[jackhill/guix/guix.git] / gnu / services / docker.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Jesse Dowell <jessedowell@gmail.com>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services docker)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services base)
  #:use-module (gnu services dbus)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system setuid)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages docker)
  #:use-module (gnu packages linux)               ;singularity
  #:use-module (guix records)
  #:use-module (guix gexp)
  #:use-module (guix packages)

  #:export (docker-configuration
            docker-service-type
            singularity-service-type))

(define-configuration docker-configuration
  (docker
   (file-like docker)
   "Docker daemon package.")
  (docker-cli
   (file-like docker-cli)
   "Docker client package.")
  (containerd
   (file-like containerd)
   "containerd package.")
  (proxy
   (file-like docker-libnetwork-cmd-proxy)
   "The proxy package to support inter-container and outside-container
loop-back communications.")
  (enable-proxy?
   (boolean #t)
   "Enable or disable the user-land proxy (enabled by default).")
  (debug?
   (boolean #f)
   "Enable or disable debug output.")
  (enable-iptables?
   (boolean #t)
   "Enable addition of iptables rules (enabled by default).")
  (environment-variables
   (list '())
   "Environment variables to set for dockerd")
  (no-serialization))

(define %docker-accounts
  (list (user-group (name "docker") (system? #t))))

(define (%containerd-activation config)
  (let ((state-dir "/var/lib/containerd"))
    #~(begin
        (use-modules (guix build utils))
        (mkdir-p #$state-dir))))

(define (%docker-activation config)
  (%containerd-activation config)
  (let ((state-dir "/var/lib/docker"))
    #~(begin
        (use-modules (guix build utils))
        (mkdir-p #$state-dir))))

(define (containerd-shepherd-service config)
  (let* ((package (docker-configuration-containerd config))
         (debug? (docker-configuration-debug? config))
         (containerd (docker-configuration-containerd config)))
    (shepherd-service
           (documentation "containerd daemon.")
           (provision '(containerd))
           (start #~(make-forkexec-constructor
                     (list (string-append #$package "/bin/containerd")
                           #$@(if debug?
                                  '("--log-level=debug")
                                  '()))
                     ;; For finding containerd-shim binary.
                     #:environment-variables
                     (list (string-append "PATH=" #$containerd "/bin"))
                     #:pid-file "/run/containerd/containerd.pid"
                     #:pid-file-timeout 300
                     #:log-file "/var/log/containerd.log"))
           (stop #~(make-kill-destructor)))))

(define (docker-shepherd-service config)
  (let* ((docker (docker-configuration-docker config))
         (enable-proxy? (docker-configuration-enable-proxy? config))
         (enable-iptables? (docker-configuration-enable-iptables? config))
         (environment-variables (docker-configuration-environment-variables config))
         (proxy (docker-configuration-proxy config))
         (debug? (docker-configuration-debug? config)))
    (shepherd-service
           (documentation "Docker daemon.")
           (provision '(dockerd))
           (requirement '(containerd
                          dbus-system
                          elogind
                          file-system-/sys/fs/cgroup/blkio
                          file-system-/sys/fs/cgroup/cpu
                          file-system-/sys/fs/cgroup/cpuset
                          file-system-/sys/fs/cgroup/devices
                          file-system-/sys/fs/cgroup/memory
                          file-system-/sys/fs/cgroup/pids
                          networking
                          udev))
           (start #~(make-forkexec-constructor
                     (list (string-append #$docker "/bin/dockerd")
                           "-p" "/var/run/docker.pid"
                           #$@(if debug?
                                  '("--debug" "--log-level=debug")
                                  '())
                           #$@(if enable-proxy?
                                  (list "--userland-proxy=true"
                                        #~(string-append
                                           "--userland-proxy-path=" #$proxy "/bin/proxy"))
                                  '("--userland-proxy=false"))
                           (if #$enable-iptables?
                               "--iptables"
                               "--iptables=false")
                           "--containerd" "/run/containerd/containerd.sock")
                     #:environment-variables
                     (list #$@environment-variables)
                     #:pid-file "/var/run/docker.pid"
                     #:log-file "/var/log/docker.log"))
           (stop #~(make-kill-destructor)))))

(define docker-service-type
  (service-type (name 'docker)
                (description "Provide capability to run Docker application
bundles in Docker containers.")
                (extensions
                 (list
                  ;; Make sure the 'docker' command is available.
                  (service-extension profile-service-type
                                     (compose list docker-configuration-docker-cli))
                  (service-extension activation-service-type
                                     %docker-activation)
                  (service-extension shepherd-root-service-type
                                     (lambda (config)
                                       (list (containerd-shepherd-service config)
                                             (docker-shepherd-service config))))
                  (service-extension account-service-type
                                     (const %docker-accounts))))
                (default-value (docker-configuration))))

\f
;;;
;;; Singularity.
;;;

(define %singularity-activation
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))

        (define %mount-directory
          "/var/singularity/mnt/")

        ;; Create the directories that Singularity 2.6 expects to find.  Make
        ;; them #o755 like the 'install-data-hook' rule in 'Makefile.am' of
        ;; Singularity 2.6.1.
        (for-each (lambda (directory)
                    (let ((directory (string-append %mount-directory
                                                    directory)))
                      (mkdir-p directory)
                      (chmod directory #o755)))
                  '("container" "final" "overlay" "session"))
        (chmod %mount-directory #o755))))

(define (singularity-setuid-programs singularity)
  "Return the setuid-root programs that SINGULARITY needs."
  (define helpers
    ;; The helpers, under a meaningful name.
    (computed-file "singularity-setuid-helpers"
                   #~(begin
                       (mkdir #$output)
                       (for-each (lambda (program)
                                   (symlink (string-append #$singularity
                                                           "/libexec/singularity"
                                                           "/bin/"
                                                           program "-suid")
                                            (string-append #$output
                                                           "/singularity-"
                                                           program
                                                           "-helper")))
                                 '("action" "mount" "start")))))

  (map file-like->setuid-program
       (list (file-append helpers "/singularity-action-helper")
             (file-append helpers "/singularity-mount-helper")
             (file-append helpers "/singularity-start-helper"))))

(define singularity-service-type
  (service-type (name 'singularity)
                (description
                 "Install the Singularity application bundle tool.")
                (extensions
                 (list (service-extension setuid-program-service-type
                                          singularity-setuid-programs)
                       (service-extension activation-service-type
                                          (const %singularity-activation))))
                (default-value singularity)))
Commit	Line	Data
8af4c335 DM	1	;;; GNU Guix --- Functional package management for GNU
8af4c335 DM	2	;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
2ef4d273	3	;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
a9a67da5	4	;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
8422a67d	5	;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
f0a09310	6	;;; Copyright © 2020 Jesse Dowell <jessedowell@gmail.com>
a85ec0bf	7	;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
8af4c335 DM	8	;;;
	9	;;; This file is part of GNU Guix.
	10	;;;
	11	;;; GNU Guix is free software; you can redistribute it and/or modify it
	12	;;; under the terms of the GNU General Public License as published by
	13	;;; the Free Software Foundation; either version 3 of the License, or (at
	14	;;; your option) any later version.
	15	;;;
	16	;;; GNU Guix is distributed in the hope that it will be useful, but
	17	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	18	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	19	;;; GNU General Public License for more details.
	20	;;;
	21	;;; You should have received a copy of the GNU General Public License
	22	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	23
	24	(define-module (gnu services docker)
	25	#:use-module (gnu services)
	26	#:use-module (gnu services configuration)
	27	#:use-module (gnu services base)
	28	#:use-module (gnu services dbus)
	29	#:use-module (gnu services shepherd)
a85ec0bf	30	#:use-module (gnu system setuid)
8af4c335 DM	31	#:use-module (gnu system shadow)
8af4c335 DM	32	#:use-module (gnu packages docker)
08814aec	33	#:use-module (gnu packages linux) ;singularity
8af4c335 DM	34	#:use-module (guix records)
	35	#:use-module (guix gexp)
	36	#:use-module (guix packages)
	37
	38	#:export (docker-configuration
08814aec LC	39	docker-service-type
08814aec LC	40	singularity-service-type))
8af4c335 DM	41
	42	(define-configuration docker-configuration
	43	(docker
892f1b72	44	(file-like docker)
8af4c335	45	"Docker daemon package.")
f6dfe421	46	(docker-cli
892f1b72	47	(file-like docker-cli)
f6dfe421	48	"Docker client package.")
8af4c335	49	(containerd
892f1b72	50	(file-like containerd)
7a31d93a MC	51	"containerd package.")
7a31d93a MC	52	(proxy
892f1b72	53	(file-like docker-libnetwork-cmd-proxy)
7a31d93a MC	54	"The proxy package to support inter-container and outside-container
	55	loop-back communications.")
	56	(enable-proxy?
	57	(boolean #t)
7c9be7b7 MC	58	"Enable or disable the user-land proxy (enabled by default).")
	59	(debug?
	60	(boolean #f)
2b68a964 AA	61	"Enable or disable debug output.")
	62	(enable-iptables?
	63	(boolean #t)
a9a67da5	64	"Enable addition of iptables rules (enabled by default).")
4ace6455 AA	65	(environment-variables
	66	(list '())
	67	"Environment variables to set for dockerd")
a9a67da5	68	(no-serialization))
8af4c335 DM	69
	70	(define %docker-accounts
	71	(list (user-group (name "docker") (system? #t))))
	72
	73	(define (%containerd-activation config)
	74	(let ((state-dir "/var/lib/containerd"))
	75	#~(begin
	76	(use-modules (guix build utils))
	77	(mkdir-p #$state-dir))))
	78
	79	(define (%docker-activation config)
	80	(%containerd-activation config)
	81	(let ((state-dir "/var/lib/docker"))
	82	#~(begin
	83	(use-modules (guix build utils))
	84	(mkdir-p #$state-dir))))
	85
	86	(define (containerd-shepherd-service config)
7c9be7b7	87	(let* ((package (docker-configuration-containerd config))
6a5a477d OP	88	(debug? (docker-configuration-debug? config))
6a5a477d OP	89	(containerd (docker-configuration-containerd config)))
8af4c335 DM	90	(shepherd-service
	91	(documentation "containerd daemon.")
	92	(provision '(containerd))
	93	(start #~(make-forkexec-constructor
7c9be7b7 MC	94	(list (string-append #$package "/bin/containerd")
	95	#$@(if debug?
	96	'("--log-level=debug")
	97	'()))
6a5a477d OP	98	;; For finding containerd-shim binary.
	99	#:environment-variables
	100	(list (string-append "PATH=" #$containerd "/bin"))
b33e1a18 OP	101	#:pid-file "/run/containerd/containerd.pid"
b33e1a18 OP	102	#:pid-file-timeout 300
f0bfd0fc	103	#:log-file "/var/log/containerd.log"))
8af4c335 DM	104	(stop #~(make-kill-destructor)))))
	105
	106	(define (docker-shepherd-service config)
7a31d93a MC	107	(let* ((docker (docker-configuration-docker config))
7a31d93a MC	108	(enable-proxy? (docker-configuration-enable-proxy? config))
2b68a964	109	(enable-iptables? (docker-configuration-enable-iptables? config))
4ace6455	110	(environment-variables (docker-configuration-environment-variables config))
7c9be7b7 MC	111	(proxy (docker-configuration-proxy config))
7c9be7b7 MC	112	(debug? (docker-configuration-debug? config)))
8af4c335 DM	113	(shepherd-service
	114	(documentation "Docker daemon.")
	115	(provision '(dockerd))
8b0c1744	116	(requirement '(containerd
1c84e68b DM	117	dbus-system
1c84e68b DM	118	elogind
8b0c1744 DM	119	file-system-/sys/fs/cgroup/blkio
	120	file-system-/sys/fs/cgroup/cpu
	121	file-system-/sys/fs/cgroup/cpuset
	122	file-system-/sys/fs/cgroup/devices
	123	file-system-/sys/fs/cgroup/memory
2ef4d273	124	file-system-/sys/fs/cgroup/pids
1c84e68b DM	125	networking
1c84e68b DM	126	udev))
8af4c335 DM	127	(start #~(make-forkexec-constructor
8af4c335 DM	128	(list (string-append #$docker "/bin/dockerd")
7a31d93a	129	"-p" "/var/run/docker.pid"
7c9be7b7 MC	130	#$@(if debug?
	131	'("--debug" "--log-level=debug")
	132	'())
cd4bb173 OP	133	#$@(if enable-proxy?
	134	(list "--userland-proxy=true"
	135	#~(string-append
	136	"--userland-proxy-path=" #$proxy "/bin/proxy"))
	137	'("--userland-proxy=false"))
2b68a964 AA	138	(if #$enable-iptables?
2b68a964 AA	139	"--iptables"
b33e1a18 OP	140	"--iptables=false")
b33e1a18 OP	141	"--containerd" "/run/containerd/containerd.sock")
4ace6455 AA	142	#:environment-variables
4ace6455 AA	143	(list #$@environment-variables)
8af4c335 DM	144	#:pid-file "/var/run/docker.pid"
	145	#:log-file "/var/log/docker.log"))
	146	(stop #~(make-kill-destructor)))))
	147
	148	(define docker-service-type
	149	(service-type (name 'docker)
	150	(description "Provide capability to run Docker application
	151	bundles in Docker containers.")
	152	(extensions
	153	(list
8422a67d EF	154	;; Make sure the 'docker' command is available.
8422a67d EF	155	(service-extension profile-service-type
f6dfe421	156	(compose list docker-configuration-docker-cli))
8af4c335 DM	157	(service-extension activation-service-type
	158	%docker-activation)
	159	(service-extension shepherd-root-service-type
d3a0e74d DM	160	(lambda (config)
	161	(list (containerd-shepherd-service config)
	162	(docker-shepherd-service config))))
8af4c335 DM	163	(service-extension account-service-type
	164	(const %docker-accounts))))
	165	(default-value (docker-configuration))))
08814aec LC	166
	167	\f
	168	;;;
	169	;;; Singularity.
	170	;;;
	171
	172	(define %singularity-activation
	173	(with-imported-modules '((guix build utils))
	174	#~(begin
	175	(use-modules (guix build utils))
	176
	177	(define %mount-directory
	178	"/var/singularity/mnt/")
	179
	180	;; Create the directories that Singularity 2.6 expects to find. Make
	181	;; them #o755 like the 'install-data-hook' rule in 'Makefile.am' of
	182	;; Singularity 2.6.1.
	183	(for-each (lambda (directory)
	184	(let ((directory (string-append %mount-directory
	185	directory)))
	186	(mkdir-p directory)
	187	(chmod directory #o755)))
	188	'("container" "final" "overlay" "session"))
	189	(chmod %mount-directory #o755))))
	190
	191	(define (singularity-setuid-programs singularity)
	192	"Return the setuid-root programs that SINGULARITY needs."
	193	(define helpers
	194	;; The helpers, under a meaningful name.
	195	(computed-file "singularity-setuid-helpers"
	196	#~(begin
	197	(mkdir #$output)
	198	(for-each (lambda (program)
	199	(symlink (string-append #$singularity
	200	"/libexec/singularity"
	201	"/bin/"
	202	program "-suid")
	203	(string-append #$output
	204	"/singularity-"
	205	program
	206	"-helper")))
	207	'("action" "mount" "start")))))
	208
a85ec0bf BW	209	(map file-like->setuid-program
	210	(list (file-append helpers "/singularity-action-helper")
	211	(file-append helpers "/singularity-mount-helper")
	212	(file-append helpers "/singularity-start-helper"))))
08814aec LC	213
	214	(define singularity-service-type
	215	(service-type (name 'singularity)
	216	(description
	217	"Install the Singularity application bundle tool.")
	218	(extensions
	219	(list (service-extension setuid-program-service-type
	220	singularity-setuid-programs)
	221	(service-extension activation-service-type
	222	(const %singularity-activation))))
	223	(default-value singularity)))