author | Ludovic Courtès <ludo@gnu.org> | 2025-04-04 16:36:17 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2025-05-05 14:33:59 +0200 |
commit | a391394a22f76e29459132888f9950ad74993c5f (patch) | |
tree | 1bffa4e09ffb41f97b7cf3311940ac52c02b7f0f /tests | |
parent | acc4215644a8730e69ab1127e897d7eed56db952 (diff) |
linux-container: Support having a read-only root file system.

Until now, the read-only file system set up by ‘call-with-container’
would always be writable. With this change, it can be made read-only.
With this patch, only ‘least-authority-wrapper’ switches to a read-only
root file system.

* gnu/build/linux-container.scm (remount-read-only): New procedure.
(mount-file-systems): Add #:writable-root? and #:populate-file-system
and honor them.
(run-container): Likewise.
(call-with-container): Likewise.
* gnu/system/linux-container.scm (container-script): Pass #:writable-root?
to ‘call-with-container’.
(eval/container): Add #:populate-file-system and #:writable-root? and
honor them.
* guix/scripts/environment.scm (launch-environment/container):
Pass #:writable-root? to ‘call-with-container’.
* guix/scripts/home.scm (spawn-home-container): Likewise.
* tests/containers.scm ("call-with-container, mnt namespace, read-only root")
("call-with-container, mnt namespace, writable root"): New tests.

Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
Diffstat (limited to 'tests')
-rw-r--r-- | tests/containers.scm | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/tests/containers.scm b/tests/containers.scm index 70d5ba2d30..1e915d517e 100644 --- a/tests/containers.scm +++ b/tests/containers.scm @@ -143,6 +143,32 @@ #:namespaces '(user mnt)))) (skip-if-unsupported) +(test-assert "call-with-container, mnt namespace, read-only root" + (zero? + (call-with-container '() + (lambda () + (assert-exit (and (file-is-directory? "/witness") + (catch 'system-error + (lambda () + (mkdir "/whatever") + #f) + (lambda args + (= (system-error-errno args) EROFS)))))) + #:populate-file-system (lambda () + (mkdir "/witness")) + #:namespaces '(user mnt)))) + +(skip-if-unsupported) +(test-assert "call-with-container, mnt namespace, writable root" + (zero? + (call-with-container '() + (lambda () + (mkdir "whatever") + (assert-exit (file-is-directory? "/whatever"))) + #:writable-root? #t + #:namespaces '(user mnt)))) + +(skip-if-unsupported) (test-assert "container-excursion" (call-with-temporary-directory (lambda (root) |
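Review bot: In the "writable root" test, `(mkdir "whatever")` uses a relative path while the assertion checks `/whatever`, so the test only passes if the thunk's working directory is `/`; writing `(mkdir "/whatever")`, as the read-only test does, removes that dependency. The "read-only root" test also passes no `#:writable-root?` and so relies on the default being read-only; passing `#:writable-root? #f` explicitly would keep the test meaningful if the default ever changes. Finally, the read-only test only attempts a write at the top of the root; a second attempt inside `/witness`, the directory created by `#:populate-file-system`, would show that content populated before the remount is covered by `EROFS` as well.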