unofficial mirror of guix-patches@gnu.org 
From: paul via Guix-patches via <guix-patches@gnu.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 66160@debbugs.gnu.org
Subject: [bug#66160] [PATCH] gnu: Add oci-container-service-type.
Date: Thu, 19 Oct 2023 23:16:35 +0200	[thread overview]
Message-ID: <16c3e931-09d2-9e85-97f1-c7f78d5ff2ec@autistici.org> (raw)
In-Reply-To: <874jimz7y5.fsf@gnu.org>


Hello Ludo’,

On 10/19/23 22:13, Ludovic Courtès wrote:
> Hello,
>
> paul <goodoldpaul@autistici.org> wrote:
>
>
> [...]
>
>>> Does ‘docker run’ necessarily need to run as root, or are there cases
>>> where one might want to run it as non-root?  (I expect the latter.)
>> Yes, you are right, it's only required to be in the docker group or in
>> general to have enough permission to operate on the docker daemon
>> socket. I added a new service extension setting up an oci-container
>> user, which is just in the docker group and cannot log in, that runs
>> OCI-backed services. It is also overridable by the user.
> In that case, maybe create an “oci-service” account part of the “docker”
> group, and run ‘docker run’ as that user instead of running it as root?
> Would that be OK or am I overlooking something?
I already added such a user in the latest version of my patch. I probably
made a mess with the patch subjects.
> What I’m suggesting above is that one would build a list of
> ‘oci-container-service-type’ instances, like:
>
>    (list (service oci-container-service-type
>                   (oci-container-configuration …))
>          (service oci-container-service-type
>                   (oci-container-configuration …))
>          …)
>
> Each instance above would correspond to exactly one program in a Docker
> image.
>
> I feel it’s slightly more natural than having a service type that
> implements support for multiple OCI services at once.
I agree it's more natural, but (list service-a service-b ...) is the
same interface exposed by the shepherd-root-service-type, I believe for
the same reasons: I need the oci-nextcloud-service-type to instantiate 3
shepherd services but only create a single account and activate a single
data dir under /var/lib, something like this:

(define oci-nextcloud-service-type
  (service-type
   (name 'nextcloud)
   (extensions
    (list (service-extension oci-container-service-type
                             ;; a single extension contributing both
                             ;; containers; the lambda must return the
                             ;; list, not just evaluate the two calls
                             (lambda (config)
                               (list (make-nextcloud-container config)
                                     (make-nextcloud-cron-container config))))
          (service-extension account-service-type
                             (const %nextcloud-accounts))
          (service-extension activation-service-type
                             %nextcloud-activation)))
   (default-value (nextcloud-configuration))
   (description
    "This service provides the Nextcloud service as an OCI-backed container.")))

The only way oci-container-service-type could support this use case
while accepting a single configuration is, I guess, if multiple
(service-extension oci-container-service-type ...) were allowed, am I
understanding correctly? Is it legal in Guix to write something like:

(extensions
 (list (service-extension oci-container-service-type
                          make-nextcloud-container)
       (service-extension oci-container-service-type
                          make-nextcloud-cron-container)
       (service-extension account-service-type
                          (const %nextcloud-accounts))
       (service-extension activation-service-type
                          %nextcloud-activation)))

> Check out under gnu/tests/*.scm, in particular (gnu tests docker).

Thank you for the pointer, I'll look into those.

giacomo
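The composition pattern discussed in the message above, written out as a complete, added example (this is not code from the patch under review or from Guix itself): one service type contributes two OCI containers through a single extension that returns a list, while creating exactly one non-login system account in the docker group and one data directory under /var/lib. Everything not in the thread is an assumption and is marked as such in the code: the oci-container-configuration field names (image, provision, user, command, ports, volumes) follow the version later merged into Guix and may differ from the v1 patch; oci-container-service-type is assumed to compose extensions with concatenate; the image name is a placeholder. The account is deliberately a system account with a nologin shell, since docker group membership gives full access to the daemon socket and therefore root-equivalent control of the host, so nothing else should run as that user.

```scheme
;; Added example, not part of the patch under review.  Assumptions are
;; marked inline.
(use-modules (gnu services)
             (gnu services docker)      ; oci-container-* per the patch (assumed)
             (gnu system shadow)        ; user-account, account-service-type
             (gnu packages admin)       ; shadow, for /sbin/nologin
             (guix gexp)
             (guix records))

;; One dedicated account shared by both containers.  No login shell, system
;; account, member of "docker" only because that is what lets it reach the
;; daemon socket.  That membership is root-equivalent on the host, so this
;; user runs the containers and nothing else.
(define %nextcloud-accounts
  (list (user-group (name "nextcloud") (system? #t))
        (user-account
         (name "nextcloud")
         (group "nextcloud")
         (supplementary-groups '("docker"))
         (system? #t)
         (comment "Nextcloud OCI containers")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

;; One activation snippet creating the shared data directory, owned by that
;; account and not world-readable.
(define %nextcloud-activation
  #~(begin
      (use-modules (guix build utils))
      (let ((dir "/var/lib/nextcloud")
            (pw  (getpwnam "nextcloud")))
        (mkdir-p dir)
        (chown dir (passwd:uid pw) (passwd:gid pw))
        (chmod dir #o750))))

(define-record-type* <nextcloud-configuration>
  nextcloud-configuration make-nextcloud-configuration
  nextcloud-configuration?
  ;; Placeholder image reference; pin a digest in real use.
  (image nextcloud-configuration-image (default "nextcloud:PLACEHOLDER-TAG"))
  (port  nextcloud-configuration-port  (default 8080)))

;; Field names below (image, provision, user, command, ports, volumes) are
;; assumed from the later merged oci-container-configuration.
(define (make-nextcloud-container config)
  (oci-container-configuration
   (image (nextcloud-configuration-image config))
   (provision 'nextcloud-web)
   (user "nextcloud")
   (ports `((,(number->string (nextcloud-configuration-port config)) . "80")))
   (volumes '(("/var/lib/nextcloud" . "/var/www/html")))))

(define (make-nextcloud-cron-container config)
  (oci-container-configuration
   (image (nextcloud-configuration-image config))
   (provision 'nextcloud-cron)
   (user "nextcloud")
   (command '("/cron.sh"))
   (volumes '(("/var/lib/nextcloud" . "/var/www/html")))))

(define oci-nextcloud-service-type
  (service-type
   (name 'nextcloud)
   (extensions
    (list (service-extension oci-container-service-type
                             ;; A single extension returning both containers;
                             ;; assumes the target composes with concatenate.
                             (lambda (config)
                               (list (make-nextcloud-container config)
                                     (make-nextcloud-cron-container config))))
          (service-extension account-service-type
                             (const %nextcloud-accounts))
          (service-extension activation-service-type
                             (const %nextcloud-activation))))
   (default-value (nextcloud-configuration))
   (description
    "Nextcloud as two OCI-backed containers sharing one unprivileged account.")))

;; Usage in an operating-system declaration (assumed):
;;   (services (cons (service oci-nextcloud-service-type)
;;                   %base-services))
```

The design choice worth noting is that both containers are produced by one extension procedure, so the question of whether two extensions targeting the same service type are honoured does not arise; the account and the activation snippet are each contributed once regardless of how many containers the service defines.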
