From 5627bfe45ce46f498979b4ad2deab1fdfed22b6c Mon Sep 17 00:00:00 2001 From: Jason Conroy Date: Sun, 27 Sep 2020 13:16:39 -0400 Subject: Instantiate nscd in each system container. * gnu/system/linux-container.scm (%nscd-container-caches): New variable. (containerized-operating-system): Instantiate nscd-service with smaller caches and add it to the generated operating-system, replacing any nscd-service specified by the caller. * gnu/system/file-systems.scm: (%network-file-mappings): Remove "/var/run/nscd". Signed-off-by: Mathieu Othacehe --- gnu/system/file-systems.scm | 8 +++--- gnu/system/linux-container.scm | 59 ++++++++++++++++++++++++++++-------------- 2 files changed, 43 insertions(+), 24 deletions(-) (limited to 'gnu/system') diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm index 5c02dfac93..464e87cb18 100644 --- a/gnu/system/file-systems.scm +++ b/gnu/system/file-systems.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès +;;; Copyright © 2020 Google LLC ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Maxim Cournoyer ;;; @@ -590,11 +591,8 @@ a bind mount." ;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a ;; symlink to a file in a tmpfs which, for an unknown reason, ;; cannot be bind mounted read-only within the container. - ;; The same goes with /var/run/nscd, as discussed in - ;; . - (writable? (or (string=? file "/etc/resolv.conf") - (string=? file "/var/run/nscd"))))) - (cons "/var/run/nscd" %network-configuration-files))) + (writable? (string=? file "/etc/resolv.conf")))) + %network-configuration-files)) (define (file-system-type-predicate type) "Return a predicate that, when passed a file system, returns #t if that file diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm index c5e2e4bf9c..4a9cd0efe2 100644 --- a/gnu/system/linux-container.scm +++ b/gnu/system/linux-container.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2019 Arun Isaac ;;; Copyright © 2020 Efraim Flashner +;;; Copyright © 2020 Google LLC ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,15 @@ doing anything.") (start #~(const #t)))) #f)) +(define %nscd-container-caches + ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows + ;; many containers to coexist on the same machine without exhausting RAM. + (map (lambda (cache) + (nscd-cache + (inherit cache) + (max-database-size (expt 2 18)))) ;256KiB + %nscd-default-caches)) + (define* (containerized-operating-system os mappings #:key shared-network? @@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." (file-system (inherit (file-system-mapping->bind-mount fs)) (needed-for-boot? #t))) - (define useless-services - ;; Services that make no sense in a container. Those that attempt to - ;; access /dev/tty[0-9] in particular cannot work in a container. + (define services-to-drop + ;; Service types to filter from the original operating-system. Some of + ;; these make no sense in a container (e.g., those that access + ;; /dev/tty[0-9]), while others just need to be reinstantiated with + ;; different configs that are better suited to containers. (append (list console-font-service-type mingetty-service-type - agetty-service-type) - ;; Remove nscd service if network is shared with the host. + agetty-service-type + ;; Reinstantiated below with smaller caches. + nscd-service-type) (if shared-network? - (list nscd-service-type - static-networking-service-type - dhcp-client-service-type - network-manager-service-type - connman-service-type - wicd-service-type) + ;; Replace these with dummy-networking-service-type below. + (list + static-networking-service-type + dhcp-client-service-type + network-manager-service-type + connman-service-type + wicd-service-type) (list)))) + (define services-to-add + (append + ;; Many Guix services depend on a 'networking' shepherd + ;; service, so make sure to provide a dummy 'networking' + ;; service when we are sure that networking is already set up + ;; in the host and can be used. That prevents double setup. + (if shared-network? + (list (service dummy-networking-service-type)) + '()) + (list + (nscd-service (nscd-configuration + (caches %nscd-container-caches)))))) + (operating-system (inherit os) (swap-devices '()) ; disable swap @@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file systems to add to OS." #:shared-network? shared-network?)) (services (append (remove (lambda (service) (memq (service-kind service) - useless-services)) + services-to-drop)) (operating-system-user-services os)) - ;; Many Guix services depend on a 'networking' shepherd - ;; service, so make sure to provide a dummy 'networking' - ;; service when we are sure that networking is already set up - ;; in the host and can be used. That prevents double setup. - (if shared-network? - (list (service dummy-networking-service-type)) - '()))) + services-to-add)) (file-systems (append (map mapping->fs (if shared-network? (append %network-file-mappings mappings) -- cgit v1.2.3