branch master updated: Instantiate nscd in each system container.
From: guix-commits
Subject: branch master updated: Instantiate nscd in each system container.
Date: Thu, 01 Oct 2020 03:27:57 -0400
This is an automated email from the git hooks/post-receive script.
mothacehe pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 5627bfe Instantiate nscd in each system container.
5627bfe is described below
commit 5627bfe45ce46f498979b4ad2deab1fdfed22b6c
Author: Jason Conroy <jconroy@google.com>
AuthorDate: Sun Sep 27 13:16:39 2020 -0400
Instantiate nscd in each system container.
* gnu/system/linux-container.scm (%nscd-container-caches): New variable.
(containerized-operating-system): Instantiate nscd-service with smaller caches
and add it to the generated operating-system, replacing any nscd-service
specified by the caller.
* gnu/system/file-systems.scm: (%network-file-mappings): Remove
"/var/run/nscd".
Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
---
gnu/system/file-systems.scm | 8 +++---
gnu/system/linux-container.scm | 59 ++++++++++++++++++++++++++++--------------
2 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 5c02dfa..464e87c 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès
<ludo@gnu.org>
+;;; Copyright © 2020 Google LLC
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
@@ -590,11 +591,8 @@ a bind mount."
;; XXX: On some GNU/Linux systems, /etc/resolv.conf is a
;; symlink to a file in a tmpfs which, for an unknown reason,
;; cannot be bind mounted read-only within the container.
- ;; The same goes with /var/run/nscd, as discussed in
- ;; <https://bugs.gnu.org/37967>.
- (writable? (or (string=? file "/etc/resolv.conf")
- (string=? file "/var/run/nscd")))))
- (cons "/var/run/nscd" %network-configuration-files)))
+ (writable? (string=? file "/etc/resolv.conf"))))
+ %network-configuration-files))
(define (file-system-type-predicate type)
"Return a predicate that, when passed a file system, returns #t if that file
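Review bot: dropping "/var/run/nscd" from both the `writable?` predicate and the `(cons "/var/run/nscd" %network-configuration-files)` list is the right change once every container runs its own nscd, since the container no longer needs a writable path to the host's nscd socket; but the deleted comment was the only pointer to <https://bugs.gnu.org/37967>, and the remaining XXX comment now reads as though /etc/resolv.conf was the only file ever affected. Consider carrying a one-line reference to that bug over to the linux-container.scm change that replaces the shared socket, so the reason the host's nscd used to be mapped into containers stays discoverable.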
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c5e2e4b..4a9cd0e 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2020 Google LLC
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,15 @@ doing anything.")
(start #~(const #t))))
#f))
+(define %nscd-container-caches
+ ;; Similar to %nscd-default-caches but with smaller cache sizes. This allows
+ ;; many containers to coexist on the same machine without exhausting RAM.
+ (map (lambda (cache)
+ (nscd-cache
+ (inherit cache)
+ (max-database-size (expt 2 18)))) ;256KiB
+ %nscd-default-caches))
+
(define* (containerized-operating-system os mappings
#:key
shared-network?
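Review bot: the `(max-database-size (expt 2 18))` override applies one 256KiB ceiling to every entry of `%nscd-default-caches` (passwd, group, hosts, services alike), and the comment states the motivation (RAM per container) but not the cost: once a database hits its limit, new entries cannot be cached until older ones are pruned, so containers with a large passwd or hosts population will fall through to the backend more often. A sentence on that trade-off in the comment would help, and since `%nscd-container-caches` is a top-level define, the module's export list (outside this hunk) should be checked so callers who need a different size can reuse the variable rather than re-derive it.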
@@ -100,22 +110,39 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file
systems to add to OS."
(file-system (inherit (file-system-mapping->bind-mount fs))
(needed-for-boot? #t)))
- (define useless-services
- ;; Services that make no sense in a container. Those that attempt to
- ;; access /dev/tty[0-9] in particular cannot work in a container.
+ (define services-to-drop
+ ;; Service types to filter from the original operating-system. Some of
+ ;; these make no sense in a container (e.g., those that access
+ ;; /dev/tty[0-9]), while others just need to be reinstantiated with
+ ;; different configs that are better suited to containers.
(append (list console-font-service-type
mingetty-service-type
- agetty-service-type)
- ;; Remove nscd service if network is shared with the host.
+ agetty-service-type
+ ;; Reinstantiated below with smaller caches.
+ nscd-service-type)
(if shared-network?
- (list nscd-service-type
- static-networking-service-type
- dhcp-client-service-type
- network-manager-service-type
- connman-service-type
- wicd-service-type)
+ ;; Replace these with dummy-networking-service-type below.
+ (list
+ static-networking-service-type
+ dhcp-client-service-type
+ network-manager-service-type
+ connman-service-type
+ wicd-service-type)
(list))))
+ (define services-to-add
+ (append
+ ;; Many Guix services depend on a 'networking' shepherd
+ ;; service, so make sure to provide a dummy 'networking'
+ ;; service when we are sure that networking is already set up
+ ;; in the host and can be used. That prevents double setup.
+ (if shared-network?
+ (list (service dummy-networking-service-type))
+ '())
+ (list
+ (nscd-service (nscd-configuration
+ (caches %nscd-container-caches))))))
+
(operating-system
(inherit os)
(swap-devices '()) ; disable swap
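Review bot: `nscd-service-type` is now dropped unconditionally in `services-to-drop`, and `services-to-add` builds a fresh `(nscd-configuration (caches %nscd-container-caches))`, so every other field of the caller's nscd configuration (its `name-services`, for example an NSS plugin the host OS relies on, or its `debug-level`) is silently lost inside the container. Consider locating the caller's nscd service in `(operating-system-user-services os)` and deriving the container one from it, e.g. `(nscd-configuration (inherit original-config) (caches %nscd-container-caches))`, falling back to the default configuration only when the caller had none; that honours the "replacing any nscd-service" wording in the commit message without changing name-service resolution behaviour.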
@@ -124,15 +151,9 @@ containerized OS. EXTRA-FILE-SYSTEMS is a list of file
systems to add to OS."
#:shared-network? shared-network?))
(services (append (remove (lambda (service)
(memq (service-kind service)
- useless-services))
+ services-to-drop))
(operating-system-user-services os))
- ;; Many Guix services depend on a 'networking' shepherd
- ;; service, so make sure to provide a dummy 'networking'
- ;; service when we are sure that networking is already
set up
- ;; in the host and can be used. That prevents double
setup.
- (if shared-network?
- (list (service dummy-networking-service-type))
- '())))
+ services-to-add))
(file-systems (append (map mapping->fs
(if shared-network?
(append %network-file-mappings mappings)
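Review bot: with an nscd service now always present in `services-to-add`, this `append` relies entirely on the preceding `remove` over `(operating-system-user-services os)` to avoid ending up with two `nscd-service-type` instances, which can fail at instantiation. That holds only as long as nscd is never contributed by `operating-system-essential-services` (not touched here); worth a short comment next to `services-to-add` stating that assumption so a later change to the essential services does not break containerized systems silently.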