Network services in ‘guix system docker-image’?

Network services in ‘guix system docker-image’?

[Ludovic Courtès]

[-- Attachment #1: Type: text/plain, Size: 388 bytes --]

Hello!

Does it make any sense at all to have things like a DHCP client and nscd
inside a Docker image produced by ‘guix system docker-image’?

I was going to apply the patch below to allow users to get rid of these
services by running ‘guix system docker-image --network’.  But now, I’m
wondering if there’s a use case to have them at all.

Thoughts?

Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 3145 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index d0592220a7..fd3d8b1e52 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26934,6 +26934,10 @@ example, if you intend to build software using Guix inside of the Docker
 container, you may need to pass the @option{--privileged} option to
 @code{docker create}.
 
+Last, the @code{--network} option applies to @command{guix system
+docker-image}: it produces an image where network is supposedly shared
+with the host, and thus without services like nscd or NetworkManager.
+
 @item container
 Return a script to run the operating system declared in @var{file}
 within a container.  Containers are a set of lightweight isolation
diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm
index 6f81ac16ff..082133407a 100644
--- a/gnu/system/vm.scm
+++ b/gnu/system/vm.scm
@@ -508,13 +508,17 @@ system."
 (define* (system-docker-image os
                               #:key
                               (name "guix-docker-image")
-                              (register-closures? (has-guix-service-type? os)))
+                              (register-closures? (has-guix-service-type? os))
+                              shared-network?)
   "Build a docker image.  OS is the desired <operating-system>.  NAME is the
-base name to use for the output file.  When REGISTER-CLOSURES? is true,
-register the closure of OS with Guix in the resulting Docker image.  By
-default, REGISTER-CLOSURES? is set to true only if a service of type
-GUIX-SERVICE-TYPE is present in the services definition of the operating
-system."
+base name to use for the output file.  When SHARED-NETWORK? is true, assume
+that the container will share network with the host and thus doesn't need a
+DHCP client, nscd, and so on.
+
+When REGISTER-CLOSURES? is true, register the closure of OS with Guix in the
+resulting Docker image.  By default, REGISTER-CLOSURES? is set to true only if
+a service of type GUIX-SERVICE-TYPE is present in the services definition of
+the operating system."
   (define schema
     (and register-closures?
          (local-file (search-path %load-path
@@ -531,7 +535,9 @@ system."
 
 
   (let ((os    (operating-system-with-gc-roots
-                (containerized-operating-system os '())
+                (containerized-operating-system os '()
+                                                #:shared-network?
+                                                shared-network?)
                 (list boot-program)))
         (name  (string-append name ".tar.gz"))
         (graph "system-graph"))
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 2664c66a30..664ecac9e6 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -699,7 +699,7 @@ checking this by themselves in their 'check' procedure."
                         #:disk-image-size image-size
                         #:file-system-type file-system-type))
     ((docker-image)
-     (system-docker-image os))))
+     (system-docker-image os #:shared-network? container-shared-network?))))
 
 (define (maybe-suggest-running-guix-pull)
   "Suggest running 'guix pull' if this has never been done before."

Re: Network services in ‘guix system docker-image’?

[Christopher Baines]

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> Does it make any sense at all to have things like a DHCP client and nscd
> inside a Docker image produced by ‘guix system docker-image’?
>
> I was going to apply the patch below to allow users to get rid of these
> services by running ‘guix system docker-image --network’.  But now, I’m
> wondering if there’s a use case to have them at all.
>
> Thoughts?

I'm very unsure, but I don't think they'd be normally useful to
include. Making it an option is also fine though.

Thanks,

Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 962 bytes --]