From: "Thompson, David" <dthompson2@worcester.edu>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>, David Thompson <davet@gnu.org>
Subject: Re: [PATCH 11/15] gnu: system: Add Linux container module.
Date: Thu, 9 Jul 2015 09:00:09 -0400 [thread overview]
Message-ID: <CAJ=RwfZS5eCCawy1HL=P5YkS4sctYcVbqTTWGcHRN6i02Qa-1A@mail.gmail.com> (raw)
In-Reply-To: <87bnfohy1u.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 1435 bytes --]
On Tue, Jul 7, 2015 at 9:55 AM, Ludovic Courtès <ludo@gnu.org> wrote:
> David Thompson <dthompson2@worcester.edu> skribis:
>
>> * gnu/system/linux-container.scm: New file.
>> * gnu-system.am (GNU_SYSTEM_MODULES): Add it.
>> * gnu/system.scm: Export 'operating-system-etc-directory',
>> 'operating-system-boot-script', 'operating-system-locale-directory', and
>> 'file-union'.
>> (operating-system-boot-script): Add #:container? keyword argument.
>> (operating-system-activation-script): Add #:container? keyword argument.
>> Don't call 'activate-firmware' or 'activate-ptrace-attach' when activating a
>> container.
>
> [...]
>
>> +(define* (operating-system-boot-script os #:key container?)
>> "Return the boot script for OS---i.e., the code started by the initrd once
>> we're running in the final root."
>
> Augment the docstring with something like:
>
> When CONTAINER? is true, skip all hardware-related operations as
> necessary when booting a Linux container.
>
>> +(define (system-container os)
>
> docstring
>
>> +(define* (container-script os #:key (mappings '()))
>
> docstring
>
> OK with these changes!
I made these changes and added a 'containerized-operating-system'
procedure to the module that does something similar to
'virtualized-operating-system' in (gnu system vm), as discussed in the
main thread.
Updated patch attached. WDYT?
- Dave
- Dave
[-- Attachment #2: 0001-gnu-system-Add-Linux-container-module.patch --]
[-- Type: text/x-diff, Size: 9291 bytes --]
From 7c41e765a91f6a4c50b692f6230d6e0e3e3b7099 Mon Sep 17 00:00:00 2001
From: David Thompson <davet@gnu.org>
Date: Mon, 8 Jun 2015 08:59:00 -0400
Subject: [PATCH] gnu: system: Add Linux container module.
* gnu/system/linux-container.scm: New file.
* gnu-system.am (GNU_SYSTEM_MODULES): Add it.
* gnu/system.scm: Export 'operating-system-etc-directory',
'operating-system-boot-script', 'operating-system-locale-directory', and
'file-union'.
(operating-system-boot-script): Add #:container? keyword argument.
(operating-system-activation-script): Add #:container? keyword argument.
Don't call 'activate-firmware' or 'activate-ptrace-attach' when activating a
container.
---
gnu-system.am | 1 +
gnu/system.scm | 30 +++++++----
gnu/system/linux-container.scm | 118 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 139 insertions(+), 10 deletions(-)
create mode 100644 gnu/system/linux-container.scm
diff --git a/gnu-system.am b/gnu-system.am
index d6369b5..83d04d8 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -346,6 +346,7 @@ GNU_SYSTEM_MODULES = \
gnu/system/grub.scm \
gnu/system/install.scm \
gnu/system/linux.scm \
+ gnu/system/linux-container.scm \
gnu/system/linux-initrd.scm \
gnu/system/locale.scm \
gnu/system/nss.scm \
diff --git a/gnu/system.scm b/gnu/system.scm
index efad145..3ec1a4c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -82,6 +82,11 @@
operating-system-derivation
operating-system-profile
operating-system-grub.cfg
+ operating-system-etc-directory
+ operating-system-locale-directory
+ operating-system-boot-script
+
+ file-union
local-host-aliases
%setuid-programs
@@ -679,7 +684,7 @@ variable is not set---hence the need for this wrapper."
(apply execl #$modprobe
(cons #$modprobe (cdr (command-line))))))))
-(define (operating-system-activation-script os)
+(define* (operating-system-activation-script os #:key container?)
"Return the activation script for OS---i.e., the code that \"activates\" the
stateful part of OS, including user accounts and groups, special directories,
etc."
@@ -753,12 +758,15 @@ etc."
;; Tell the kernel to use our 'modprobe' command.
(activate-modprobe #$modprobe)
- ;; Tell the kernel where firmware is.
- (activate-firmware
- (string-append #$firmware "/lib/firmware"))
-
- ;; Let users debug their own processes!
- (activate-ptrace-attach)
+ ;; Tell the kernel where firmware is, unless we are
+ ;; activating a container.
+ #$@(if container?
+ #~()
+ ;; Tell the kernel where firmware is.
+ #~((activate-firmware
+ (string-append #$firmware "/lib/firmware"))
+ ;; Let users debug their own processes!
+ (activate-ptrace-attach)))
;; Run the services' activation snippets.
;; TODO: Use 'load-compiled'.
@@ -767,11 +775,13 @@ etc."
;; Set up /run/current-system.
(activate-current-system)))))
-(define (operating-system-boot-script os)
+(define* (operating-system-boot-script os #:key container?)
"Return the boot script for OS---i.e., the code started by the initrd once
-we're running in the final root."
+we're running in the final root. When CONTAINER? is true, skip all
+hardware-related operations as necessary when booting a Linux container."
(mlet* %store-monad ((services (operating-system-services os))
- (activate (operating-system-activation-script os))
+ (activate (operating-system-activation-script
+ os #:container? container?))
(dmd-conf (dmd-configuration-file services)))
(gexp->file "boot"
#~(begin
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
new file mode 100644
index 0000000..9e9bfea
--- /dev/null
+++ b/gnu/system/linux-container.scm
@@ -0,0 +1,118 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2015 David Thompson <davet@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu system linux-container)
+ #:use-module (ice-9 match)
+ #:use-module (srfi srfi-1)
+ #:use-module (guix config)
+ #:use-module (guix store)
+ #:use-module (guix gexp)
+ #:use-module (guix derivations)
+ #:use-module (guix monads)
+ #:use-module (gnu build linux-container)
+ #:use-module (gnu system)
+ #:use-module (gnu system file-systems)
+ #:export (mapping->file-system
+ system-container
+ containerized-operating-system
+ container-script))
+
+(define (mapping->file-system mapping)
+ "Return a file system that realizes MAPPING."
+ (match mapping
+ (($ <file-system-mapping> source target writable?)
+ (file-system
+ (mount-point target)
+ (device source)
+ (type "none")
+ (flags (if writable?
+ '(bind-mount)
+ '(bind-mount read-only)))
+ (check? #f)
+ (create-mount-point? #t)))))
+
+(define (system-container os)
+ "Return a derivation that builds OS as a Linux container."
+ (mlet* %store-monad
+ ((profile (operating-system-profile os))
+ (etc (operating-system-etc-directory os))
+ (boot (operating-system-boot-script os #:container? #t))
+ (locale (operating-system-locale-directory os)))
+ (file-union "system-container"
+ `(("boot" ,#~#$boot)
+ ("profile" ,#~#$profile)
+ ("locale" ,#~#$locale)
+ ("etc" ,#~#$etc)))))
+
+(define (containerized-operating-system os mappings)
+ "Return an operating system based on OS for use in a Linux container
+environment. MAPPINGS is a list of <file-system-mapping> to realize in the
+containerized OS."
+ (define user-file-systems
+ (remove (lambda (fs)
+ (let ((target (file-system-mount-point fs))
+ (source (file-system-device fs)))
+ (or (string=? target (%store-prefix))
+ (string=? target "/")
+ (string-prefix? "/dev/" source)
+ (string-prefix? "/dev" target)
+ (string-prefix? "/sys" target))))
+ (operating-system-file-systems os)))
+
+ (define (mapping->fs fs)
+ (file-system (inherit (mapping->file-system fs))
+ (needed-for-boot? #t)))
+
+ (operating-system (inherit os)
+ (swap-devices '()) ; disable swap
+ (file-systems (append (map mapping->fs (cons %store-mapping mappings))
+ %container-file-systems
+ user-file-systems))))
+
+(define* (container-script os #:key (mappings '()))
+ "Return a derivation of a script that runs OS as a Linux container.
+MAPPINGS is a list of <file-system> objects that specify the files/directories
+that will be shared with the host system."
+ (let* ((os (containerized-operating-system os mappings))
+ (file-systems (filter file-system-needed-for-boot?
+ (operating-system-file-systems os)))
+ (specs (map file-system->spec file-systems)))
+
+ (mlet* %store-monad ((os-drv (system-container os)))
+
+ (define script
+ #~(begin
+ (use-modules (gnu build linux-container))
+
+ (call-with-container '#$specs
+ (lambda ()
+ (setenv "HOME" "/root")
+ (setenv "TMPDIR" "/tmp")
+ (setenv "GUIX_NEW_SYSTEM" #$os-drv)
+ (for-each mkdir '("/run" "/bin" "/etc" "/home" "/var"))
+ (primitive-load (string-append #$os-drv "/boot"))))))
+
+ (gexp->script "run-container" script
+ #:modules '((ice-9 match)
+ (srfi srfi-98)
+ (guix config)
+ (guix utils)
+ (guix build utils)
+ (guix build syscalls)
+ (gnu build file-systems)
+ (gnu build linux-container))))))
--
2.4.3
next prev parent reply other threads:[~2015-07-09 13:00 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-06 13:16 [PATCH 01/15] build: syscalls: Add additional mount flags David Thompson
2015-07-06 13:16 ` [PATCH 02/15] build: syscalls: Add unmount flags David Thompson
2015-07-07 14:50 ` Ludovic Courtès
2015-07-07 22:44 ` Thompson, David
2015-07-06 13:16 ` [PATCH 03/15] build: syscalls: Add mkdtemp! David Thompson
2015-07-07 13:15 ` Ludovic Courtès
2015-07-07 22:52 ` Thompson, David
2015-07-06 13:16 ` [PATCH 04/15] utils: Add call-with-temporary-directory David Thompson
2015-07-07 13:15 ` Ludovic Courtès
2015-07-07 22:54 ` Thompson, David
2015-07-06 13:16 ` [PATCH 05/15] build: syscalls: Add clone syscall wrapper David Thompson
2015-07-07 13:23 ` Ludovic Courtès
2015-07-08 0:28 ` Thompson, David
2015-07-11 10:18 ` Ludovic Courtès
2015-07-06 13:16 ` [PATCH 06/15] build: syscalls: Add setns " David Thompson
2015-07-07 13:28 ` Ludovic Courtès
2015-07-08 0:57 ` Thompson, David
2015-07-06 13:16 ` [PATCH 07/15] build: syscalls: Add pivot-root David Thompson
2015-07-07 13:35 ` Ludovic Courtès
2015-07-08 1:18 ` Thompson, David
2015-07-08 12:47 ` Ludovic Courtès
2015-07-06 13:16 ` [PATCH 08/15] gnu: build: Add Linux container module David Thompson
2015-07-07 13:51 ` Ludovic Courtès
2015-07-08 12:38 ` Thompson, David
2015-07-08 21:57 ` Ludovic Courtès
2015-07-09 12:56 ` Thompson, David
2015-07-06 13:16 ` [PATCH 09/15] gnu: system: Move <file-system-mapping> into (gnu system file-systems) David Thompson
2015-07-07 13:51 ` Ludovic Courtès
2015-07-08 1:21 ` Thompson, David
2015-07-06 13:16 ` [PATCH 10/15] gnu: system: Move file-system->spec to " David Thompson
2015-07-07 13:51 ` Ludovic Courtès
2015-07-08 1:22 ` Thompson, David
2015-07-06 13:16 ` [PATCH 11/15] gnu: system: Add Linux container module David Thompson
2015-07-07 13:55 ` Ludovic Courtès
2015-07-09 13:00 ` Thompson, David [this message]
2015-07-10 17:57 ` Ludovic Courtès
2015-07-06 13:16 ` [PATCH 12/15] gnu: system: Add Linux container file systems David Thompson
2015-07-07 13:56 ` Ludovic Courtès
2015-07-09 12:56 ` Thompson, David
2015-07-06 13:16 ` [PATCH 13/15] scripts: system: Add 'container' action David Thompson
2015-07-07 14:05 ` Ludovic Courtès
2015-10-27 0:24 ` Thompson, David
2015-10-27 17:41 ` Ludovic Courtès
2015-10-30 17:28 ` Thompson, David
2015-07-06 13:16 ` [PATCH 14/15] scripts: environment: Add --container option David Thompson
2015-07-07 14:35 ` Ludovic Courtès
2015-07-09 13:16 ` Thompson, David
2015-07-10 18:03 ` Ludovic Courtès
2015-09-05 23:45 ` Thompson, David
2015-09-11 12:39 ` Ludovic Courtès
2015-10-10 21:11 ` Thompson, David
2015-10-11 19:34 ` Ludovic Courtès
2015-10-17 10:05 ` Ludovic Courtès
2015-10-22 1:23 ` Thompson, David
2015-10-25 21:38 ` Ludovic Courtès
2015-10-26 0:35 ` Thompson, David
2015-10-27 10:13 ` Ludovic Courtès
2015-10-31 1:25 ` Thompson, David
2015-10-31 10:28 ` Ludovic Courtès
2015-07-06 13:16 ` [PATCH 15/15] scripts: Add 'container' subcommand David Thompson
2015-07-07 14:50 ` Ludovic Courtès
2015-10-27 0:31 ` Thompson, David
2015-10-27 17:46 ` Ludovic Courtès
2015-07-07 13:14 ` [PATCH 01/15] build: syscalls: Add additional mount flags Ludovic Courtès
2015-07-07 22:42 ` Thompson, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ=RwfZS5eCCawy1HL=P5YkS4sctYcVbqTTWGcHRN6i02Qa-1A@mail.gmail.com' \
--to=dthompson2@worcester.edu \
--cc=davet@gnu.org \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).