From: paul
To: guix-patches@gnu.org
Subject: Add rootless-podman-service-type
Date: Wed, 21 Aug 2024 01:20:41 +0200
Message-ID: <1b3dc75d-fe89-6153-ccc7-222f829b2e14@autistici.org>

Dear Guixers,

I'm sending a patchset adding rootless Podman support to the Guix System. I'm currently using this on my systems as it's set up in my personal channel [0]. By adding the following to my own system config

(use-modules (small-guix system accounts)
             (small-guix services containers))

(service iptables-service-type)
(service rootless-podman-service-type
         (rootless-podman-configuration
          (subgids
           (list (subid-range (name "alice"))))
          (subuids
           (list (subid-range (name "alice"))))))

I'm able to run the following rootless Podman hello world

$ podman run -it --rm docker.io/alpine cat /etc/*release*
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

and with guix shell podman compose I'm able to run this Podman compose hello world [1]:

$ mkdir data
$ echo hello world > data/index.html
$ podman compose up -d

...

exit code: 0
$ curl localhost:8080
hello world


This patch depends on the subids-service-type from issue #72337 [2]. Please let me know your thoughts.

Thank you for your work,

giacomo


[0]: https://gitlab.com/orang3/small-guix/-/blob/master/small-guix/services/containers.scm?ref_type=heads#L197
[1]: https://github.com/fishinthecalculator/rootless-podman-nginx-static-server
[2]: https://issues.guix.gnu.org/72337
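The cover letter above configures subuid/subgid ranges, the "cgroup" group and cgroups v2 controllers for a user and then runs a hello world. The script below is an added example, not code from the patch or from the small-guix channel: a preflight check that reports which of those pieces is missing for a given user before `podman run` is attempted. It assumes the standard `name:start:count` layout of /etc/subuid and /etc/subgid, the /etc/group layout, a one-line /sys/fs/cgroup/cgroup.subtree_control, and the default group name `cgroup` from the patch; the users "alice" and "bob" and every file it reads are constructed fixtures so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the patch or of small-guix): preflight checks for
# a rootless Podman user on a Guix System set up with
# rootless-podman-service-type. POSIX sh and awk only. Every file path is a
# parameter so the checks can be run against the constructed fixtures below
# or against the real /etc/subuid, /etc/subgid, /etc/group and
# /sys/fs/cgroup/cgroup.subtree_control.

# has_subid_range FILE USER
# FILE is in /etc/subuid or /etc/subgid format ("name:start:count").
# Succeeds if USER owns at least one range with a non-zero count.
has_subid_range() {
  awk -F: -v u="$2" '
    $1 == u && $3 + 0 > 0 { found = 1 }
    END { exit !found }' "$1"
}

# user_in_group GROUPFILE USER GROUP
# GROUPFILE is in /etc/group format ("name:x:gid:member,member").
# Succeeds if USER is listed as a member of GROUP.
user_in_group() {
  awk -F: -v u="$2" -v g="$3" '
    $1 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    }
    END { exit !found }' "$1"
}

# subtree_has_controllers FILE CONTROLLER...
# FILE has the layout of cgroup.subtree_control: space-separated controller
# names on one line. Succeeds only if every CONTROLLER is present.
subtree_has_controllers() {
  file=$1
  shift
  for c in "$@"; do
    awk -v c="$c" '{ for (i = 1; i <= NF; i++) if ($i == c) found = 1 }
                   END { exit !found }' "$file" || return 1
  done
  return 0
}

# rootless_podman_preflight USER SUBUID SUBGID GROUPFILE SUBTREE [GROUP]
# Runs every check, prints one line per failure and returns the number of
# failed checks (0 means the user is ready). GROUP defaults to "cgroup", the
# default group-name of rootless-podman-configuration.
rootless_podman_preflight() {
  user=$1 subuid=$2 subgid=$3 groupfile=$4 subtree=$5 group=${6:-cgroup}
  failures=0
  has_subid_range "$subuid" "$user" ||
    { echo "no subuid range for $user in $subuid"; failures=$((failures + 1)); }
  has_subid_range "$subgid" "$user" ||
    { echo "no subgid range for $user in $subgid"; failures=$((failures + 1)); }
  user_in_group "$groupfile" "$user" "$group" ||
    { echo "$user is not a member of group $group"; failures=$((failures + 1)); }
  subtree_has_controllers "$subtree" cpu cpuset memory pids ||
    { echo "$subtree lacks one of: cpu cpuset memory pids"; failures=$((failures + 1)); }
  return $failures
}

# Constructed fixtures standing in for the real files: "alice" is set up the
# way the patch's documentation describes, "bob" has nothing configured.
make_fixtures() {
  dir=$(mktemp -d)
  printf 'alice:100000:65536\n' > "$dir/subuid"
  printf 'alice:100000:65536\n' > "$dir/subgid"
  printf 'wheel:x:998:alice\ncgroup:x:997:alice\nusers:x:100:\n' > "$dir/group"
  printf 'cpu cpuset memory pids\n' > "$dir/subtree_control"
  echo "$dir"
}

FIX=$(make_fixtures)
rootless_podman_preflight alice "$FIX/subuid" "$FIX/subgid" "$FIX/group" "$FIX/subtree_control" &&
  echo "alice: ready for rootless podman"
rootless_podman_preflight bob "$FIX/subuid" "$FIX/subgid" "$FIX/group" "$FIX/subtree_control" ||
  echo "bob: $? check(s) failed"
```

Against a real system, call `rootless_podman_preflight "$USER" /etc/subuid /etc/subgid /etc/group /sys/fs/cgroup/cgroup.subtree_control`; a non-zero return with the printed reasons tells you whether the gap is in the subid ranges (the `subids-service-type` side), the group membership (the `supplementary-groups` of the account, which takes effect only after logging in again) or the cgroup controllers (the `cgroups2-limits` Shepherd service).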

From: Giacomo Leidi
To: 72740@debbugs.gnu.org
Subject: [PATCH 1/4] system: pam: Export pam records predicates.
Date: Wed, 21 Aug 2024 01:21:42 +0200
Message-ID: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>

* gnu/system/pam.scm: Export pam-service-name?, pam-entry? and
pam-limits-entry?.

Change-Id: I609acfcaae85b4969dc385b72b307e470f5a246e
---
 gnu/system/pam.scm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a035a92e25..5c7c4e8153 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -34,6 +34,7 @@ (define-module (gnu system pam) #:use-module ((guix utils) #:select (%current-system)) #:use-module (gnu packages linux) #:export (pam-service + pam-service-name? pam-service-name pam-service-account pam-service-auth
@@ -41,11 +42,13 @@ (define-module (gnu system pam) pam-service-session pam-entry + pam-entry? pam-entry-control pam-entry-module pam-entry-arguments pam-limits-entry + pam-limits-entry? pam-limits-entry-domain pam-limits-entry-type pam-limits-entry-item

base-commit: 00245fdcd4909d7e6b20fe88f5d089717115adc1
-- 
2.45.2
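Review bot: the `+ pam-service-name?` export in the first hunk (`@@ -34,6 +34,7 @@`) does not follow the `<record>?` naming of the two predicates added in the second hunk (`pam-entry?`, `pam-limits-entry?`); it reads like the `pam-service-name` accessor with a `?` appended. Please confirm that gnu/system/pam.scm really defines a binding with that exact name, because `#:export` of a name that is never defined is not reported when the module loads and only surfaces as an unbound variable once a client such as the new (gnu services containers) module references it. If the record predicate is `pam-service?`, export that instead and adjust the commit message accordingly.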
From: Giacomo Leidi
To: 72740@debbugs.gnu.org
Subject: [PATCH 2/4] services: pam: Allow extension of pam limits.
Date: Wed, 21 Aug 2024 01:21:43 +0200
Message-ID: <559e88e645a1a585e55fc8a36e30b5dd62267686.1724196105.git.goodoldpaul@autistici.org>
In-Reply-To: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>
References: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>

* gnu/services/pam.scm (pam-limits-service-type): Allow extension of pam
limits rules from users and services.

Change-Id: I93a363d1a2887493d52ef3ae32fc9721f81ddfa8
---
 gnu/services/base.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4b5b103cc3..e4e59da433 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1680,6 +1680,8 @@ (define pam-limits-service-type (service-type (name 'limits) + (compose concatenate) + (extend append) (extensions (list (service-extension pam-root-service-type (lambda (config)

-- 
2.45.2
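Review bot: the ChangeLog entry names `gnu/services/pam.scm (pam-limits-service-type)`, but the hunk modifies `gnu/services/base.scm` (the diffstat agrees); fix the file name in the commit message. On the hunk itself, `(compose concatenate)` with `(extend append)` produces the user's own `pam-limits-entry` list followed by every extending service's entries, in extension order; since that order is what ends up in the generated limits file, please state in the service's description (or in the manual entry for `pam-limits-service-type`) that extensions are appended after the user-supplied entries, so that a user who sets a system-wide `*` entry knows how it interacts with entries added by a service such as the rootless Podman one in this series.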
From: Giacomo Leidi
To: 72740@debbugs.gnu.org
Subject: [PATCH 3/4] services: iptables: Provide a default value.
Date: Wed, 21 Aug 2024 01:21:44 +0200
In-Reply-To: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>
References: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>

There doesn't seem to be a reason to force users to write

(service iptables-service-type
         (iptables-configuration))

instead of simply

(service iptables-service-type)

This patch provides a default value for the iptables-service-type.

* gnu/services/networking.scm (iptables-service-type): Set default-value.

Change-Id: I93b6c544dfb064c7a0a999549dff61007a38f842
---
 gnu/services/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 12d8934e43..c70fea7813 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -2055,6 +2055,7 @@ (define (iptables-shepherd-service config) (define iptables-service-type (service-type (name 'iptables) + (default-value (iptables-configuration)) (description "Run @command{iptables-restore}, setting up the specified rules.") (extensions

-- 
2.45.2
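Review bot: the hunk adds `(default-value (iptables-configuration))` but the diffstat shows no change to doc/guix.texi; the manual entry for `iptables-service-type` should say that the service can now be instantiated as plain `(service iptables-service-type)` and which rule set the default `iptables-configuration` loads, because a user who writes the short form (as the rootless Podman documentation later in this series does) is trusting that default for their packet filter without ever having seen it.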
From: Giacomo Leidi
To: 72740@debbugs.gnu.org
Subject: [PATCH 4/4] services: Add rootless-podman-service-type.
Date: Wed, 21 Aug 2024 01:21:45 +0200
Message-ID: <963d3a543a90656a38c0ba4c603b012b6bb93738.1724196105.git.goodoldpaul@autistici.org>
In-Reply-To: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>
References: <7f30738a5f43710d33a7bc9dfdd913f4ca113525.1724196105.git.goodoldpaul@autistici.org>
X-Debbugs-Cc: Florian Pelz, Ludovic Courtès, Matthew Trzcinski, Maxim Cournoyer

* gnu/services/containers.scm: New file;
(rootless-podman-configuration): new variable;
(rootless-podman-service-subids): new variable;
(rootless-podman-service-accounts): new variable;
(rootless-podman-service-profile): new variable;
(rootless-podman-shepherd-services): new variable;
(rootless-podman-service-etc): new variable;
(rootless-podman-service-type): new variable.
* gnu/local.mk: Test it.
* gnu/local.mk: Add them.
* doc/guix.texi (Miscellaneous Services): Document it.

Change-Id: I041496474c1027da353bd6852f2554a065914d7a
---
 doc/guix.texi               | 104 +++++++++++
 gnu/local.mk                |   2 +
 gnu/services/containers.scm | 216 +++++++++++++++++++++
 gnu/tests/containers.scm    | 361 ++++++++++++++++++++++++++++++++++++
 4 files changed, 683 insertions(+)
 create mode 100644 gnu/services/containers.scm
 create mode 100644 gnu/tests/containers.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 0e1e253b02..eb6a1b2442 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40852,6 +40852,110 @@ Miscellaneous Services invoke @command{singularity run} and similar commands. @end defvar +@cindex Rootless Podman +@subsubheading Rootless Podman Service + +The @code{(gnu services containers)} module provides the following service. + + +@cindex Rootless Podman, container management tool +@defvar rootless-podman-service-type + +@url{https://www.sylabs.io/singularity/, Singularity} is a container management +tool. In addition to providing a drop-in replacement for Docker, Podman offers +the ability to run containers in rootless mode. This allows regular users to +deploy containers without elevated privileges. + +The @code{rootless-podman-service-type} sets up the Guix System to allow +unprivileged users to run @command{podman} commands: + +@lisp +(use-service-modules containers networking @dots{}) + +(operating-system + ;; @dots{} + (users (cons (user-account + (name "alice") + (comment "Bob's sister") + (group "users") + + ;; Adding the account to the "cgroup" group + ;; makes it possible to run podman commands. + (supplementary-groups '("cgroup" "wheel" + "audio" "video"))) + %base-user-accounts)) + (services + (list + (service iptables-service-type) + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "alice")))) + (subuids + (list (subid-range (name "alice"))))))))) +@end lisp + +The @code{iptables-service-type} is required for Podman to be able to setup its +own networks. Due to the change in user groups and file systems it is +recommended to reboot (or at least logout), before trying to run Podman commands. 
+ +To test your installation you can run: + +@example +$ podman run -it --rm docker.io/alpine cat /etc/*release* +NAME="Alpine Linux" +ID=alpine +VERSION_ID=3.20.2 +PRETTY_NAME="Alpine Linux v3.20" +HOME_URL="https://alpinelinux.org/" +BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues" +@end example + +@end defvar + +@c %start of fragment + +@deftp {Data Type} rootless-podman-configuration +Available @code{rootless-podman-configuration} fields are: + +@table @asis +@item @code{podman} (default: @code{podman}) (type: package) +The Podman package that will be installed in the system profile. + +@item @code{group-name} (default: @code{"cgroup"}) (type: string) +The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group. + +@item @code{containers-registries} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file. + +@item @code{containers-storage} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file. + +@item @code{containers-policy} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file. + +@item @code{pam-limits} (type: list-of-pam-limits-entries) +The PAM limits to be set for rootless Podman. + +@item @code{subgids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subgids that will be +available for each configured user. + +@item @code{subuids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subuids that will be +available for each configured user. + +@end table + +@end deftp + + +@c %end of fragment + @cindex OCI-backed, Shepherd services @subsubheading OCI backed services diff --git a/gnu/local.mk b/gnu/local.mk index 3b0a3858f7..a543f1ddc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -708,6 +708,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/cgit.scm \ %D%/services/ci.scm \ %D%/services/configuration.scm \ + %D%/services/containers.scm \ %D%/services/cuirass.scm \ %D%/services/cups.scm \ %D%/services/databases.scm \ @@ -813,6 +814,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/base.scm \ %D%/tests/cachefilesd.scm \ %D%/tests/ci.scm \ + %D%/tests/containers.scm \ %D%/tests/cups.scm \ %D%/tests/databases.scm \ %D%/tests/desktop.scm \ diff --git a/gnu/services/containers.scm b/gnu/services/containers.scm new file mode 100644 index 0000000000..2337a4a001 --- /dev/null +++ b/gnu/services/containers.scm 
@@ -0,0 +1,216 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services containers) + #:use-module (gnu packages containers) + #:use-module (gnu packages file-systems) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system accounts) + #:use-module (gnu system shadow) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (srfi srfi-1) + #:export (rootless-podman-configuration + rootless-podman-configuration? + rootless-podman-configuration-fields + rootless-podman-configuration-podman + rootless-podman-configuration-group-name + rootless-podman-configuration-containers-registries + rootless-podman-configuration-containers-storage + rootless-podman-configuration-containers-policy + rootless-podman-configuration-pam-limits + rootless-podman-configuration-subgids + rootless-podman-configuration-subuids + + rootless-podman-service-subids + rootless-podman-service-accounts + rootless-podman-service-profile + rootless-podman-shepherd-services + rootless-podman-service-etc + + rootless-podman-service-type)) + +(define (gexp-or-string? value) + (or (gexp? value) + (string? 
value))) + +(define (lowerable? value) + (or (file-like? value) + (gexp-or-string? value))) + +(define list-of-pam-limits-entries? + (list-of pam-limits-entry?)) + +(define list-of-subid-ranges? + (list-of subid-range?)) + +(define-configuration/no-serialization rootless-podman-configuration + (podman + (package podman) + "The Podman package that will be installed in the system profile.") + (group-name + (string "cgroup") + "The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group.") + (containers-registries + (lowerable + (plain-file "registries.conf" + (string-append "unqualified-search-registries = ['docker.io','" + "registry.fedora.org','registry.opensuse.org']"))) + "A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file.") + (containers-storage + (lowerable + (plain-file "storage.conf" + "[storage] +driver = \"overlay\"")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file.") + (containers-policy + (lowerable + (plain-file "policy.json" + "{\"default\": [{\"type\": \"insecureAcceptAnything\"}]}")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file.") + (pam-limits + (list-of-pam-limits-entries + (list (pam-limits-entry "*" 'both 'nofile 100000))) + "The PAM limits to be set for rootless Podman.") + (subgids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subgids that will be +available for each configured user.") + (subuids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subuids that will be +available for each configured user.")) + +(define rootless-podman-service-profile + (lambda (config) + (list + (rootless-podman-configuration-podman config)))) + +(define rootless-podman-service-etc + (lambda (config) + (list `("containers/registries.conf" + 
,(rootless-podman-configuration-containers-registries config)) + `("containers/storage.conf" + ,(rootless-podman-configuration-containers-storage config)) + `("containers/policy.json" + ,(rootless-podman-configuration-containers-policy config))))) + +(define rootless-podman-service-subids + (lambda (config) + (subids-extension + (subgids (rootless-podman-configuration-subgids config)) + (subuids (rootless-podman-configuration-subuids config))))) + +(define rootless-podman-service-accounts + (lambda (config) + (list (user-group (name (rootless-podman-configuration-group-name config)) + (system? #t))))) + +(define (cgroups-fs-owner-entrypoint config) + (define group + (rootless-podman-configuration-group-name config)) + (program-file "cgroups2-fs-owner-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting /sys/fs/cgroup " + "group ownership to " #$group " && chown -v " + "root:" #$group " /sys/fs/cgroup && " + "chmod -v 775 /sys/fs/cgroup && chown -v " + "root:" #$group " /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads} && " + "chmod -v 664 /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads}")))) + +(define (rootless-podman-cgroups-fs-owner-service config) + (shepherd-service (provision '(cgroups2-fs-owner)) + (requirement + '(dbus-system + elogind + networking + udev + file-system-/sys/fs/cgroup + cgroups2-limits)) + (one-shot? 
#t) + (documentation + "Set ownership of /sys/fs/cgroup to the configured group.") + (start + #~(make-forkexec-constructor + (list + #$(cgroups-fs-owner-entrypoint config)))) + (stop + #~(make-kill-destructor)))) + +(define cgroups-limits-entrypoint + (program-file "cgroups2-limits-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting cgroups v2 limits && " + "echo +cpu +cpuset +memory +pids" + " >> /sys/fs/cgroup/cgroup.subtree_control")))) + +(define (rootless-podman-cgroups-limits-service config) + (shepherd-service (provision '(cgroups2-limits)) + (requirement + '(dbus-system + elogind + networking + udev + file-system-/sys/fs/cgroup)) + (one-shot? #t) + (documentation + "Allow setting cgroups limits: cpu, cpuset, memory and +pids.") + (start + #~(make-forkexec-constructor + (list + #$cgroups-limits-entrypoint))) + (stop + #~(make-kill-destructor)))) + +(define (rootless-podman-shepherd-services config) + (list + (rootless-podman-cgroups-limits-service config) + (rootless-podman-cgroups-fs-owner-service config))) + +(define rootless-podman-service-type + (service-type (name 'rootless-podman) + (extensions + (list + (service-extension subids-service-type + rootless-podman-service-subids) + (service-extension account-service-type + rootless-podman-service-accounts) + (service-extension profile-service-type + rootless-podman-service-profile) + (service-extension shepherd-root-service-type + rootless-podman-shepherd-services) + (service-extension pam-limits-service-type + rootless-podman-configuration-pam-limits) + (service-extension etc-service-type + rootless-podman-service-etc))) + (default-value (rootless-podman-configuration)) + (description + "This service configures rootless @code{podman} on the Guix System."))) diff --git a/gnu/tests/containers.scm b/gnu/tests/containers.scm new file mode 100644 index 0000000000..e60b5e5b8d --- /dev/null +++ b/gnu/tests/containers.scm 
@@ -0,0 +1,361 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests containers) + #:use-module (gnu) + #:use-module (gnu tests) + #:use-module (guix build-system trivial) + #:use-module (gnu packages bash) + #:use-module (gnu packages containers) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu services) + #:use-module (gnu services containers) + #:use-module (gnu services desktop) + #:use-module (gnu services dbus) + #:use-module (gnu services networking) + #:use-module (gnu services shepherd) + #:use-module (gnu system) + #:use-module (gnu system accounts) + #:use-module (gnu system vm) + #:use-module (guix gexp) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix monads) + #:use-module (guix packages) + #:use-module (guix profiles) + #:use-module ((guix scripts pack) #:prefix pack:) + #:use-module (guix store) + #:export (%test-rootless-podman)) + + +(define %rootless-podman-os + (simple-operating-system + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "dummy")))) + (subuids + (list (subid-range (name "dummy")))))) + + (service dhcp-client-service-type) + (service dbus-root-service-type) + (service 
polkit-service-type) + (service elogind-service-type) + + (simple-service 'shared-root-service + shepherd-root-service-type + (list + (shepherd-service + (provision '(rootless-podman-shared-root-fs)) + (requirement + '(file-systems)) + (one-shot? #t) + (documentation + "Buildah/Podman running as rootless expects the bind mount +to be shared. This service sets it so.") + (start + #~(make-forkexec-constructor + (list + #$(program-file "rootless-podman-shared-root-fs-entrypoint" + #~(system* + "mount" "--make-shared" "/"))))) + (stop + #~(make-kill-destructor))))) + + (simple-service 'accounts + account-service-type + (list (user-account + (name "dummy") + (group "users") + (supplementary-groups '("wheel" "netdev" "cgroup" + "audio" "video"))))))) + +(define (run-rootless-podman-test oci-tarball) + + (define os + (marionette-operating-system + (operating-system-with-gc-roots + %rootless-podman-os + (list oci-tarball)) + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine + (operating-system os) + (volatile? #f) + (memory-size 1024) + (disk-image-size (* 3000 (expt 2 20))) + (port-forwardings '()))) + + (define test + (with-imported-modules '((gnu build marionette) + (gnu services herd)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + ;; Relax timeout to accommodate older systems and + ;; allow for pulling the image. + (make-marionette (list #$vm) #:timeout 60)) + (define out-dir "/tmp") + + (test-runner-current (system-test-runner #$output)) + (test-begin "rootless-podman") + + (test-assert "service started" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'cgroups2-fs-owner) + (#f #f) + ;; herd returns (running #f), likely because of one shot, + ;; so consider any non-error a success. + (('service response-parts ...) 
#t))) + marionette)) + + (test-equal "/sys/fs/cgroup/cgroup.subtree_control content is sound" + (list "cpu" "cpuset" "memory" "pids") + (marionette-eval + `(begin + (use-modules (srfi srfi-1) + (ice-9 popen) + (ice-9 match) + (ice-9 rdelim)) + + (define (read-lines file-or-port) + (define (loop-lines port) + (let loop ((lines '())) + (match (read-line port) + ((? eof-object?) + (reverse lines)) + (line + (loop (cons line lines)))))) + + (if (port? file-or-port) + (loop-lines file-or-port) + (call-with-input-file file-or-port + loop-lines))) + + (define slurp + (lambda args + (let* ((port (apply open-pipe* OPEN_READ args)) + (output (read-lines port)) + (status (close-pipe port))) + output))) + (let* ((response1 (slurp + ,(string-append #$coreutils "/bin/cat") + "/sys/fs/cgroup/cgroup.subtree_control"))) + (sort-list (string-split (first response1) #\space) stringscm (scm->json-string \"JSON!\")))'")) + + ;; Check whether /tmp exists. + (response4 (slurp + ,(string-append #$podman "/bin/podman") + "run" "--pull" "never" repository&tag "-c" + "'(display (stat:perms (lstat \"/tmp\")))'"))) + (call-with-output-file (string-append ,out-dir "/response1") + (lambda (port) + (display (string-join response1 " ") port))) + (call-with-output-file (string-append ,out-dir "/response2") + (lambda (port) + (display (string-join response2 " ") port))) + (call-with-output-file (string-append ,out-dir "/response3") + (lambda (port) + (display (string-join response3 " ") port))) + (call-with-output-file (string-append ,out-dir "/response4") + (lambda (port) + (display (string-join response4 " ") port))))) + (lambda () + (primitive-exit 127)))) + (pid + (cdr (waitpid pid)))) + (wait-for-file (string-append ,out-dir "/response4")) + (append + (slurp "cat" (string-append ,out-dir "/response1")) + (slurp "cat" (string-append ,out-dir "/response2")) + (slurp "cat" (string-append ,out-dir "/response3")) + (map string->number (slurp "cat" (string-append ,out-dir "/response4"))))) + 
marionette)) + + (test-end)))) + + (gexp->derivation "rootless-podman-test" test)) + +(define (build-tarball&run-rootless-podman-test) + (mlet* %store-monad + ((_ (set-grafting #f)) + (guile (set-guile-for-build (default-guile))) + (guest-script-package -> + (package + (name "guest-script") + (version "0") + (source #f) + (build-system trivial-build-system) + (arguments `(#:guile ,guile-3.0 + #:builder + (let ((out (assoc-ref %outputs "out"))) + (mkdir out) + (call-with-output-file (string-append out "/a.scm") + (lambda (port) + (display "(display \"hello world\n\")" port))) + #t))) + (synopsis "Display hello world using Guile") + (description "This package displays the text \"hello world\" on the +standard output device and then enters a new line.") + (home-page #f) + (license license:public-domain))) + (profile (profile-derivation (packages->manifest + (list guile-3.0 guile-json-3 + guest-script-package)) + #:hooks '() + #:locales? #f)) + (tarball (pack:docker-image + "docker-pack" profile + #:symlinks '(("/bin/Guile" -> "bin/guile") + ("aa.scm" -> "a.scm")) + #:extra-options + '(#:image-tag "guile-guest") + #:entry-point "bin/guile" + #:localstatedir? 
#t))) + (run-rootless-podman-test tarball))) + +(define %test-rootless-podman + (system-test + (name "rootless-podman") + (description "Test rootless Podman service.") + (value (build-tarball&run-rootless-podman-test)))) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 21 04:19:40 2024 Received: (at 72740) by debbugs.gnu.org; 21 Aug 2024 08:19:40 +0000 Received: from localhost ([127.0.0.1]:34878 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggZA-0001lt-6k for submit@debbugs.gnu.org; Wed, 21 Aug 2024 04:19:40 -0400 Received: from confino.investici.org ([93.190.126.19]:64059) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggZ7-0001lk-Bt for 72740@debbugs.gnu.org; Wed, 21 Aug 2024 04:19:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1724228324; bh=Yqo83SswVKr1gsT46+YFO3OQnUXlpq7m8O0dE3UcVuk=; h=Date:To:From:Subject:From; b=U95Cj87d7rfr6NXt2NDtcxf5khdi5u8guqROm298qIWeGLtqfTeo0E+CTnUGdykgz wy2GH04WEwYuhUdATOcBSr9DRLj+ZDfNxYa5+MbV/Usu1NYt+PwOn/UFQhI9WTwBv5 lh6sKZpLH5umOId1xf1KxxLYvqa1AKHQ2Sguerts= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4WpfP03vVKz110S for <72740@debbugs.gnu.org>; Wed, 21 Aug 2024 08:18:44 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4WpfP03Wzvz110C for <72740@debbugs.gnu.org>; Wed, 21 Aug 2024 08:18:44 +0000 (UTC) Message-ID: Date: Wed, 21 Aug 2024 10:18:44 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0 To: 72740@debbugs.gnu.org Content-Language: en-US 
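Review bot: the `mount --make-shared /` step that the test OS adds through `simple-service 'shared-root-service` is needed by every user of `rootless-podman-service-type`, not only by this system test, so it belongs among the service's own Shepherd services rather than in `%rootless-podman-os` (the test could then drop the `(gnu services shepherd)` import and the whole `shared-root-service` block). Within that block, `(requirement '(file-systems))` correctly orders the one-shot after the root file system is mounted, but `(stop #~(make-kill-destructor))` has nothing to kill once `mount` has exited; it can be dropped for a one-shot service.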
From: paul
Subject: Re: Add rootless-podman-service-type

Dear Guixers, I'm sending a v2. This revision contains a small change: Buildah/Podman running as rootless expects the bind mount to be shared. This patchset contains a Shepherd service that sets it so.
Thank you very much for your help, giacomo

From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 21 04:20:43 2024
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v2 2/4] services: pam: Allow extension of pam limits. Date: Wed, 21 Aug 2024 10:19:25 +0200 Message-ID: <64764a5380a386c62b2e23eba17b30af0abad819.1724228367.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.45.2 In-Reply-To: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> References: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72740 Cc: Giacomo Leidi X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) * gnu/services/pam.scm (pam-limits-service-type): Allow extension of pam limits rules from users and services. Change-Id: I93a363d1a2887493d52ef3ae32fc9721f81ddfa8 --- gnu/services/base.scm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4b5b103cc3..e4e59da433 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1680,6 +1680,8 @@ (define pam-limits-service-type (service-type (name 'limits) + (compose concatenate) + (extend append) (extensions (list (service-extension pam-root-service-type (lambda (config) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 21 04:20:51 2024 Received: (at 72740) by debbugs.gnu.org; 21 Aug 2024 08:20:51 +0000 Received: from localhost ([127.0.0.1]:34887 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaI-0001oi-Uv for submit@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:51 -0400 Received: from confino.investici.org ([93.190.126.19]:37935) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaH-0001oS-0k for 72740@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1724228397; bh=4XovS601RWwNTXDlPjrcAWDfEF2V0eS8kozEuQzK9ug=; h=From:To:Cc:Subject:Date:From; b=s0Dz+eLbDhtNEWXFXojHkIeaEjv4Ey9lxxw9x/nc6lSxVzN3vz2TVKfoALLjTaX3n HDUAWzMpIO7yxIa7VyecCcp8qiQMKYLMcKuQ500qQuVcaiR4gyNoWXeA3xs37h0DNF 001FKUcsQC8FwBerwRADO28OF2bPKad/YPD1upXM= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4WpfQP1mYJz110X; Wed, 21 Aug 2024 08:19:57 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4WpfQP11b9z110F; Wed, 21 Aug 2024 08:19:57 +0000 (UTC) 
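Review bot: the ChangeLog entry names `gnu/services/pam.scm (pam-limits-service-type)` but the diff modifies `gnu/services/base.scm`; the commit message should name the file actually touched. The `(compose concatenate)` / `(extend append)` pair itself is the usual way to let other services contribute `pam-limits-entry` records to the `limits` service, and the existing `(lambda (config) ...)` extension of `pam-root-service-type` keeps working because the extended value is still a flat list of entries.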
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v2 1/4] system: pam: Export pam records predicates. Date: Wed, 21 Aug 2024 10:19:24 +0200 Message-ID: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.45.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72740 Cc: Giacomo Leidi X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) * gnu/system/pam.scm: Export pam-service-name?, pam-entry? and pam-limits-entry?. Change-Id: I609acfcaae85b4969dc385b72b307e470f5a246e --- gnu/system/pam.scm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a035a92e25..5c7c4e8153 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -34,6 +34,7 @@ (define-module (gnu system pam) #:use-module ((guix utils) #:select (%current-system)) #:use-module (gnu packages linux) #:export (pam-service + pam-service-name? pam-service-name pam-service-account pam-service-auth 
@@ -41,11 +42,13 @@ (define-module (gnu system pam) pam-service-session pam-entry + pam-entry? pam-entry-control pam-entry-module pam-entry-arguments pam-limits-entry + pam-limits-entry? pam-limits-entry-domain pam-limits-entry-type pam-limits-entry-item base-commit: 00245fdcd4909d7e6b20fe88f5d089717115adc1 -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 21 04:20:51 2024 Received: (at 72740) by debbugs.gnu.org; 21 Aug 2024 08:20:51 +0000 Received: from localhost ([127.0.0.1]:34889 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaJ-0001ol-Aq for submit@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:51 -0400 Received: from confino.investici.org ([93.190.126.19]:23189) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaH-0001oU-Ox for 72740@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1724228397; bh=YEE9mshXV/4KY9GTgv2LBkb4SrYcy5bZmlewtKPE6O4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=f/RWhCDSWwwXrtE5FH78Q7+4y2SDaG+xzoiHEt+cfnDW9EI+iueYX+4BuWv31I/H2 0+awKeZcgOwQJqTOxCX8wY88sBs3knb2oaaonCcMxOCEOsPnzY/U0tydl5GMa5EMvB z4eOwCHZBW9P7nSZWsHNoRkndzrpm1kipRDFcL6M= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4WpfQP63gTz110f; Wed, 21 Aug 2024 08:19:57 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4WpfQP5Kxpz110F; Wed, 21 Aug 2024 08:19:57 +0000 (UTC) 
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v2 3/4] services: iptables: Provide a default value. Date: Wed, 21 Aug 2024 10:19:26 +0200 Message-ID: <20e290aba0c41223dfe2c3bb94e4f7d6398bb06f.1724228367.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.45.2 In-Reply-To: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> References: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72740 Cc: Giacomo Leidi X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) There doesn't seem to be a reason to force users to write (service iptables-service-type (iptables-configuration)) instead of simply (service iptables-service-type) This patch provides a default value for the iptables-service-type. * gnu/services/networking.scm (iptables-service-type): Set default-value. Change-Id: I93b6c544dfb064c7a0a999549dff61007a38f842 --- gnu/services/networking.scm | 1 + 1 file changed, 1 insertion(+) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 12d8934e43..c70fea7813 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -2055,6 +2055,7 @@ (define (iptables-shepherd-service config) (define iptables-service-type (service-type (name 'iptables) + (default-value (iptables-configuration)) (description "Run @command{iptables-restore}, setting up the specified rules.") (extensions -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 21 04:20:57 2024 Received: (at 72740) by debbugs.gnu.org; 21 Aug 2024 08:20:57 +0000 Received: from localhost ([127.0.0.1]:34891 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaN-0001p6-Pw for submit@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:57 -0400 Received: from confino.investici.org ([93.190.126.19]:20161) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sggaI-0001ob-95 for 72740@debbugs.gnu.org; Wed, 21 Aug 2024 04:20:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1724228398; bh=PAWkKaXoRcatfyDs1NVXOY2w07uOZcc4n1t2ABYwKeM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b2LDF5ijvbDYnpN5tuHmHJiVe0T1eicH85BFNb8ofaEULss+ZOlQlMmn1zy+JVmMT Q44vujm6fJEnAsFXGKlIbfLurLtXEeb+3+RrQ5CDh6a1mF+eE+gM7AfpUyobpiYlaZ q1aU8FwVHG1C3S4naNx2J4TxMIEnkOG5KyL62Mvo= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4WpfQQ2XVbz110g; Wed, 21 Aug 2024 08:19:58 +0000 (UTC) Received: from [93.190.126.19] (mx1.investici.org [93.190.126.19]) (Authenticated sender: goodoldpaul@autistici.org) by localhost (Postfix) with ESMTPSA id 4WpfQQ0Skzz110F; Wed, 21 Aug 2024 08:19:58 +0000 (UTC) 
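Review bot: with `(default-value (iptables-configuration))`, a bare `(service iptables-service-type)` installs whatever rules `iptables-configuration` defaults to, and neither this commit message nor the manual text in 4/4 (which only says the service "is required for Podman to be able to setup its own networks") states what that default rule set is. Please say in the commit message and in the `iptables-service-type` documentation which rules the default configuration loads, so that users who enable the service only for Podman networking know what firewall policy they get.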
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v2 4/4] services: Add rootless-podman-service-type. Date: Wed, 21 Aug 2024 10:19:27 +0200 Message-ID: <98f29c9144e862337e417e700867e1d03625e89e.1724228367.git.goodoldpaul@autistici.org> X-Mailer: git-send-email 2.45.2 In-Reply-To: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> References: <31446889c1e46a461dd4569dd154851357d6d82c.1724228367.git.goodoldpaul@autistici.org> MIME-Version: 1.0 X-Debbugs-Cc: Florian Pelz , Ludovic Courtès , Matthew Trzcinski , Maxim Cournoyer Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72740 Cc: Giacomo Leidi X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) * gnu/services/containers.scm: New file; (rootless-podman-configuration): new variable; (rootless-podman-service-subids): new variable; (rootless-podman-service-accounts): new variable; (rootless-podman-service-profile): new variable; (rootless-podman-shepherd-services): new variable; (rootless-podman-service-etc): new variable; (rootless-podman-service-type): new variable. * gnu/local.mk: Test it. * gnu/local.mk: Add them. * doc/guix.texi (Miscellaneous Services): Document it. Change-Id: I041496474c1027da353bd6852f2554a065914d7a --- doc/guix.texi | 104 +++++++++++ gnu/local.mk | 2 + gnu/services/containers.scm | 238 +++++++++++++++++++++++++ gnu/tests/containers.scm | 340 ++++++++++++++++++++++++++++++++++++ 4 files changed, 684 insertions(+) create mode 100644 gnu/services/containers.scm create mode 100644 gnu/tests/containers.scm diff --git a/doc/guix.texi b/doc/guix.texi index 0e1e253b02..eb6a1b2442 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -40852,6 +40852,110 @@ Miscellaneous Services invoke @command{singularity run} and similar commands. @end defvar +@cindex Rootless Podman +@subsubheading Rootless Podman Service + +The @code{(gnu services containers)} module provides the following service. + + +@cindex Rootless Podman, container management tool +@defvar rootless-podman-service-type + +@url{https://www.sylabs.io/singularity/, Singularity} is a container management +tool. In addition to providing a drop-in replacement for Docker, Podman offers +the ability to run containers in rootless mode. This allows regular users to +deploy containers without elevated privileges. + +The @code{rootless-podman-service-type} sets up the Guix System to allow +unprivileged users to run @command{podman} commands: + +@lisp +(use-service-modules containers networking @dots{}) + +(operating-system + ;; @dots{} + (users (cons (user-account + (name "alice") + (comment "Bob's sister") + (group "users") + + ;; Adding the account to the "cgroup" group + ;; makes it possible to run podman commands. + (supplementary-groups '("cgroup" "wheel" + "audio" "video"))) + %base-user-accounts)) + (services + (list + (service iptables-service-type) + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "alice")))) + (subuids + (list (subid-range (name "alice"))))))))) +@end lisp + +The @code{iptables-service-type} is required for Podman to be able to setup its +own networks. Due to the change in user groups and file systems it is +recommended to reboot (or at least logout), before trying to run Podman commands. 
+ +To test your installation you can run: + +@example +$ podman run -it --rm docker.io/alpine cat /etc/*release* +NAME="Alpine Linux" +ID=alpine +VERSION_ID=3.20.2 +PRETTY_NAME="Alpine Linux v3.20" +HOME_URL="https://alpinelinux.org/" +BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues" +@end example + +@end defvar + +@c %start of fragment + +@deftp {Data Type} rootless-podman-configuration +Available @code{rootless-podman-configuration} fields are: + +@table @asis +@item @code{podman} (default: @code{podman}) (type: package) +The Podman package that will be installed in the system profile. + +@item @code{group-name} (default: @code{"cgroup"}) (type: string) +The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group. + +@item @code{containers-registries} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file. + +@item @code{containers-storage} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file. + +@item @code{containers-policy} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file. + +@item @code{pam-limits} (type: list-of-pam-limits-entries) +The PAM limits to be set for rootless Podman. + +@item @code{subgids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subgids that will be +available for each configured user. + +@item @code{subuids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subuids that will be +available for each configured user. + +@end table + +@end deftp + + +@c %end of fragment + @cindex OCI-backed, Shepherd services @subsubheading OCI backed services diff --git a/gnu/local.mk b/gnu/local.mk index 3b0a3858f7..a543f1ddc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -708,6 +708,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/cgit.scm \ %D%/services/ci.scm \ %D%/services/configuration.scm \ + %D%/services/containers.scm \ %D%/services/cuirass.scm \ %D%/services/cups.scm \ %D%/services/databases.scm \ @@ -813,6 +814,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/base.scm \ %D%/tests/cachefilesd.scm \ %D%/tests/ci.scm \ + %D%/tests/containers.scm \ %D%/tests/cups.scm \ %D%/tests/databases.scm \ %D%/tests/desktop.scm \ diff --git a/gnu/services/containers.scm b/gnu/services/containers.scm new file mode 100644 index 0000000000..03f0649c0d --- /dev/null +++ b/gnu/services/containers.scm 
@@ -0,0 +1,238 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services containers) + #:use-module (gnu packages containers) + #:use-module (gnu packages file-systems) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system accounts) + #:use-module (gnu system shadow) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (srfi srfi-1) + #:export (rootless-podman-configuration + rootless-podman-configuration? + rootless-podman-configuration-fields + rootless-podman-configuration-podman + rootless-podman-configuration-group-name + rootless-podman-configuration-containers-registries + rootless-podman-configuration-containers-storage + rootless-podman-configuration-containers-policy + rootless-podman-configuration-pam-limits + rootless-podman-configuration-subgids + rootless-podman-configuration-subuids + + rootless-podman-service-subids + rootless-podman-service-accounts + rootless-podman-service-profile + rootless-podman-shepherd-services + rootless-podman-service-etc + + rootless-podman-service-type)) + +(define (gexp-or-string? value) + (or (gexp? value) + (string? 
value))) + +(define (lowerable? value) + (or (file-like? value) + (gexp-or-string? value))) + +(define list-of-pam-limits-entries? + (list-of pam-limits-entry?)) + +(define list-of-subid-ranges? + (list-of subid-range?)) + +(define-configuration/no-serialization rootless-podman-configuration + (podman + (package podman) + "The Podman package that will be installed in the system profile.") + (group-name + (string "cgroup") + "The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group.") + (containers-registries + (lowerable + (plain-file "registries.conf" + (string-append "unqualified-search-registries = ['docker.io','" + "registry.fedora.org','registry.opensuse.org']"))) + "A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file.") + (containers-storage + (lowerable + (plain-file "storage.conf" + "[storage] +driver = \"overlay\"")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file.") + (containers-policy + (lowerable + (plain-file "policy.json" + "{\"default\": [{\"type\": \"insecureAcceptAnything\"}]}")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file.") + (pam-limits + (list-of-pam-limits-entries + (list (pam-limits-entry "*" 'both 'nofile 100000))) + "The PAM limits to be set for rootless Podman.") + (subgids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subgids that will be +available for each configured user.") + (subuids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subuids that will be +available for each configured user.")) + +(define rootless-podman-service-profile + (lambda (config) + (list + (rootless-podman-configuration-podman config)))) + +(define rootless-podman-service-etc + (lambda (config) + (list `("containers/registries.conf" + 
,(rootless-podman-configuration-containers-registries config)) + `("containers/storage.conf" + ,(rootless-podman-configuration-containers-storage config)) + `("containers/policy.json" + ,(rootless-podman-configuration-containers-policy config))))) + +(define rootless-podman-service-subids + (lambda (config) + (subids-extension + (subgids (rootless-podman-configuration-subgids config)) + (subuids (rootless-podman-configuration-subuids config))))) + +(define rootless-podman-service-accounts + (lambda (config) + (list (user-group (name (rootless-podman-configuration-group-name config)) + (system? #t))))) + +(define (cgroups-fs-owner-entrypoint config) + (define group + (rootless-podman-configuration-group-name config)) + (program-file "cgroups2-fs-owner-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting /sys/fs/cgroup " + "group ownership to " #$group " && chown -v " + "root:" #$group " /sys/fs/cgroup && " + "chmod -v 775 /sys/fs/cgroup && chown -v " + "root:" #$group " /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads} && " + "chmod -v 664 /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads}")))) + +(define (rootless-podman-cgroups-fs-owner-service config) + (shepherd-service (provision '(cgroups2-fs-owner)) + (requirement + '(dbus-system + elogind + file-system-/sys/fs/cgroup + networking + udev + cgroups2-limits)) + (one-shot? 
#t) + (documentation + "Set ownership of /sys/fs/cgroup to the configured group.") + (start + #~(make-forkexec-constructor + (list + #$(cgroups-fs-owner-entrypoint config)))) + (stop + #~(make-kill-destructor)))) + +(define cgroups-limits-entrypoint + (program-file "cgroups2-limits-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting cgroups v2 limits && " + "echo +cpu +cpuset +memory +pids" + " >> /sys/fs/cgroup/cgroup.subtree_control")))) + +(define (rootless-podman-cgroups-limits-service config) + (shepherd-service (provision '(cgroups2-limits)) + (requirement + '(dbus-system + elogind + networking + udev + file-system-/sys/fs/cgroup + rootless-podman-shared-root-fs)) + (one-shot? #t) + (documentation + "Allow setting cgroups limits: cpu, cpuset, memory and +pids.") + (start + #~(make-forkexec-constructor + (list + #$cgroups-limits-entrypoint))) + (stop + #~(make-kill-destructor)))) + +(define rootless-podman-shared-root-fs-entrypoint + (program-file "rootless-podman-shared-root-fs-entrypoint" + #~(system* + "mount" "--make-shared" "/"))) + +(define (rootless-podman-shared-root-fs-service config) + (shepherd-service (provision '(rootless-podman-shared-root-fs)) + (requirement + '(user-processes)) + (one-shot? #t) + (documentation + "Buildah/Podman running as rootless expects the bind mount +to be shared. 
This service sets it so.") + (start + #~(make-forkexec-constructor + (list + #$rootless-podman-shared-root-fs-entrypoint))) + (stop + #~(make-kill-destructor)))) + +(define (rootless-podman-shepherd-services config) + (list + (rootless-podman-shared-root-fs-service config) + (rootless-podman-cgroups-limits-service config) + (rootless-podman-cgroups-fs-owner-service config))) + +(define rootless-podman-service-type + (service-type (name 'rootless-podman) + (extensions + (list + (service-extension subids-service-type + rootless-podman-service-subids) + (service-extension account-service-type + rootless-podman-service-accounts) + (service-extension profile-service-type + rootless-podman-service-profile) + (service-extension shepherd-root-service-type + rootless-podman-shepherd-services) + (service-extension pam-limits-service-type + rootless-podman-configuration-pam-limits) + (service-extension etc-service-type + rootless-podman-service-etc))) + (default-value (rootless-podman-configuration)) + (description + "This service configures rootless @code{podman} on the Guix System."))) diff --git a/gnu/tests/containers.scm b/gnu/tests/containers.scm new file mode 100644 index 0000000000..ba2fb22df6 --- /dev/null +++ b/gnu/tests/containers.scm 
@@ -0,0 +1,340 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests containers) + #:use-module (gnu) + #:use-module (gnu tests) + #:use-module (guix build-system trivial) + #:use-module (gnu packages bash) + #:use-module (gnu packages containers) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu services) + #:use-module (gnu services containers) + #:use-module (gnu services desktop) + #:use-module (gnu services dbus) + #:use-module (gnu services networking) + #:use-module (gnu system) + #:use-module (gnu system accounts) + #:use-module (gnu system vm) + #:use-module (guix gexp) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix monads) + #:use-module (guix packages) + #:use-module (guix profiles) + #:use-module ((guix scripts pack) #:prefix pack:) + #:use-module (guix store) + #:export (%test-rootless-podman)) + + +(define %rootless-podman-os + (simple-operating-system + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "dummy")))) + (subuids + (list (subid-range (name "dummy")))))) + + (service dhcp-client-service-type) + (service dbus-root-service-type) + (service polkit-service-type) + (service 
elogind-service-type) + + (simple-service 'accounts + account-service-type + (list (user-account + (name "dummy") + (group "users") + (supplementary-groups '("wheel" "netdev" "cgroup" + "audio" "video"))))))) + +(define (run-rootless-podman-test oci-tarball) + + (define os + (marionette-operating-system + (operating-system-with-gc-roots + %rootless-podman-os + (list oci-tarball)) + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine + (operating-system os) + (volatile? #f) + (memory-size 1024) + (disk-image-size (* 3000 (expt 2 20))) + (port-forwardings '()))) + + (define test + (with-imported-modules '((gnu build marionette) + (gnu services herd)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + ;; Relax timeout to accommodate older systems and + ;; allow for pulling the image. + (make-marionette (list #$vm) #:timeout 60)) + (define out-dir "/tmp") + + (test-runner-current (system-test-runner #$output)) + (test-begin "rootless-podman") + + (test-assert "service started" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'cgroups2-fs-owner) + (#f #f) + ;; herd returns (running #f), likely because of one shot, + ;; so consider any non-error a success. + (('service response-parts ...) #t))) + marionette)) + + (test-equal "/sys/fs/cgroup/cgroup.subtree_control content is sound" + (list "cpu" "cpuset" "memory" "pids") + (marionette-eval + `(begin + (use-modules (srfi srfi-1) + (ice-9 popen) + (ice-9 match) + (ice-9 rdelim)) + + (define (read-lines file-or-port) + (define (loop-lines port) + (let loop ((lines '())) + (match (read-line port) + ((? eof-object?) + (reverse lines)) + (line + (loop (cons line lines)))))) + + (if (port? 
file-or-port) + (loop-lines file-or-port) + (call-with-input-file file-or-port + loop-lines))) + + (define slurp + (lambda args + (let* ((port (apply open-pipe* OPEN_READ args)) + (output (read-lines port)) + (status (close-pipe port))) + output))) + (let* ((response1 (slurp + ,(string-append #$coreutils "/bin/cat") + "/sys/fs/cgroup/cgroup.subtree_control"))) + (sort-list (string-split (first response1) #\space) stringscm (scm->json-string \"JSON!\")))'")) + + ;; Check whether /tmp exists. + (response4 (slurp + ,(string-append #$podman "/bin/podman") + "run" "--pull" "never" repository&tag "-c" + "'(display (stat:perms (lstat \"/tmp\")))'"))) + (call-with-output-file (string-append ,out-dir "/response1") + (lambda (port) + (display (string-join response1 " ") port))) + (call-with-output-file (string-append ,out-dir "/response2") + (lambda (port) + (display (string-join response2 " ") port))) + (call-with-output-file (string-append ,out-dir "/response3") + (lambda (port) + (display (string-join response3 " ") port))) + (call-with-output-file (string-append ,out-dir "/response4") + (lambda (port) + (display (string-join response4 " ") port))))) + (lambda () + (primitive-exit 127)))) + (pid + (cdr (waitpid pid)))) + (wait-for-file (string-append ,out-dir "/response4")) + (append + (slurp "cat" (string-append ,out-dir "/response1")) + (slurp "cat" (string-append ,out-dir "/response2")) + (slurp "cat" (string-append ,out-dir "/response3")) + (map string->number (slurp "cat" (string-append ,out-dir "/response4"))))) + marionette)) + + (test-end)))) + + (gexp->derivation "rootless-podman-test" test)) + +(define (build-tarball&run-rootless-podman-test) + (mlet* %store-monad + ((_ (set-grafting #f)) + (guile (set-guile-for-build (default-guile))) + (guest-script-package -> + (package + (name "guest-script") + (version "0") + (source #f) + (build-system trivial-build-system) + (arguments `(#:guile ,guile-3.0 + #:builder + (let ((out (assoc-ref %outputs "out"))) + (mkdir 
out) + (call-with-output-file (string-append out "/a.scm") + (lambda (port) + (display "(display \"hello world\n\")" port))) + #t))) + (synopsis "Display hello world using Guile") + (description "This package displays the text \"hello world\" on the +standard output device and then enters a new line.") + (home-page #f) + (license license:public-domain))) + (profile (profile-derivation (packages->manifest + (list guile-3.0 guile-json-3 + guest-script-package)) + #:hooks '() + #:locales? #f)) + (tarball (pack:docker-image + "docker-pack" profile + #:symlinks '(("/bin/Guile" -> "bin/guile") + ("aa.scm" -> "a.scm")) + #:extra-options + '(#:image-tag "guile-guest") + #:entry-point "bin/guile" + #:localstatedir? #t))) + (run-rootless-podman-test tarball))) + +(define %test-rootless-podman + (system-test + (name "rootless-podman") + (description "Test rootless Podman service.") + (value (build-tarball&run-rootless-podman-test)))) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Fri Aug 23 07:40:36 2024 Received: (at 72740) by debbugs.gnu.org; 23 Aug 2024 11:40:36 +0000 Received: from localhost ([127.0.0.1]:39093 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1shSeh-0005EV-Qq for submit@debbugs.gnu.org; Fri, 23 Aug 2024 07:40:36 -0400 Received: from confino.investici.org ([93.190.126.19]:63251) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1shSef-0005EI-1Z for 72740@debbugs.gnu.org; Fri, 23 Aug 2024 07:40:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org; s=stigmate; t=1724413176; bh=dLrl8QBB5nhE/4kxB0YRee41Y2XdvClyD7mjvZ+ZP9E=; h=Date:Subject:From:To:References:In-Reply-To:From; b=D2xfa/JMzlYXqRkQpJuZbeE0fTUE7mYbI1zW1MfYaM41L3Dg1MnbMZyPODy37q2Cs bGTkoKfwGfEXwA/veZ4UejXT1tSXiykDOUNA8q/VQUxFX4Mb0dbNKJ9fdSEGDPjYTZ o4+kc+omys3gnMRLbIu+xwEFVc9AHY9gZ3+vZi6c= Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4Wqylr5kdbz11HV for 
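Review bot: the test account `dummy` is put in `"wheel"` as well as `"cgroup"`, although the point of this test is that an unprivileged user can run `podman`; dropping `"wheel"` from `supplementary-groups` would make the test actually show that no administrative group is needed (this tests hunk is unchanged in v3, same blob `ba2fb22df6`). Also, the `"service started"` check treats any non-error reply from `(start-service 'cgroups2-fs-owner)` as success, as the comment `herd returns (running #f), likely because of one shot` admits; asserting on the effect of the one-shot service, the ownership and mode of /sys/fs/cgroup, in the same way the following test asserts on `cgroup.subtree_control`, would make that check meaningful.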
Date: Fri, 23 Aug 2024 13:39:36 +0200 Subject: Re: Add rootless-podman-service-type
From: paul To: 72740@debbugs.gnu.org
Dear Guixers, I'm sending a v3. The only fix in this revision is that instead of exporting the (non-existing) pam-service-name? procedure, the pam-service? predicate is rightly exposed with the other pam-service* procedures. Thank you for your work, giacomo
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v3 1/4] system: pam: Export pam records predicates. Date: Fri, 23 Aug 2024 13:40:54 +0200 Message-ID: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> * gnu/system/pam.scm: Export pam-service-name?, pam-entry? and pam-limits-entry?. Change-Id: I609acfcaae85b4969dc385b72b307e470f5a246e --- gnu/system/pam.scm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a035a92e25..07b84b04ef 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -34,6 +34,7 @@ (define-module (gnu system pam) #:use-module ((guix utils) #:select (%current-system)) #:use-module (gnu packages linux) #:export (pam-service + pam-service? pam-service-name pam-service-account pam-service-auth
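Review bot: the ChangeLog entry in the commit message still reads `Export pam-service-name?, pam-entry? and pam-limits-entry?`, but this hunk exports `pam-service?` (the v3 cover note says the non-existent `pam-service-name?` was exactly what got fixed); update the commit message so the entry names the procedure the diff actually adds under `#:export (pam-service`.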
@@ -41,11 +42,13 @@ (define-module (gnu system pam) pam-service-session pam-entry + pam-entry? pam-entry-control pam-entry-module pam-entry-arguments pam-limits-entry + pam-limits-entry? pam-limits-entry-domain pam-limits-entry-type pam-limits-entry-item base-commit: 00245fdcd4909d7e6b20fe88f5d089717115adc1 -- 2.45.2
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v3 2/4] services: pam: Allow extension of pam limits. Date: Fri, 23 Aug 2024 13:40:55 +0200 In-Reply-To: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> * gnu/services/pam.scm (pam-limits-service-type): Allow extension of pam limits rules from users and services. Change-Id: I93a363d1a2887493d52ef3ae32fc9721f81ddfa8 --- gnu/services/base.scm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4b5b103cc3..e4e59da433 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm
@@ -1680,6 +1680,8 @@ (define pam-limits-service-type (service-type (name 'limits) + (compose concatenate) + (extend append) (extensions (list (service-extension pam-root-service-type (lambda (config) -- 2.45.2
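Review bot: the commit message's ChangeLog line names gnu/services/pam.scm, but this hunk is in gnu/services/base.scm; fix the path. On the change itself, `(compose concatenate)` together with `(extend append)` appends the entries contributed by extending services after the entries of the service's own value, so a rule such as the `nofile` entry for domain `*` that rootless-podman contributes lands after whatever the administrator configured; that ordering is worth a sentence in the docstring, since when several limits.conf entries match the same domain and item their relative order can decide which value applies.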
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v3 3/4] services: iptables: Provide a default value. Date: Fri, 23 Aug 2024 13:40:56 +0200 Message-ID: <8e8423f103140769e6cc40b022bd53567ba43541.1724413257.git.goodoldpaul@autistici.org> In-Reply-To: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> There doesn't seem to be a reason to force users to write (service iptables-service-type (iptables-configuration)) instead of simply (service iptables-service-type) This patch provides a default value for the iptables-service-type. * gnu/services/networking.scm (iptables-service-type): Set default-value. Change-Id: I93b6c544dfb064c7a0a999549dff61007a38f842 --- gnu/services/networking.scm | 1 + 1 file changed, 1 insertion(+) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 12d8934e43..c70fea7813 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm
@@ -2055,6 +2055,7 @@ (define (iptables-shepherd-service config) (define iptables-service-type (service-type (name 'iptables) + (default-value (iptables-configuration)) (description "Run @command{iptables-restore}, setting up the specified rules.") (extensions -- 2.45.2
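Review bot: with this default, `(service iptables-service-type)` runs `iptables-restore` with whatever rule set a bare `(iptables-configuration)` carries, and the rootless-podman manual text in this series tells users to add exactly that unconfigured service; the docstring or the iptables manual entry should state what those default rules are, so an administrator enabling the service for Podman knows which firewall policy they end up with.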
From: Giacomo Leidi To: 72740@debbugs.gnu.org Subject: [PATCH v3 4/4] services: Add rootless-podman-service-type. Date: Fri, 23 Aug 2024 13:40:57 +0200 Message-ID: <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org> In-Reply-To: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> X-Debbugs-Cc: Florian Pelz , Ludovic Courtès , Matthew Trzcinski , Maxim Cournoyer * gnu/services/containers.scm: New file; (rootless-podman-configuration): new variable; (rootless-podman-service-subids): new variable; (rootless-podman-service-accounts): new variable; (rootless-podman-service-profile): new variable; (rootless-podman-shepherd-services): new variable; (rootless-podman-service-etc): new variable; (rootless-podman-service-type): new variable. * gnu/local.mk: Test it. * gnu/local.mk: Add them. * doc/guix.texi (Miscellaneous Services): Document it. Change-Id: I041496474c1027da353bd6852f2554a065914d7a --- doc/guix.texi | 104 +++++++++++ gnu/local.mk | 2 + gnu/services/containers.scm | 238 +++++++++++++++++++++++++ gnu/tests/containers.scm | 340 ++++++++++++++++++++++++++++++++++++ 4 files changed, 684 insertions(+) create mode 100644 gnu/services/containers.scm create mode 100644 gnu/tests/containers.scm diff --git a/doc/guix.texi b/doc/guix.texi index 0e1e253b02..eb6a1b2442 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -40852,6 +40852,110 @@ Miscellaneous Services invoke @command{singularity run} and similar commands. @end defvar +@cindex Rootless Podman +@subsubheading Rootless Podman Service + +The @code{(gnu services containers)} module provides the following service. + + +@cindex Rootless Podman, container management tool +@defvar rootless-podman-service-type + +@url{https://www.sylabs.io/singularity/, Singularity} is a container management +tool. In addition to providing a drop-in replacement for Docker, Podman offers +the ability to run containers in rootless mode. This allows regular users to +deploy containers without elevated privileges. + +The @code{rootless-podman-service-type} sets up the Guix System to allow +unprivileged users to run @command{podman} commands: + +@lisp +(use-service-modules containers networking @dots{}) + +(operating-system + ;; @dots{} + (users (cons (user-account + (name "alice") + (comment "Bob's sister") + (group "users") + + ;; Adding the account to the "cgroup" group + ;; makes it possible to run podman commands. + (supplementary-groups '("cgroup" "wheel" + "audio" "video"))) + %base-user-accounts)) + (services + (list + (service iptables-service-type) + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "alice")))) + (subuids + (list (subid-range (name "alice"))))))))) +@end lisp + +The @code{iptables-service-type} is required for Podman to be able to setup its +own networks. Due to the change in user groups and file systems it is +recommended to reboot (or at least logout), before trying to run Podman commands. 
+ +To test your installation you can run: + +@example +$ podman run -it --rm docker.io/alpine cat /etc/*release* +NAME="Alpine Linux" +ID=alpine +VERSION_ID=3.20.2 +PRETTY_NAME="Alpine Linux v3.20" +HOME_URL="https://alpinelinux.org/" +BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues" +@end example + +@end defvar + +@c %start of fragment + +@deftp {Data Type} rootless-podman-configuration +Available @code{rootless-podman-configuration} fields are: + +@table @asis +@item @code{podman} (default: @code{podman}) (type: package) +The Podman package that will be installed in the system profile. + +@item @code{group-name} (default: @code{"cgroup"}) (type: string) +The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group. + +@item @code{containers-registries} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file. + +@item @code{containers-storage} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file. + +@item @code{containers-policy} (type: lowerable) +A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file. + +@item @code{pam-limits} (type: list-of-pam-limits-entries) +The PAM limits to be set for rootless Podman. + +@item @code{subgids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subgids that will be +available for each configured user. + +@item @code{subuids} (default: @code{()}) (type: list-of-subid-ranges) +A list of subid ranges representing the subuids that will be +available for each configured user. + +@end table + +@end deftp + + +@c %end of fragment + @cindex OCI-backed, Shepherd services @subsubheading OCI backed services diff --git a/gnu/local.mk b/gnu/local.mk index 3b0a3858f7..a543f1ddc9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
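Review bot: the paragraph introducing the service reads `@url{https://www.sylabs.io/singularity/, Singularity} is a container management tool` while the rest of the sentence and the whole section are about Podman; this looks copied from the Singularity entry just above and should name and link Podman instead. Smaller points in the same hunk: `setup` in `to be able to setup its own networks` should be `set up`; and the `containers-registries`, `containers-storage` and `containers-policy` items show no default, although the default `containers/policy.json` in gnu/services/containers.scm is `{"default": [{"type": "insecureAcceptAnything"}]}`, which accepts any image without signature verification, something a reader of this section should be told here rather than have to find in the source.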
@@ -708,6 +708,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/cgit.scm \ %D%/services/ci.scm \ %D%/services/configuration.scm \ + %D%/services/containers.scm \ %D%/services/cuirass.scm \ %D%/services/cups.scm \ %D%/services/databases.scm \ @@ -813,6 +814,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/base.scm \ %D%/tests/cachefilesd.scm \ %D%/tests/ci.scm \ + %D%/tests/containers.scm \ %D%/tests/cups.scm \ %D%/tests/databases.scm \ %D%/tests/desktop.scm \ diff --git a/gnu/services/containers.scm b/gnu/services/containers.scm new file mode 100644 index 0000000000..03f0649c0d --- /dev/null +++ b/gnu/services/containers.scm 
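Review bot: the commit message lists `* gnu/local.mk: Test it.` and `* gnu/local.mk: Add them.`, but the first of those describes the new gnu/tests/containers.scm that the second hunk here registers; rewrite the ChangeLog so gnu/tests/containers.scm gets its own entry and gnu/local.mk appears once.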
@@ -0,0 +1,238 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services containers) + #:use-module (gnu packages containers) + #:use-module (gnu packages file-systems) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system accounts) + #:use-module (gnu system shadow) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (srfi srfi-1) + #:export (rootless-podman-configuration + rootless-podman-configuration? + rootless-podman-configuration-fields + rootless-podman-configuration-podman + rootless-podman-configuration-group-name + rootless-podman-configuration-containers-registries + rootless-podman-configuration-containers-storage + rootless-podman-configuration-containers-policy + rootless-podman-configuration-pam-limits + rootless-podman-configuration-subgids + rootless-podman-configuration-subuids + + rootless-podman-service-subids + rootless-podman-service-accounts + rootless-podman-service-profile + rootless-podman-shepherd-services + rootless-podman-service-etc + + rootless-podman-service-type)) + +(define (gexp-or-string? value) + (or (gexp? value) + (string? 
value))) + +(define (lowerable? value) + (or (file-like? value) + (gexp-or-string? value))) + +(define list-of-pam-limits-entries? + (list-of pam-limits-entry?)) + +(define list-of-subid-ranges? + (list-of subid-range?)) + +(define-configuration/no-serialization rootless-podman-configuration + (podman + (package podman) + "The Podman package that will be installed in the system profile.") + (group-name + (string "cgroup") + "The name of the group that will own /sys/fs/cgroup resources. Users that +want to use rootless Podman have to be in this group.") + (containers-registries + (lowerable + (plain-file "registries.conf" + (string-append "unqualified-search-registries = ['docker.io','" + "registry.fedora.org','registry.opensuse.org']"))) + "A string or a gexp evaluating to the path of Podman's +@code{containers/registries.conf} configuration file.") + (containers-storage + (lowerable + (plain-file "storage.conf" + "[storage] +driver = \"overlay\"")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/storage.conf} configuration file.") + (containers-policy + (lowerable + (plain-file "policy.json" + "{\"default\": [{\"type\": \"insecureAcceptAnything\"}]}")) + "A string or a gexp evaluating to the path of Podman's +@code{containers/policy.json} configuration file.") + (pam-limits + (list-of-pam-limits-entries + (list (pam-limits-entry "*" 'both 'nofile 100000))) + "The PAM limits to be set for rootless Podman.") + (subgids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subgids that will be +available for each configured user.") + (subuids + (list-of-subid-ranges '()) + "A list of subid ranges representing the subuids that will be +available for each configured user.")) + +(define rootless-podman-service-profile + (lambda (config) + (list + (rootless-podman-configuration-podman config)))) + +(define rootless-podman-service-etc + (lambda (config) + (list `("containers/registries.conf" + 
,(rootless-podman-configuration-containers-registries config)) + `("containers/storage.conf" + ,(rootless-podman-configuration-containers-storage config)) + `("containers/policy.json" + ,(rootless-podman-configuration-containers-policy config))))) + +(define rootless-podman-service-subids + (lambda (config) + (subids-extension + (subgids (rootless-podman-configuration-subgids config)) + (subuids (rootless-podman-configuration-subuids config))))) + +(define rootless-podman-service-accounts + (lambda (config) + (list (user-group (name (rootless-podman-configuration-group-name config)) + (system? #t))))) + +(define (cgroups-fs-owner-entrypoint config) + (define group + (rootless-podman-configuration-group-name config)) + (program-file "cgroups2-fs-owner-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting /sys/fs/cgroup " + "group ownership to " #$group " && chown -v " + "root:" #$group " /sys/fs/cgroup && " + "chmod -v 775 /sys/fs/cgroup && chown -v " + "root:" #$group " /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads} && " + "chmod -v 664 /sys/fs/cgroup/cgroup." + "{procs,subtree_control,threads}")))) + +(define (rootless-podman-cgroups-fs-owner-service config) + (shepherd-service (provision '(cgroups2-fs-owner)) + (requirement + '(dbus-system + elogind + file-system-/sys/fs/cgroup + networking + udev + cgroups2-limits)) + (one-shot? 
#t) + (documentation + "Set ownership of /sys/fs/cgroup to the configured group.") + (start + #~(make-forkexec-constructor + (list + #$(cgroups-fs-owner-entrypoint config)))) + (stop + #~(make-kill-destructor)))) + +(define cgroups-limits-entrypoint + (program-file "cgroups2-limits-entrypoint" + #~(system* + "bash" "-c" + (string-append "echo Setting cgroups v2 limits && " + "echo +cpu +cpuset +memory +pids" + " >> /sys/fs/cgroup/cgroup.subtree_control")))) + +(define (rootless-podman-cgroups-limits-service config) + (shepherd-service (provision '(cgroups2-limits)) + (requirement + '(dbus-system + elogind + networking + udev + file-system-/sys/fs/cgroup + rootless-podman-shared-root-fs)) + (one-shot? #t) + (documentation + "Allow setting cgroups limits: cpu, cpuset, memory and +pids.") + (start + #~(make-forkexec-constructor + (list + #$cgroups-limits-entrypoint))) + (stop + #~(make-kill-destructor)))) + +(define rootless-podman-shared-root-fs-entrypoint + (program-file "rootless-podman-shared-root-fs-entrypoint" + #~(system* + "mount" "--make-shared" "/"))) + +(define (rootless-podman-shared-root-fs-service config) + (shepherd-service (provision '(rootless-podman-shared-root-fs)) + (requirement + '(user-processes)) + (one-shot? #t) + (documentation + "Buildah/Podman running as rootless expects the bind mount +to be shared. 
This service sets it so.") + (start + #~(make-forkexec-constructor + (list + #$rootless-podman-shared-root-fs-entrypoint))) + (stop + #~(make-kill-destructor)))) + +(define (rootless-podman-shepherd-services config) + (list + (rootless-podman-shared-root-fs-service config) + (rootless-podman-cgroups-limits-service config) + (rootless-podman-cgroups-fs-owner-service config))) + +(define rootless-podman-service-type + (service-type (name 'rootless-podman) + (extensions + (list + (service-extension subids-service-type + rootless-podman-service-subids) + (service-extension account-service-type + rootless-podman-service-accounts) + (service-extension profile-service-type + rootless-podman-service-profile) + (service-extension shepherd-root-service-type + rootless-podman-shepherd-services) + (service-extension pam-limits-service-type + rootless-podman-configuration-pam-limits) + (service-extension etc-service-type + rootless-podman-service-etc))) + (default-value (rootless-podman-configuration)) + (description + "This service configures rootless @code{podman} on the Guix System."))) diff --git a/gnu/tests/containers.scm b/gnu/tests/containers.scm new file mode 100644 index 0000000000..ba2fb22df6 --- /dev/null +++ b/gnu/tests/containers.scm 
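Review bot: `cgroups-fs-owner-entrypoint` splices the configured group name into a `bash -c` command string (`"root:" #$group " /sys/fs/cgroup && " ...`) while `group-name` is only checked to be a string, so a name containing a space or shell metacharacters silently changes the command; either validate the name against the usual group-name syntax in the configuration type or call `chown` and `chmod` through `system*` with separate arguments so no shell parses it. Two further points on this hunk that belong in the field docstrings: the default `containers/policy.json` is `{"default": [{"type": "insecureAcceptAnything"}]}`, which disables signature verification for every registry, and `chmod -v 775 /sys/fs/cgroup` plus `chmod -v 664` on the root `cgroup.procs`, `cgroup.subtree_control` and `cgroup.threads` gives every member of `group-name` write access to the root cgroup's control files rather than to a delegated sub-hierarchy, so the `group-name` description should say that membership is a privilege to hand out deliberately. Lastly, `rootless-podman-shared-root-fs-entrypoint` runs `mount --make-shared /`, which changes mount propagation for the whole root mount and not just for Podman; the shepherd service's documentation string should say so.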
@@ -0,0 +1,340 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Giacomo Leidi +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests containers) + #:use-module (gnu) + #:use-module (gnu tests) + #:use-module (guix build-system trivial) + #:use-module (gnu packages bash) + #:use-module (gnu packages containers) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu services) + #:use-module (gnu services containers) + #:use-module (gnu services desktop) + #:use-module (gnu services dbus) + #:use-module (gnu services networking) + #:use-module (gnu system) + #:use-module (gnu system accounts) + #:use-module (gnu system vm) + #:use-module (guix gexp) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix monads) + #:use-module (guix packages) + #:use-module (guix profiles) + #:use-module ((guix scripts pack) #:prefix pack:) + #:use-module (guix store) + #:export (%test-rootless-podman)) + + +(define %rootless-podman-os + (simple-operating-system + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "dummy")))) + (subuids + (list (subid-range (name "dummy")))))) + + (service dhcp-client-service-type) + (service dbus-root-service-type) + (service polkit-service-type) + (service 
elogind-service-type) + + (simple-service 'accounts + account-service-type + (list (user-account + (name "dummy") + (group "users") + (supplementary-groups '("wheel" "netdev" "cgroup" + "audio" "video"))))))) + +(define (run-rootless-podman-test oci-tarball) + + (define os + (marionette-operating-system + (operating-system-with-gc-roots + %rootless-podman-os + (list oci-tarball)) + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine + (operating-system os) + (volatile? #f) + (memory-size 1024) + (disk-image-size (* 3000 (expt 2 20))) + (port-forwardings '()))) + + (define test + (with-imported-modules '((gnu build marionette) + (gnu services herd)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + ;; Relax timeout to accommodate older systems and + ;; allow for pulling the image. + (make-marionette (list #$vm) #:timeout 60)) + (define out-dir "/tmp") + + (test-runner-current (system-test-runner #$output)) + (test-begin "rootless-podman") + + (test-assert "service started" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'cgroups2-fs-owner) + (#f #f) + ;; herd returns (running #f), likely because of one shot, + ;; so consider any non-error a success. + (('service response-parts ...) #t))) + marionette)) + + (test-equal "/sys/fs/cgroup/cgroup.subtree_control content is sound" + (list "cpu" "cpuset" "memory" "pids") + (marionette-eval + `(begin + (use-modules (srfi srfi-1) + (ice-9 popen) + (ice-9 match) + (ice-9 rdelim)) + + (define (read-lines file-or-port) + (define (loop-lines port) + (let loop ((lines '())) + (match (read-line port) + ((? eof-object?) + (reverse lines)) + (line + (loop (cons line lines)))))) + + (if (port? 
file-or-port) + (loop-lines file-or-port) + (call-with-input-file file-or-port + loop-lines))) + + (define slurp + (lambda args + (let* ((port (apply open-pipe* OPEN_READ args)) + (output (read-lines port)) + (status (close-pipe port))) + output))) + (let* ((response1 (slurp + ,(string-append #$coreutils "/bin/cat") + "/sys/fs/cgroup/cgroup.subtree_control"))) + (sort-list (string-split (first response1) #\space) stringscm (scm->json-string \"JSON!\")))'")) + + ;; Check whether /tmp exists. + (response4 (slurp + ,(string-append #$podman "/bin/podman") + "run" "--pull" "never" repository&tag "-c" + "'(display (stat:perms (lstat \"/tmp\")))'"))) + (call-with-output-file (string-append ,out-dir "/response1") + (lambda (port) + (display (string-join response1 " ") port))) + (call-with-output-file (string-append ,out-dir "/response2") + (lambda (port) + (display (string-join response2 " ") port))) + (call-with-output-file (string-append ,out-dir "/response3") + (lambda (port) + (display (string-join response3 " ") port))) + (call-with-output-file (string-append ,out-dir "/response4") + (lambda (port) + (display (string-join response4 " ") port))))) + (lambda () + (primitive-exit 127)))) + (pid + (cdr (waitpid pid)))) + (wait-for-file (string-append ,out-dir "/response4")) + (append + (slurp "cat" (string-append ,out-dir "/response1")) + (slurp "cat" (string-append ,out-dir "/response2")) + (slurp "cat" (string-append ,out-dir "/response3")) + (map string->number (slurp "cat" (string-append ,out-dir "/response4"))))) + marionette)) + + (test-end)))) + + (gexp->derivation "rootless-podman-test" test)) + +(define (build-tarball&run-rootless-podman-test) + (mlet* %store-monad + ((_ (set-grafting #f)) + (guile (set-guile-for-build (default-guile))) + (guest-script-package -> + (package + (name "guest-script") + (version "0") + (source #f) + (build-system trivial-build-system) + (arguments `(#:guile ,guile-3.0 + #:builder + (let ((out (assoc-ref %outputs "out"))) + (mkdir 
out) + (call-with-output-file (string-append out "/a.scm") + (lambda (port) + (display "(display \"hello world\n\")" port))) + #t))) + (synopsis "Display hello world using Guile") + (description "This package displays the text \"hello world\" on the +standard output device and then enters a new line.") + (home-page #f) + (license license:public-domain))) + (profile (profile-derivation (packages->manifest + (list guile-3.0 guile-json-3 + guest-script-package)) + #:hooks '() + #:locales? #f)) + (tarball (pack:docker-image + "docker-pack" profile + #:symlinks '(("/bin/Guile" -> "bin/guile") + ("aa.scm" -> "a.scm")) + #:extra-options + '(#:image-tag "guile-guest") + #:entry-point "bin/guile" + #:localstatedir? #t))) + (run-rootless-podman-test tarball))) + +(define %test-rootless-podman + (system-test + (name "rootless-podman") + (description "Test rootless Podman service.") + (value (build-tarball&run-rootless-podman-test)))) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Wed Dec 18 11:22:45 2024 Received: (at 72740-done) by debbugs.gnu.org; 18 Dec 2024 16:22:45 +0000 Received: from localhost ([127.0.0.1]:35710 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNwou-0003qV-Ve for submit@debbugs.gnu.org; Wed, 18 Dec 2024 11:22:45 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46340) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNwoq-0003qA-Iq for 72740-done@debbugs.gnu.org; Wed, 18 Dec 2024 11:22:44 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tNwoi-0007Ao-Ri; Wed, 18 Dec 2024 11:22:33 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=8UvDeqVbh9uVDFlYU2wJC7m2pxQ7RtRS6oaF4owIU3s=; b=S4KQrnuHc7T4yJgBmGsW 
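Review bot: in the cgroup.subtree_control test, slurp discards the status it gets from close-pipe and the caller immediately evaluates (first response1); if cat fails or the file is empty, response1 is () and first aborts the whole run with "Wrong type (expecting pair): ()" rather than producing a failed assertion, which is exactly the error reported later in this thread. Return or check the exit status in slurp, and guard the empty case before splitting, for example (if (null? response1) '() (string-split (first response1) #\space)). The "Load oci image" test has the mirror problem: the child calls (primitive-exit 127) on any exception, but the parent binds (cdr (waitpid pid)) without looking at it and then blocks in (wait-for-file ... "/response4"), so a podman failure turns into a hang until the marionette timeout instead of a failure; check the status before waiting, or have the child write the response files on the error path too. Two smaller points: the "service started" test accepts any ('service response-parts ...) reply, so it passes even when the entrypoint failed, and the dummy account that is meant to demonstrate unprivileged use is also a member of wheel, which the test does not need and which weakens what it proves.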
From: Ludovic Courtès
To: Giacomo Leidi
Cc: 72740-done@debbugs.gnu.org, Maxim Cournoyer, Florian Pelz, Matthew Trzcinski
Subject: Re: bug#72740: Add rootless-podman-service-type
Date: Wed, 18 Dec 2024 17:21:50 +0100
Message-ID: <87r065j71d.fsf_-_@gnu.org>
In-Reply-To: <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org> (Giacomo Leidi's message of "Fri, 23 Aug 2024 13:40:57 +0200")
References: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org>

Hi,

Giacomo Leidi skribis:

> * gnu/services/containers.scm: New file;
> (rootless-podman-configuration): new variable;
> (rootless-podman-service-subids): new variable;
> (rootless-podman-service-accounts): new variable;
> (rootless-podman-service-profile): new variable;
> (rootless-podman-shepherd-services): new variable;
> (rootless-podman-service-etc): new variable;
> (rootless-podman-service-type): new variable.
> * gnu/local.mk: Test it.
> * gnu/local.mk: Add them.
> * doc/guix.texi (Miscellaneous Services): Document it.
>
> Change-Id: I041496474c1027da353bd6852f2554a065914d7a

Applied at long last, with the changes below to the manual.

Thank you!

Ludo’.

diff --git a/doc/guix.texi b/doc/guix.texi
index a05fa68c05..ee2002a712 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41295,18 +41295,24 @@ Miscellaneous Services @cindex Rootless Podman @subsubheading Rootless Podman Service +@cindex rootless podman, container management tool +@cindex podman, rootless +@cindex container management, podman The @code{(gnu services containers)} module provides the following service. -@cindex Rootless Podman, container management tool @defvar rootless-podman-service-type +This is the service type for @url{https://podman.io, Podman} is a +container management tool. -@url{https://www.sylabs.io/singularity/, Singularity} is a container management -tool. In addition to providing a drop-in replacement for Docker, Podman offers -the ability to run containers in rootless mode. This allows regular users to -deploy containers without elevated privileges. +In addition to providing a drop-in replacement for Docker, Podman offers +the ability to run containers in ``root-less'' mode, meaning that regular users can +deploy containers without elevated privileges. It does so mainly by leveraging +two Linux kernel features: unprivileged user namespaces, and subordinate +user and group IDs (@pxref{subordinate-user-group-ids, the subordinate +user and group ID service}). -The @code{rootless-podman-service-type} sets up the Guix System to allow +The @code{rootless-podman-service-type} sets up the system to allow unprivileged users to run @command{podman} commands: @lisp 
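Review bot: the new opening sentence reads "This is the service type for Podman is a container management tool", which is ungrammatical; make it "This is the service type for @url{https://podman.io, Podman}, a container management tool." The explanation that follows attributes rootless operation to "two Linux kernel features: unprivileged user namespaces, and subordinate user and group IDs", but only the first is a kernel feature. Subordinate ID ranges are a userspace convention (/etc/subuid and /etc/subgid, consumed by the setuid-root newuidmap and newgidmap helpers) that decides which host IDs a user's namespace is allowed to map; saying so would explain to readers why this service also extends subids-service-type and why those helpers have to be privileged.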
@@ -41325,14 +41331,14 @@ Miscellaneous Services "audio" "video"))) %base-user-accounts)) (services - (list - (service iptables-service-type) - (service rootless-podman-service-type - (rootless-podman-configuration - (subgids - (list (subid-range (name "alice")))) - (subuids - (list (subid-range (name "alice"))))))))) + (append (list (service iptables-service-type) + (service rootless-podman-service-type + (rootless-podman-configuration + (subgids + (list (subid-range (name "alice")))) + (subuids + (list (subid-range (name "alice"))))))) + %base-services))) @end lisp The @code{iptables-service-type} is required for Podman to be able to setup its --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 29 05:36:47 2024 Received: (at 72740) by debbugs.gnu.org; 29 Dec 2024 10:36:47 +0000 Received: from localhost ([127.0.0.1]:53870 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tRqf9-0008Qi-0d for submit@debbugs.gnu.org; Sun, 29 Dec 2024 05:36:47 -0500 Received: from eggs.gnu.org ([209.51.188.92]:34664) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tRqf7-0008QW-Dt for 72740@debbugs.gnu.org; Sun, 29 Dec 2024 05:36:45 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tRqf2-00041c-63; Sun, 29 Dec 2024 05:36:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=Gp+r3zEAlU9Jt1cXjpI7RXSdq1gVLXWd9ZJoCmczSlA=; b=Z6Zr5tv8oS8RBWo2TCa9 V4nquIGNQA6/nAKpjhboYhYF2AMNKo6c9rMUz01D0PzHxDvfst/NtPPXKWe8h79988yIPGXVXKmbN q9t+Lu4C2IIMx+gC6EFw6IXDTmdh19vfJpTU1oftd3coNbMcUvpUD+LBoSfdB2qrDQk394iiMjEAT Bpfi/Xfm3bCuFas6/ZxQGQD1BEpXtgohTwv8JElhzCcxNFem/NwHBY+hmIoXONMpRR8OuBovhVj4u 3HufiSl6spHGZpIgR7slqBPpCpdjNWLNb5ide5HA58PhvSO3OuijoV8crYstOO2MGv2Asr/sxa3uF zy9B66mnghOF+A==; 
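Review bot: the example passes only (name "alice") to subid-range for both subuids and subgids, so readers depend on defaults for start and count that this section never states; add a sentence giving the default range size and noting that Podman needs the range to cover every UID and GID used inside the images the user will run (65536 is the size usually recommended), otherwise the first image with a high-numbered user will fail to unpack.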
From: Ludovic Courtès
To: Giacomo Leidi
Cc: 72740@debbugs.gnu.org, Maxim Cournoyer, Florian Pelz, Matthew Trzcinski
Subject: Re: bug#72740: Add rootless-podman-service-type
Date: Sun, 29 Dec 2024 11:36:37 +0100
Message-ID: <87r05qrd1m.fsf_-_@gnu.org>
In-Reply-To: <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org> (Giacomo Leidi's message of "Fri, 23 Aug 2024 13:40:57 +0200")
References: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org>

Hi Giacomo,

I noticed that the test is currently failing:

--8<---------------cut here---------------start------------->8---
shepherd: Service rootless-podman-shared-root-fs has been started.
shepherd: Starting service cgroups2-fs-owner...
shepherd: Service cgroups2-fs-owner started.
shepherd: Service cgroups2-fs-owner running with value #<<process> id: 178 command: ("/gnu/store/vq4rfvdj6xbrpclwmpdvp6ydxsggwvkh-cgroups2-fs-owner-entrypoint")>.
shepherd: Service cgroups2-limits has been started.
shepherd: Starting service cgroups2-fs-owner...
shepherd: Service cgroups2-fs-owner has been started.
ice-9/eval.scm:159:9: In procedure car: Wrong type (expecting pair): ()
Getting image source signatures
Copying blob 2e9a3fc88c27 [=>-----------------] 11.8MiB / 138.8MiB | 170.3 MiB/s
Copying blob 2e9a3fc88c27 [==>----------------] 23.8MiB / 138.8MiB | 171.4 MiB/s
[…]
Test begin:
  test-name: "/sys/fs/cgroup/cgroup.subtree_control content is sound"
  source-file: "/gnu/store/mdx7id4501d4sj71zlgdx9qa31f0rspp-rootless-podman-test-builder"
  source-line: 1
  source-form: (test-equal "/sys/fs/cgroup/cgroup.subtree_control content is sound" (list "cpu" "cpuset" "memory" "pids") (marionette-eval (quasiquote (begin (use-modules (srfi srfi-1) (ice-9 popen) (ice-9 match) (ice-9 rdelim)) (define (read-lines file-or-port) (define (loop-lines port) (let loop ((lines (quote ()))) (match (read-line port) ((? eof-object?) (reverse lines)) (line (loop (cons line lines)))))) (if (port? file-or-port) (loop-lines file-or-port) (call-with-input-file file-or-port loop-lines))) (define slurp (lambda args (let* ((port (apply open-pipe* OPEN_READ args)) (output (read-lines port)) (status (close-pipe port))) output))) (let* ((response1 (slurp (unquote (string-append "/gnu/store/fk39d3y3zyr6ajyzy8d6ghd0sj524cs5-coreutils-9.1" "/bin/cat")) "/sys/fs/cgroup/cgroup.subtree_control"))) (sort-list (string-split (first response1) #\space) string<?
--8<---------------cut here---------------end--------------->8---

(From .)

Notice the “Wrong type” error. Could you take a look?

Ludo’.
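The checks the test exercises inside its VM (cgroup v2 controllers delegated in cgroup.subtree_control, subordinate ID ranges for the user, unprivileged user namespaces available) are the same prerequisites an administrator has to verify on a real host before rootless Podman will work, and the failure just reported is what happens when one of them is read without guarding the empty case. The POSIX shell script below is an added example written for this page; it is not part of the Guix patch nor anything posted in this thread. The function names are mine, the 65536-ID minimum is the range size usually recommended for Podman rather than a figure this thread states, and each function takes the file it inspects as an argument so it runs against constructed sample files as well as the live /etc/subuid, /etc/subgid, /sys/fs/cgroup/cgroup.subtree_control and /proc/sys/user/max_user_namespaces.

```shell
#!/bin/sh
# Added example for this page, not code from the Guix patch or the thread:
# host-side preflight checks for the prerequisites the rootless-podman test
# asserts inside its VM. Every check takes the file to inspect as an argument,
# so the same functions run against the live system or constructed samples.

# Succeed if every controller named after the file appears in the cgroup v2
# subtree_control file (the Guix test expects cpu cpuset memory pids).
subtree_has_controllers() {
  file=$1; shift
  [ -r "$file" ] || return 1
  enabled=$(tr ' ' '\n' < "$file")
  for want in "$@"; do
    printf '%s\n' "$enabled" | grep -qx "$want" || return 1
  done
  return 0
}

# Succeed if user $2 owns at least $3 IDs in an /etc/subuid-style file $1
# (one "name:start:count" entry per line; several entries are summed,
# malformed entries are ignored rather than trusted).
subid_range_ok() {
  file=$1; user=$2; need=$3
  [ -r "$file" ] || return 1
  total=0
  while IFS=: read -r name start count; do
    [ "$name" = "$user" ] || continue
    case $count in ''|*[!0-9]*) continue ;; esac
    total=$((total + count))
  done < "$file"
  [ "$total" -ge "$need" ]
}

# Succeed if the sysctl-style file holds a positive integer, e.g.
# /proc/sys/user/max_user_namespaces, which must be > 0 for an unprivileged
# user to create the user namespace rootless podman relies on.
sysctl_positive() {
  [ -r "$1" ] || return 1
  v=$(tr -d '[:space:]' < "$1")
  [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null
}

# Run all checks for one user. Paths default to the live system; pass
# alternatives to test against sample files. 65536 is the minimum range
# size usually recommended for Podman (an assumption of this example).
rootless_podman_preflight() {
  user=${1:-$(id -un)}
  subuid=${2:-/etc/subuid}
  subgid=${3:-/etc/subgid}
  subtree=${4:-/sys/fs/cgroup/cgroup.subtree_control}
  maxns=${5:-/proc/sys/user/max_user_namespaces}
  rc=0
  subtree_has_controllers "$subtree" cpu cpuset memory pids ||
    { echo "FAIL: cpu/cpuset/memory/pids not all delegated in $subtree"; rc=1; }
  subid_range_ok "$subuid" "$user" 65536 ||
    { echo "FAIL: $user has fewer than 65536 subordinate UIDs in $subuid"; rc=1; }
  subid_range_ok "$subgid" "$user" 65536 ||
    { echo "FAIL: $user has fewer than 65536 subordinate GIDs in $subgid"; rc=1; }
  sysctl_positive "$maxns" ||
    { echo "FAIL: unprivileged user namespaces unavailable ($maxns)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: rootless podman prerequisites present for $user"
  return "$rc"
}

# Usage: sh preflight.sh --check [user]   (no-op when loaded without --check)
case ${1:-} in
  --check) rootless_podman_preflight "${2:-}" ;;
esac
```

Each check returns a status instead of printing and aborting, so a missing or empty file (the situation that made the Guile test crash in car) shows up as a named FAIL line and a non-zero exit rather than an exception.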
From: paul
To: Ludovic Courtès
Cc: 72740@debbugs.gnu.org, Maxim Cournoyer, Florian Pelz, Matthew Trzcinski
Subject: Re: bug#72740: Add rootless-podman-service-type
Date: Sun, 29 Dec 2024 22:58:17 +0100
In-Reply-To: <87r05qrd1m.fsf_-_@gnu.org>
References: <1af98aa934040d79301c290acd719a7710e09800.1724413257.git.goodoldpaul@autistici.org> <8b98dbb863b7cca61be7006a0e52de76f2ad98af.1724413257.git.goodoldpaul@autistici.org> <87r05qrd1m.fsf_-_@gnu.org>

Hi Ludo',

it works on my laptop (I'm trying on commit 0d4af3c55c7fd75f03a0b6ecc059720657268ff3), so I believe it is just a matter of increasing timeouts. I'm creating a new patch to increase them.

GC Warning: pthread_getattr_np or pthread_attr_getstack failed for main thread
GC Warning: Could not open /proc/stat
Welcome, this is GNU's early boot Guile.
Use 'gnu.repl' for an initrd REPL.

loading kernel modules...
Guix_image: clean, 74861/192000 files, 529473/768000 blocks
loading '/gnu/store/88p4hfc4bb3vgbdl5wbzp32iz5paddk5-system/boot'...
making '/gnu/store/88p4hfc4bb3vgbdl5wbzp32iz5paddk5-system' the current system...
populating /etc from /gnu/store/xzdyagi33ab00lzcanr9day1pym4s116-etc...
setting up privileged programs in '/run/privileged/bin'...
Please wait while gathering entropy to generate the key pair;
this may take time...
creating /etc/machine-id...
[    9.126087] udevd[96]: specified group 'sgx' unknown
[    9.513326] udevd[96]: no sender credentials received, message ignored
[   11.933576] Error: Driver 'pcspkr' is already registered, aborting...
Dec 29 22:54:06 localhost vmunix: [    9.126087] udevd[96]: specified group 'sgx' unknown
Dec 29 22:54:06 localhost vmunix: [    9.513326] udevd[96]: no sender credentials received, message ignored
Dec 29 22:54:06 localhost vmunix: [   11.933576] Error: Driver 'pcspkr' is already registered, aborting...


This is the GNU system.  Welcome.
komputilo login: Getting image source signatures
Copying blob 2e9a3fc88c27 done   |
Copying config 6143ce0196 done   |
Writing manifest to image destination
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;;       or pass the --no-auto-compile argument to disable.
;;; compiling /aa.scm
;;; compiled /.cache/guile/ccache/3.0-LE-8-4.6/gnu/store/94fibvjivrc2phgm90kc6ka3jjysgg6h-guest-script-0/a.scm.go
shepherd: Starting service cgroups2-fs-owner...
shepherd: Service cgroups2-fs-owner started.
shepherd: Service cgroups2-fs-owner running with value #<<process> id: 180 command: ("/gnu/store/89mgs6sgfgd7vhcb8w7j6fsz6vpwp4.
shepherd: Service user-homes has been started.
shepherd: Service rootless-podman-shared-root-fs has been started.
shepherd: Service cgroups2-limits has been started.
shepherd: Starting service cgroups2-fs-owner...
shepherd: Service cgroups2-fs-owner has been started.
QEMU runs as PID 18
connected to QEMU's monitor
read QEMU monitor prompt
connected to guest REPL
%%%% Starting test rootless-podman  (Writing full log to "/gnu/store/6ga9q0nwl3ccwpkba73rmls41vg86b20-rootless-podman-test/root)
marionette is ready
PASS: service started
PASS: /sys/fs/cgroup/cgroup.subtree_control content is sound
PASS: /sys/fs/cgroup has correct permissions
PASS: Load oci image and run it (unprivileged)
# of expected passes      4
successfully built /gnu/store/3h3xhr7wdnd8w79bfarqfhjfwgzd91ad-rootless-podman-test.drv
/gnu/store/6ga9q0nwl3ccwpkba73rmls41vg86b20-rootless-podman-test

Thank you for bringing this up,

cheers

giacomo

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 27 Jan 2025 12:24:09 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator