[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
06/07: scripts: environment: Add --container option.
From: |
David Thompson |
Subject: |
06/07: scripts: environment: Add --container option. |
Date: |
Thu, 20 Aug 2015 12:29:24 +0000 |
davexunit pushed a commit to branch wip-container
in repository guix.
commit 8303aba4bc05e620606767fd219dee6952d28626
Author: David Thompson <address@hidden>
Date: Fri Jun 19 08:57:44 2015 -0400
scripts: environment: Add --container option.
* guix/scripts/enviroment.scm (show-help): Show help for new option.
(%options): Add --container option.
(launch-environment, launch-environment/container): New procedures.
(guix-environment): Spawn new process in a container when requested.
* doc/guix.texi (Invoking guix environment): Document it.
---
doc/guix.texi | 49 +++++++++++++++++++++++--------
guix/scripts/environment.scm | 64 ++++++++++++++++++++++++++++++++++++++++-
2 files changed, 98 insertions(+), 15 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 539c2d1..741e38b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4324,6 +4324,18 @@ NumPy:
guix environment --ad-hoc python2-numpy python-2.7 -E python
@end example
+Sometimes it is desirable to isolate the environment as much as
+possible, for maximal purity and reproducibility. In particular, when
+using Guix on a host distro that is not GuixSD, it is desirable to
+prevent access to @file{/usr/bin} and other system-wide resources from
+the development environment. For example, the following command spawns
+a Guile REPL in a ``container'' where only the store and the current
+working directory are mounted:
+
address@hidden
+guix environment --ad-hoc --container guile --exec=guile
address@hidden example
+
The available options are summarized below.
@table @code
@@ -4389,6 +4401,15 @@ environment.
@item address@hidden
@itemx -s @var{system}
Attempt to build for @var{system}---e.g., @code{i686-linux}.
+
address@hidden --container
address@hidden -C
address@hidden container
+Run @var{command} within an isolated container. The current working
+directory outside the container is mapped to @file{/env} inside the
+container. Additionally, the spawned process runs as the current user
+outside the container, but has root privileges in the context of the
+container.
@end table
It also supports all of the common build options that @command{guix
@@ -6418,6 +6439,7 @@ This command also installs GRUB on the device specified in
@item vm
@cindex virtual machine
@cindex VM
address@hidden system vm}
Build a virtual machine that contain the operating system declared in
@var{file}, and return a script to run that virtual machine (VM).
Arguments given to the script are passed as is to QEMU.
@@ -6467,20 +6489,21 @@ using the following command:
@end example
@item container
address@hidden container
Return a script to run the operating system declared in @var{file}
-within a container. Currently, the script must be run as root in order
-to support more than a single user and group.
-
-The container shares its store with the host system.
-
-Additional file systems can be shared between the host and the container
-using the @code{--share} and @code{--expose} command-line options: the
-former specifies a directory to be shared with write access, while the
-latter provides read-only access to the shared directory.
-
-The example below creates a container in which the user's home directory
-is accessible read-only, and where the @file{/exchange} directory is a
-read-write mapping of the host's @file{$HOME/tmp}:
+within a @dfn{container}. Containers are a set of lightweight isolation
+mechanisms provided by the kernel Linux-libre. Containers are
+substantially less resource-demanding than full virtual machines since
+the kernel, shared objects, and other resources can be shared with the
+host system; this also means they provide thinner isolation. Currently,
address@hidden system container} must be run as root in order to support
+more than a single user and group.
+
+Containers share their store with the host system.
+
+As with the @code{vm} action (@pxref{guix system vm}), additional file
+systems to be shared between the host and container can be specified
+using the @option{--share} and @option{--expose} options:
@example
guix system container my-config.scm \
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index ecdbc7a..535dfaa 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -28,6 +28,9 @@
#:use-module (guix monads)
#:use-module ((guix gexp) #:select (lower-inputs))
#:use-module (guix scripts build)
+ #:use-module (gnu build linux-container)
+ #:use-module (gnu system linux-container)
+ #:use-module (gnu system file-systems)
#:use-module (gnu packages)
#:use-module (ice-9 format)
#:use-module (ice-9 match)
@@ -122,6 +125,8 @@ shell command in that environment.\n"))
--search-paths display needed environment variable definitions"))
(display (_ "
-s, --system=SYSTEM attempt to build for SYSTEM--e.g., \"i686-linux\""))
+ (display (_ "
+ -C, --container run command within an isolated container"))
(newline)
(show-build-options-help)
(newline)
@@ -174,6 +179,9 @@ shell command in that environment.\n"))
(lambda (opt name arg result)
(alist-cons 'system arg
(alist-delete 'system result eq?))))
+ (option '(#\C "container") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'container? #t result)))
%standard-build-options))
(define (pick-all alist key)
@@ -229,6 +237,54 @@ OUTPUT) tuples, using the build options in OPTS."
(built-derivations derivations)
(return derivations))))))))
+(define (launch-environment command inputs paths pure?)
+ "Run COMMAND in a new environment containing INPUTS, using the native search
+paths defined by the list PATHS. When PURE?, pre-existing environment
+variables are cleared before setting the new ones."
+ (create-environment inputs paths pure?)
+ (system command))
+
+(define (launch-environment/container command inputs paths)
+ "Run COMMAND within a Linux container that includes INPUTS and the
+environment variables defined by PATHS, a list of native search paths."
+ ;; Bind-mount the store and the current working directory within the
+ ;; container.
+ (let* ((cwd (getcwd))
+ (mappings
+ (list (file-system-mapping
+ (source (%store-prefix))
+ (target (%store-prefix))
+ (writable? #f))
+ (file-system-mapping
+ (source cwd)
+ (target cwd)
+ (writable? #t))
+ (file-system-mapping
+ (source "/bin/sh")
+ (target "/bin/sh")
+ (writable? #f))))
+ (file-systems
+ (append %container-file-systems
+ (map mapping->file-system mappings)))
+ (status
+ (call-with-container (map file-system->spec file-systems)
+ (lambda ()
+ ;; Setup directory for temporary files.
+ (mkdir "/tmp")
+ (for-each (lambda (var)
+ (setenv var "/tmp"))
+ ;; The same variables as in Nix's 'build.cc'.
+ '("TMPDIR" "TEMPDIR" "TMP" "TEMP"))
+
+ ;; For convenience, start in the user's current working
+ ;; directory rather than the root directory.
+ (chdir cwd)
+
+ ;; A container's environment is already purified, so no need to
+ ;; request it be purified again.
+ (launch-environment command inputs paths #f)))))
+ (status:exit-val status)))
+
;; Entry point.
(define (guix-environment . args)
(define (handle-argument arg result)
@@ -238,6 +294,7 @@ OUTPUT) tuples, using the build options in OPTS."
(let* ((opts (parse-command-line args %options (list %default-options)
#:argument-handler handle-argument))
(pure? (assoc-ref opts 'pure))
+ (container? (assoc-ref opts 'container?))
(ad-hoc? (assoc-ref opts 'ad-hoc?))
(command (assoc-ref opts 'exec))
(packages (pick-all (options/resolve-packages opts) 'package))
@@ -279,6 +336,9 @@ OUTPUT) tuples, using the build options in OPTS."
((assoc-ref opts 'search-paths)
(show-search-paths inputs paths pure?)
(return #t))
+ (container?
+ (return
+ (launch-environment/container command inputs paths)))
(else
- (create-environment inputs paths pure?)
- (return (exit (status:exit-val (system
command)))))))))))))
+ (return
+ (launch-environment command inputs paths pure?)))))))))))
- branch wip-container created (now 4daf483), David Thompson, 2015/08/20
- 06/07: scripts: environment: Add --container option.,
David Thompson <=
- 03/07: build: syscalls: Add pseudo-terminal bindings., David Thompson, 2015/08/20
- 01/07: gnu: guix-devel: Update snapshot and re-enable container tests., David Thompson, 2015/08/20
- 04/07: gnu: system: Add Linux container module., David Thompson, 2015/08/20
- 07/07: scripts: Add 'container' subcommand., David Thompson, 2015/08/20
- 02/07: build: container: Setup /dev/console., David Thompson, 2015/08/20
- 05/07: scripts: system: Add 'container' action., David Thompson, 2015/08/20