[bug#66160] [PATCH] gnu: Add oci-container-service-type.

[paul]

Hello Ludo’ ,

On 10/19/23 22:13, Ludovic Courtès wrote:

> Hello,
>
> paul <goodoldpaul@autistici.org> skribis:
>
>
> [...]
>
> > > Does ‘docker run’ necessarily need to run as root, or are there cases
> > > where one might want to run it as non-root?  (I expect the latter.)
> > >         
> > yes you are right, it's only required to be in the docker group or in
> > general have enough permission to operate on the docker daemon
> > socket. I added a new service extension setting up an oci-container
> > user, that it's just in the docker group and can not login, that runs
> > oci backed services. it is also overridable by the user
> >       
> In that case, maybe create an “oci-service” account part of the “docker”
> group, and run ‘docker run’ as that user instead of running it as root?
> Would that be OK or am I overlooking something?
>     
    I already added such user in the latest version of my patch. I
    probably made a mess with patch subjects.
> What I’m suggesting above is that one would build a list of
> ‘oci-container-service-type’ instances, like:
>
>   (list (service oci-container-service-type
>                  (oci-container-configuration …))
>         (service oci-container-service-type
>                  (oci-container-configuration …))
>         …)
>
> Each instance above would correspond to exactly one program in a Docker
> image.
>
> I feel it’s slightly more natural than having a service type that
> implements support for multiple OCI services at once.
>     
    I agree it's more natural but (list service-a service-b ...) it's
    the same interface exposed by the shepherd-root-service-type, I
    believe for the same reasons I need the oci-nextcloud-service-type
    to instantiate 3 shepherd services but only create a single account,
    activate a single data dir under /var/lib, something like this:
    
(define oci-nextcloud-service-type
  (service-type (name 'nextcloud)
                (extensions (list (service-extension oci-container-service-type
                                                     (lambda (config)
                                                       (make-nextcloud-container config)
                                                       (make-nextcloud-cron-container config)))
                                  (service-extension account-service-type
                                                     (const %nextcloud-accounts))
                                  (service-extension activation-service-type
                                                     %nextcloud-activation)))
                (default-value (nextcloud-configuration))
                (description
                 "This service provides the Nextcloud service as an OCI-backed container.")))

The only way where oci-container-service-type could support this use case by accepting a single configuration is I guess if multiple (service-extension oci-container-service-type ...) where allowed, am I understanding correctly? Is it legal in Guix to write somthing like:

(extensions (list (service-extension oci-container-service-type
                                     make-nextcloud-container)
                  (service-extension oci-container-service-type
                                     make-nextcloud-cron-container)
                  (service-extension account-service-type
                                     (const %nextcloud-accounts))
                  (service-extension activation-service-type
                                     %nextcloud-activation)))

> Check out under gnu/tests/*.scm, in particular (gnu tests docker).
>

Thank you for the pointer, I'll look into those.

giacomo