[jackhill/guix/guix.git] / gnu / system / linux-container.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system linux-container)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (guix config)
  #:use-module (guix store)
  #:use-module (guix gexp)
  #:use-module (guix derivations)
  #:use-module (guix monads)
  #:use-module (guix modules)
  #:use-module (gnu build linux-container)
  #:use-module (gnu services)
  #:use-module (gnu system)
  #:use-module (gnu system file-systems)
  #:export (system-container
            containerized-operating-system
            container-script))

(define (containerized-operating-system os mappings)
  "Return an operating system based on OS for use in a Linux container
environment.  MAPPINGS is a list of <file-system-mapping> to realize in the
containerized OS."
  (define user-file-systems
    (remove (lambda (fs)
              (let ((target (file-system-mount-point fs))
                    (source (file-system-device fs)))
                (or (string=? target (%store-prefix))
                    (string=? target "/")
                    (and (string? source)
                         (string-prefix? "/dev/" source))
                    (string-prefix? "/dev" target)
                    (string-prefix? "/sys" target))))
            (operating-system-file-systems os)))

  (define (mapping->fs fs)
    (file-system (inherit (file-system-mapping->bind-mount fs))
      (needed-for-boot? #t)))

  (operating-system (inherit os)
    (swap-devices '()) ; disable swap
    (file-systems (append (map mapping->fs (cons %store-mapping mappings))
                          %container-file-systems
                          user-file-systems))))

(define* (container-script os #:key (mappings '()))
  "Return a derivation of a script that runs OS as a Linux container.
MAPPINGS is a list of <file-system> objects that specify the files/directories
that will be shared with the host system."
  (let* ((os           (containerized-operating-system os mappings))
         (file-systems (filter file-system-needed-for-boot?
                               (operating-system-file-systems os)))
         (specs        (map file-system->spec file-systems)))

    (mlet* %store-monad ((os-drv (operating-system-derivation
                                  os
                                  #:container? #t)))

      (define script
        (with-imported-modules (source-module-closure
                                '((guix build utils)
                                  (gnu build linux-container)))
          #~(begin
              (use-modules (gnu build linux-container)
                           (gnu system file-systems) ;spec->file-system
                           (guix build utils))

              (call-with-container (map spec->file-system '#$specs)
                (lambda ()
                  (setenv "HOME" "/root")
                  (setenv "TMPDIR" "/tmp")
                  (setenv "GUIX_NEW_SYSTEM" #$os-drv)
                  (for-each mkdir-p '("/run" "/bin" "/etc" "/home" "/var"))
                  (primitive-load (string-append #$os-drv "/boot")))
                ;; A range of 65536 uid/gids is used to cover 16 bits worth of
                ;; users and groups, which is sufficient for most cases.
                ;;
                ;; See: http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--private-users=
                #:host-uids 65536))))

      (gexp->script "run-container" script))))
Commit	Line	Data
239db054 DT	1	;;; GNU Guix --- Functional package management for GNU
239db054 DT	2	;;; Copyright © 2015 David Thompson <davet@gnu.org>
d2a5e698	3	;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
239db054 DT	4	;;;
	5	;;; This file is part of GNU Guix.
	6	;;;
	7	;;; GNU Guix is free software; you can redistribute it and/or modify it
	8	;;; under the terms of the GNU General Public License as published by
	9	;;; the Free Software Foundation; either version 3 of the License, or (at
	10	;;; your option) any later version.
	11	;;;
	12	;;; GNU Guix is distributed in the hope that it will be useful, but
	13	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	14	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	;;; GNU General Public License for more details.
	16	;;;
	17	;;; You should have received a copy of the GNU General Public License
	18	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	19
	20	(define-module (gnu system linux-container)
	21	#:use-module (ice-9 match)
	22	#:use-module (srfi srfi-1)
	23	#:use-module (guix config)
	24	#:use-module (guix store)
	25	#:use-module (guix gexp)
	26	#:use-module (guix derivations)
	27	#:use-module (guix monads)
5e7eaccb	28	#:use-module (guix modules)
239db054	29	#:use-module (gnu build linux-container)
8e5999e0	30	#:use-module (gnu services)
239db054 DT	31	#:use-module (gnu system)
239db054 DT	32	#:use-module (gnu system file-systems)
d2a5e698	33	#:export (system-container
239db054 DT	34	containerized-operating-system
	35	container-script))
	36
239db054 DT	37	(define (containerized-operating-system os mappings)
	38	"Return an operating system based on OS for use in a Linux container
	39	environment. MAPPINGS is a list of <file-system-mapping> to realize in the
	40	containerized OS."
	41	(define user-file-systems
	42	(remove (lambda (fs)
	43	(let ((target (file-system-mount-point fs))
	44	(source (file-system-device fs)))
	45	(or (string=? target (%store-prefix))
	46	(string=? target "/")
1f1ff6a0 LC	47	(and (string? source)
1f1ff6a0 LC	48	(string-prefix? "/dev/" source))
239db054 DT	49	(string-prefix? "/dev" target)
	50	(string-prefix? "/sys" target))))
	51	(operating-system-file-systems os)))
	52
	53	(define (mapping->fs fs)
d2a5e698	54	(file-system (inherit (file-system-mapping->bind-mount fs))
239db054 DT	55	(needed-for-boot? #t)))
	56
	57	(operating-system (inherit os)
	58	(swap-devices '()) ; disable swap
	59	(file-systems (append (map mapping->fs (cons %store-mapping mappings))
	60	%container-file-systems
	61	user-file-systems))))
	62
	63	(define* (container-script os #:key (mappings '()))
	64	"Return a derivation of a script that runs OS as a Linux container.
	65	MAPPINGS is a list of <file-system> objects that specify the files/directories
	66	that will be shared with the host system."
	67	(let* ((os (containerized-operating-system os mappings))
	68	(file-systems (filter file-system-needed-for-boot?
	69	(operating-system-file-systems os)))
	70	(specs (map file-system->spec file-systems)))
	71
d62e201c LC	72	(mlet* %store-monad ((os-drv (operating-system-derivation
	73	os
	74	#:container? #t)))
239db054 DT	75
239db054 DT	76	(define script
5e7eaccb LC	77	(with-imported-modules (source-module-closure
	78	'((guix build utils)
	79	(gnu build linux-container)))
4ee96a79 LC	80	#~(begin
4ee96a79 LC	81	(use-modules (gnu build linux-container)
5970e8e2	82	(gnu system file-systems) ;spec->file-system
4ee96a79	83	(guix build utils))
239db054	84
5970e8e2	85	(call-with-container (map spec->file-system '#$specs)
4ee96a79 LC	86	(lambda ()
	87	(setenv "HOME" "/root")
	88	(setenv "TMPDIR" "/tmp")
	89	(setenv "GUIX_NEW_SYSTEM" #$os-drv)
	90	(for-each mkdir-p '("/run" "/bin" "/etc" "/home" "/var"))
	91	(primitive-load (string-append #$os-drv "/boot")))
	92	;; A range of 65536 uid/gids is used to cover 16 bits worth of
	93	;; users and groups, which is sufficient for most cases.
	94	;;
	95	;; See: http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--private-users=
	96	#:host-uids 65536))))
239db054	97
4ee96a79	98	(gexp->script "run-container" script))))