all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH] build: container: Add #:host-uids argument to call-with-container.
@ 2015-08-02  1:55 David Thompson
  2015-08-08 18:06 ` Thompson, David
  0 siblings, 1 reply; 3+ messages in thread
From: David Thompson @ 2015-08-02  1:55 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 170 bytes --]

This patch should resolve the issues we're having with the container
tests when building Guix with Guix.  Tested on 'wip-container' with
'guix environment --container'.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-build-container-Add-host-uids-argument-to-call-with-.patch --]
[-- Type: text/x-patch, Size: 6067 bytes --]

From 096ac10f187c6d9c72462c4747cd6c8433eb8f02 Mon Sep 17 00:00:00 2001
From: David Thompson <dthompson2@worcester.edu>
Date: Sat, 1 Aug 2015 21:04:31 -0400
Subject: [PATCH] build: container: Add #:host-uids argument to
 call-with-container.

It's not always possible to map 65536 uids when creating a container as the
root user within another user namespace.  This is true when building Guix
within the build daemon's container.  By using a uid range of 1 by default,
even as the root user, the tests now pass.

* gnu/build/linux-container.scm (initialize-user-namespace, run-container):
  Add 'host-uids' argument.
  (call-with-container): Add #:host-uids keyword argument.
* tests/containers.scm ("container-excursion"): Update 'run-container' call.
---
 gnu/build/linux-container.scm | 38 +++++++++++++++++++-------------------
 tests/containers.scm          |  2 +-
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 7a03a29..af59904 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -120,23 +120,17 @@ to ROOT, then make ROOT the new root directory for the process."
     (umount "real-root" MNT_DETACH)
     (rmdir "real-root")))
 
-(define (initialize-user-namespace pid)
-  "Configure the user namespace for PID."
+(define (initialize-user-namespace pid host-uids)
+  "Configure the user namespace for PID.  HOST-UIDS specifies the number of
+host user identifiers to map into the user namespace."
   (define proc-dir
     (string-append "/proc/" (number->string pid)))
 
   (define (scope file)
     (string-append proc-dir file))
 
-  ;; Only root can map more than a single uid/gid.  A range of 65536 uid/gids
-  ;; is used to cover 16 bits worth of users and groups, which is sufficient
-  ;; for most cases.
-  ;;
-  ;; See also: http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--private-users=
-  (let* ((uid       (getuid))
-         (gid       (getgid))
-         (uid-range (if (zero? uid) 65536 1))
-         (gid-range (if (zero? gid) 65536 1)))
+  (let ((uid (getuid))
+        (gid (getgid)))
 
     ;; Only root can write to the gid map without first disabling the
     ;; setgroups syscall.
@@ -149,10 +143,10 @@ to ROOT, then make ROOT the new root directory for the process."
     ;; within the container.
     (call-with-output-file (scope "/uid_map")
       (lambda (port)
-        (format port "0 ~d ~d" uid uid-range)))
+        (format port "0 ~d ~d" uid host-uids)))
     (call-with-output-file (scope "/gid_map")
       (lambda (port)
-        (format port "0 ~d ~d" gid gid-range)))))
+        (format port "0 ~d ~d" gid host-uids)))))
 
 (define (namespaces->bit-mask namespaces)
   "Return the number suitable for the 'flags' argument of 'clone' that
@@ -167,12 +161,13 @@ corresponds to the symbols in NAMESPACES."
                ('net  CLONE_NEWNET))
               namespaces)))
 
-(define (run-container root mounts namespaces thunk)
+(define (run-container root mounts namespaces host-uids thunk)
   "Run THUNK in a new container process and return its PID.  ROOT specifies
 the root directory for the container.  MOUNTS is a list of file system specs
 that specify the mapping of host file systems into the container.  NAMESPACES
 is a list of symbols that correspond to the possible Linux namespaces: mnt,
-ipc, uts, user, and net."
+ipc, uts, user, and net.  HOST-UIDS specifies the number of
+host user identifiers to map into the user namespace."
   ;; The parent process must initialize the user namespace for the child
   ;; before it can boot.  To negotiate this, a pipe is used such that the
   ;; child process blocks until the parent writes to it.
@@ -196,26 +191,31 @@ ipc, uts, user, and net."
              (thunk))))
          (pid
           (when (memq 'user namespaces)
-            (initialize-user-namespace pid))
+            (initialize-user-namespace pid host-uids))
           ;; TODO: Initialize cgroups.
           (close in)
           (write 'ready out)
           (close out)
           pid))))))
 
-(define* (call-with-container mounts thunk #:key (namespaces %namespaces))
+(define* (call-with-container mounts thunk #:key (namespaces %namespaces)
+                              (host-uids 1))
   "Run THUNK in a new container process and return its exit status.
 MOUNTS is a list of file system specs that specify the mapping of host file
 systems into the container.  NAMESPACES is a list of symbols corresponding to
 the identifiers for Linux namespaces: mnt, ipc, uts, pid, user, and net.  By
-default, all namespaces are used.
+default, all namespaces are used.  HOST-UIDS is the number of host user
+identifiers to map into the container's user namespace, if there is one.  By
+default, only a single uid/gid, that of the current user, is mapped into the
+container.  The host user that creates the container is the root user (uid/gid
+0) within the container.  Only root can map more than a single uid/gid.
 
 Note that if THUNK needs to load any additional Guile modules, the relevant
 module files must be present in one of the mappings in MOUNTS and the Guile
 load path must be adjusted as needed."
   (call-with-temporary-directory
    (lambda (root)
-     (let ((pid (run-container root mounts namespaces thunk)))
+     (let ((pid (run-container root mounts namespaces host-uids thunk)))
        ;; Catch SIGINT and kill the container process.
        (sigaction SIGINT
          (lambda (signum)
diff --git a/tests/containers.scm b/tests/containers.scm
index cb1aedd..cc90f1e 100644
--- a/tests/containers.scm
+++ b/tests/containers.scm
@@ -102,7 +102,7 @@
                    (readlink (string-append "/proc/" pid "/ns/" ns)))
                  '("user" "ipc" "uts" "net" "pid" "mnt"))))
 
-        (let* ((pid (run-container root '() %namespaces container))
+        (let* ((pid (run-container root '() %namespaces 1 container))
                (container-namespaces (namespaces pid))
                (result
                 (begin
-- 
2.4.3


[-- Attachment #3: Type: text/plain, Size: 38 bytes --]


-- 
David Thompson
GPG Key: 0FF1D807

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] build: container: Add #:host-uids argument to call-with-container.
  2015-08-02  1:55 [PATCH] build: container: Add #:host-uids argument to call-with-container David Thompson
@ 2015-08-08 18:06 ` Thompson, David
  2015-08-18 15:53   ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Thompson, David @ 2015-08-08 18:06 UTC (permalink / raw)
  To: guix-devel

On Sat, Aug 1, 2015 at 9:55 PM, David Thompson <dthompson2@worcester.edu> wrote:
> This patch should resolve the issues we're having with the container
> tests when building Guix with Guix.  Tested on 'wip-container' with
> 'guix environment --container'.

I pushed this.

- Dave

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] build: container: Add #:host-uids argument to call-with-container.
  2015-08-08 18:06 ` Thompson, David
@ 2015-08-18 15:53   ` Ludovic Courtès
  0 siblings, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2015-08-18 15:53 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Sat, Aug 1, 2015 at 9:55 PM, David Thompson <dthompson2@worcester.edu> wrote:
>> This patch should resolve the issues we're having with the container
>> tests when building Guix with Guix.  Tested on 'wip-container' with
>> 'guix environment --container'.
>
> I pushed this.

Thanks.

Ludo'.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-08-18 15:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-02  1:55 [PATCH] build: container: Add #:host-uids argument to call-with-container David Thompson
2015-08-08 18:06 ` Thompson, David
2015-08-18 15:53   ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.