amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

linux-container: Export ‘%writable-/tmp’ and use it.

Browse source 
Fixes guix/guix#1994.

* gnu/build/linux-container.scm (%writable-/tmp): New variable.
* guix/scripts/environment.scm (launch-environment/container): Remove ‘tmpfs’
and use it.  Adjust ‘file-system’ declaration for /run/user/$UID.
* guix/scripts/home.scm (spawn-home-container): Likewise.

Reported-by: Romain GARBAGE <romain.garbage@inria.fr>
Change-Id: Ia8289fb5386971738caf2ccc1e815daa6ac28459
This commit is contained in:
Ludovic Courtès 2025-08-29 11:13:05 +02:00
parent 6d242496db
commit c52a9cee53
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
3 changed files with 21 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

11
gnu/build/linux-container.scm
View file

@ -30,6 +30,7 @@
unprivileged-user-namespace-supported? unprivileged-user-namespace-supported?
setgroups-supported? setgroups-supported?
%namespaces %namespaces
%writable-/tmp
run-container run-container
call-with-container call-with-container
container-excursion container-excursion
@ -387,6 +388,16 @@ if there are no child processes left."
(+ 128 (or (status:term-sig status) (+ 128 (or (status:term-sig status)
(status:stop-sig status))))) (status:stop-sig status)))))
(define %writable-/tmp
;; Writable and volatile /tmp.
(file-system
(device "none")
(mount-point "/tmp")
(type "tmpfs")
(flags '(no-suid no-dev))
(options "mode=755,size=10%")
(check? #f)))
(define* (call-with-container mounts thunk #:key (namespaces %namespaces) (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(host-uids 1) (guest-uid 0) (guest-gid 0) (host-uids 1) (guest-uid 0) (guest-gid 0)
(lock-mounts? #t) (lock-mounts? #t)

15
guix/scripts/environment.scm
View file

@ -40,6 +40,7 @@
#:autoload (ice-9 ftw) (scandir) #:autoload (ice-9 ftw) (scandir)
#:autoload (gnu build install) (evaluate-populate-directive) #:autoload (gnu build install) (evaluate-populate-directive)
#:autoload (gnu build linux-container) (call-with-container %namespaces #:autoload (gnu build linux-container) (call-with-container %namespaces
%writable-/tmp
user-namespace-supported? user-namespace-supported?
unprivileged-user-namespace-supported? unprivileged-user-namespace-supported?
setgroups-supported?) setgroups-supported?)
@ -771,13 +772,6 @@ added to the container.
Preserve environment variables whose name matches the one of the regexps in Preserve environment variables whose name matches the one of the regexps in
WHILE-LIST." WHILE-LIST."
(define tmpfs
(file-system
(device "none")
(mount-point "/tmp")
(type "tmpfs")
(check? #f)))
(define (optional-mapping->fs mapping) (define (optional-mapping->fs mapping)
(and (file-exists? (file-system-mapping-source mapping)) (and (file-exists? (file-system-mapping-source mapping))
(file-system-mapping->bind-mount mapping))) (file-system-mapping->bind-mount mapping)))
@ -875,9 +869,12 @@ WHILE-LIST."
(writable? #f))) (writable? #f)))
reqs))) reqs)))
(file-systems (append %container-file-systems (file-systems (append %container-file-systems
(list tmpfs ; RW /tmp (list %writable-/tmp
(file-system ; RW /run (file-system ; RW /run
(inherit tmpfs) (device "none")
(type "tmpfs")
(options "size=10%,mode=700")
(check? #f)
(mount-point (mount-point
(string-append "/run/user/" (string-append "/run/user/"
(number->string uid)))) (number->string uid))))

10
guix/scripts/home.scm
View file

@ -38,7 +38,9 @@
group-entry group-entry
write-passwd write-passwd
write-group) write-group)
#:autoload (gnu build linux-container) (call-with-container %namespaces) #:autoload (gnu build linux-container) (call-with-container
%namespaces
%writable-/tmp)
#:use-module ((gnu system) #:select (operating-system? #:use-module ((gnu system) #:select (operating-system?
operating-system-user-services)) operating-system-user-services))
#:autoload (gnu system linux-container) (eval/container) #:autoload (gnu system linux-container) (eval/container)
@ -353,11 +355,7 @@ immediately. Return the exit status of the process in the container."
#:namespaces (if network? #:namespaces (if network?
(delq 'net %namespaces) ; share host network (delq 'net %namespaces) ; share host network
%namespaces) %namespaces)
#:mounts (list (file-system ;writable /tmp #:mounts (list %writable-/tmp
(device "none")
(mount-point "/tmp")
(type "tmpfs")
(check? #f))
(file-system (file-system
(device "none") (device "none")
(mount-point (mount-point