| author | Ludovic Courtès <ludo@gnu.org> | 2025-04-08 13:50:59 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2025-05-05 14:34:00 +0200 |
| commit | e1a0171a56602ecba193975ea2438329abb51c94 (patch) | |
| tree | 748bafd6719f3eef7656ac1cea58c44cb8e8231a /gnu/build/linux-container.scm | |
| parent | 3aa132e8c30658019281d51caa28b0fb41bab24d (diff) | |
linux-container: Set up “lo” and generate /etc/hosts by default.
* gnu/build/linux-container.scm (run-container): Add #:loopback-network?
and honor it via #:populate-file-system.
(call-with-container): Add #:loopback-network? and pass it to
‘run-container’.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to ‘set-network-interface-up’ and remove generation of /etc/hosts.
* guix/scripts/home.scm (spawn-home-container): Likewise.
Change-Id: I5933a4e8dc6d8e19235a79696b62299d74d1ba21
Diffstat (limited to 'gnu/build/linux-container.scm')
| -rw-r--r-- | gnu/build/linux-container.scm | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 4dcdaa8f334..345ce2de08a 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -237,6 +237,7 @@ corresponds to the symbols in NAMESPACES." (define* (run-container root mounts namespaces host-uids thunk #:key (guest-uid 0) (guest-gid 0) (populate-file-system (const #t)) + (loopback-network? #t) writable-root?) "Run THUNK in a new container process and return its PID. ROOT specifies the root directory for the container. MOUNTS is a list of <file-system> @@ -244,6 +245,9 @@ objects that specify file systems to mount inside the container. NAMESPACES is a list of symbols that correspond to the possible Linux namespaces: mnt, ipc, uts, user, and net. +When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the +loopback device (\"lo\") and a minimal /etc/hosts. + When WRITABLE-ROOT? is false, remount the container's root as read-only before calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially) made read-only. @@ -275,7 +279,21 @@ that host UIDs (respectively GIDs) map to in the namespace." #:mount-/sys? (memq 'net namespaces) #:populate-file-system - populate-file-system + (lambda () + (populate-file-system) + (when (and (memq 'net namespaces) + loopback-network?) + (set-network-interface-up "lo") + + ;; When isolated from the + ;; network, provide a minimal + ;; /etc/hosts to resolve + ;; "localhost". + (mkdir-p "/etc") + (call-with-output-file "/etc/hosts" + (lambda (port) + (display "127.0.0.1 localhost\n" port) + (chmod port #o444))))) #:writable-root? (or writable-root? (not (memq 'mnt namespaces))))) @@ -350,6 +368,7 @@ if there are no child processes left." (relayed-signals (list SIGINT SIGTERM)) (child-is-pid1? #t) (populate-file-system (const #t)) + (loopback-network? #t) writable-root? (process-spawned-hook (const #t))) "Run THUNK in a new container process and return its exit status; call 
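Review bot: In the `@@ -275,7 +279,21 @@` hunk the `/etc/hosts` generation is unconditional, so `call-with-output-file "/etc/hosts"` truncates whatever file already sits at that path — including one written moments earlier by the caller's own `(populate-file-system)`, which the new lambda invokes first, or, if I read MOUNTS right, a host `/etc/hosts` a caller bind-mounts into the container (a read-only mount would instead make the open raise and abort container setup). Guarding the write, e.g. wrapping the `mkdir-p`/`call-with-output-file` pair in `(unless (file-exists? "/etc/hosts") …)`, keeps the new default from clobbering caller-provided state while still covering the bare-root case the comment describes. Separately, the docstring lines added in the `@@ -244` hunk and in the `@@ -371` hunk on the next line both read `'net is amount NAMESPACES`; this should be `among`. The enclosing `run-container` body continues beyond the hunk.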
@@ -371,6 +390,9 @@ UIDs (respectively GIDs) map to in the namespace. RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container process when caught by its parent. +When LOOPBACK-NETWORK? is true and 'net is amount NAMESPACES, set up the +loopback device (\"lo\") and a minimal /etc/hosts. + When WRITABLE-ROOT? is false, remount the container's root as read-only before calling THUNK. Call POPULATE-FILE-SYSTEM before the root is (potentially) made read-only. @@ -430,6 +452,7 @@ load path must be adjusted as needed." #:guest-uid guest-uid #:guest-gid guest-gid #:populate-file-system populate-file-system + #:loopback-network? loopback-network? #:writable-root? writable-root?))) (install-signal-handlers pid) (process-spawned-hook pid) |
