;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2021 Timmy Douglas
;;; Copyright © 2022 Tobias Geerinckx-Rice
;;; Copyright © 2022 Zhu Zihao
;;; Copyright © 2022 Michael Rohleder
;;; Copyright © 2023 Zongyuan Li
;;; Copyright © 2023 Ricardo Wurmus
;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;; Copyright © 2024 Foundation Devices, Inc.
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu packages containers)
  #:use-module (guix gexp)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system meson)
  #:use-module (guix utils)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages autotools)
  #:use-module (gnu packages base)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages glib)
  #:use-module (gnu packages gnupg)
  #:use-module (gnu packages golang)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages python)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages selinux)
  #:use-module (gnu packages version-control)
  #:use-module (gnu packages virtualization)
  #:use-module (gnu packages web)
  #:use-module (gnu packages wget))

;;; Commentary:
;;;
;;; OCI container tooling: runtimes (crun), supervisors (conmon), user-mode
;;; networking helpers (libslirp, slirp4netns, passt, cni-plugins,
;;; gvisor-tap-vsock) and the front-ends built on them (podman, buildah,
;;; distrobox).  Every origin below is pinned by a sha256 hash, so a
;;; replaced upstream tarball or moved git tag fails the build instead of
;;; silently changing what gets shipped.  Note that almost every package
;;; here disables its test suite because the build sandbox lacks cgroups,
;;; /dev/net/tun or network access; the reason is recorded next to each
;;; #:tests? #f.
;;;
;;; Code:

;; OCI runtime used by podman below.  The release tarball comes from GitHub
;; releases (not a git checkout) and is verified against the pinned hash.
(define-public crun
  (package
    (name "crun")
    (version "1.14.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/containers/crun/releases/download/"
                           version "/crun-" version ".tar.gz"))
       (sha256
        (base32 "02lplc2asyllb58mvy7l8b9gsk7fxs95g928xk28yzmf592ay33x"))))
    (build-system gnu-build-system)
    (arguments
     ;; Build without the systemd cgroup driver (presumably because Guix
     ;; System does not ship systemd; the cgroupfs driver remains).
     `(#:configure-flags '("--disable-systemd")
       #:tests? #f ; XXX: needs /sys/fs/cgroup mounted
       #:phases
       (modify-phases %standard-phases
         ;; Point the test fixtures at the store's true/false instead of
         ;; FHS paths that do not exist on Guix System.  Kept even though
         ;; tests are off so that a future `#:tests? #t' has a chance.
         (add-after 'unpack 'fix-tests
           (lambda _
             (substitute* (find-files "tests" "\\.(c|py)")
               (("/bin/true") (which "true"))
               (("/bin/false") (which "false"))
               ;; Drop the sd-notify tests: they rely on sd_notify, which
               ;; presumably needs a running systemd -- confirm.
               (("\"sd-notify\" : test_sd_notify,") "")
               (("\"sd-notify-file\" : test_sd_notify_file,") "")))))))
    (inputs (list libcap libseccomp yajl))
    (native-inputs (list automake autoconf git libtool pkg-config python-3))
    (home-page "https://github.com/containers/crun")
    (synopsis "Open Container Initiative (OCI) Container runtime")
    (description "crun is a fast and low-memory footprint Open Container Initiative (OCI) Container Runtime fully written in C.")
    (license license:gpl2+)))

;; Per-container supervisor sitting between the container manager (podman)
;; and the OCI runtime (crun).
(define-public conmon
  (package
    (name "conmon")
    (version "2.0.31")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/containers/conmon")
             (commit (string-append "v" version))))
       (sha256
        (base32 "1cxklcihb2i4ywli0fxafkp2gi1x831r37z7spnigaj6pzj1517w"))
       (file-name (git-file-name name version))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:make-flags
      #~(list (string-append "CC=" #$(cc-for-target))
              (string-append "PREFIX=" #$output))
      ;; XXX: the upstream "test" target uses `go get' to download ~50
      ;; packages, runs a ginkgo test suite, then tries to download busybox
      ;; and use a systemd logging library.  None of that is possible in the
      ;; network-less build sandbox, so the suite is disabled.
      ;; See also https://github.com/containers/conmon/blob/main/nix/derivation.nix
      #:tests? #f
      #:test-target "test"
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (add-after 'unpack 'set-env
            (lambda _
              ;; The Go toolchain wants a writable HOME for its caches;
              ;; the sandbox's HOME=/homeless-shelter is not writable.
              (setenv "HOME" "/tmp"))))))
    (inputs (list crun glib libseccomp))
    (native-inputs (list git go pkg-config))
    (home-page "https://github.com/containers/conmon")
    (synopsis "Monitoring tool for Open Container Initiative (OCI) runtime")
    (description "Conmon is a monitoring program and communication tool between a container manager (like Podman or CRI-O) and an Open Container Initiative (OCI) runtime (like runc or crun) for a single container.")
    (license license:asl2.0)))

;; Shell-script front-end over podman.  Some of its scripts run on the host
;; and some inside the container; the two groups are treated differently
;; below because /gnu/store is not visible from inside a container.
(define-public distrobox
  (package
    (name "distrobox")
    (version "1.7.0")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/89luca89/distrobox")
             ;; Upstream tags carry no "v" prefix.
             (commit version)))
       (sha256
        (base32 "1g14q1sm3026h9n85v1gc3m2v9sgrac2mr9yrkh98qg5yahzmpc3"))
       (file-name (git-file-name name version))))
    (build-system copy-build-system)
    (arguments
     (list
      #:phases
      #~(modify-phases %standard-phases
          ;; Use WRAP-SCRIPT on the host-side scripts so that `podman' and
          ;; `wget' are found via a PATH prefix pointing into the store,
          ;; rather than whatever happens to be on the caller's PATH.  The
          ;; container-side scripts (see 'unpatch-shebangs) are excluded.
          (add-after 'install 'wrap-scripts
            (lambda _
              (let ((path (search-path-as-list
                           (list "bin")
                           (list #$(this-package-input "podman")
                                 #$(this-package-input "wget")))))
                (for-each
                 (lambda (script)
                   (wrap-script
                    (string-append #$output "/bin/distrobox-" script)
                    `("PATH" ":" prefix ,path)))
                 '("assemble"
                   "create"
                   "enter"
                   "ephemeral"
                   "generate-entry"
                   "list"
                   "rm"
                   "stop"
                   "upgrade")))))
          ;; These scripts are executed inside the container, where the
          ;; /gnu/store path is not shared, so a store-path shebang written
          ;; by 'patch-shebangs would fail there.  Restore a plain /bin/sh
          ;; shebang that resolves to the container's own shell.
          (add-after 'patch-shebangs 'unpatch-shebangs
            (lambda _
              (for-each
               (lambda (script)
                 (substitute* (string-append #$output "/bin/distrobox-" script)
                   (("#!.*/bin/sh") "#!/bin/sh\n")))
               '("export" "host-exec" "init"))))
          ;; Upstream's own installer lays out bin/, man pages, etc.
          (replace 'install
            (lambda _
              (invoke "./install" "--prefix" #$output))))))
    (inputs
     (list guile-3.0 ; for wrap-script
           podman
           wget))
    (home-page "https://distrobox.privatedns.org/")
    (synopsis "Create and start containers highly integrated with the hosts")
    (description "Distrobox is a fancy wrapper around Podman or Docker to create and start containers highly integrated with the hosts.")
    (license license:gpl3)))

;; User-mode TCP/IP stack; dependency of slirp4netns.
(define-public libslirp
  (package
    (name "libslirp")
    (version "4.7.0")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://gitlab.freedesktop.org/slirp/libslirp")
             (commit (string-append "v" version))))
       (sha256
        (base32 "0dny8187a8qh6akaa37aa9b5pjxx88f02wh6achp4mygff0ipxba"))
       (file-name (git-file-name name version))))
    (build-system meson-build-system)
    (propagated-inputs
     ;; In Requires of slirp.pc.
     (list glib))
    (native-inputs (list pkg-config))
    (home-page "https://gitlab.freedesktop.org/slirp/libslirp")
    (synopsis "User-mode networking library")
    (description "libslirp is a user-mode networking library used by virtual machines, containers or various tools.")
    (license license:bsd-3)))

;; Rootless networking for podman: gives an unprivileged network namespace
;; outbound connectivity without CAP_NET_ADMIN on the host.
(define-public slirp4netns
  (package
    (name "slirp4netns")
    (version "1.2.3")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/rootless-containers/slirp4netns")
             (commit (string-append "v" version))))
       (sha256
        (base32 "0czvdsdv821fz4jd9rgrlkdhhjna6frawr8klvx3k2cfh444fbii"))
       (file-name (git-file-name name version))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f ; XXX: open("/dev/net/tun"): No such file or directory
       #:phases
       (modify-phases %standard-phases
         ;; The test scripts call a bare `ping'.  On Guix System ping is a
         ;; setuid/capability-wrapped program living under
         ;; /run/setuid-programs, so point the tests there.  Only relevant
         ;; once the suite can run (it needs /dev/net/tun, see above).
         (add-after 'unpack 'fix-hardcoded-paths
           (lambda _
             (substitute* (find-files "tests" "\\.sh")
               (("ping") "/run/setuid-programs/ping")))))))
    (inputs (list glib libcap libseccomp libslirp))
    (native-inputs
     (list automake
           autoconf
           iproute ; iproute, jq, nmap (ncat) and util-linux are for tests
           jq
           nmap
           pkg-config
           util-linux))
    (home-page "https://github.com/rootless-containers/slirp4netns")
    (synopsis "User-mode networking for unprivileged network namespaces")
    (description "slirp4netns provides user-mode networking (\"slirp\") for unprivileged network namespaces.")
    (license license:gpl2+)))

;; passt/pasta: unprivileged networking alternative to slirp4netns that
;; needs no CAP_NET_RAW; podman below is pointed at its bin/ directory.
(define-public passt
  (package
    (name "passt")
    (version "2023_12_30.f091893")
    (source
     (origin
       (method url-fetch)
       ;; Upstream publishes dated snapshot tarballs rather than git tags;
       ;; the version string embeds the short commit hash.
       (uri (string-append "https://passt.top/passt/snapshot/passt-"
                           version ".tar.gz"))
       (sha256
        (base32 "1nyd4h93qlxn1r01ffijpsd7r7ny62phki5j58in8gz021jj4f3d"))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:make-flags
      #~(list (string-append "CC=" #$(cc-for-target))
              ;; Hard-coded stack limit handed to the Makefile.  The
              ;; reason for this particular value is not recorded;
              ;; presumably the Makefile otherwise derives it from the
              ;; build host's `ulimit -s', which is not reproducible --
              ;; TODO confirm against upstream's Makefile.
              "RLIMIT_STACK_VAL=1024"
              (string-append "VERSION=" #$version)
              (string-append "prefix=" #$output))
      #:tests? #f
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure))))
    (home-page "https://passt.top")
    (synopsis "Plug A Simple Socket Transport")
    (description "passt implements a thin layer between guest and host, that only implements what's strictly needed to pretend processes are running locally. The TCP adaptation doesn't keep per-connection packet buffers, and reflects observed sending windows and acknowledgements between the two sides. This TCP adaptation is needed as passt runs without the CAP_NET_RAW capability: it can't create raw IP sockets on the pod, and therefore needs to map packets at Layer-2 to Layer-4 sockets offered by the host kernel.

Also provides pasta, which similarly to slirp4netns, provides networking to containers by creating a tap interface available to processes in the namespace, and mapping network traffic outside the namespace using native Layer-4 sockets.")
    (license (list license:gpl2+ license:bsd-3))))

;; CNI plugin binaries; podman's default CNI plugin directory is rewritten
;; to this package's bin/ further below.
(define-public cni-plugins
  (package
    (name "cni-plugins")
    (version "1.4.1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/containernetworking/plugins")
             (commit (string-append "v" version))))
       (sha256
        (base32 "0l6f4z762n8blak41wcxdmdhm92gqw2qcxcqd3s4wiql3d7273kj"))
       (file-name (git-file-name name version))))
    (build-system go-build-system)
    (arguments
     `(#:unpack-path "github.com/containernetworking/plugins"
       #:tests? #f ; XXX: see stat /var/run below
       #:phases
       (modify-phases %standard-phases
         ;; Upstream's script builds every plugin; the go-build-system's
         ;; single-import-path build does not fit a multi-binary tree.
         (replace 'build
           (lambda _
             (with-directory-excursion "src/github.com/containernetworking/plugins"
               (invoke "./build_linux.sh"))))
         (replace 'check
           (lambda* (#:key tests? #:allow-other-keys)
             ;; Only the pkg/ns tests can run without root; they are run
             ;; under unshare(1) with fresh user (-r), mount (-m) and
             ;; network (-n) namespaces so no real privileges are needed.
             (when tests?
               (with-directory-excursion "src/github.com/containernetworking/plugins/pkg/ns"
                 (invoke "stat" "/var/run") ; XXX: test tries to stat this directory
                 (invoke "unshare" "-rmn" "go" "test")))))
         (add-before 'check 'set-test-environment
           (lambda _
             (setenv "XDG_RUNTIME_DIR" "/tmp/cni-rootless")))
         ;; Install the plugin binaries produced by build_linux.sh.
         (replace 'install
           (lambda* (#:key outputs #:allow-other-keys)
             (copy-recursively "src/github.com/containernetworking/plugins/bin"
                               (string-append (assoc-ref outputs "out") "/bin")))))))
    (native-inputs (list util-linux))
    (home-page "https://github.com/containernetworking/plugins")
    (synopsis "Container Network Interface (CNI) network plugins")
    (description "This package provides Container Network Interface (CNI) plugins to configure network interfaces in Linux containers.")
    (license license:asl2.0)))

;; Provides the `gvproxy' binary.  NOTE(review): podman below still says
;; gvproxy is "not packaged"; it is, but it is not an input of podman.
(define-public gvisor-tap-vsock
  (package
    (name "gvisor-tap-vsock")
    (version "0.7.3")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/containers/gvisor-tap-vsock")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "1q1zism0c63k2aq6yhkjqc3b2zsm4lwn0bk39p2kl79h798wfyp4"))))
    (build-system gnu-build-system)
    (arguments
     (list
      ;; `version' here is the package's version field; the Makefile
      ;; embeds it as the reported build version.
      #:make-flags `(list ,(string-append "GIT_VERSION=v" version))
      #:test-target "test"
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (add-before 'build 'setenv
            (lambda _
              ;; Writable HOME for the Go toolchain's caches.
              (setenv "HOME" "/tmp")))
          (add-before 'check 'prune-tests
            (lambda _
              ;; The integration tests require an internet connection to
              ;; fetch a QEMU image; remove them so `make test' only runs
              ;; the unit tests that work offline.
              (invoke "rm" "-r" "test")))
          ;; Only gvproxy is installed; the other helper binaries built by
          ;; the Makefile are left out.
          (replace 'install
            (lambda _
              (install-file "bin/gvproxy" (string-append #$output "/bin")))))))
    ;; NOTE(review): pinned to go-1.20, which no longer receives upstream
    ;; security fixes; check whether a newer toolchain builds this release.
    (native-inputs (list go-1.20))
    (home-page "https://github.com/containers/gvisor-tap-vsock")
    (synopsis "Network stack for virtualization based on gVisor")
    (description "This package provides a replacement for @code{libslirp} and @code{VPNKit}, written in pure Go.
It is based on the network stack of gVisor and brings a configurable DNS server and dynamic port forwarding. It can be used with QEMU, Hyperkit, Hyper-V and User-Mode Linux. The binary is called @command{gvproxy}.")
    (license license:asl2.0)))

;; For podman to work, the user needs to run
;; `sudo mount -t cgroup2 none /sys/fs/cgroup`
;;
;; All helper programs podman execs (conmon, crun, slirp4netns, passt, the
;; CNI plugins) are wired in as absolute store paths in
;; 'fix-hardcoded-paths below rather than discovered on PATH at run time.
(define-public podman
  (package
    (name "podman")
    (version "4.9.3")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/containers/podman")
             (commit (string-append "v" version))))
       (modules '((guix build utils)))
       ;; FIXME: Btrfs libraries not detected by these scripts.
       (snippet '(substitute* "Makefile"
                   ((".*hack/btrfs.*") "")))
       ;; Presumably introduces the @SLIRP4NETNS_DIR@ / @PASST_DIR@
       ;; placeholders substituted below -- confirm by reading the patch.
       (patches (search-patches "podman-program-lookup.patch"))
       (sha256
        (base32 "17g7n09ndxhpjr39s9qwxdcv08wavjj0g5nmnrvrkz2wgdqigl1x"))
       (file-name (git-file-name name version))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:make-flags
      #~(list #$(string-append "CC=" (cc-for-target))
              (string-append "PREFIX=" #$output))
      #:tests? #f ; /sys/fs/cgroup not set up in guix sandbox
      #:test-target "test"
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (add-after 'unpack 'set-env
            ;; `inputs' is accepted but unused here.
            (lambda* (#:key inputs #:allow-other-keys)
              ;; The Go toolchain needs a writable HOME for its caches;
              ;; the sandbox's HOME=/homeless-shelter is not.
              (setenv "HOME" "/tmp")))
          (replace 'check
            (lambda* (#:key tests? #:allow-other-keys)
              (when tests?
                ;; (invoke "strace" "-f" "bin/podman" "version")
                (invoke "make" "localsystem")
                (invoke "make" "remotesystem"))))
          ;; Replace the FHS defaults compiled into podman and its vendored
          ;; containers/common config with the store paths of our inputs,
          ;; so the defaults do not depend on the invoking user's PATH.
          (add-after 'unpack 'fix-hardcoded-paths
            (lambda _
              (substitute* "vendor/github.com/containers/common/pkg/config/config.go"
                (("@SLIRP4NETNS_DIR@")
                 (string-append #$slirp4netns "/bin"))
                (("@PASST_DIR@")
                 (string-append #$passt "/bin")))
              ;; Only satisfies the helper script's "is catatonit installed"
              ;; check; catatonit itself is not provided by this package,
              ;; so presumably `podman run --init' has no init binary --
              ;; confirm.
              (substitute* "hack/install_catatonit.sh"
                (("CATATONIT_PATH=\"[^\"]+\"")
                 (string-append "CATATONIT_PATH=" (which "true"))))
              (substitute* "vendor/github.com/containers/common/pkg/config/config_linux.go"
                (("/usr/local/libexec/podman")
                 (string-append #$output "/libexec/podman"))
                (("/usr/local/lib/podman")
                 (string-append #$output "/bin")))
              ;; `which' resolves against the build-time PATH, i.e. the
              ;; conmon and crun inputs listed below.
              (substitute* "vendor/github.com/containers/common/pkg/config/default.go"
                (("/usr/libexec/podman/conmon") (which "conmon"))
                (("/usr/local/libexec/cni")
                 (string-append #$(this-package-input "cni-plugins") "/bin"))
                (("/usr/bin/crun") (which "crun")))))
          (add-after 'install 'install-completions
            (lambda _
              (invoke "make" "install.completions"
                      (string-append "PREFIX=" #$output)))))))
    (inputs
     (list btrfs-progs
           cni-plugins
           conmon
           crun
           gpgme
           go-github-com-go-md2man
           iptables
           libassuan
           libseccomp
           libselinux
           passt
           slirp4netns))
    (native-inputs
     (list bats
           git
           go-1.21
           ; strace ; XXX debug
           pkg-config
           python))
    (home-page "https://podman.io")
    (synopsis "Manage containers, images, pods, and their volumes")
    ;; NOTE(review): the last sentence is stale -- gvisor-tap-vsock above
    ;; packages gvproxy; it is simply not an input of this package.
    (description "Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers.
The @code{machine} subcommand is not supported due to gvproxy not being packaged.")
    (license license:asl2.0)))

;; OCI image builder.  Uses runc (not crun) as its runtime input.
(define-public buildah
  (package
    (name "buildah")
    (version "1.29.1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/containers/buildah")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "1mcqkz68fjccdla1bgxw57w268a586brm6x28fcm6x425ah0w07h"))))
    (build-system go-build-system)
    (arguments
     (list
      #:import-path "github.com/containers/buildah/cmd/buildah"
      #:unpack-path "github.com/containers/buildah"
      ;; Some dependencies require go-1.18 to build.
      ;; NOTE(review): go-1.18 no longer receives upstream security fixes;
      ;; check whether this release builds with a supported toolchain.
      #:go go-1.18
      #:tests? #f
      ;; Do not ship the Go source tree in the output.
      #:install-source? #f
      #:phases
      #~(modify-phases %standard-phases
          ;; The docs Makefile expects a vendored go-md2man build and a
          ;; /usr/local prefix; point both at the store.
          (add-after 'unpack 'prepare-install-docs
            (lambda* (#:key unpack-path #:allow-other-keys)
              (substitute* (string-append "src/" unpack-path "/docs/Makefile")
                (("../tests/tools/build/go-md2man")
                 (which "go-md2man")))
              (substitute* (string-append "src/" unpack-path "/docs/Makefile")
                ;; (string-append #$output) is just #$output.
                (("/usr/local") (string-append #$output)))))
          (add-after 'build 'build-docs
            (lambda* (#:key unpack-path #:allow-other-keys)
              (let ((doc (string-append "src/" unpack-path "/docs")))
                (invoke "make" "-C" doc))))
          (add-after 'install 'install-docs
            (lambda* (#:key unpack-path #:allow-other-keys)
              (let ((doc (string-append "src/" unpack-path "/docs")))
                (invoke "make" "-C" doc "install")))))))
    (inputs
     (list btrfs-progs
           cni-plugins
           conmon
           eudev
           glib
           gpgme
           libassuan
           libseccomp
           lvm2
           runc))
    (native-inputs (list go-github-com-go-md2man gnu-make pkg-config))
    (synopsis "Build @acronym{OCI, Open Container Initiative} images")
    (description "Buildah is a command-line tool to build @acronym{OCI, Open Container Initiative} container images.
More generally, it can be used to:
@itemize
@item create a working container, either from scratch or using an image as a starting point;
@item create an image, either from a working container or via the instructions in a @file{Dockerfile};
@item mount a working container's root filesystem for manipulation;
@item use the updated contents of a container's root filesystem as a filesystem layer to create a new image.
@end itemize")
    (home-page "https://buildah.io")
    (license license:asl2.0)))