From: paul
Subject: [bug#66160] [PATCH] gnu: Add oci-container-service-type.
Date: Thu, 19 Oct 2023 23:16:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0
Hello Ludo’,

> Hello,
>
> paul <goodoldpaul@autistici.org> skribis:
>
> [...]
>
> Does ‘docker run’ necessarily need to run as root, or are there cases
> where one might want to run it as non-root? (I expect the latter.)

Yes, you are right, it's only required to be in the docker group or in general to have enough permission to operate on the docker daemon socket. I added a new service extension setting up an oci-container user, that is just in the docker group and can not login, that runs OCI-backed services. It is also overridable by the user.

> In that case, maybe create an “oci-service” account part of the “docker”
> group, and run ‘docker run’ as that user instead of running it as root?
> Would that be OK or am I overlooking something?

I already added such a user in the latest version of my patch. I probably made a mess with the patch subjects.

> What I’m suggesting above is that one would build a list of
> ‘oci-container-service-type’ instances, like:
>
>   (list (service oci-container-service-type
>                  (oci-container-configuration …))
>         (service oci-container-service-type
>                  (oci-container-configuration …))
>         …)
>
> Each instance above would correspond to exactly one program in a Docker
> image. I feel it’s slightly more natural than having a service type that
> implements support for multiple OCI services at once.

I agree it's more natural, but (list service-a service-b ...) is the same interface exposed by the shepherd-root-service-type, I believe for the same reasons: I need the oci-nextcloud-service-type to instantiate 3 shepherd services but only create a single account and activate a single data dir under /var/lib, something like this:
(define oci-nextcloud-service-type
  (service-type (name 'nextcloud)
                (extensions (list (service-extension oci-container-service-type
                                                     (lambda (config)
                                                       ;; Return both container configurations as a
                                                       ;; list; a bare sequence of two expressions would
                                                       ;; only hand the last one to the target service.
                                                       (list (make-nextcloud-container config)
                                                             (make-nextcloud-cron-container config))))
                                  (service-extension account-service-type
                                                     (const %nextcloud-accounts))
                                  (service-extension activation-service-type
                                                     %nextcloud-activation)))
                (default-value (nextcloud-configuration))
                (description
                 "This service provides the Nextcloud service as an OCI-backed container.")))
The only way oci-container-service-type could support this use case while accepting a single configuration is, I guess, if multiple (service-extension oci-container-service-type ...) entries were allowed, am I understanding correctly? Is it legal in Guix to write something like:

  (extensions (list (service-extension oci-container-service-type
                                       make-nextcloud-container)
                    (service-extension oci-container-service-type
                                       make-nextcloud-cron-container)
                    (service-extension account-service-type
                                       (const %nextcloud-accounts))
                    (service-extension activation-service-type
                                       %nextcloud-activation)))
> Check out under gnu/tests/*.scm, in particular (gnu tests docker).

Thank you for the pointer, I'll look into those.
giacomo