From 08814aec6ae75adcd059c5235c90ad26e5d5607e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludovic.courtes@inria.fr>
Date: Tue, 4 Jun 2019 22:29:40 +0200
Subject: services: Add Singularity.

* gnu/packages/linux.scm (singularity)[source](snippet): Change file
name of setuid helpers in libexec/cli/*.exec.
[arguments]: Remove "--disable-suid".
* gnu/services/docker.scm (%singularity-activation): New variable.
(singularity-setuid-programs): New procedure.
(singularity-service-type): New variable.
* gnu/tests/singularity.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* doc/guix.texi (Miscellaneous Services): Document it.
---
 gnu/tests/singularity.scm | 128 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 gnu/tests/singularity.scm

(limited to 'gnu/tests')

diff --git a/gnu/tests/singularity.scm b/gnu/tests/singularity.scm
new file mode 100644
index 0000000000..55324ef9ea
--- /dev/null
+++ b/gnu/tests/singularity.scm
@@ -0,0 +1,128 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests singularity)
+  #:use-module (gnu tests)
+  #:use-module (gnu system)
+  #:use-module (gnu system vm)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu services)
+  #:use-module (gnu services docker)
+  #:use-module (gnu packages bash)
+  #:use-module (gnu packages guile)
+  #:use-module (gnu packages linux)               ;singularity
+  #:use-module (guix gexp)
+  #:use-module (guix store)
+  #:use-module (guix grafts)
+  #:use-module (guix monads)
+  #:use-module (guix packages)
+  #:use-module (guix profiles)
+  #:use-module (guix scripts pack)
+  #:export (%test-singularity))
+
+(define %singularity-os
+  (simple-operating-system
+   (service singularity-service-type)
+   (simple-service 'guest-account
+                   account-service-type
+                   (list (user-account (name "guest") (uid 1000) (group "guest"))
+                         (user-group (name "guest") (id 1000))))))
+
+(define (run-singularity-test image)
+  "Load IMAGE, a Squashfs image, as a Singularity image and run it inside
+%SINGULARITY-OS."
+  (define os
+    (marionette-operating-system %singularity-os))
+
+  (define singularity-exec
+    #~(begin
+        (use-modules (ice-9 popen) (rnrs io ports))
+
+        (let* ((pipe (open-pipe* OPEN_READ
+                                 #$(file-append singularity
+                                                "/bin/singularity")
+                                 "exec" #$image "/bin/guile"
+                                 "-c" "(display \"hello, world\")"))
+               (str  (get-string-all pipe))
+               (status (close-pipe pipe)))
+          (and (zero? status)
+               (string=? str "hello, world")))))
+
+  (define test
+    (with-imported-modules '((gnu build marionette))
+      #~(begin
+          (use-modules (srfi srfi-11) (srfi srfi-64)
+                       (gnu build marionette))
+
+          (define marionette
+            (make-marionette (list #$(virtual-machine os))))
+
+          (mkdir #$output)
+          (chdir #$output)
+
+          (test-begin "singularity")
+
+          (test-assert "singularity exec /bin/guile (as root)"
+            (marionette-eval '#$singularity-exec
+                             marionette))
+
+          (test-equal "singularity exec /bin/guile (unprivileged)"
+            0
+            (marionette-eval
+             `(begin
+                (use-modules (ice-9 match))
+
+                (match (primitive-fork)
+                  (0
+                   (dynamic-wind
+                     (const #f)
+                     (lambda ()
+                       (setgid 1000)
+                       (setuid 1000)
+                       (execl #$(program-file "singularity-exec-test"
+                                              #~(exit #$singularity-exec))
+                              "test"))
+                     (lambda ()
+                       (primitive-exit 127))))
+                  (pid
+                   (cdr (waitpid pid)))))
+             marionette))
+
+          (test-end)
+          (exit (= (test-runner-fail-count (test-runner-current)) 0)))))
+
+  (gexp->derivation "singularity-test" test))
+
+(define (build-tarball&run-singularity-test)
+  (mlet* %store-monad
+      ((_        (set-grafting #f))
+       (guile    (set-guile-for-build (default-guile)))
+       ;; 'singularity exec' insists on having /bin/sh in the image.
+       (profile  (profile-derivation (packages->manifest
+                                      (list bash-minimal guile-2.2))
+                                     #:hooks '()
+                                     #:locales? #f))
+       (tarball  (squashfs-image "singularity-pack" profile
+                                 #:symlinks '(("/bin" -> "bin")))))
+    (run-singularity-test tarball)))
+
+(define %test-singularity
+  (system-test
+   (name "singularity")
+   (description "Test Singularity container of Guix.")
+   (value (build-tarball&run-singularity-test))))
-- 
cgit v1.2.3