Instantiate nscd in each system container.
* gnu/system/linux-container.scm (%nscd-container-caches): New variable. (containerized-operating-system): Instantiate nscd-service with smaller caches and add it to the generated operating-system, replacing any nscd-service specified by the caller. * gnu/system/file-systems.scm (%network-file-mappings): Remove "/var/run/nscd". Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
parent
da6aec32cf
commit
5627bfe45c
@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
@ -590,11 +591,8 @@ a bind mount."
;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
;; symlink to a file in a tmpfs which, for an unknown reason,
;; cannot be bind mounted read-only within the container.
;; The same goes with /var/run/nscd, as discussed in
;; <https://bugs.gnu.org/37967>.
(writable? (or (string=? file "/etc/resolv.conf")
(string=? file "/var/run/nscd")))))
(cons "/var/run/nscd" %network-configuration-files)))
(writable? (string=? file "/etc/resolv.conf"))))
%network-configuration-files))
|
(define (file-system-type-predicate type)
"Return a predicate that, when passed a file system, returns #t if that file
@ -3,6 +3,7 @@
;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Google LLC
;;;
;;; This file is part of GNU Guix.
;;;
@ -77,6 +78,15 @@ doing anything.")
(start #~(const #t))))
#f))
|
(define %nscd-container-caches
;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
;; many containers to coexist on the same machine without exhausting RAM.
(map (lambda (cache)
(nscd-cache
(inherit cache)
(max-database-size (expt 2 18)))) ;256KiB
%nscd-default-caches))
|
(define* (containerized-operating-system os mappings
#:key
shared-network?
@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
(file-system (inherit (file-system-mapping->bind-mount fs))
(needed-for-boot? #t)))
|
(define useless-services
;; Services that make no sense in a container. Those that attempt to
;; access /dev/tty[0-9] in particular cannot work in a container.
(define services-to-drop
;; Service types to filter from the original operating-system. Some of
;; these make no sense in a container (e.g., those that access
;; /dev/tty[0-9]), while others just need to be reinstantiated with
;; different configs that are better suited to containers.
(append (list console-font-service-type
mingetty-service-type
agetty-service-type)
;; Remove nscd service if network is shared with the host.
agetty-service-type
;; Reinstantiated below with smaller caches.
nscd-service-type)
(if shared-network?
(list nscd-service-type
static-networking-service-type
dhcp-client-service-type
network-manager-service-type
connman-service-type
wicd-service-type)
;; Replace these with dummy-networking-service-type below.
(list
static-networking-service-type
dhcp-client-service-type
network-manager-service-type
connman-service-type
wicd-service-type)
(list))))
|
(define services-to-add
(append
;; Many Guix services depend on a 'networking' shepherd
;; service, so make sure to provide a dummy 'networking'
;; service when we are sure that networking is already set up
;; in the host and can be used. That prevents double setup.
(if shared-network?
(list (service dummy-networking-service-type))
'())
(list
(nscd-service (nscd-configuration
(caches %nscd-container-caches))))))
|
(operating-system
(inherit os)
(swap-devices '()) ; disable swap
@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
#:shared-network? shared-network?))
(services (append (remove (lambda (service)
(memq (service-kind service)
useless-services))
services-to-drop))
(operating-system-user-services os))
;; Many Guix services depend on a 'networking' shepherd
;; service, so make sure to provide a dummy 'networking'
;; service when we are sure that networking is already set up
;; in the host and can be used. That prevents double setup.
(if shared-network?
(list (service dummy-networking-service-type))
'())))
services-to-add))
(file-systems (append (map mapping->fs
(if shared-network?
(append %network-file-mappings mappings)
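Review bot: In the `@ -100,22 +110,39 @@` hunk, `services-to-add` builds the replacement nscd service from a bare `(nscd-configuration (caches %nscd-container-caches))`, so every other field of an nscd-configuration the caller had in OS (its `name-services` list, for instance) is silently discarded now that `nscd-service-type` is unconditionally in `services-to-drop`. A system whose NSS lookups rely on those settings would then resolve names differently inside the container than on the host, and this interface gives the caller no way to avoid that. Reusing the caller's configuration and overriding only `caches`, as sketched below, keeps the smaller-caches intent while preserving the rest; `find` is SRFI-1 and `service-value` comes from (gnu services), so confirm both are already imported in this module. The enclosing `containerized-operating-system` starts in the previous hunk and continues past this one.
```scheme
    (define (container-nscd-service)
      ;; Reuse the caller's nscd configuration, if any, and only shrink the
      ;; caches; a bare (nscd-configuration ...) would discard fields such as
      ;; name-services.
      (let* ((original (find (lambda (service)
                               (eq? (service-kind service) nscd-service-type))
                             (operating-system-user-services os)))
             (base (if original
                       (service-value original)
                       (nscd-configuration))))
        (nscd-service (nscd-configuration
                       (inherit base)
                       (caches %nscd-container-caches)))))

    (define services-to-add
      (append
       ;; … unchanged: dummy networking service when shared-network? …
       (list (container-nscd-service))))
```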