| field | value | date |
|---|---|---|
| author | Ludovic Courtès <ludo@gnu.org> | 2016-11-10 17:45:54 +0100 |
| committer | Ludovic Courtès <ludo@gnu.org> | 2016-11-10 18:01:44 +0100 |
| commit | 5970e8e248f6327c41c83b86bb2c89be7c3b1b4e (patch) | |
| tree | 0f796474c90be43c8ce6f2e974064953e0b230c4 /gnu/build | |
| parent | 5e7eaccb14382b2d49bc8b4fc10fc57876d6c56f (diff) | |
container: Pass a list of <file-system> objects as things to mount.
* gnu/build/linux-container.scm (mount-file-systems): 'mounts' is now a
list of <file-system> objects instead of a list of lists ("specs").
Add call to 'file-system->spec' as the argument to 'mount-file-system'.
(run-container, call-with-container): Adjust docstring accordingly.
* gnu/system/file-systems.scm (spec->file-system): New procedure.
* gnu/system/linux-container.scm (container-script)[script]: Call
'spec->file-system' inside gexp.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to 'file-system->spec'.
* tests/containers.scm ("call-with-container, mnt namespace")
("call-with-container, mnt namespace, wrong bind mount"): Pass a list of
<file-system> objects.
Diffstat (limited to 'gnu/build')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | gnu/build/linux-container.scm | 19 |

1 files changed, 11 insertions, 8 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 3fccc9addb..b71d6a5f88 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -24,6 +24,7 @@ #:use-module (guix utils) #:use-module (guix build utils) #:use-module (guix build syscalls) + #:use-module (gnu system file-systems) ;<file-system> #:use-module ((gnu build file-systems) #:select (mount-file-system)) #:export (user-namespace-supported? unprivileged-user-namespace-supported? @@ -72,8 +73,9 @@ exists." ;; specification: ;; https://raw.githubusercontent.com/docker/libcontainer/master/SPEC.md (define* (mount-file-systems root mounts #:key mount-/sys? mount-/proc?) - "Mount the essential file systems and the those in the MOUNTS list relative -to ROOT, then make ROOT the new root directory for the process." + "Mount the essential file systems and the those in MOUNTS, a list of +<file-system> objects, relative to ROOT; then make ROOT the new root directory +for the process." (define (scope dir) (string-append root dir)) @@ -141,8 +143,9 @@ to ROOT, then make ROOT the new root directory for the process." (symlink "/proc/self/fd/2" (scope "/dev/stderr")) ;; Mount user-specified file systems. - (for-each (lambda (spec) - (mount-file-system spec #:root root)) + (for-each (lambda (file-system) + (mount-file-system (file-system->spec file-system) + #:root root)) mounts) ;; Jail the process inside the container's root file system. 
@@ -197,8 +200,8 @@ corresponds to the symbols in NAMESPACES." (define (run-container root mounts namespaces host-uids thunk) "Run THUNK in a new container process and return its PID. ROOT specifies -the root directory for the container. MOUNTS is a list of file system specs -that specify the mapping of host file systems into the container. NAMESPACES +the root directory for the container. MOUNTS is a list of <file-system> +objects that specify file systems to mount inside the container. NAMESPACES is a list of symbols that correspond to the possible Linux namespaces: mnt, ipc, uts, user, and net. HOST-UIDS specifies the number of host user identifiers to map into the user namespace." @@ -256,8 +259,8 @@ host user identifiers to map into the user namespace." (define* (call-with-container mounts thunk #:key (namespaces %namespaces) (host-uids 1)) "Run THUNK in a new container process and return its exit status. -MOUNTS is a list of file system specs that specify the mapping of host file -systems into the container. NAMESPACES is a list of symbols corresponding to +MOUNTS is a list of <file-system> objects that specify file systems to mount +inside the container. NAMESPACES is a list of symbols corresponding to the identifiers for Linux namespaces: mnt, ipc, uts, pid, user, and net. By default, all namespaces are used. HOST-UIDS is the number of host user identifiers to map into the container's user namespace, if there is one. By |
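Review bot: the comment `;<file-system>` on the new `#:use-module (gnu system file-systems)` line in the first hunk understates why the module is needed: the mount loop further down also calls `file-system->spec` from it, so the comment should name both, e.g. `;<file-system>, file-system->spec`. It is also worth confirming that pulling a (gnu system ...) module into this (gnu build ...) module, which is meant to be loadable on the build side, does not drag in host-only dependencies.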
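Review bot: the rewritten `mount-file-systems` docstring keeps the pre-existing typo "the those" ("Mount the essential file systems and the those in MOUNTS"); since the line is being touched anyway, drop the stray "the": "Mount the essential file systems and those in MOUNTS, a list of <file-system> objects, relative to ROOT; then make ROOT the new root directory for the process."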
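Review bot: in the mount loop, naming the lambda parameter `file-system` shadows the `file-system` record form exported by the (gnu system file-systems) module this patch imports, which reads confusingly right where `file-system->spec` is applied to it; a name such as `fs` avoids that, e.g. `(for-each (lambda (fs) (mount-file-system (file-system->spec fs) #:root root)) mounts)`. Separately, the commit message has `container-script` calling `spec->file-system` only for this loop to call `file-system->spec` again; consider letting `mount-file-system` accept a <file-system> directly so the spec round trip disappears.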
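Review bot: the updated `run-container` docstring still lists the namespaces as "mnt, ipc, uts, user, and net", while the `call-with-container` docstring in the following hunk lists "mnt, ipc, uts, pid, user, and net"; since both docstrings are edited here, align the two lists so callers do not have to guess whether `pid` is accepted by `run-container`.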