From patchwork Fri May 3 22:11:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 63902 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A9B5B27BBEA; Fri, 3 May 2024 23:13:31 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4060027BBE2 for ; Fri, 3 May 2024 23:13:30 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s319c-0007ox-Hd; Fri, 03 May 2024 18:13:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s318z-0007bp-Hb for guix-patches@gnu.org; Fri, 03 May 2024 18:12:41 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s318z-0006h6-8Q for guix-patches@gnu.org; Fri, 03 May 2024 18:12:41 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1s319L-0005az-RR for guix-patches@gnu.org; Fri, 03 May 2024 18:13:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#67613] [PATCH v3 1/5] gnu: docker: Provide escape hatch in oci-container-configuration. References: <10a8cae4-a5a2-a2e0-fa64-95650ae2e703@autistici.org> In-Reply-To: <10a8cae4-a5a2-a2e0-fa64-95650ae2e703@autistici.org> Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 03 May 2024 22:13:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67613 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 67613@debbugs.gnu.org Cc: Giacomo Leidi Received: via spool by 67613-submit@debbugs.gnu.org id=B67613.171477432921462 (code B ref 67613); Fri, 03 May 2024 22:13:03 +0000 Received: (at 67613) by debbugs.gnu.org; 3 May 2024 22:12:09 +0000 Received: from localhost ([127.0.0.1]:49157 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318S-0005a1-JL for submit@debbugs.gnu.org; Fri, 03 May 2024 18:12:09 -0400 Received: from confino.investici.org ([2a11:7980:1::2:0]:44617) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318L-0005Yl-0X for 67613@debbugs.gnu.org; Fri, 03 May 2024 18:12:05 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1714774297; bh=uSPDQeyoMmWjrm+wlpvtf+0KB72qQd7O83h3OB7mS5k=; h=From:To:Cc:Subject:Date:From; b=XReK/9sv+QlDPhl1nMB0IOcnVuqCWGpL8JSHcIIpt9VC7hIhG+DhmCTW6DPb53rpO HLvqwqByiAc2rj6WYoH6sN60kXKFyQWBz9UtmftIOdu80GieI9cuBvEIgthhk524d6 qWsN15QIQD7QE/Go/y2rHy6K1rQsxYiCXDsYNLic= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4VWQ4n5ysXz11Bg; Fri, 3 May 2024 22:11:37 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4VWQ4n5TTxz11BS; Fri, 3 May 2024 22:11:37 +0000 (UTC) Date: Sat, 4 May 2024 00:11:13 +0200 Message-ID: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/docker.scm (exports): Add missing procedures; (oci-container-service-type)[description]: Docker and OCI images should mean the same thing; (oci-container-configuration): clarify field types; [extra-arguments]: new field; (oci-sanitize-extra-arguments): sanitize it; (oci-container-shepherd-service): use it. * doc/guix.texi: Document it. Change-Id: I64e9d82c8ae538d59d1c482f23070a880156ddf7 --- doc/guix.texi | 21 ++++++++++++------- gnu/services/docker.scm | 46 +++++++++++++++++++++++++++++++++-------- 2 files changed, 51 insertions(+), 16 deletions(-) base-commit: 7d4ae2fca723114fb1df56de33b82177fbc4d0a6 diff --git a/doc/guix.texi b/doc/guix.texi index 3f5d4e7f0d..19b7563916 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -40430,13 +40430,13 @@ Miscellaneous Services @item @code{group} (default: @code{"docker"}) (type: string) The group under whose authority docker commands will be run. -@item @code{command} (default: @code{()}) (type: list-of-strings) +@item @code{command} (default: @code{'()}) (type: list-of-strings) Overwrite the default command (@code{CMD}) of the image. @item @code{entrypoint} (default: @code{""}) (type: string) Overwrite the default entrypoint (@code{ENTRYPOINT}) of the image. -@item @code{environment} (default: @code{()}) (type: list) +@item @code{environment} (default: @code{'()}) (type: list) Set environment variables. This can be a list of pairs or strings, even mixed: @lisp @@ -40444,7 +40444,8 @@ Miscellaneous Services "JAVA_HOME=/opt/java") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. +Strings are passed directly to the Docker CLI. You can refer to the @uref{https://docs.docker.com/engine/reference/commandline/run/#env,upstream} documentation for semantics. @@ -40459,7 +40460,7 @@ Miscellaneous Services @item @code{network} (default: @code{""}) (type: string) Set a Docker network for the spawned container. -@item @code{ports} (default: @code{()}) (type: list) +@item @code{ports} (default: @code{'()}) (type: list) Set the port or port ranges to expose from the spawned container. This can be a list of pairs or strings, even mixed: @@ -40468,11 +40469,12 @@ Miscellaneous Services "10443:443") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. +Strings are passed directly to the Docker CLI. You can refer to the @uref{https://docs.docker.com/engine/reference/commandline/run/#publish,upstream} documentation for semantics. -@item @code{volumes} (default: @code{()}) (type: list) +@item @code{volumes} (default: @code{'()}) (type: list) Set volume mappings for the spawned container. This can be a list of pairs or strings, even mixed: @@ -40481,7 +40483,8 @@ Miscellaneous Services "/gnu/store:/gnu/store") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. +Strings are passed directly to the Docker CLI. You can refer to the @uref{https://docs.docker.com/engine/reference/commandline/run/#volume,upstream} documentation for semantics. @@ -40496,6 +40499,10 @@ Miscellaneous Services @url{https://docs.docker.com/engine/reference/run/#workdir,upstream} documentation for semantics. +@item @code{extra-arguments} (default: @code{'()}) (type: list) +A list of strings, gexps or file-like objects that will be directly +passed to the @command{docker run} invokation. + @end table @end deftp diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 4d32b96847..824c4ecbe6 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -58,6 +58,9 @@ (define-module (gnu services docker) oci-container-configuration-network oci-container-configuration-ports oci-container-configuration-volumes + oci-container-configuration-container-user + oci-container-configuration-workdir + oci-container-configuration-extra-arguments oci-container-service-type oci-container-shepherd-service)) @@ -297,6 +300,21 @@ (define (oci-sanitize-volumes value) ;; '(("/mnt/dir" . "/dir") "/run/current-system/profile:/java") (oci-sanitize-mixed-list "volumes" value ":")) +(define (oci-sanitize-extra-arguments value) + (define (valid? member) + (or (string? member) + (gexp? member) + (file-like? member))) + (map + (lambda (el) + (if (valid? el) + el + (raise + (formatted-message + (G_ "extra arguments may only be strings, gexps or file-like objects +but ~a was found") el)))) + value)) + (define-maybe/no-serialization string) (define-configuration/no-serialization oci-container-configuration @@ -314,15 +332,16 @@ (define-configuration/no-serialization oci-container-configuration "Overwrite the default entrypoint (@code{ENTRYPOINT}) of the image.") (environment (list '()) - "Set environment variables. This can be a list of pairs or strings, even -mixed: + "Set environment variables inside the container. This can be a list of pairs +or strings, even mixed: @lisp (list '(\"LANGUAGE\" . \"eo:ca:eu\") \"JAVA_HOME=/opt/java\") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. Strings are passed +directly to the Docker CLI. You can refer to the @url{https://docs.docker.com/engine/reference/commandline/run/#env,upstream} documentation for semantics." (sanitizer oci-sanitize-environment)) @@ -347,7 +366,8 @@ (define-configuration/no-serialization oci-container-configuration \"10443:443\") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. Strings are passed +directly to the Docker CLI. You can refer to the @url{https://docs.docker.com/engine/reference/commandline/run/#publish,upstream} documentation for semantics." (sanitizer oci-sanitize-ports)) @@ -361,7 +381,8 @@ (define-configuration/no-serialization oci-container-configuration \"/gnu/store:/gnu/store\") @end lisp -String are passed directly to the Docker CLI. You can refer to the +Pair members can be strings, gexps or file-like objects. Strings are passed +directly to the Docker CLI. You can refer to the @url{https://docs.docker.com/engine/reference/commandline/run/#volume,upstream} documentation for semantics." (sanitizer oci-sanitize-volumes)) @@ -375,7 +396,12 @@ (define-configuration/no-serialization oci-container-configuration "Set the current working for the spawned Shepherd service. You can refer to the @url{https://docs.docker.com/engine/reference/run/#workdir,upstream} -documentation for semantics.")) +documentation for semantics.") + (extra-arguments + (list '()) + "A list of strings, gexps or file-like objects that will be directly passed +to the @command{docker run} invokation." + (sanitizer oci-sanitize-extra-arguments))) (define oci-container-configuration->options (lambda (config) @@ -428,7 +454,9 @@ (define (oci-container-shepherd-service config) (provision (oci-container-configuration-provision config)) (image (oci-container-configuration-image config)) (options (oci-container-configuration->options config)) - (name (guess-name provision image))) + (name (guess-name provision image)) + (extra-arguments + (oci-container-configuration-extra-arguments config))) (shepherd-service (provision `(,(string->symbol name))) (requirement '(dockerd user-processes)) @@ -441,7 +469,7 @@ (define (oci-container-shepherd-service config) ;; docker run [OPTIONS] IMAGE [COMMAND] [ARG...] (list #$docker-command "run" "--rm" "--name" #$name - #$@options #$image #$@command) + #$@options #$@extra-arguments #$image #$@command) #:user #$user #:group #$group)) (stop @@ -482,5 +510,5 @@ (define oci-container-service-type (extend append) (compose concatenate) (description - "This service allows the management of Docker and OCI + "This service allows the management of OCI containers as Shepherd services."))) From patchwork Fri May 3 22:11:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 63901 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id BC40027BBEA; Fri, 3 May 2024 23:13:26 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id A548D27BBE2 for ; Fri, 3 May 2024 23:13:25 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s3191-0007ch-Iz; Fri, 03 May 2024 18:12:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s318z-0007ba-2Q for guix-patches@gnu.org; Fri, 03 May 2024 18:12:41 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s318y-0006h0-Qg for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1s319L-0005as-Dp for guix-patches@gnu.org; Fri, 03 May 2024 18:13:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#67613] [PATCH v3 2/5] gnu: docker: Allow setting host environment variables in oci-container-configuration. Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 03 May 2024 22:13:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67613 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 67613@debbugs.gnu.org Cc: Giacomo Leidi Received: via spool by 67613-submit@debbugs.gnu.org id=B67613.171477432821456 (code B ref 67613); Fri, 03 May 2024 22:13:03 +0000 Received: (at 67613) by debbugs.gnu.org; 3 May 2024 22:12:08 +0000 Received: from localhost ([127.0.0.1]:49155 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318R-0005Zs-S6 for submit@debbugs.gnu.org; Fri, 03 May 2024 18:12:08 -0400 Received: from confino.investici.org ([93.190.126.19]:51261) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318N-0005Ym-5I for 67613@debbugs.gnu.org; Fri, 03 May 2024 18:12:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1714774298; bh=6sFpoz0Yh+7fXTBxs9Sticus2j2Ta1iLLk8267xgzrM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XIrtfITk8ZZ4xochigA8QlQGrBMm7luzc88sKS3FTdkACgLE659dDZgZF/yFp+ZOd hd460bAOkd0g+05u9pP0Me04QrrL9gnkBZkZHgy9/oy8RfOimtLhlGUkV9eJp8SACD VwuKdDwLT+DC3rLVRPqs2fhZD4DESuHQciZfsQSw= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4VWQ4p0dmRz11Bm; Fri, 3 May 2024 22:11:38 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4VWQ4p0704z11BS; Fri, 3 May 2024 22:11:37 +0000 (UTC) Date: Sat, 4 May 2024 00:11:14 +0200 Message-ID: <0136493778f7159c4cdddf460b71f9d9f5094115.1714774277.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> References: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/docker.scm (oci-container-configuration) [host-environment]: New field; (oci-sanitize-host-environment): sanitize it; (oci-container-shepherd-service): use it. * doc/guix.texi: Document it. Change-Id: I4d54d37736cf09f042a71cb0b6e673abc0948d9c --- doc/guix.texi | 17 +++++++++++++++++ gnu/services/docker.scm | 31 +++++++++++++++++++++++++++++-- 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 19b7563916..fad0bf8c7c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -40436,6 +40436,23 @@ Miscellaneous Services @item @code{entrypoint} (default: @code{""}) (type: string) Overwrite the default entrypoint (@code{ENTRYPOINT}) of the image. +@item @code{host-environment} (default: @code{'()}) (type: list) +Set environment variables in the host environment where @command{docker +run} is invoked. This is especially useful to pass secrets from the +host to the container without having them on the @command{docker run}'s +command line: by setting the @code{MYSQL_PASSWORD} on the host and by passing +@code{--env MYSQL_PASSWORD} through the @code{extra-arguments} field, it is +possible to securely set values in the container environment. This field's +value can be a list of pairs or strings, even mixed: + +@lisp +(list '(\"LANGUAGE\" . \"eo:ca:eu\") + \"JAVA_HOME=/opt/java\") +@end lisp + +Pair members can be strings, gexps or file-like objects. Strings are passed +directly to @code{make-forkexec-constructor}. + @item @code{environment} (default: @code{'()}) (type: list) Set environment variables. This can be a list of pairs or strings, even mixed: diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 824c4ecbe6..df5884aca1 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell ;;; Copyright © 2021 Brice Waegeneire -;;; Copyright © 2023 Giacomo Leidi +;;; Copyright © 2023, 2024 Giacomo Leidi ;;; ;;; This file is part of GNU Guix. ;;; @@ -285,6 +285,11 @@ (define (oci-sanitize-mixed-list name value delimiter) name el))))) value)) +(define (oci-sanitize-host-environment value) + ;; Expected spec format: + ;; '(("HOME" . "/home/nobody") "JAVA_HOME=/java") + (oci-sanitize-mixed-list "host-environment" value "=")) + (define (oci-sanitize-environment value) ;; Expected spec format: ;; '(("HOME" . "/home/nobody") "JAVA_HOME=/java") @@ -330,6 +335,24 @@ (define-configuration/no-serialization oci-container-configuration (entrypoint (maybe-string) "Overwrite the default entrypoint (@code{ENTRYPOINT}) of the image.") + (host-environment + (list '()) + "Set environment variables in the host environment where @command{docker run} +is invoked. This is especially useful to pass secrets from the host to the +container without having them on the @command{docker run}'s command line: by +setting the @code{MYSQL_PASSWORD} on the host and by passing +@code{--env MYSQL_PASSWORD} through the @code{extra-arguments} field, it is +possible to securely set values in the container environment. This field's +value can be a list of pairs or strings, even mixed: + +@lisp +(list '(\"LANGUAGE\" . \"eo:ca:eu\") + \"JAVA_HOME=/opt/java\") +@end lisp + +Pair members can be strings, gexps or file-like objects. Strings are passed +directly to @code{make-forkexec-constructor}." + (sanitizer oci-sanitize-host-environment)) (environment (list '()) "Set environment variables inside the container. This can be a list of pairs @@ -450,6 +473,8 @@ (define (oci-container-shepherd-service config) (let* ((docker-command (file-append docker-cli "/bin/docker")) (user (oci-container-configuration-user config)) (group (oci-container-configuration-group config)) + (host-environment + (oci-container-configuration-host-environment config)) (command (oci-container-configuration-command config)) (provision (oci-container-configuration-provision config)) (image (oci-container-configuration-image config)) @@ -471,7 +496,9 @@ (define (oci-container-shepherd-service config) "--name" #$name #$@options #$@extra-arguments #$image #$@command) #:user #$user - #:group #$group)) + #:group #$group + #:environment-variables + (list #$@host-environment))) (stop #~(lambda _ (invoke #$docker-command "rm" "-f" #$name))) From patchwork Fri May 3 22:11:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 63899 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D919B27BBEA; Fri, 3 May 2024 23:12:54 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 384C827BBE2 for ; Fri, 3 May 2024 23:12:54 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s318z-0007cG-Qt; Fri, 03 May 2024 18:12:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s318y-0007bH-AY for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s318y-0006gg-0a for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1s319K-0005ae-JR for guix-patches@gnu.org; Fri, 03 May 2024 18:13:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#67613] [PATCH v3 3/5] gnu: docker: Allow setting Shepherd dependencies in oci-container-configuration. Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 03 May 2024 22:13:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67613 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 67613@debbugs.gnu.org Cc: Giacomo Leidi Received: via spool by 67613-submit@debbugs.gnu.org id=B67613.171477432721440 (code B ref 67613); Fri, 03 May 2024 22:13:02 +0000 Received: (at 67613) by debbugs.gnu.org; 3 May 2024 22:12:07 +0000 Received: from localhost ([127.0.0.1]:49151 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318Q-0005Zj-TW for submit@debbugs.gnu.org; Fri, 03 May 2024 18:12:07 -0400 Received: from confino.investici.org ([2a11:7980:1::2:0]:30459) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318M-0005Yo-GF for 67613@debbugs.gnu.org; Fri, 03 May 2024 18:12:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1714774298; bh=IF73yfKJAY2tF8cE07yKmM09fnTiSTMU/R+ha729Atk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pWxW8/7cLw/wpJcNrVE/1WiL5WwP10QZMlN9ibtm1XCt4hoIT5xn0N1cyr2vDjxVu fTIcqwnlUYHX+xR7AXMt6hOedJMcJNBpYPR11Bcmh5gFlKWAddMnicF/HuwbhcMPHK PIwj1lm9MAnLSSWqEVI4u4Y0zd+uAZr0EBjEncBs= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4VWQ4p2Pd1z11C2; Fri, 3 May 2024 22:11:38 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4VWQ4p1wkYz11BS; Fri, 3 May 2024 22:11:38 +0000 (UTC) Date: Sat, 4 May 2024 00:11:15 +0200 Message-ID: <9506edfb6edd9d3f2a8b832caf39005883a04ac2.1714774277.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> References: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/docker.scm (oci-container-configuration) [requirement]: New field; (list-of-symbols): sanitize it; (oci-container-shepherd-service): use it. * doc/guix.texi: Document it. Change-Id: Ic0ba336a2257d6ef7c658cfc6cd630116661f581 --- doc/guix.texi | 4 ++++ gnu/services/docker.scm | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index fad0bf8c7c..2b9cc5602c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -40474,6 +40474,10 @@ Miscellaneous Services @item @code{provision} (default: @code{""}) (type: string) Set the name of the provisioned Shepherd service. +@item @code{requirement} (default: @code{'()}) (type: list-of-symbols) +Set additional Shepherd services dependencies to the provisioned +Shepherd service. + @item @code{network} (default: @code{""}) (type: string) Set a Docker network for the spawned container. diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index df5884aca1..a5b1614fa9 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -320,6 +320,9 @@ (define (oci-sanitize-extra-arguments value) but ~a was found") el)))) value)) +(define list-of-symbols? + (list-of symbol?)) + (define-maybe/no-serialization string) (define-configuration/no-serialization oci-container-configuration @@ -376,6 +379,10 @@ (define-configuration/no-serialization oci-container-configuration (provision (maybe-string) "Set the name of the provisioned Shepherd service.") + (requirement + (list-of-symbols '()) + "Set additional Shepherd services dependencies to the provisioned Shepherd +service.") (network (maybe-string) "Set a Docker network for the spawned container.") @@ -477,6 +484,7 @@ (define (oci-container-shepherd-service config) (oci-container-configuration-host-environment config)) (command (oci-container-configuration-command config)) (provision (oci-container-configuration-provision config)) + (requirement (oci-container-configuration-requirement config)) (image (oci-container-configuration-image config)) (options (oci-container-configuration->options config)) (name (guess-name provision image)) @@ -484,7 +492,7 @@ (define (oci-container-shepherd-service config) (oci-container-configuration-extra-arguments config))) (shepherd-service (provision `(,(string->symbol name))) - (requirement '(dockerd user-processes)) + (requirement `(dockerd user-processes ,@requirement)) (respawn? #f) (documentation (string-append From patchwork Fri May 3 22:11:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 63898 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6660D27BBEA; Fri, 3 May 2024 23:12:50 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 42F6727BBE9 for ; Fri, 3 May 2024 23:12:48 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s3190-0007cU-75; Fri, 03 May 2024 18:12:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s318x-0007bA-Rv for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s318x-0006ga-IX for guix-patches@gnu.org; Fri, 03 May 2024 18:12:39 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1s319K-0005aX-5V for guix-patches@gnu.org; Fri, 03 May 2024 18:13:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#67613] [PATCH v3 4/5] gnu: docker: Allow passing tarballs for images in oci-container-configuration. Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 03 May 2024 22:13:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67613 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 67613@debbugs.gnu.org Cc: Giacomo Leidi Received: via spool by 67613-submit@debbugs.gnu.org id=B67613.171477432521431 (code B ref 67613); Fri, 03 May 2024 22:13:02 +0000 Received: (at 67613) by debbugs.gnu.org; 3 May 2024 22:12:05 +0000 Received: from localhost ([127.0.0.1]:49149 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318O-0005ZS-GT for submit@debbugs.gnu.org; Fri, 03 May 2024 18:12:05 -0400 Received: from confino.investici.org ([2a11:7980:1::2:0]:32315) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318L-0005Yp-ON for 67613@debbugs.gnu.org; Fri, 03 May 2024 18:12:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1714774298; bh=HH2mMLsliNtIIe8z875yGhYONaeqILotnGkQ2QwHgsI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Oj804NXgGvTkxRBoZcmU5CK0BFSZ89Fpcy1dOL8RFKu28/f5HyXQh7vHNCL+ozejA KrLAA9zs4OWF//TQuGJv77Mg2Mhlt67bvZKTzUtHuhrNLolSer+dWny4rJE7sG6mQm pNjDxPAP+0nVA19GZ7Utf81aSiwAgxLoL5gS1jPo= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4VWQ4p48mNz11CB; Fri, 3 May 2024 22:11:38 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4VWQ4p3hD6z11BS; Fri, 3 May 2024 22:11:38 +0000 (UTC) Date: Sat, 4 May 2024 00:11:16 +0200 Message-ID: <0c4d11411cd8efcea9c3252146cbc69c9155f2e9.1714774277.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> References: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This commit allows for loading an OCI image tarball before running an OCI backed Shepherd service. It does so by adding a one shot Shepherd service to the dependencies of the OCI backed service that at boot runs docker load on the tarball. * gnu/services/docker.scm (oci-image): New record; (lower-oci-image): new variable, lower it; (string-or-oci-image?): sanitize it; (oci-container-configuration)[image]: allow also for oci-image records; (oci-container-shepherd-service): use it; (%oci-image-loader): new variable. Change-Id: Ie504f479ea0d47f74b0ec5df9085673ffd3f639d --- doc/guix.texi | 70 +++++++++++- gnu/services/docker.scm | 244 ++++++++++++++++++++++++++++++++++++---- 2 files changed, 286 insertions(+), 28 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2b9cc5602c..451bee5615 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -40390,6 +40390,17 @@ Miscellaneous Services @lisp (service oci-container-service-type (list + (oci-container-configuration + (image + (oci-image + (repository "guile") + (tag "3") + (value (specifications->manifest '("guile"))) + (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile")) + #:max-layers 2)))) + (entrypoint "/bin/guile") + (command + '("-c" "(display \"hello!\n\")"))) (oci-container-configuration (image "prom/prometheus") (network "host") @@ -40466,9 +40477,10 @@ Miscellaneous Services @uref{https://docs.docker.com/engine/reference/commandline/run/#env,upstream} documentation for semantics. -@item @code{image} (type: string) -The image used to build the container. Images are resolved by the -Docker Engine, and follow the usual format +@item @code{image} (type: string-or-oci-image) +The image used to build the container. It can be a string or an +@code{oci-image} record. Strings are resolved by the Docker Engine, and +follow the usual format @code{myregistry.local:5000/testing/test-image:tag}. @item @code{provision} (default: @code{""}) (type: string) @@ -40529,6 +40541,58 @@ Miscellaneous Services @end deftp +@c %end of fragment + +@c %start of fragment + +@deftp {Data Type} oci-image +Available @code{oci-image} fields are: + +@table @asis +@item @code{repository} (type: string) +A string like @code{myregistry.local:5000/testing/test-image} that names +the OCI image. + +@item @code{tag} (default: @code{"latest"}) (type: string) +A string representing the OCI image tag. Defaults to @code{latest}. + +@item @code{value} (type: oci-lowerable-image) +A @code{manifest} or @code{operating-system} record that will be lowered +into an OCI compatible tarball. Otherwise this field's value can be a +gexp or a file-like object that evaluates to an OCI compatible tarball. + +@item @code{pack-options} (default: @code{'()}) (type: list) +An optional set of keyword arguments that will be passed to the +@code{docker-image} procedure from @code{guix scripts pack}. They can +be used to replicate @command{guix pack} behavior: + +@lisp +(oci-image + (repository "guile") + (tag "3") + (value + (specifications->manifest '("guile"))) + (pack-options '(#:symlinks (("/bin/guile" -> "bin/guile")) + #:max-layers 2))) +@end lisp + +If the @code{value} field is an @code{operating-system} record, this field's +value will be ignored. + +@item @code{system} (default: @code{""}) (type: string) +Attempt to build for a given system, e.g. "i686-linux" + +@item @code{target} (default: @code{""}) (type: string) +Attempt to cross-build for a given triple, e.g. "aarch64-linux-gnu" + +@item @code{grafts?} (default: @code{#f}) (type: boolean) +Whether to allow grafting or not in the pack build. + +@end table + +@end deftp + + @c %end of fragment @cindex Audit diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index a5b1614fa9..7aff8dcc5f 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -23,11 +23,14 @@ ;;; along with GNU Guix. If not, see . (define-module (gnu services docker) + #:use-module (gnu image) #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu services base) #:use-module (gnu services dbus) #:use-module (gnu services shepherd) + #:use-module (gnu system) + #:use-module (gnu system image) #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu packages admin) ;shadow @@ -37,7 +40,11 @@ (define-module (gnu services docker) #:use-module (guix diagnostics) #:use-module (guix gexp) #:use-module (guix i18n) + #:use-module (guix monads) #:use-module (guix packages) + #:use-module (guix profiles) + #:use-module ((guix scripts pack) #:prefix pack:) + #:use-module (guix store) #:use-module (srfi srfi-1) #:use-module (ice-9 format) #:use-module (ice-9 match) @@ -45,6 +52,16 @@ (define-module (gnu services docker) #:export (docker-configuration docker-service-type singularity-service-type + oci-image + oci-image? + oci-image-fields + oci-image-repository + oci-image-tag + oci-image-value + oci-image-pack-options + oci-image-target + oci-image-system + oci-image-grafts? oci-container-configuration oci-container-configuration? oci-container-configuration-fields @@ -52,9 +69,11 @@ (define-module (gnu services docker) oci-container-configuration-group oci-container-configuration-command oci-container-configuration-entrypoint + oci-container-configuration-host-environment oci-container-configuration-environment oci-container-configuration-image oci-container-configuration-provision + oci-container-configuration-requirement oci-container-configuration-network oci-container-configuration-ports oci-container-configuration-volumes @@ -62,7 +81,8 @@ (define-module (gnu services docker) oci-container-configuration-workdir oci-container-configuration-extra-arguments oci-container-service-type - oci-container-shepherd-service)) + oci-container-shepherd-service + %oci-container-accounts)) (define-maybe file-like) @@ -320,11 +340,68 @@ (define (oci-sanitize-extra-arguments value) but ~a was found") el)))) value)) +(define (oci-image-reference image) + (if (string? image) + image + (string-append (oci-image-repository image) + ":" (oci-image-tag image)))) + +(define (oci-lowerable-image? image) + (or (manifest? image) + (operating-system? image) + (gexp? image) + (file-like? image))) + +(define (string-or-oci-image? image) + (or (string? image) + (oci-image? image))) + (define list-of-symbols? (list-of symbol?)) (define-maybe/no-serialization string) +(define-configuration/no-serialization oci-image + (repository + (string) + "A string like @code{myregistry.local:5000/testing/test-image} that names +the OCI image.") + (tag + (string "latest") + "A string representing the OCI image tag. Defaults to @code{latest}.") + (value + (oci-lowerable-image) + "A @code{manifest} or @code{operating-system} record that will be lowered +into an OCI compatible tarball. Otherwise this field's value can be a gexp +or a file-like object that evaluates to an OCI compatible tarball.") + (pack-options + (list '()) + "An optional set of keyword arguments that will be passed to the +@code{docker-image} procedure from @code{guix scripts pack}. They can be used +to replicate @command{guix pack} behavior: + +@lisp +(oci-image + (repository \"guile\") + (tag \"3\") + (manifest (specifications->manifest '(\"guile\"))) + (pack-options + '(#:symlinks ((\"/bin/guile\" -> \"bin/guile\")) + #:max-layers 2))) +@end lisp + +If the @code{value} field is an @code{operating-system} record, this field's +value will be ignored.") + (system + (maybe-string) + "Attempt to build for a given system, e.g. \"i686-linux\"") + (target + (maybe-string) + "Attempt to cross-build for a given triple, e.g. \"aarch64-linux-gnu\"") + (grafts? + (boolean #f) + "Whether to allow grafting or not in the pack build.")) + (define-configuration/no-serialization oci-container-configuration (user (string "oci-container") @@ -372,8 +449,9 @@ (define-configuration/no-serialization oci-container-configuration documentation for semantics." (sanitizer oci-sanitize-environment)) (image - (string) - "The image used to build the container. Images are resolved by the Docker + (string-or-oci-image) + "The image used to build the container. It can be a string or an +@code{oci-image} record. Strings are resolved by the Docker Engine, and follow the usual format @code{myregistry.local:5000/testing/test-image:tag}.") (provision @@ -470,14 +548,122 @@ (define oci-container-configuration->options (list "-v" spec)) (oci-container-configuration-volumes config)))))))) +(define* (get-keyword-value args keyword #:key (default #f)) + (let ((kv (memq keyword args))) + (if (and kv (>= (length kv) 2)) + (cadr kv) + default))) + +(define (lower-operating-system os target system) + (mlet* %store-monad + ((tarball + (lower-object + (system-image (os->image os #:type docker-image-type)) + system + #:target target))) + (return tarball))) + +(define (lower-manifest name image target system) + (define value (oci-image-value image)) + (define options (oci-image-pack-options image)) + (define image-reference + (oci-image-reference image)) + (define image-tag + (let* ((extra-options + (get-keyword-value options #:extra-options)) + (image-tag-option + (and extra-options + (get-keyword-value extra-options #:image-tag)))) + (if image-tag-option + '() + `(#:extra-options (#:image-tag ,image-reference))))) + + (mlet* %store-monad + ((_ (set-grafting + (oci-image-grafts? image))) + (guile (set-guile-for-build (default-guile))) + (profile + (profile-derivation value + #:target target + #:system system + #:hooks '() + #:locales? #f)) + (tarball (apply pack:docker-image + `(,name ,profile + ,@options + ,@image-tag + #:localstatedir? #t)))) + (return tarball))) + +(define (lower-oci-image name image) + (define value (oci-image-value image)) + (define image-target (oci-image-target image)) + (define image-system (oci-image-system image)) + (define target + (if (maybe-value-set? image-target) + image-target + (%current-target-system))) + (define system + (if (maybe-value-set? image-system) + image-system + (%current-system))) + (with-store store + (run-with-store store + (match value + ((? manifest? value) + (lower-manifest name image target system)) + ((? operating-system? value) + (lower-operating-system value target system)) + ((or (? gexp? value) + (? file-like? value)) + value) + (_ + (raise + (formatted-message + (G_ "oci-image value must contain only manifest, +operating-system, gexp or file-like records but ~a was found") + value)))) + #:target target + #:system system))) + +(define (%oci-image-loader name image tag) + (let ((docker (file-append docker-cli "/bin/docker")) + (tarball (lower-oci-image name image))) + (with-imported-modules '((guix build utils)) + (program-file (format #f "~a-image-loader" name) + #~(begin + (use-modules (guix build utils) + (ice-9 popen) + (ice-9 rdelim)) + + (format #t "Loading image for ~a from ~a...~%" #$name #$tarball) + (define line + (read-line + (open-input-pipe + (string-append #$docker " load -i " #$tarball)))) + + (unless (or (eof-object? line) + (string-null? line)) + (format #t "~a~%" line) + (let ((repository&tag + (string-drop line + (string-length + "Loaded image: ")))) + + (invoke #$docker "tag" repository&tag #$tag) + (format #t "Tagged ~a with ~a...~%" #$tarball #$tag)))))))) + (define (oci-container-shepherd-service config) (define (guess-name name image) (if (maybe-value-set? name) name (string-append "docker-" - (basename (car (string-split image #\:)))))) + (basename + (if (string? image) + (first (string-split image #\:)) + (oci-image-repository image)))))) - (let* ((docker-command (file-append docker-cli "/bin/docker")) + (let* ((docker (file-append docker-cli "/bin/docker")) (user (oci-container-configuration-user config)) (group (oci-container-configuration-group config)) (host-environment @@ -486,6 +672,7 @@ (define (oci-container-shepherd-service config) (provision (oci-container-configuration-provision config)) (requirement (oci-container-configuration-requirement config)) (image (oci-container-configuration-image config)) + (image-reference (oci-image-reference image)) (options (oci-container-configuration->options config)) (name (guess-name provision image)) (extra-arguments @@ -496,30 +683,37 @@ (define (oci-container-shepherd-service config) (respawn? #f) (documentation (string-append - "Docker backed Shepherd service for image: " image)) + "Docker backed Shepherd service for " + (if (oci-image? image) name image) ".")) (start - #~(make-forkexec-constructor - ;; docker run [OPTIONS] IMAGE [COMMAND] [ARG...] - (list #$docker-command "run" "--rm" - "--name" #$name - #$@options #$@extra-arguments #$image #$@command) - #:user #$user - #:group #$group - #:environment-variables - (list #$@host-environment))) + #~(lambda () + (when #$(oci-image? image) + (invoke #$(%oci-image-loader + name image image-reference))) + (fork+exec-command + ;; docker run [OPTIONS] IMAGE [COMMAND] [ARG...] + (list #$docker "run" "--rm" "--name" #$name + #$@options #$@extra-arguments + #$image-reference #$@command) + #:user #$user + #:group #$group + #:environment-variables + (list #$@host-environment)))) (stop #~(lambda _ - (invoke #$docker-command "rm" "-f" #$name))) + (invoke #$docker "rm" "-f" #$name))) (actions - (list - (shepherd-action - (name 'pull) - (documentation - (format #f "Pull ~a's image (~a)." - name image)) - (procedure - #~(lambda _ - (invoke #$docker-command "pull" #$image))))))))) + (if (oci-image? image) + '() + (list + (shepherd-action + (name 'pull) + (documentation + (format #f "Pull ~a's image (~a)." + name image)) + (procedure + #~(lambda _ + (invoke #$docker "pull" #$image)))))))))) (define %oci-container-accounts (list (user-account From patchwork Fri May 3 22:11:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Giacomo Leidi X-Patchwork-Id: 63900 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 78CB227BBEA; Fri, 3 May 2024 23:13:15 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 6E8A827BBE2 for ; Fri, 3 May 2024 23:13:14 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1s319N-0007gv-5g; Fri, 03 May 2024 18:13:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s318y-0007bR-N8 for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s318y-0006gr-Es for guix-patches@gnu.org; Fri, 03 May 2024 18:12:40 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1s319K-0005al-Vt for guix-patches@gnu.org; Fri, 03 May 2024 18:13:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#67613] [PATCH v3 5/5] gnu: Add tests for oci-container-service-type. Resent-From: Giacomo Leidi Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 03 May 2024 22:13:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 67613 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 67613@debbugs.gnu.org Cc: Giacomo Leidi Received: via spool by 67613-submit@debbugs.gnu.org id=B67613.171477432821448 (code B ref 67613); Fri, 03 May 2024 22:13:02 +0000 Received: (at 67613) by debbugs.gnu.org; 3 May 2024 22:12:08 +0000 Received: from localhost ([127.0.0.1]:49153 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318R-0005Zl-9z for submit@debbugs.gnu.org; Fri, 03 May 2024 18:12:07 -0400 Received: from confino.investici.org ([93.190.126.19]:21143) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s318M-0005Yt-Aj for 67613@debbugs.gnu.org; Fri, 03 May 2024 18:12:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1714774298; bh=Xbm+8P4WPH98zxI4eyd0IgFpoZ6bIgnMgYZdledOUOk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UU4ewKN8CN6xNvKHDMdsO/bP9xmP4O8BJMOnSZNSsrtao9c90eEOXZMUuoRuo6vot 7My2XV/8cq9gKkDGCcsqVIdP7oeFwXdZ9UXSmJ5oE3ta8POE6IipIYYuHiOgl5W1ke yUeXlDU+B1VM12f2hLHMeATTRMRBaaPSqUCl/PSQ= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4VWQ4p5jmmz11CJ; Fri, 3 May 2024 22:11:38 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4VWQ4p5FJMz11BS; Fri, 3 May 2024 22:11:38 +0000 (UTC) Date: Sat, 4 May 2024 00:11:17 +0200 Message-ID: <24a83c33df8bf8f71df9fea01b0485982799bdc1.1714774277.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> References: <306393d4c3b28f242fb735d793ef127427f3d072.1714774276.git.goodoldpaul@autistici.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Giacomo Leidi X-ACL-Warn: , Giacomo Leidi via Guix-patches X-Patchwork-Original-From: Giacomo Leidi via Guix-patches via From: Giacomo Leidi Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/tests/docker.scm (run-oci-container-test): New variable; (%test-oci-container): new variable. Change-Id: Idefc3840bdc6e0ed4264e8f27373cd9a670f87a0 --- gnu/tests/docker.scm | 131 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 1 deletion(-) diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm index 9e9d2e2d07..d550136b4a 100644 --- a/gnu/tests/docker.scm +++ b/gnu/tests/docker.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Danny Milosavljevic ;;; Copyright © 2019-2023 Ludovic Courtès +;;; Copyright © 2024 Giacomo Leidi ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ (define-module (gnu tests docker) #:use-module (gnu services networking) #:use-module (gnu services docker) #:use-module (gnu services desktop) + #:use-module (gnu packages) #:use-module ((gnu packages base) #:select (glibc)) #:use-module (gnu packages guile) #:use-module (gnu packages docker) @@ -43,7 +45,8 @@ (define-module (gnu tests docker) #:use-module (guix build-system trivial) #:use-module ((guix licenses) #:prefix license:) #:export (%test-docker - %test-docker-system)) + %test-docker-system + %test-oci-container)) (define %docker-os (simple-operating-system @@ -316,3 +319,129 @@ (define %test-docker-system (locale-libcs (list glibc))) #:type docker-image-type))) run-docker-system-test))))) + + +(define %oci-os + (simple-operating-system + (service dhcp-client-service-type) + (service dbus-root-service-type) + (service polkit-service-type) + (service elogind-service-type) + (service docker-service-type) + (extra-special-file "/shared.txt" + (plain-file "shared.txt" "hello")) + (service oci-container-service-type + (list + (oci-container-configuration + (image + (oci-image + (repository "guile") + (value + (specifications->manifest '("guile"))) + (pack-options + '(#:symlinks (("/bin" -> "bin")))))) + (entrypoint + "/bin/guile") + (command + '("-c" "(let l ((c 300))(display c)(sleep 1)(when(positive? c)(l (- c 1))))")) + (host-environment + '(("VARIABLE" . "value"))) + (volumes + '(("/shared.txt" . "/shared.txt:ro"))) + (extra-arguments + '("--env" "VARIABLE"))))))) + +(define (run-oci-container-test) + "Run IMAGE as an OCI backed Shepherd service, inside OS." + + (define os + (marionette-operating-system + (operating-system-with-gc-roots + %oci-os + (list)) + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine + (operating-system os) + (volatile? #f) + (memory-size 1024) + (disk-image-size (* 3000 (expt 2 20))) + (port-forwardings '()))) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + ;; Relax timeout to accommodate older systems and + ;; allow for pulling the image. + (make-marionette (list #$vm) #:timeout 60)) + + (test-runner-current (system-test-runner #$output)) + (test-begin "oci-container") + + (test-assert "dockerd running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'dockerd) + (#f #f) + (('service response-parts ...) + (match (assq-ref response-parts 'running) + ((pid) (number? pid)))))) + marionette)) + + (sleep 10) ; let service start + + (test-assert "docker-guile running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'docker-guile) + (#f #f) + (('service response-parts ...) + (match (assq-ref response-parts 'running) + ((pid) (number? pid)))))) + marionette)) + + (test-equal "passing host environment variables and volumes" + '("value" "hello") + (marionette-eval + `(begin + (use-modules (ice-9 popen) + (ice-9 rdelim)) + + (define slurp + (lambda args + (let* ((port (apply open-pipe* OPEN_READ args)) + (output (let ((line (read-line port))) + (if (eof-object? line) + "" + line))) + (status (close-pipe port))) + output))) + (let* ((response1 (slurp + ,(string-append #$docker-cli "/bin/docker") + "exec" "docker-guile" + "/bin/guile" "-c" "(display (getenv \"VARIABLE\"))")) + (response2 (slurp + ,(string-append #$docker-cli "/bin/docker") + "exec" "docker-guile" + "/bin/guile" "-c" "(begin (use-modules (ice-9 popen) (ice-9 rdelim)) +(display (call-with-input-file \"/shared.txt\" read-line)))"))) + (list response1 response2))) + marionette)) + + (test-end)))) + + (gexp->derivation "oci-container-test" test)) + +(define %test-oci-container + (system-test + (name "oci-container") + (description "Test OCI backed Shepherd service.") + (value (run-oci-container-test))))