Subject: [bug#35697] [PATCH 4/8] linux-container: Do not add %CONTAINER-FILE-SYSTEMS to Docker image OSes.
From: Ludovic Courtès
Date: Sun, 12 May 2019 12:37:58 +0200
Cc: Chris Marusich

Previously, 'guix system docker-image' would end up providing an OS that
would try to mount all of %CONTAINER-FILE-SYSTEMS as well as /gnu/store,
which is bound to fail in unprivileged Docker.

This patch makes it so that 'guix system container' still gets those
file systems, but 'guix system docker-image' doesn't.

* gnu/system/linux-container.scm (containerized-operating-system): Add
#:extra-file-systems parameter and honor it.  Do not import
%STORE-MAPPING.
(container-script): Add %STORE-MAPPING to MAPPINGS and pass
#:extra-file-systems.
---
 gnu/system/linux-container.scm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index ded5f279fe..5adec064f7 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -53,10 +53,12 @@ from OS that are needed on the bare metal and not in a container." (return `(("locale" ,locale)))))) base)) -(define (containerized-operating-system os mappings) +(define* (containerized-operating-system os mappings + #:key + (extra-file-systems '())) "Return an operating system based on OS for use in a Linux container environment. MAPPINGS is a list of to realize in the -containerized OS." +containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." (define user-file-systems (remove (lambda (fs) (let ((target (file-system-mount-point fs)) @@ -88,15 +90,17 @@ containerized OS." (memq (service-kind service) useless-services)) (operating-system-user-services os))) - (file-systems (append (map mapping->fs (cons %store-mapping mappings)) - %container-file-systems + (file-systems (append (map mapping->fs mappings) + extra-file-systems user-file-systems)))) (define* (container-script os #:key (mappings '())) "Return a derivation of a script that runs OS as a Linux container. MAPPINGS is a list of objects that specify the files/directories that will be shared with the host system." - (let* ((os (containerized-operating-system os mappings)) + (let* ((os (containerized-operating-system + os (cons %store-mapping mappings) + #:extra-file-systems %container-file-systems)) (file-systems (filter file-system-needed-for-boot? (operating-system-file-systems os))) (specs (map file-system->spec file-systems)))
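Review bot: In the first hunk (@@ -53,10 +53,12 @@), the new docstring sentence "EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." does not tell a caller that the default of '() now yields an OS with neither %store-mapping nor %container-file-systems, both of which the old body added unconditionally. Since the signature stays compatible (the new argument is an optional keyword), an existing call site will keep compiling and silently lose those mounts. Please state in the docstring that the store mapping must now be included in MAPPINGS by the caller and that the container file systems must be passed explicitly through #:extra-file-systems, as container-script does in the next hunk.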
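Review bot: In the second hunk (@@ -88,15 +90,17 @@), the rewritten file-systems field, now (append (map mapping->fs mappings) extra-file-systems user-file-systems), is changed without any accompanying test; the diffstat shows only gnu/system/linux-container.scm touched. This is the line where a regression in either direction would hide: the Docker image path regaining mounts that fail in unprivileged Docker, or 'guix system container' losing /gnu/store. Please add a test asserting that containerized-operating-system called with default arguments returns only the mapping-derived and user file systems, and that the OS built by container-script still contains the %store-mapping file system and every entry of %container-file-systems. It would also help to confirm in the commit message that no caller other than container-script and the docker-image code relied on the implicit additions, since none is visible in this patch.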