authorLudovic Courtès <ludo@gnu.org>2025-04-08 13:50:59 +0200
committerLudovic Courtès <ludo@gnu.org>2025-05-05 14:34:00 +0200
commite1a0171a56602ecba193975ea2438329abb51c94 (patch)
tree748bafd6719f3eef7656ac1cea58c44cb8e8231a
parent3aa132e8c30658019281d51caa28b0fb41bab24d (diff)
linux-container: Set up “lo” and generate /etc/hosts by default.
* gnu/build/linux-container.scm (run-container): Add #:loopback-network? and honor it via #:populate-file-system. (call-with-container): Add #:loopback-network? and pass it to ‘run-container’. * guix/scripts/environment.scm (launch-environment/container): Remove call to ‘set-network-interface-up’ and remove generation of /etc/hosts. * guix/scripts/home.scm (spawn-home-container): Likewise. Change-Id: I5933a4e8dc6d8e19235a79696b62299d74d1ba21
-rw-r--r--gnu/build/linux-container.scm25
-rw-r--r--guix/scripts/environment.scm11
-rw-r--r--guix/scripts/home.scm15
3 files changed, 26 insertions, 25 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 4dcdaa8f33..345ce2de08 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -237,6 +237,7 @@ corresponds to the symbols in NAMESPACES."
(define* (run-container root mounts namespaces host-uids thunk
#:key (guest-uid 0) (guest-gid 0)
(populate-file-system (const #t))
+ (loopback-network? #t)
writable-root?)
"Run THUNK in a new container process and return its PID. ROOT specifies
the root directory for the container. MOUNTS is a list of <file-system>
@@ -244,6 +245,9 @@ objects that specify file systems to mount inside the container. NAMESPACES
is a list of symbols that correspond to the possible Linux namespaces: mnt,
ipc, uts, user, and net.
+When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the
+loopback device (\"lo\") and a minimal /etc/hosts.
+
When WRITABLE-ROOT? is false, remount the container's root as read-only before
calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially)
made read-only.
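Review bot: The new docstring sentence reads "'net is amount NAMESPACES"; "amount" should be "among", i.e. `When LOOPBACK-NETWORK? is true and 'net is among NAMESPACES, set up the`. The same typo is repeated in the docstring hunk for call-with-container further down in this file. It would also help a caller to state in this sentence that the generated /etc/hosts is written after POPULATE-FILE-SYSTEM has run, since that ordering determines which file wins.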
@@ -275,7 +279,21 @@ that host UIDs (respectively GIDs) map to in the namespace."
#:mount-/sys? (memq 'net
namespaces)
#:populate-file-system
- populate-file-system
+ (lambda ()
+ (populate-file-system)
+ (when (and (memq 'net namespaces)
+ loopback-network?)
+ (set-network-interface-up "lo")
+
+ ;; When isolated from the
+ ;; network, provide a minimal
+ ;; /etc/hosts to resolve
+ ;; "localhost".
+ (mkdir-p "/etc")
+ (call-with-output-file "/etc/hosts"
+ (lambda (port)
+ (display "127.0.0.1 localhost\n" port)
+ (chmod port #o444)))))
#:writable-root?
(or writable-root?
(not (memq 'mnt namespaces)))))
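Review bot: The call-with-output-file on /etc/hosts runs after `(populate-file-system)` returns, so any /etc/hosts that a caller's populate procedure created is silently truncated and replaced; the only way to keep a custom hosts file is `#:loopback-network? #f`, which also skips bringing up "lo", so the two behaviours cannot be separated. Guarding the write with `(unless (file-exists? "/etc/hosts")` (closing the extra paren after the chmod form) would let a populate procedure supply its own file while still getting the loopback device, and the comment above it could say so: `;; Provide a minimal /etc/hosts unless POPULATE-FILE-SYSTEM already wrote one.`. The chmod to #o444 also changes the mode that guix/scripts/environment.scm used to produce for this file (that caller did not chmod), which looks intentional but may deserve a word in the commit message. The surrounding run-container body starts and ends outside this hunk.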
@@ -350,6 +368,7 @@ if there are no child processes left."
(relayed-signals (list SIGINT SIGTERM))
(child-is-pid1? #t)
(populate-file-system (const #t))
+ (loopback-network? #t)
writable-root?
(process-spawned-hook (const #t)))
"Run THUNK in a new container process and return its exit status; call
@@ -371,6 +390,9 @@ UIDs (respectively GIDs) map to in the namespace.
RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container
process when caught by its parent.
+When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the
+loopback device (\"lo\") and a minimal /etc/hosts.
+
When WRITABLE-ROOT? is false, remount the container's root as read-only before
calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially)
made read-only.
@@ -430,6 +452,7 @@ load path must be adjusted as needed."
#:guest-uid guest-uid
#:guest-gid guest-gid
#:populate-file-system populate-file-system
+ #:loopback-network? loopback-network?
#:writable-root? writable-root?)))
(install-signal-handlers pid)
(process-spawned-hook pid)
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index e14bc95df7..ad1b26454a 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -903,10 +903,6 @@ WHILE-LIST."
(setenv "HOME" home-dir)
- (unless network?
- ;; Allow local AF_INET communications.
- (set-network-interface-up "lo"))
-
;; For convenience, start in the user's current working
;; directory or, if unmapped, the home directory.
(chdir (if map-cwd?
@@ -961,13 +957,6 @@ WHILE-LIST."
(write-passwd (list passwd))
(write-group groups)
- (unless network?
- ;; When isolated from the network, provide a minimal /etc/hosts
- ;; to resolve "localhost".
- (call-with-output-file "/etc/hosts"
- (lambda (port)
- (display "127.0.0.1 localhost\n" port))))
-
;; Call an additional setup procedure, if provided.
(when setup-hook
(setup-hook profile)))
diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm
index 5f1ab29cf0..57c0df6294 100644
--- a/guix/scripts/home.scm
+++ b/guix/scripts/home.scm
@@ -290,14 +290,11 @@ immediately. Return the exit status of the process in the container."
(with-imported-modules `(((guix config) => ,(make-config.scm))
,@(source-module-closure
'((guix profiles)
- (guix build utils)
- (guix build syscalls))
+ (guix build utils))
#:select? not-config?))
#~(begin
(use-modules (guix build utils)
- ((guix profiles) #:select (load-profile))
- ((guix build syscalls)
- #:select (set-network-interface-up)))
+ ((guix profiles) #:select (load-profile)))
(define shell
#$(user-shell))
@@ -349,14 +346,6 @@ immediately. Return the exit status of the process in the container."
(write-passwd (list passwd))
(write-group groups)
- (unless network?
- ;; When isolated from the network, provide a minimal /etc/hosts
- ;; to resolve "localhost".
- (call-with-output-file "/etc/hosts"
- (lambda (port)
- (display "127.0.0.1 localhost\n" port)
- (chmod port #o444))))
-
;; Create /tmp; bits of code expect it, such as
;; 'least-authority-wrapper'.
(mkdir-p "/tmp"))