in antlir/nspawn_in_subvol/args.py [0:0]
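def _parser_add_nspawn_opts(parser: argparse.ArgumentParser):
    """Add the `systemd-nspawn` container options to `parser`.

    Keep in sync with `_NspawnOpts`: option destinations are meant to mirror
    its fields, and scalar defaults are read from
    `_NspawnOpts._field_defaults` so the CLI and internal callers agree.
    List-valued options get a fresh `[]` as their argparse default because
    `action="append"` mutates the default in place; the asserts below check
    that `_NspawnOpts` keeps an immutable `()` for those fields.  The `cmd`
    positional deliberately diverges and defaults to a login shell.

    Args:
        parser: the parser to extend in place; nothing is returned.
    """
    defaults = _NspawnOpts._field_defaults

    # The `--user` help interpolates the default user, so it must be an
    # f-string (a plain string printed the literal `{defaults["user"]}`).
    # `_NspawnOpts` may hold the user as a `pwd.struct_passwd` (see
    # `type=pwd.getpwnam` below) or as a name -- show the name either way,
    # and escape `%` since argparse `%`-formats help strings.
    default_user = defaults["user"]
    default_user_name = str(
        getattr(default_user, "pw_name", default_user)
    ).replace("%", "%%")

    parser.add_argument(
        "--boot",
        action="store_true",
        default=defaults["boot"],
        help="Boot the container with nspawn. This means invoke `systemd` "
        "as PID 1 and let it start up services",
    )
    parser.add_argument(
        "--chdir",
        required=False,
        type=Path.from_argparse,
        help="ABS path for working directory when running a command",
    )  # No trailing comma: the original turned this statement into a tuple.
    parser.add_argument(
        "--layer",
        required=True,
        dest="layer_path",
        help="An `image.layer` output path (`buck targets --show-output`)",
    )
    parser.add_argument(
        "--bind-repo-ro",
        action="store_true",
        help="Makes a read-only recursive bind-mount of the current Buck "
        "project into the container at the same location as it is on "
        "the host. Needed to run in-place binaries. The default is to "
        "make this bind-mount only if `--layer` artifacts need access "
        "to the repo.",
    )
    # Read-write host mount: opt-in, off by default (`store_true`).
    parser.add_argument(
        "--bind-artifacts-dir-rw",
        action="store_true",
        help="Makes a read-write recursive bind-mount of the current artifacts "
        "directory into the container at the same location as it is on "
        "the host.",
    )
    # `append` would mutate a shared default, so the CLI uses a fresh list
    # while `_NspawnOpts` keeps the immutable empty tuple.
    assert defaults["bindmount_ro"] == ()  # argparse default must be mutable
    parser.add_argument(
        "--bindmount-ro",
        action="append",
        nargs=2,
        default=[],
        metavar=("SRC", "DEST"),
        help="Read-only bindmounts (DEST is relative to the container "
        "root) to create",
    )
    assert defaults["bindmount_rw"] == ()  # argparse default must be mutable
    parser.add_argument(
        "--bindmount-rw",
        action="append",
        nargs=2,
        default=[],
        metavar=("SRC", "DEST"),
        help="Read-writable bindmounts (DEST is relative to the container "
        "root) to create",
    )
    parser.add_argument(
        # The default deliberately diverges from that of `_NspawnOpts` --
        # internal users **must** set a `cmd`, while the CLIs start a shell.
        "cmd",
        nargs="*",
        default=_DEFAULT_LOGIN_SHELL,
        help="The command to run in the container. The command is run using "
        "`nsenter` inside the cgroups & namespaces of the `systemd-nspawn` "
        "container -- we use `nspawn` for container setup only, it is not "
        "suitable for terminal management, see systemd PR 17070. If a command "
        "is not specified the default is to start `bash` as a login shell.",
    )
    # Forwarded FDs carry whatever privileges the host attached to them
    # (see the help text); the list is empty unless explicitly requested.
    assert defaults["forward_fd"] == ()  # The argparse default must be mutable
    parser.add_argument(
        "--forward-fd",
        type=int,
        action="append",
        default=[],
        metavar="FD",
        help="SECURITY RISK: Your container gets access to any privileges "
        "attached to these FDs. For example, if one is a terminal, "
        "the container may be able to synthesize keystrokes and escape. "
        "These FDs will be copied into the container with sequential "
        "FD numbers starting from 3, in the order they were listed "
        "on the command-line. Repeat to pass multiple FDs.",
    )
    parser.add_argument(
        "--hostname",
        help="Sets hostname within the container, thus causing it to differ "
        "from `machine`.",
    )
    # NOTE(review): `default=True` with `store_false` means that passing
    # `--quiet` *clears* `quiet`, and omitting it leaves `quiet=True`.
    # Confirm this inversion is intended against `_NspawnOpts.quiet` and
    # the code that consumes the flag.
    parser.add_argument(
        "--quiet",
        default=True,
        action="store_false",
        help="See `man systemd-nspawn`.",
    )
    assert defaults["setenv"] == ()  # The argparse default must be mutable
    parser.add_argument(
        "--setenv",
        action="append",
        default=[],
        help="See `man systemd-nspawn`.",
    )
    # `--snapshot` and `--no-snapshot` share one `dest`; the `_NspawnOpts`
    # default is attached to the positive form only.
    parser.add_argument(
        "--snapshot",
        default=defaults["snapshot"],
        action="store_true",
        help="Make an snapshot of the layer before `nspawn`ing a container. "
        "By default, the snapshot is ephemeral, but you can also pass "
        "`--snapshot-into` to retain it (e.g. for debugging).",
    )
    parser.add_argument(
        "--no-snapshot",
        action="store_false",
        dest="snapshot",
        help="Run directly in the layer. Since layer filesystems are "
        "read-only, this only works if `nspawn` does not feel the "
        "need to modify the container filesystem. If it works for "
        "your layer today, it may still break in a future version "
        "`systemd` :/ ... but PLEASE do not even think about marking "
        "a layer subvolume read-write. That voids all warranties.",
    )
    parser.add_argument(
        # Get the pw database info for the requested user. We need it to:
        # - use use the uid/gid for the /logs tmpfs mount,
        # - execute the command as the right user,
        # - set HOME properly.
        # Future: Don't assume that the image password DB is compatible with
        # the host's, and look there instead.
        "--user",
        default=default_user,
        type=pwd.getpwnam,
        help="Changes to the specified user once in the nspawn container. "
        f"Defaults to `{default_user_name}` to give you a mostly read-only "
        "view of the OS. This is honored when using the --boot option as "
        "well.",
    )
    # The two flags below relax container isolation.  Both are opt-in:
    # `private_network` defaults to True (argparse's default for
    # `store_false`) and `allow_mknod` to False (`store_true`).
    parser.add_argument(
        "--no-private-network",
        action="store_false",
        dest="private_network",
        help="Do not pass `--private-network` to `systemd-nspawn`, letting "
        "container use the host network. You may also want to pass "
        "`--forward-tls-env`.",
    )
    parser.add_argument(
        "--allow-mknod",
        action="store_true",
        help="Do not pass `--drop-capability=CAP_MKNOD` to `systemd-nspawn`, "
        "allowing the use of the mknod() system call",
    )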