Instantiate nscd in each system container.

* gnu/system/linux-container.scm (%nscd-container-caches): New variable.
(containerized-operating-system): Instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm: (%network-file-mappings): Remove "/var/run/nscd".

Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>

gnu/system/file-systems.scm

@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Google LLC
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
@@ -590,11 +591,8 @@ a bind mount."
                  ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
                  ;; symlink to a file in a tmpfs which, for an unknown reason,
                  ;; cannot be bind mounted read-only within the container.
-                 ;; The same goes with /var/run/nscd, as discussed in
+                 (writable? (string=? file "/etc/resolv.conf"))))
-                 ;; <https://bugs.gnu.org/37967>.
+              %network-configuration-files))
-                 (writable? (or (string=? file "/etc/resolv.conf")
-                                (string=? file "/var/run/nscd")))))
-              (cons "/var/run/nscd" %network-configuration-files)))
 
 (define (file-system-type-predicate type)
   "Return a predicate that, when passed a file system, returns #t if that file

gnu/system/linux-container.scm

@@ -3,6 +3,7 @@
 ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2020 Google LLC
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,15 @@ doing anything.")
            (start #~(const #t))))
    #f))
 
+(define %nscd-container-caches
+  ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
+  ;; many containers to coexist on the same machine without exhausting RAM.
+  (map (lambda (cache)
+         (nscd-cache
+          (inherit cache)
+          (max-database-size (expt 2 18)))) ;256KiB
+       %nscd-default-caches))
+
 (define* (containerized-operating-system os mappings
                                          #:key
                                          shared-network?
@@ -100,22 +110,39 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
     (file-system (inherit (file-system-mapping->bind-mount fs))
       (needed-for-boot? #t)))
 
-  (define useless-services
+  (define services-to-drop
-    ;; Services that make no sense in a container.  Those that attempt to
+    ;; Service types to filter from the original operating-system. Some of
-    ;; access /dev/tty[0-9] in particular cannot work in a container.
+    ;; these make no sense in a container (e.g., those that access
+    ;; /dev/tty[0-9]), while others just need to be reinstantiated with
+    ;; different configs that are better suited to containers.
     (append (list console-font-service-type
                   mingetty-service-type
-                  agetty-service-type)
+                  agetty-service-type
-            ;; Remove nscd service if network is shared with the host.
+                  ;; Reinstantiated below with smaller caches.
+                  nscd-service-type)
             (if shared-network?
-                (list nscd-service-type
+                ;; Replace these with dummy-networking-service-type below.
-                      static-networking-service-type
+                (list
-                      dhcp-client-service-type
+                 static-networking-service-type
-                      network-manager-service-type
+                 dhcp-client-service-type
-                      connman-service-type
+                 network-manager-service-type
-                      wicd-service-type)
+                 connman-service-type
+                 wicd-service-type)
                 (list))))
 
+  (define services-to-add
+    (append
+     ;; Many Guix services depend on a 'networking' shepherd
+     ;; service, so make sure to provide a dummy 'networking'
+     ;; service when we are sure that networking is already set up
+     ;; in the host and can be used.  That prevents double setup.
+     (if shared-network?
+         (list (service dummy-networking-service-type))
+         '())
+     (list
+      (nscd-service (nscd-configuration
+                     (caches %nscd-container-caches))))))
+
   (operating-system
     (inherit os)
     (swap-devices '()) ; disable swap
@@ -124,15 +151,9 @@ containerized OS.  EXTRA-FILE-SYSTEMS is a list of file systems to add to OS."
                          #:shared-network? shared-network?))
     (services (append (remove (lambda (service)
                                 (memq (service-kind service)
-                                      useless-services))
+                                      services-to-drop))
                               (operating-system-user-services os))
-                      ;; Many Guix services depend on a 'networking' shepherd
+                      services-to-add))
-                      ;; service, so make sure to provide a dummy 'networking'
-                      ;; service when we are sure that networking is already set up
-                      ;; in the host and can be used.  That prevents double setup.
-                      (if shared-network?
-                          (list (service dummy-networking-service-type))
-                          '())))
     (file-systems (append (map mapping->fs
                                (if shared-network?
                                    (append %network-file-mappings mappings)