authorMarius Bakke <mbakke@fastmail.com>2019-06-09 00:57:36 +0200
committerMarius Bakke <mbakke@fastmail.com>2019-06-09 00:57:36 +0200
commit69ecd666d73ebc5ee7a0be54f4e24f000d1d7e31 (patch)
tree80fc467b3129cd302aed02622dd497247a8c5bb0 /gnu/services
parent4bed3b101253e5f82c6423f0eb55b307ec839f53 (diff)
parentc6de5afe5c5da34513ea43b041fead30f28f57d4 (diff)
Merge branch 'master' into staging
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/auditd.scm54
-rw-r--r--gnu/services/docker.scm61
2 files changed, 114 insertions, 1 deletions
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
new file mode 100644
index 0000000000..8a9292015f
--- /dev/null
+++ b/gnu/services/auditd.scm
@@ -0,0 +1,54 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019 Danny Milosavljevic <dannym@scratchpost.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services auditd)
+ #:use-module (gnu services)
+ #:use-module (gnu services configuration)
+ #:use-module (gnu services base)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu packages admin)
+ #:use-module (guix records)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:export (auditd-configuration
+ auditd-service-type))
+
+; /etc/audit/audit.rules
+
+(define-configuration auditd-configuration
+ (audit
+ (package audit)
+ "Audit package."))
+
+(define (auditd-shepherd-service config)
+ (let* ((audit (auditd-configuration-audit config)))
+ (list (shepherd-service
+ (documentation "Auditd allows you to audit file system accesses.")
+ (provision '(auditd))
+ (start #~(make-forkexec-constructor
+ (list (string-append #$audit "/sbin/auditd"))))
+ (stop #~(make-kill-destructor))))))
+
+(define auditd-service-type
+ (service-type (name 'auditd)
+ (description "Allows auditing file system accesses.")
+ (extensions
+ (list
+ (service-extension shepherd-root-service-type
+ auditd-shepherd-service)))
+ (default-value (auditd-configuration))))
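Review bot: The start command launches `auditd` with no configuration directory and nothing in this file provides /etc/audit/auditd.conf or audit.rules, so on a system where no other service installs them the daemon is likely to fail at startup; the stray single-semicolon comment `; /etc/audit/audit.rules` after the module header looks like a reminder of exactly that gap. Consider adding a `configuration-directory` field to `auditd-configuration` and passing it as `"-c" #$configuration-directory` in the `make-forkexec-constructor` command list, or at least replace the stray comment with a `;;` note saying that the operator must supply /etc/audit/auditd.conf and audit.rules themselves. Separately, `make-forkexec-constructor` assumes the launched process stays in the foreground; auditd daemonizes by default unless told not to (it has foreground/no-fork options, check the packaged version's man page), in which case the PID Shepherd tracks would be the parent that exits after forking and `make-kill-destructor` would signal the wrong process — worth verifying before relying on the `stop` path.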
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 94a04c8996..04f9127346 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -24,12 +24,14 @@
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
#:use-module (gnu packages docker)
+ #:use-module (gnu packages linux) ;singularity
#:use-module (guix records)
#:use-module (guix gexp)
#:use-module (guix packages)
#:export (docker-configuration
- docker-service-type))
+ docker-service-type
+ singularity-service-type))
;;; We're not using serialize-configuration, but we must define this because
;;; the define-configuration macro validates it exists.
@@ -120,3 +122,60 @@ bundles in Docker containers.")
(service-extension account-service-type
(const %docker-accounts))))
(default-value (docker-configuration))))
+
+
+;;;
+;;; Singularity.
+;;;
+
+(define %singularity-activation
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (define %mount-directory
+ "/var/singularity/mnt/")
+
+ ;; Create the directories that Singularity 2.6 expects to find. Make
+ ;; them #o755 like the 'install-data-hook' rule in 'Makefile.am' of
+ ;; Singularity 2.6.1.
+ (for-each (lambda (directory)
+ (let ((directory (string-append %mount-directory
+ directory)))
+ (mkdir-p directory)
+ (chmod directory #o755)))
+ '("container" "final" "overlay" "session"))
+ (chmod %mount-directory #o755))))
+
+(define (singularity-setuid-programs singularity)
+ "Return the setuid-root programs that SINGULARITY needs."
+ (define helpers
+ ;; The helpers, under a meaningful name.
+ (computed-file "singularity-setuid-helpers"
+ #~(begin
+ (mkdir #$output)
+ (for-each (lambda (program)
+ (symlink (string-append #$singularity
+ "/libexec/singularity"
+ "/bin/"
+ program "-suid")
+ (string-append #$output
+ "/singularity-"
+ program
+ "-helper")))
+ '("action" "mount" "start")))))
+
+ (list (file-append helpers "/singularity-action-helper")
+ (file-append helpers "/singularity-mount-helper")
+ (file-append helpers "/singularity-start-helper")))
+
+(define singularity-service-type
+ (service-type (name 'singularity)
+ (description
+ "Install the Singularity application bundle tool.")
+ (extensions
+ (list (service-extension setuid-program-service-type
+ singularity-setuid-programs)
+ (service-extension activation-service-type
+ (const %singularity-activation))))
+ (default-value singularity)))
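Review bot: `(const %singularity-activation)` discards the service value, so the activation's directory layout cannot follow the package that `default-value singularity` (or a user-supplied one) actually installs; the comment above the `for-each` ties the directory list to Singularity 2.6.1 while the package version is set elsewhere, so a package upgrade would silently leave the activation stale. Consider making it a function of the package, `(define (singularity-activation singularity) ...)`, wired with `(service-extension activation-service-type singularity-activation)`, so the coupling is at least visible at the extension site. The `description` should also state that the service registers `singularity-action-helper`, `singularity-mount-helper` and `singularity-start-helper` as setuid-root programs, since that is the property an operator most needs to know before enabling it, e.g. `"Install the Singularity application bundle tool together with its setuid-root helper programs."`.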