linux-container: Handle CLONE_NEWCGROUP and use it by default.

Adds low-level support for launching Linux containers with cgroup namespaces. * gnu/build/linux-container.scm (%namespaces): Add 'cgroup. (namespaces->bit-mask): Handle it. * guix/build/syscalls.scm (CLONE_NEWCGROUP): New variable. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2025-07-14 11:00:36 +02:00 · 2021-12-29 19:52:16 -08:00 · 2021-12-29 19:52:16 -08:00 · bfdeba11f8
commit bfdeba11f8
parent 2c1807c516
2 changed files with 4 additions and 1 deletions
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@ -52,7 +52,7 @@ exists."
  (file-exists? "/proc/self/setgroups"))
 (define %namespaces
-  '(mnt pid ipc uts user net))
+  '(cgroup mnt pid ipc uts user net))
 (define (call-with-clean-exit thunk)
  "Apply THUNK, but exit with a status code of 1 if it fails."
@ -210,6 +210,7 @@ corresponds to the symbols in NAMESPACES."
  ;; Use the same flags as fork(3) in addition to the namespace flags.
  (apply logior SIGCHLD
         (map (match-lambda
               ('cgroup  CLONE_NEWCGROUP)
               ('mnt  CLONE_NEWNS)
               ('uts  CLONE_NEWUTS)
               ('ipc  CLONE_NEWIPC)
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@ -132,6 +132,7 @@
            CLONE_CHILD_CLEARTID
            CLONE_CHILD_SETTID
            CLONE_NEWCGROUP
            CLONE_NEWNS
            CLONE_NEWUTS
            CLONE_NEWIPC
@ -1025,6 +1026,7 @@ caller lacks root privileges."
 ;; Linux clone flags, from linux/sched.h
 (define CLONE_CHILD_CLEARTID #x00200000)
 (define CLONE_CHILD_SETTID   #x01000000)
 (define CLONE_NEWCGROUP      #x02000000)
 (define CLONE_NEWNS          #x00020000)
 (define CLONE_NEWUTS         #x04000000)
 (define CLONE_NEWIPC         #x08000000)