;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016-2017, 2019-2023 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2022 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2023 Pierre Langlois <pierre.langlois@gmx.com>
;;; Copyright © 2024 Leo Nikkilä <hello@lnikki.la>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; Commentary:
;;;
;;; Derive an <operating-system> suitable for running inside a Linux
;;; container from a regular (bare-metal) one: bare-metal-only essential
;;; services are dropped, and when the network namespace is shared with the
;;; host the guest's own network configuration is removed in favour of a
;;; no-op 'networking' service.  Everything network-related that the guest
;;; can reach is therefore decided by the host, not by this module.

(define-module (gnu system linux-container)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (guix config)
  #:use-module (guix store)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix monads)
  #:use-module (guix modules)
  #:use-module (gnu build linux-container)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (gnu services networking)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system)
  #:use-module (gnu system file-systems)
  #:export (system-container
            containerized-operating-system
            container-script
            eval/container))

(define* (container-essential-services os #:key shared-network?)
  "Return a list of essential services corresponding to OS, a non-containerized OS. This procedure essentially strips essential services from OS that are needed on the bare metal and not in a container."
  ;; The essential services of OS minus those whose service kind only makes
  ;; sense on bare metal: the Linux bare-metal service, firmware loading and
  ;; system-service-type (re-added below with a trimmed value).  When the
  ;; network is shared with the host, hosts-service-type is dropped as well,
  ;; so the guest contributes no /etc/hosts entries of its own.
  (define base
    (remove (lambda (service)
              (memq (service-kind service)
                    (cons* (service-kind %linux-bare-metal-service)
                           firmware-service-type
                           system-service-type
                           (if shared-network?
                               (list hosts-service-type)
                               '()))))
            (operating-system-essential-services os)))

  ;; Re-add system-service-type carrying only the "locale" entry.
  (cons (service system-service-type
                 `(("locale" ,(operating-system-locale-directory os))))
        ;; If network is to be shared with the host, remove network
        ;; configuration files from etc-service.
        ;; Matching is by basename against %network-configuration-files, so
        ;; the guest ends up with no network configuration of its own under
        ;; /etc -- presumably the host's resolver/hosts configuration is
        ;; what applies inside the container; confirm against the callers.
        (if shared-network?
            (modify-services base
              (etc-service-type
               files => (remove
                         (match-lambda
                           ((filename _)
                            (member filename
                                    (map basename %network-configuration-files))))
                         files)))
            base)))

;; A Shepherd service that provides 'loopback and 'networking without doing
;; anything: its start action is (const #t), so it always reports success.
;; It exists only so that services depending on 'networking can start when
;; the host has already set networking up.  Note that it performs no
;; configuration and no isolation: whatever the host's network namespace can
;; reach, the container can reach too.
(define dummy-networking-service-type
  (shepherd-service-type
   'dummy-networking
   (const
    (shepherd-service
     (documentation "Provide loopback and networking without actually doing anything.")
     (provision '(loopback networking))
     (start #~(const #t))))
   #f
   (description "Provide loopback and networking without actually doing anything. This service is used by guest systems running in containers, where networking support is provided by the host.")))

(define %nscd-container-caches
  ;; Similar to %nscd-default-caches but with smaller cache sizes.  This allows
  ;; many containers to coexist on the same machine without exhausting RAM.
  ;; Every default cache is kept; only max-database-size is overridden, to
  ;; 2^18 bytes.
  (map (lambda (cache)
         (nscd-cache (inherit cache)
                     (max-database-size (expt 2 18)))) ;256KiB
       %nscd-default-caches))

(define* (containerized-operating-system os mappings
                                         #:key
                                         shared-network?
                                         (extra-file-systems '()))
  "Return an operating system based on OS for use in a Linux container environment. MAPPINGS is a list of <file-system-mapping> to realize in the containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
  ;; File systems of OS that are carried over into the container.  The store
  ;; prefix and the root mount are dropped, as are file systems whose device
  ;; is a /dev/ path or whose mount point is under /dev/ or /sys/ (the
  ;; remaining conditions of this predicate follow below).
  (define user-file-systems
    (remove (lambda (fs)
              (let ((target (file-system-mount-point fs))
                    (source (file-system-device fs)))
                (or (string=? target (%store-prefix))
                    (string=?
target "/") (and (string? source) (string-prefix? "/dev/" source)) (string-prefix? "/dev/" target) (string-prefix? "/sys/" target)))) (operating-system-file-systems os))) (define (mapping->fs fs) (file-system (inherit (file-system-mapping->bind-mount fs)) (needed-for-boot? #t))) (define services-to-drop ;; Service types to filter from the original operating-system. Some of ;; these make no sense in a container (e.g., those that access ;; /dev/tty[0-9]), while others just need to be reinstantiated with ;; different configs that are better suited to containers. (append (list console-font-service-type mingetty-service-type agetty-service-type) (if shared-network? ;; Replace these with dummy-networking-service-type below. (list static-networking-service-type dhcp-client-service-type network-manager-service-type connman-service-type) (list)))) (define services-to-add ;; Many Guix services depend on a 'networking' shepherd ;; service, so make sure to provide a dummy 'networking' ;; service when we are sure that networking is already set up ;; in the host and can be used. That prevents double setup. (if shared-network? (list (service dummy-networking-service-type)) '())) (define os-with-base-essential-services (operating-system (inherit os) (swap-devices '()) ; disable swap (services (append services-to-add (filter-map (lambda (s) (cond ((memq (service-kind s) services-to-drop) #f) ((eq? nscd-service-type (service-kind s)) (service nscd-service-type (nscd-configuration (inherit (service-value s)) (caches %nscd-container-caches)))) ((eq? 
guix-service-type (service-kind s)) ;; Pass '--disable-chroot' so that ;; guix-daemon can bu-rw-r--r--composer.scm2912logplainabout -rw-r--r--containers.scm11539logplainabout -rw-r--r--cpan.scm4593logplainabout -rw-r--r--cpio.scm3327logplainabout -rw-r--r--cran.scm4894logplainabout -rw-r--r--crate.scm40282logplainabout -rw-r--r--cve-sample.json46447logplainabout -rw-r--r--cve.scm3672logplainabout -rw-r--r--debug-link.scm6709logplainabout -rw-r--r--derivations.scm71713logplainabout -rw-r--r--discovery.scm2540logplainabout -rw-r--r--egg.scm4099logplainabout -rw-r--r--elm.scm10343logplainabout -rw-r--r--elpa.scm5034logplainabout -rw-r--r--file-systems.scm4717logplainabout -rw-r--r--gem.scm10913logplainabout -rw-r--r--gexp.scm83461logplainabout -rw-r--r--git-authenticate.scm23620logplainabout -rw-r--r--git.scm10481logplainabout -rw-r--r--glob.scm2551logplainabout -rw-r--r--gnu-maintenance.scm7724logplainabout -rw-r--r--go.scm20085logplainabout -rw-r--r--grafts.scm27923logplainabout -rw-r--r--graph.scm24511logplainabout -rw-r--r--gremlin.scm8006logplainabout -rw-r--r--guix-archive.sh2841logplainabout -rw-r--r--guix-authenticate.sh3055logplainabout -rw-r--r--guix-build-branch.sh2222logplainabout -rw-r--r--guix-build.sh12887logplainabout -rw-r--r--guix-daemon.sh8289logplainabout -rw-r--r--guix-describe.sh1412logplainabout -rw-r--r--guix-download.sh3043logplainabout -rw-r--r--guix-environment-container.sh10380logplainabout -rw-r--r--guix-environment.sh9321logplainabout -rw-r--r--guix-gc.sh2714logplainabout -rw-r--r--guix-git-authenticate.sh3049logplainabout -rw-r--r--guix-graph.sh2922logplainabout -rw-r--r--guix-hash.sh3705logplainabout -rw-r--r--guix-home.sh8089logplainabout -rw-r--r--guix-lint.sh3213logplainabout -rwxr-xr-xguix-locate.sh2545logplainabout -rw-r--r--guix-pack-localstatedir.sh2565logplainabout -rw-r--r--guix-pack-relocatable.sh9367logplainabout -rw-r--r--guix-pack.sh5333logplainabout -rw-r--r--guix-package-aliases.sh2180logplainabout 