstrap+default\nguix+default\n" (marionette-eval '(begin (use-modules (ice-9 popen)) (let* ((port (open-pipe* OPEN_READ #$(file-append ganeti "/sbin/gnt-os") "list" "--no-headers")) (output (get-string-all port))) (close-pipe port) output)) marionette)) (test-eq "gnt-cluster destroy" 0 (marionette-eval '(begin (system* #$(file-append ganeti "/sbin/gnt-cluster") "destroy" "--yes-do-it")) marionette)) (test-end) (exit (= (test-runner-fail-count (test-runner-current)) 1))))) (gexp->derivation (string-append "ganeti-" hypervisor "-test") test)) (define %test-ganeti-kvm (system-test (name "ganeti-kvm") (description "Provision a Ganeti cluster using the KVM hypervisor.") (value (run-ganeti-test "kvm" ;; Set kernel_path to an empty string to prevent ;; 'gnt-cluster verify' from testing for its presence. #:hvparams '("kernel_path=") #:extra-packages (list qemu))))) (define %test-ganeti-lxc (system-test (name "ganeti-lxc") (description "Provision a Ganeti cluster using LXC as the hypervisor.") (value (run-ganeti-test "lxc" #:extra-packages (list lxc)))))