linux-container: Support having a read-only root file system.

Until now, the read-only file system set up by ‘call-with-container’ would always be writable. With this change, it can be made read-only. With this patch, only ‘least-authority-wrapper’ switches to a read-only root file system. * gnu/build/linux-container.scm (remount-read-only): New procedure. (mount-file-systems): Add #:writable-root? and #:populate-file-system and honor them. (run-container): Likewise. (call-with-container): Likewise. * gnu/system/linux-container.scm (container-script): Pass #:writable-root? to ‘call-with-container’. (eval/container): Add #:populate-file-system and #:writable-root? and honor them. * guix/scripts/environment.scm (launch-environment/container): Pass #:writable-root? to ‘call-with-container’. * guix/scripts/home.scm (spawn-home-container): Likewise. * tests/containers.scm ("call-with-container, mnt namespace, read-only root") ("call-with-container, mnt namespace, writable root"): New tests. Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
2025-07-10 08:30:39 +02:00 · 2025-04-04 16:36:17 +02:00 · 2025-04-04 16:36:17 +02:00 · a391394a22
commit a391394a22
parent acc4215644
5 changed files with 66 additions and 5 deletions
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@ -312,12 +312,15 @@ Run the container with the given options."))
                #:namespaces (if #$shared-network?
                                 (delq 'net %namespaces)
                                 %namespaces)
+                #:writable-root? #t
                #:process-spawned-hook explain)))))

    (gexp->script "run-container" script)))

 (define* (eval/container exp
                         #:key
+                         (populate-file-system (const #t))
+                         writable-root?
                         (mappings '())
                         (mounts '())
                         (namespaces %namespaces)
@ -367,6 +370,8 @@ effects."
                                   (list "-c"
                                         (object->string
                                          (lowered-gexp-sexp lowered))))))
+                  #:writable-root? writable-root?
+                  #:populate-file-system populate-file-system
                  #:namespaces namespaces
                  #:guest-uid guest-uid
                  #:guest-gid guest-gid))))))