guix home: ‘container’ provides a read-only root file system.
* guix/scripts/home.scm (spawn-home-container): Move creation of accounts, /etc/hosts, /tmp, and HOME-DIRECTORY from the first argument of ‘eval/container’ to #:populate-file-system. Remove #:writable-root?.
* tests/guix-home.sh: Test that the root file system is read-only.

Change-Id: Icda54706321d51b95b563c86c3fb2238cc65ee20
This commit is contained in:
parent
a391394a22
commit
7d28e6512c
2 changed files with 41 additions and 41 deletions
|
@ -34,6 +34,10 @@
|
||||||
home-shepherd-configuration-services
|
home-shepherd-configuration-services
|
||||||
shepherd-service-requirement)
|
shepherd-service-requirement)
|
||||||
#:autoload (guix modules) (source-module-closure)
|
#:autoload (guix modules) (source-module-closure)
|
||||||
|
#:autoload (gnu build accounts) (password-entry
|
||||||
|
group-entry
|
||||||
|
write-passwd
|
||||||
|
write-group)
|
||||||
#:autoload (gnu build linux-container) (call-with-container %namespaces)
|
#:autoload (gnu build linux-container) (call-with-container %namespaces)
|
||||||
#:use-module ((gnu system) #:select (operating-system?
|
#:use-module ((gnu system) #:select (operating-system?
|
||||||
operating-system-user-services))
|
operating-system-user-services))
|
||||||
|
@ -285,14 +289,13 @@ immediately. Return the exit status of the process in the container."
|
||||||
(with-extensions (list guile-gcrypt)
|
(with-extensions (list guile-gcrypt)
|
||||||
(with-imported-modules `(((guix config) => ,(make-config.scm))
|
(with-imported-modules `(((guix config) => ,(make-config.scm))
|
||||||
,@(source-module-closure
|
,@(source-module-closure
|
||||||
'((gnu build accounts)
|
'((guix profiles)
|
||||||
(guix profiles)
|
|
||||||
(guix build utils)
|
(guix build utils)
|
||||||
(guix build syscalls))
|
(guix build syscalls))
|
||||||
#:select? not-config?))
|
#:select? not-config?))
|
||||||
#~(begin
|
#~(begin
|
||||||
(use-modules (guix build utils)
|
(use-modules (guix build utils)
|
||||||
(gnu build accounts)
|
((guix profiles) #:select (load-profile))
|
||||||
((guix build syscalls)
|
((guix build syscalls)
|
||||||
#:select (set-network-interface-up)))
|
#:select (set-network-interface-up)))
|
||||||
|
|
||||||
|
@ -302,46 +305,10 @@ immediately. Return the exit status of the process in the container."
|
||||||
(define term
|
(define term
|
||||||
#$(getenv "TERM"))
|
#$(getenv "TERM"))
|
||||||
|
|
||||||
(define passwd
|
|
||||||
(password-entry
|
|
||||||
(name #$user-name)
|
|
||||||
(real-name #$user-real-name)
|
|
||||||
(uid #$uid) (gid #$gid) (shell shell)
|
|
||||||
(directory #$home-directory)))
|
|
||||||
|
|
||||||
(define groups
|
|
||||||
(list (group-entry (name "users") (gid #$gid))
|
|
||||||
(group-entry (gid 65534) ;the overflow GID
|
|
||||||
(name "overflow"))))
|
|
||||||
|
|
||||||
;; (guix profiles) loads (guix utils), which calls 'getpw' from the
|
|
||||||
;; top level. Thus, arrange so that it's loaded after /etc/passwd
|
|
||||||
;; has been created.
|
|
||||||
(module-autoload! (current-module)
|
|
||||||
'(guix profiles) '(load-profile))
|
|
||||||
|
|
||||||
;; Create /etc/passwd for applications that need it, such as mcron.
|
|
||||||
(mkdir-p "/etc")
|
|
||||||
(write-passwd (list passwd))
|
|
||||||
(write-group groups)
|
|
||||||
|
|
||||||
(unless #$network?
|
|
||||||
;; When isolated from the network, provide a minimal /etc/hosts
|
|
||||||
;; to resolve "localhost".
|
|
||||||
(call-with-output-file "/etc/hosts"
|
|
||||||
(lambda (port)
|
|
||||||
(display "127.0.0.1 localhost\n" port)
|
|
||||||
(chmod port #o444))))
|
|
||||||
|
|
||||||
;; Create /tmp; bits of code expect it, such as
|
|
||||||
;; 'least-authority-wrapper'.
|
|
||||||
(mkdir-p "/tmp")
|
|
||||||
|
|
||||||
;; Set PATH for things that the activation script might expect, such
|
;; Set PATH for things that the activation script might expect, such
|
||||||
;; as "env".
|
;; as "env".
|
||||||
(load-profile #$system-profile)
|
(load-profile #$system-profile)
|
||||||
|
|
||||||
(mkdir-p #$home-directory)
|
|
||||||
(setenv "HOME" #$home-directory)
|
(setenv "HOME" #$home-directory)
|
||||||
(setenv "GUIX_NEW_HOME" #$home)
|
(setenv "GUIX_NEW_HOME" #$home)
|
||||||
(primitive-load (string-append #$home "/activate"))
|
(primitive-load (string-append #$home "/activate"))
|
||||||
|
@ -361,6 +328,39 @@ immediately. Return the exit status of the process in the container."
|
||||||
((_ ...)
|
((_ ...)
|
||||||
#~("-c" #$(string-join command))))))))
|
#~("-c" #$(string-join command))))))))
|
||||||
|
|
||||||
|
#:populate-file-system
|
||||||
|
(lambda ()
|
||||||
|
;; Create files before the root file system is made read-only.
|
||||||
|
(define passwd
|
||||||
|
(password-entry
|
||||||
|
(name user-name)
|
||||||
|
(real-name user-real-name)
|
||||||
|
(uid uid) (gid gid)
|
||||||
|
(shell "/bin/sh") ;unused, doesn't have to match (user-shell)
|
||||||
|
(directory home-directory)))
|
||||||
|
|
||||||
|
(define groups
|
||||||
|
(list (group-entry (name "users") (gid gid))
|
||||||
|
(group-entry (gid 65534) ;the overflow GID
|
||||||
|
(name "overflow"))))
|
||||||
|
|
||||||
|
;; Create /etc/passwd for applications that need it, such as mcron.
|
||||||
|
(mkdir-p "/etc")
|
||||||
|
(write-passwd (list passwd))
|
||||||
|
(write-group groups)
|
||||||
|
|
||||||
|
(unless network?
|
||||||
|
;; When isolated from the network, provide a minimal /etc/hosts
|
||||||
|
;; to resolve "localhost".
|
||||||
|
(call-with-output-file "/etc/hosts"
|
||||||
|
(lambda (port)
|
||||||
|
(display "127.0.0.1 localhost\n" port)
|
||||||
|
(chmod port #o444))))
|
||||||
|
|
||||||
|
;; Create /tmp; bits of code expect it, such as
|
||||||
|
;; 'least-authority-wrapper'.
|
||||||
|
(mkdir-p "/tmp"))
|
||||||
|
|
||||||
#:namespaces (if network?
|
#:namespaces (if network?
|
||||||
(delq 'net %namespaces) ; share host network
|
(delq 'net %namespaces) ; share host network
|
||||||
%namespaces)
|
%namespaces)
|
||||||
|
@ -377,7 +377,6 @@ immediately. Return the exit status of the process in the container."
|
||||||
(type "tmpfs")
|
(type "tmpfs")
|
||||||
(check? #f)))
|
(check? #f)))
|
||||||
#:mappings (append network-mappings mappings)
|
#:mappings (append network-mappings mappings)
|
||||||
#:writable-root? #t
|
|
||||||
#:guest-uid uid
|
#:guest-uid uid
|
||||||
#:guest-gid gid))
|
#:guest-gid gid))
|
||||||
|
|
||||||
|
|
|
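Review bot: The removed `(mkdir-p #$home-directory)` in the @ -302,46 hunk has no counterpart in the new #:populate-file-system lambda, which ends at `(mkdir-p "/tmp"))`, even though the commit message lists HOME-DIRECTORY among the things moved there. If the `(type "tmpfs")` file system in the unchanged context of the last hunk is mounted on home-directory and the mount code creates the mount point, nothing is lost, but that dependency is now invisible in this function; I would add `(mkdir-p home-directory)` before `(mkdir-p "/tmp")` or a comment in the lambda naming the mount that provides it, since once the root is read-only the activation script cannot create it later. Separately, the dropped comment about `(guix profiles)` calling 'getpw' at load time is still relevant: the new `((guix profiles) #:select (load-profile))` in the use-modules form is safe only if eval/container runs #:populate-file-system (which writes /etc/passwd) before evaluating this body, and a one-line comment there, e.g. `;; Safe to load here: #:populate-file-system has already written /etc/passwd.`, would record that ordering. spawn-home-container begins and ends outside the visible hunks.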
@ -1,7 +1,7 @@
|
||||||
# GNU Guix --- Functional package management for GNU
|
# GNU Guix --- Functional package management for GNU
|
||||||
# Copyright © 2021-2023 Andrew Tropin <andrew@trop.in>
|
# Copyright © 2021-2023 Andrew Tropin <andrew@trop.in>
|
||||||
# Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
|
# Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
|
||||||
# Copyright © 2022, 2023 Ludovic Courtès <ludo@gnu.org>
|
# Copyright © 2022-2023, 2025 Ludovic Courtès <ludo@gnu.org>
|
||||||
#
|
#
|
||||||
# This file is part of GNU Guix.
|
# This file is part of GNU Guix.
|
||||||
#
|
#
|
||||||
|
@ -132,6 +132,7 @@ EOF
|
||||||
test -f '$HOME/sample/home.scm'
|
test -f '$HOME/sample/home.scm'
|
||||||
guix home container home.scm --expose="$PWD=$HOME/sample" -- \
|
guix home container home.scm --expose="$PWD=$HOME/sample" -- \
|
||||||
rm -v '$HOME/sample/home.scm' && false
|
rm -v '$HOME/sample/home.scm' && false
|
||||||
|
guix home container home.scm -- touch /whatever && false
|
||||||
else
|
else
|
||||||
echo "'guix home container' test SKIPPED" >&2
|
echo "'guix home container' test SKIPPED" >&2
|
||||||
fi
|
fi
|
||||||
|
|
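Review bot: The new `guix home container home.scm -- touch /whatever && false` line passes for any failure of the command, including the container not starting at all, so on its own it does not show that the root is read-only while the parts meant to stay writable still are. Unless a positive check exists earlier in this script, pairing it with a command that must succeed, e.g. `guix home container home.scm -- touch '$HOME/writable-check'` (single-quoted like the `rm -v '$HOME/sample/home.scm'` line above so the shell inside the container expands it), would make the negative assertion meaningful and would also catch a regression that makes the home directory read-only. The enclosing `if` block starts outside the hunk.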