Makefile: Use ssl certificates from within the container by default

When a guix-builder container runs without the store attached, it should still be able to use
ssl certificates. This was not possible prior to this change without adjusting the
SSL_CERT_FILE and SSL_CERT_DIR environment variables to be prefixed with '/guix-builder'.
Preferably and as implemented in this commit, we can keep standard values of these
environment variables and provide a link from /etc/ssl -> /guix-builder/etc/ssl where the
certificate files reference /guix-builder/gnu/store instead of /gnu/store.

This allows correct functioning in either case of the store being mounted or not. It's
important to note that if a user mounts their guix host's certificates, they must also mount
its store, as the certificate files in /etc/ssl/certs will be links to files in the store.
This commit is contained in:
Collin J. Doering 2024-01-01 15:08:20 -05:00
parent e270484870
commit c9b3062f11
Signed by: rekahsoft
GPG Key ID: 7B4DEB93212B3022
1 changed files with 7 additions and 4 deletions


@ -13,8 +13,9 @@ $(PASSWD_FILE):
$(LINKS_TARBALL):
ln -s /guix-builder/bin bin
tar -czvf $@ bin
rm bin
mkdir etc && ln -s /guix-builder/etc/ssl etc/ssl
tar -czvf $@ bin etc
rm -r etc bin
$(TARBALL):
@cp $$(guix pack -RR -S /bin=bin -S /etc/ssl=etc/ssl -S /lib/locale=lib/locale -m $(GUIX_MANIFEST)) $@
@ -37,10 +38,12 @@ run: build
-v /var/guix/daemon-socket/socket:/var/guix/daemon-socket/socket \
-v /gnu/store:/gnu/store:ro \
-v /etc/ssl:/etc/ssl:ro \
-e HOME=/tmp \
-w /tmp \
$(IMAGE_TAG):latest
.PHONY: run-no-store
run-no-store: build
@docker run --rm -it $(IMAGE_TAG):latest
.PHONY: shell
shell:
@./shell.sh $(GUIX_MANIFEST) $(GUIX_MANIFEST_DEV)
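Review bot: The new staging in the `$(LINKS_TARBALL)` recipe uses fixed scratch names `bin` and `etc` in the working directory: `mkdir etc` has no `-p` and `ln -s` has no `-f`, so a run interrupted before `rm -r etc bin` (or a real `etc`/`bin` directory in the repo root) makes the next invocation fail, and the final `rm -r etc bin` would delete such a pre-existing directory. Staging under a directory derived from `$@` and moving a temporary archive into place avoids both problems and also keeps the recipe safe under `make -j`. In the `run` hunk (whose recipe starts before the hunk), the added `-v /etc/ssl:/etc/ssl:ro` bind-mounts over what is now a symlink inside the image; this presumably only works because `/gnu/store` is mounted on the line above, as the host's cert files are links into the store, so a comment such as `# host certs need the store mount above: cert files are symlinks into /gnu/store` would save the next reader a debugging session. `$(LINKS_TARBALL)` has no prerequisites, so an existing archive built before this change is never refreshed; I cannot see whether `clean` removes it, but a note in the commit or a `clean` dependency seems warranted.
```make
$(LINKS_TARBALL):
	rm -rf $@.stage && mkdir -p $@.stage/etc
	ln -s /guix-builder/bin $@.stage/bin
	ln -s /guix-builder/etc/ssl $@.stage/etc/ssl
	tar -czvf $@.tmp -C $@.stage bin etc && mv -f $@.tmp $@
	rm -rf $@.stage
```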