unofficial mirror of guix-devel@gnu.org 
* Environment containers
@ 2015-10-26  1:27 Thompson, David
  2015-10-26 10:45 ` Daniel Pimentel
                   ` (4 more replies)
  0 siblings, 5 replies; 29+ messages in thread
From: Thompson, David @ 2015-10-26  1:27 UTC (permalink / raw)
  To: guix-devel

Hello Guix hackers,

I am pleased to announce that the patch for adding Linux container
support to 'guix environment' has just landed in master!

Why is this cool, you ask?  Well, it enables one to truly isolate
development environments from the rest of the system, much more so
than --pure does.  The --pure option only clears the environment
variables, but --container goes further and "unshares" kernel
resources (such as the user, mount, and pid namespaces) and creates a
chroot environment that has no file system access to what might be
considered "impurities."  The only file systems from the host that
make it into the container by default are the current working
directory and the store paths for all of the needed software.  This is
especially useful when running Guix on top of another host distro,
where sometimes things from the host sneak into your build environment
because a tool decided to inspect the contents of /usr or something.

You can use it like this:

    guix environment --container guix

The above command will create an isolated container with everything
you need to build Guix from source.

There's more fun to be had, too.  Sometimes it's nice to make ad-hoc
sandboxes just to play around in.  The below command will run a
sandboxed Guile REPL:

    guix environment --container --ad-hoc guile -- guile

By default, containers have no network access.  To share the host
network, use the --network flag.

This is just the beginning!  There's lots more to do.  It would be
nice to be able to create a network bridge so that the container can
have network access without sharing the host devices, a la Docker and
friends.  It would also be great to incorporate cgroups to arbitrarily
restrict container resources.

Coming soon is 'guix system container', which creates full-blown
GuixSD containers.

Since I mentioned Docker, I'd like to point out some significant
advantages that Guix containers have over other implementations:

1) The container tools I'm working on are completely declarative.  No
imperative Dockerfiles!  This means that you don't have to worry about
order of operations, something that you have to think about constantly
when using Docker, especially when trying to maximize the use of the
image cache.

2) There are no disk images.  Disk images are opaque blobs that are
often not reproducible, whereas the items in the Guix store tell you
the full story of how the software came to be.  Thus, Guix containers
do not worry at all about the complications involved with layering
disk images in an overlayfs-style setup.  They are simply not needed.

3) Software and other files shared amongst many containers are
deduplicated system-wide.  This is a big deal from my perspective.
With Docker, container images *must* share as many base image layers
as possible to take advantage of deduplication, and there are
limitations to how smart overlay file systems can be to do
deduplication in memory (citation missing because I can't find the
article that explained the issues.)  Some people say that Docker is a
higher-level form of static linking, but instead of static linking the
executables, you "statically link" an entire, albeit more minimal,
operating system for each application that you run.  I'm inclined to
agree, and I'm happy to say that Guix doesn't have this problem.  A
store item present in N containers exists in exactly one place: in the
host store.  We take great advantage of bind mounts to share
everything without duplication.  Once again the fundamental building
block of every Guix tool, the immutable store, proves to be an
invaluable asset in overcoming the problems of our imperative
predecessors and contemporaries.

I hope this excites some of you.  Containers are all the rage right
now, and they have some seriously good properties if you can look past
the Docker hype.  I'd love to get some more hands to help make Guix
containers more featureful and robust in order to compete with the
mainstream tools.

Until next time, happy hacking!

- Dave

^ permalink raw reply	[flat|nested] 29+ messages in thread
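
The mechanism the announcement describes, as an added example that is not code from Guix: a single unshare() call creates user, mount, PID and network namespaces, the caller's uid/gid are mapped to themselves, a throwaway tmpfs root receives bind mounts of only the current directory and the directories named on the command line (standing in for store items), and a child pivots into that root and runs the command. The scratch root, the "--" separator, the assumption that every HOST_DIR is a directory, and the omission of a read-only remount are this example's own choices.

```c
/* Added example, not Guix code: a stripped-down `guix environment --container`.
 * usage: ./mini_container ROOT HOST_DIR... -- CMD [ARGS]
 * ROOT is a scratch dir; each HOST_DIR stands in for a store item (a directory). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* "INSIDE OUTSIDE 1\n", the one-line mapping written to /proc/self/{uid,gid}_map;
 * returns the length written, or -1 if BUF is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
/* Where absolute HOST_PATH lands under ROOT (same path, new prefix); -1 on error. */
int join_under_root(char *buf, size_t len, const char *root, const char *host_path)
{
    if (host_path[0] != '/') return -1;
    int n = snprintf(buf, len, "%s%s", root, host_path);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    return close(fd), ok ? 0 : -1;
}
static int mkdir_p(const char *path)            /* mkdir -p, directories only */
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s", path);
    for (char *p = tmp + 1; *p; p++)
        if (*p == '/') { *p = '\0'; mkdir(tmp, 0755); *p = '/'; }
    return (mkdir(tmp, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}
/* Bind-mount HOST_DIR at the same path under ROOT.  (A read-only remount is left
 * out: inside a user namespace it must also carry the source's locked flags.) */
static int bind_into(const char *root, const char *host_dir)
{
    char target[4096];
    if (join_under_root(target, sizeof target, root, host_dir) < 0) return -1;
    if (mkdir_p(target) < 0) return -1;
    return mount(host_dir, target, NULL, MS_BIND | MS_REC, NULL);
}

int main(int argc, char **argv)
{
    int sep = 2;
    while (sep < argc && strcmp(argv[sep], "--") != 0) sep++;
    if (argc < 3 || sep + 1 >= argc)
        return fprintf(stderr, "usage: %s ROOT HOST_DIR... -- CMD [ARGS]\n", argv[0]), 2;
    const char *root = argv[1];
    unsigned uid = getuid(), gid = getgid();
    char map[64], cwd[4096], old[4096];
    if (!getcwd(cwd, sizeof cwd)) return perror("getcwd"), 1;
    /* 1. User, mount, PID and network namespaces in one call; the user namespace
     *    owns the rest, so no root is needed.  EPERM here is the "unprivileged
     *    user namespaces disabled" case discussed in the thread. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET) < 0)
        return perror("unshare"), 1;
    /* 2. Map our uid/gid to themselves; setgroups must be denied before gid_map
     *    can be written without CAP_SETGID in the parent namespace. */
    write_file("/proc/self/setgroups", "deny\n");
    format_id_map(map, sizeof map, uid, uid);
    if (write_file("/proc/self/uid_map", map) < 0) return perror("uid_map"), 1;
    format_id_map(map, sizeof map, gid, gid);
    if (write_file("/proc/self/gid_map", map) < 0) return perror("gid_map"), 1;
    /* 3. Keep mount changes private to this namespace, then build the root:
     *    an empty tmpfs plus bind mounts of the cwd and the "store" dirs. */
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
    if (mkdir_p(root) < 0 || mount("tmpfs", root, "tmpfs", 0, "size=1m") < 0)
        return perror("tmpfs root"), 1;
    if (bind_into(root, cwd) < 0) return perror("bind cwd"), 1;
    for (int i = 2; i < sep; i++)
        if (bind_into(root, argv[i]) < 0) return perror(argv[i]), 1;
    /* 4. PID namespaces apply to children only, so fork.  The child pivots, mounts
     *    a fresh /proc while the old root is still reachable (a user namespace may
     *    mount proc only if one is already visible), detaches it and execs. */
    pid_t child = fork();
    if (child == 0) {
        join_under_root(old, sizeof old, root, "/.old");
        mkdir_p(old);
        if (syscall(SYS_pivot_root, root, old) < 0) { perror("pivot_root"); _exit(1); }
        chdir("/"); mkdir_p("/proc");
        if (mount("proc", "/proc", "proc", 0, NULL) < 0) perror("mount proc");
        umount2("/.old", MNT_DETACH);
        chdir(cwd);
        execvp(argv[sep + 1], &argv[sep + 1]);
        perror("exec"); _exit(127);
    }
    int status;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with cc -o mini_container mini_container.c and try, for instance, ./mini_container /tmp/root /usr /bin /lib /lib64 -- /bin/sh (the directory list is an assumption about the host layout). Inside, /proc/mounts lists only the tmpfs, the bind mounts and proc, ps shows the shell as PID 1, and the new network namespace has nothing but a downed loopback, which is the "no network access by default" behaviour the announcement describes. Because the store items are bind mounts rather than copies, N such containers share one copy of each directory, the deduplication argument made in point 3.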

* Re: Environment containers
  2015-10-26  1:27 Environment containers Thompson, David
@ 2015-10-26 10:45 ` Daniel Pimentel
  2015-10-26 12:16   ` Alex Vong
  2015-10-26 14:33 ` Ludovic Courtès
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 29+ messages in thread
From: Daniel Pimentel @ 2015-10-26 10:45 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel, guix-devel-bounces+d4n1=opmbx.org

It's great!

Thanks,

-- 
Daniel Pimentel (d4n1 3:)


* Re: Environment containers
  2015-10-26 10:45 ` Daniel Pimentel
@ 2015-10-26 12:16   ` Alex Vong
  0 siblings, 0 replies; 29+ messages in thread
From: Alex Vong @ 2015-10-26 12:16 UTC (permalink / raw)
  To: Daniel Pimentel; +Cc: guix-devel, guix-devel-bounces+d4n1=opmbx.org

On 26/10/2015, Daniel Pimentel <d4n1@openmailbox.org> wrote:
> It's great!
>
> Thanks,
>
> --
> Daniel Pimentel (d4n1 3:)
>
>

Indeed. With my limited disk space, I find point 3 most attractive. I
also like how the store immutability avoids the duplication problem.
The latest version is not yet available from guix pull though.

Cheers,
Alex


* Re: Environment containers
  2015-10-26  1:27 Environment containers Thompson, David
  2015-10-26 10:45 ` Daniel Pimentel
@ 2015-10-26 14:33 ` Ludovic Courtès
  2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 29+ messages in thread
From: Ludovic Courtès @ 2015-10-26 14:33 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

"Thompson, David" <dthompson2@worcester.edu> skribis:

> I am pleased to announce that the patch for adding Linux container
> support to 'guix environment' has just landed in master!

Thanks for all the work, this is all very exciting!

Ludo’.


* Re: Environment containers
  2015-10-26  1:27 Environment containers Thompson, David
  2015-10-26 10:45 ` Daniel Pimentel
  2015-10-26 14:33 ` Ludovic Courtès
@ 2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
  2015-10-26 14:38   ` Thompson, David
  2015-10-29 10:25   ` Taylan Ulrich Bayırlı/Kammer
  2015-10-26 16:23 ` Christopher Allan Webber
  2015-10-28 15:32 ` Ricardo Wurmus
  4 siblings, 2 replies; 29+ messages in thread
From: Taylan Ulrich Bayırlı/Kammer @ 2015-10-26 14:37 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

"Thompson, David" <dthompson2@worcester.edu> writes:

> Hello Guix hackers,
>
> I am pleased to announce that the patch for adding Linux container
> support to 'guix environment' has just landed in master!
>
> Why is this cool, you ask?  Well, it enables one to truly isolate
> development environments from the rest of the system, much more so
> than --pure does.  The --pure option only clears the environment
> variables, but --container goes further and "unshares" kernel
> resources (such as the user, mount, and pid namespaces) and creates a
> chroot environment that has no file system access to what might be
> considered "impurities."  The only file systems from the host that
> make it into the container by default are the current working
> directory and the store paths for all of the needed software.  This is
> especially useful when running Guix on top of another host distro,
> where sometimes things from the host sneak into your build environment
> because a tool decided to inspect the contents of /usr or something.
>
> You can use it like this:
>
>     guix environment --container guix
>
> The above command will create an isolated container with everything
> you need to build Guix from source.
>
> There's more fun to be had, too.  Sometimes it's nice to make ad-hoc
> sandboxes just to play around in.  The below command will run a
> sandboxed Guile REPL:
>
>     guix environment --container --ad-hoc guile -- guile
>
> By default, containers have no network access.  To share the host
> network, use the --network flag.
>
> This is just the beginning!  There's lots more to do.  It would be
> nice to be able to create a network bridge so that the container can
> have network access without sharing the host devices, a la Docker and
> friends.  It would also be great to incorporate cgroups to arbitrarily
> restrict container resources.
>
> Coming soon is 'guix system container', which creates full-blown
> GuixSD containers.
>
> Since I mentioned Docker, I'd like to point out some significant
> advantages that Guix containers have over other implementations:
>
> 1) The container tools I'm working on are completely declarative.  No
> imperative Dockerfiles!  This means that you don't have to worry about
> order of operations, something that you have to think about constantly
> when using Docker, especially when trying to maximize the use of the
> image cache.
>
> 2) There are no disk images.  Disk images are opaque blobs that are
> often not reproducible, whereas the items in the Guix store tell you
> the full story of how the software came to be.  Thus, Guix containers
> do not worry at all about the complications involved with layering
> disk images in an overlayfs-style setup.  They are simply not needed.
>
> 3) Software and other files shared amongst many containers are
> deduplicated system-wide.  This is a big deal from my perspective.
> With Docker, container images *must* share as many base image layers
> as possible to take advantage of deduplication, and there are
> limitations to how smart overlay file systems can be to do
> deduplication in memory (citation missing because I can't find the
> article that explained the issues.)  Some people say that Docker is a
> higher-level form of static linking, but instead of static linking the
> executables, you "statically link" an entire, albeit more minimal,
> operating system for each application that you run.  I'm inclined to
> agree, and I'm happy to say that Guix doesn't have this problem.  A
> store item present in N containers exists in exactly one place: in the
> host store.  We take great advantage of bind mounts to share
> everything without duplication.  Once again the fundamental building
> block of every Guix tool, the immutable store, proves to be an
> invaluable asset in overcoming the problems of our imperative
> predecessors and contemporaries.
>
> I hope this excites some of you.  Containers are all the rage right
> now, and they have some seriously good properties if you can look past
> the Docker hype.  I'd love to get some more hands to help make Guix
> containers more featureful and robust in order to compete with the
> mainstream tools.
>
> Until next time, happy hacking!
>
> - Dave

After some PEBKAC David helped me sort out over IRC, I got this running.
Thanks! :-)


Also, for Debian 8 users and maybe others, this might help:

    sudo sysctl -w kernel.unprivileged_userns_clone=1

Credit goes to Efraim.

Taylan


* Re: Environment containers
  2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
@ 2015-10-26 14:38   ` Thompson, David
  2015-10-27  5:11     ` Alex Vong
  2015-10-29 10:25   ` Taylan Ulrich Bayırlı/Kammer
  1 sibling, 1 reply; 29+ messages in thread
From: Thompson, David @ 2015-10-26 14:38 UTC (permalink / raw)
  To: Taylan Ulrich Bayırlı/Kammer; +Cc: guix-devel

On Mon, Oct 26, 2015 at 10:37 AM, Taylan Ulrich Bayırlı/Kammer
<taylanbayirli@gmail.com> wrote:

> Also, for Debian 8 users and maybe others, this might help:
>
>     sudo sysctl -w kernel.unprivileged_userns_clone=1

Yes, user namespaces are a must-have for this to work.  I will prepare
patches that mention this in the manual and add a test to 'guix
environment' that can detect if user namespaces are unavailable and
display a more helpful error message.

Thanks for bringing the UX issues to my attention!

- Dave


* Re: Environment containers
  2015-10-26  1:27 Environment containers Thompson, David
                   ` (2 preceding siblings ...)
  2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
@ 2015-10-26 16:23 ` Christopher Allan Webber
  2015-10-26 17:50   ` Thompson, David
  2015-10-28 15:32 ` Ricardo Wurmus
  4 siblings, 1 reply; 29+ messages in thread
From: Christopher Allan Webber @ 2015-10-26 16:23 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

David, you are kicking ass on this.  *Thank you* so much for working so
hard to get this in... I know it was a challenging task, but I think
this helps pave the way for even greater things!

Keep on rocking for the free world,
 - Chris


* Re: Environment containers
  2015-10-26 16:23 ` Christopher Allan Webber
@ 2015-10-26 17:50   ` Thompson, David
  0 siblings, 0 replies; 29+ messages in thread
From: Thompson, David @ 2015-10-26 17:50 UTC (permalink / raw)
  To: Christopher Allan Webber; +Cc: guix-devel

On Mon, Oct 26, 2015 at 12:23 PM, Christopher Allan Webber
<cwebber@dustycloud.org> wrote:
> David, you are kicking ass on this.  *Thank you* so much for working so
> hard to get this in... I know it was a challenging task, but I think
> this helps pave the way for even greater things!

Thanks for your kind words, Chris!  Much appreciated.

- Dave


* Re: Environment containers
  2015-10-26 14:38   ` Thompson, David
@ 2015-10-27  5:11     ` Alex Vong
  2015-10-27 10:58       ` Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Alex Vong @ 2015-10-27  5:11 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

On 26/10/2015, Thompson, David <dthompson2@worcester.edu> wrote:
> On Mon, Oct 26, 2015 at 10:37 AM, Taylan Ulrich Bayırlı/Kammer
> <taylanbayirli@gmail.com> wrote:
>
>> Also, for Debian 8 users and maybe others, this might help:
>>
>>     sudo sysctl -w kernel.unprivileged_userns_clone=1
>
> Yes, user namespaces are a must-have for this to work.  I will prepare
> patches that mention this in the manual and add a test to 'guix
> environment' that can detect if user namespaces are unavailable and
> display a more helpful error message.
>
I think the patch could be considered a fix for
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21410> as well. What do
you think?

Thanks!

> Thanks for bringing the UX issues to my attention!
>
> - Dave
>
>


* Re: Environment containers
  2015-10-27  5:11     ` Alex Vong
@ 2015-10-27 10:58       ` Ludovic Courtès
  2015-10-28 13:10         ` Alex Vong
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-10-27 10:58 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel

Alex Vong <alexvong1995@gmail.com> skribis:

> On 26/10/2015, Thompson, David <dthompson2@worcester.edu> wrote:
>> On Mon, Oct 26, 2015 at 10:37 AM, Taylan Ulrich Bayırlı/Kammer
>> <taylanbayirli@gmail.com> wrote:
>>
>>> Also, for Debian 8 users and maybe others, this might help:
>>>
>>>     sudo sysctl -w kernel.unprivileged_userns_clone=1
>>
>> Yes, user namespaces are a must-have for this to work.  I will prepare
>> patches that mention this in the manual and add a test to 'guix
>> environment' that can detect if user namespaces are unavailable and
>> display a more helpful error message.
>>
> I think the patch could be considered a fix for
> <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21410> as well. What do
> you think?

Do you still experience the test failures mentioned in that report?  If
not, could you email 21410@debbugs.gnu.org, specifying which commit
works for you?

I suspect 0e3cc31 helped.

Thanks,
Ludo’.


* Re: Environment containers
  2015-10-27 10:58       ` Ludovic Courtès
@ 2015-10-28 13:10         ` Alex Vong
  2015-10-28 14:45           ` bug#21410: " Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Alex Vong @ 2015-10-28 13:10 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410


Hi everyone,

On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> On 26/10/2015, Thompson, David <dthompson2@worcester.edu> wrote:
>>> On Mon, Oct 26, 2015 at 10:37 AM, Taylan Ulrich Bayırlı/Kammer
>>> <taylanbayirli@gmail.com> wrote:
>>>
>>>> Also, for Debian 8 users and maybe others, this might help:
>>>>
>>>>     sudo sysctl -w kernel.unprivileged_userns_clone=1
>>>
>>> Yes, user namespaces are a must-have for this to work.  I will prepare
>>> patches that mention this in the manual and add a test to 'guix
>>> environment' that can detect if user namespaces are unavailable and
>>> display a more helpful error message.
>>>
>> I think the patch could be considered a fix for
>> <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21410> as well. What do
>> you think?
>
> Do you still experience the test failures mentioned in that report?  If
> not, could you email 21410@debbugs.gnu.org, specifying which commit
> works for you?
>
Yes, there are 4 tests still failing with the latest master branch
without unprivileged container.
But there is a new problem, tests/guix-environment-container.sh fails
even when running the tests as root. The test log is in the
attachment. I am running Debian 8; could anyone verify this? I would
also like to try it on Debian unstable, but currently my PC cannot
boot, so I am using my old laptop.

> I suspect 0e3cc31 helped.
>
> Thanks,
> Ludo’.
>

Cheers,
Alex

[-- Attachment #2: guix-environment-container.log --]

+ set -e
+ guix environment --version
warning: daemon is running as root, so using `--build-users-group' is highly recommended
guix environment (GNU Guix) 0.9.0
Copyright (C) 2015 the Guix authors
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
+ tmpdir=t-guix-environment-9613
+ trap 'rm -r "$tmpdir"' EXIT
+ mkdir t-guix-environment-9613
+ guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
accepted connection from pid 9621, user root (trusted)
+ test 42 = 42
+ mount_test_code='
(use-modules (ice-9 rdelim)
             (ice-9 match)
             (srfi srfi-1))

(define mappings
  (filter-map (lambda (line)
                (match (string-split line #\space)
                  ;; Empty line.
                  (("") #f)
                  ;; Ignore these types of file systems.
                  ((_ _ (or "tmpfs" "proc" "sysfs" "devtmpfs"
                            "devpts" "cgroup" "mqueue") _ _ _)
                   #f)
                  ((_ mount _ _ _ _)
                   mount)))
              (string-split (call-with-input-file "/proc/mounts" read-string)
                            #\newline)))

(for-each (lambda (mount)
            (display mount)
            (newline))
          mappings)'
+ guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '
(use-modules (ice-9 rdelim)
             (ice-9 match)
             (srfi srfi-1))

(define mappings
  (filter-map (lambda (line)
                (match (string-split line #\space)
                  ;; Empty line.
                  (("") #f)
                  ;; Ignore these types of file systems.
                  ((_ _ (or "tmpfs" "proc" "sysfs" "devtmpfs"
                            "devpts" "cgroup" "mqueue") _ _ _)
                   #f)
                  ((_ mount _ _ _ _)
                   mount)))
              (string-split (call-with-input-file "/proc/mounts" read-string)
                            #\newline)))

(for-each (lambda (mount)
            (display mount)
            (newline))
          mappings)'
accepted connection from pid 9627, user root (trusted)
++ wc -l
+ test 4 -eq 3
+ rm -r t-guix-environment-9613


* bug#21410: Environment containers
  2015-10-28 13:10         ` Alex Vong
@ 2015-10-28 14:45           ` Ludovic Courtès
  2015-10-28 15:14             ` Alex Vong
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-10-28 14:45 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel, 21410


Alex Vong <alexvong1995@gmail.com> skribis:

> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:

[...]

>> Do you still experience the test failures mentioned in that report?  If
>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>> works for you?
>>
> Yes, there are 4 tests still failing with the latest master branch
> without unprivileged container.

Which tests?  Does tests/container.scm pass?

> But there is a new problem, tests/guix-environment-container.sh fails
> even when running the tests as root. The test log is in the
> attachment.

[...]

> (for-each (lambda (mount)
>             (display mount)
>             (newline))
>           mappings)'
> accepted connection from pid 9627, user root (trusted)
> ++ wc -l
> + test 4 -eq 3

Could you apply the patch below, run:

  make check TESTS=tests/guix-environment-container.sh

and send ‘guix-environment-container.log’?

Also, what does:

  make check TESTS=tests/container.scm

report?

TIA!

Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 356 bytes --]

--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -66,6 +66,7 @@ mount_test_code="
 guix environment --container --ad-hoc --bootstrap guile-bootstrap \
      -- guile -c "$mount_test_code" > $tmpdir/mounts
 
+cat $tmpdir/mounts
 test `wc -l < $tmpdir/mounts` -eq 3
 
 grep -e "$PWD$" $tmpdir/mounts # current directory
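
Review bot: the added ‘cat $tmpdir/mounts’ is a fine diagnostic, but the line right after it, ‘test `wc -l < $tmpdir/mounts` -eq 3’, is the check that fails here (the log reads ‘+ test 4 -eq 3’), and a fixed count is fragile: the Guile snippet the test runs excludes mounts only by file system type, so any extra mount that survives that filter changes the count without anything being wrong. The ‘grep -e "$PWD$" $tmpdir/mounts’ line below already pins down the entry that matters; consider checking for the store items the same way and dropping the count, or at least moving the ‘cat’ into the failure path (‘test ... || { cat "$tmpdir/mounts"; exit 1; }’) so a passing run stays quiet. While there, quote $tmpdir in the redirection and the cat, as the script already does in ‘rm -r "$tmpdir"’.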


* bug#21410: Environment containers
  2015-10-28 14:45           ` bug#21410: " Ludovic Courtès
@ 2015-10-28 15:14             ` Alex Vong
  2015-10-28 15:20               ` Thompson, David
  0 siblings, 1 reply; 29+ messages in thread
From: Alex Vong @ 2015-10-28 15:14 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410


On 28/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>
> [...]
>
>>> Do you still experience the test failures mentioned in that report?  If
>>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>>> works for you?
>>>
>> Yes, there are 4 tests still failing with the latest master branch
>> without unprivileged container.
>
> Which tests?  Does tests/container.scm pass?
>
It doesn't pass if I run as unprivileged user. It passes if I run as
root. I will be mailing the test logs on another mail.

>> But there is a new problem, tests/guix-environment-container.sh fails
>> even when running the tests as root. The test log is in the
>> attachment.
>
> [...]
>
>> (for-each (lambda (mount)
>>             (display mount)
>>             (newline))
>>           mappings)'
>> accepted connection from pid 9627, user root (trusted)
>> ++ wc -l
>> + test 4 -eq 3
>
> Could you apply the patch below, run:
>
>   make check TESTS=tests/guix-environment-container.sh
>
> and send ‘guix-environment-container.log’?
>
Sure! It is in the attachment. (Note that I run the test as root to
bypass the unprivileged container issue.)

> Also, what does:
>
>   make check TESTS=tests/container.scm
>
> report?
>
I will send the test log in another mail.

> TIA!
>
> Ludo’.
>
>

Cheers,
Alex

[-- Attachment #2: guix-environment-container.log --]

+ set -e
+ guix environment --version
warning: daemon is running as root, so using `--build-users-group' is highly recommended
guix environment (GNU Guix) 0.9.0
Copyright (C) 2015 the Guix authors
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
+ tmpdir=t-guix-environment-12182
+ trap 'rm -r "$tmpdir"' EXIT
+ mkdir t-guix-environment-12182
+ guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
accepted connection from pid 12190, user root (trusted)
+ test 42 = 42
+ mount_test_code='
(use-modules (ice-9 rdelim)
             (ice-9 match)
             (srfi srfi-1))

(define mappings
  (filter-map (lambda (line)
                (match (string-split line #\space)
                  ;; Empty line.
                  (("") #f)
                  ;; Ignore these types of file systems.
                  ((_ _ (or "tmpfs" "proc" "sysfs" "devtmpfs"
                            "devpts" "cgroup" "mqueue") _ _ _)
                   #f)
                  ((_ mount _ _ _ _)
                   mount)))
              (string-split (call-with-input-file "/proc/mounts" read-string)
                            #\newline)))

(for-each (lambda (mount)
            (display mount)
            (newline))
          mappings)'
+ guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '
(use-modules (ice-9 rdelim)
             (ice-9 match)
             (srfi srfi-1))

(define mappings
  (filter-map (lambda (line)
                (match (string-split line #\space)
                  ;; Empty line.
                  (("") #f)
                  ;; Ignore these types of file systems.
                  ((_ _ (or "tmpfs" "proc" "sysfs" "devtmpfs"
                            "devpts" "cgroup" "mqueue") _ _ _)
                   #f)
                  ((_ mount _ _ _ _)
                   mount)))
              (string-split (call-with-input-file "/proc/mounts" read-string)
                            #\newline)))

(for-each (lambda (mount)
            (display mount)
            (newline))
          mappings)'
accepted connection from pid 12196, user root (trusted)
+ cat t-guix-environment-12182/mounts
/
/home/alexvong1995/guix
/home/alexvong1995/guix/test-tmp/store/bdg31cb28ki1b0xi4rqrc721hadn3lfw-bash
/home/alexvong1995/guix/test-tmp/store/92vjphkx545ndw82vn4fp9m3xxkv3mzd-guile-bootstrap-2.0
++ wc -l
+ test 4 -eq 3
+ rm -r t-guix-environment-12182


* Re: Environment containers
  2015-10-28 15:14             ` Alex Vong
@ 2015-10-28 15:20               ` Thompson, David
  2015-10-28 15:56                 ` Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Thompson, David @ 2015-10-28 15:20 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel, 21410

On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong <alexvong1995@gmail.com> wrote:
> On 28/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>
>> [...]
>>
>>>> Do you still experience the test failures mentioned in that report?  If
>>>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>>>> works for you?
>>>>
>>> Yes, there are 4 tests still failing with the latest master branch
>>> without unprivileged container.
>>
>> Which tests?  Does tests/container.scm pass?
>>
> It doesn't pass if I run as unprivileged user. It passes if I run as
> root. I will be mailing the test logs on another mail.

This is because Debian doesn't let unprivileged users create user
namespaces without explicitly overriding some configuration.

- Dave


* Re: Environment containers
  2015-10-26  1:27 Environment containers Thompson, David
                   ` (3 preceding siblings ...)
  2015-10-26 16:23 ` Christopher Allan Webber
@ 2015-10-28 15:32 ` Ricardo Wurmus
  2015-10-28 19:09   ` Efraim Flashner
  4 siblings, 1 reply; 29+ messages in thread
From: Ricardo Wurmus @ 2015-10-28 15:32 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel


Thompson, David <dthompson2@worcester.edu> writes:

> Hello Guix hackers,
>
> I am pleased to announce that the patch for adding Linux container
> support to 'guix environment' has just landed in master!

Yay!  Thank you so much for your work on this!

> 2) There are no disk images.  Disk images are opaque blobs that are
> often not reproducible, whereas the items in the Guix store tell you
> the full story of how the software came to be.  Thus, Guix containers
> do not worry at all about the complications involved with layering
> disk images in an overlayfs-style setup.  They are simply not needed.

Beautiful!

~~ Ricardo


* Re: Environment containers
  2015-10-28 15:20               ` Thompson, David
@ 2015-10-28 15:56                 ` Ludovic Courtès
  2015-10-28 16:08                   ` Thompson, David
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-10-28 15:56 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel, 21410

"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong <alexvong1995@gmail.com> wrote:
>> On 28/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>> Alex Vong <alexvong1995@gmail.com> skribis:
>>>
>>>> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>>
>>> [...]
>>>
>>>>> Do you still experience the test failures mentioned in that report?  If
>>>>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>>>>> works for you?
>>>>>
>>>> Yes, there are 4 tests still failing with the latest master branch
>>>> without unprivileged container.
>>>
>>> Which tests?  Does tests/container.scm pass?
>>>
>> It doesn't pass if I run as unprivileged user. It passes if I run as
>> root. I will be mailing the test logs on another mail.
>
> This is because Debian doesn't let unprivileged users create user
> namespaces without explicitly overriding some configuration.

How could we determine whether this restriction is in place?  That would
allow us to skip the test on these systems.

Ludo’.


* Re: Environment containers
  2015-10-28 15:56                 ` Ludovic Courtès
@ 2015-10-28 16:08                   ` Thompson, David
  2015-10-28 16:20                     ` Alex Vong
  2015-10-29 19:24                     ` Ludovic Courtès
  0 siblings, 2 replies; 29+ messages in thread
From: Thompson, David @ 2015-10-28 16:08 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410

On Wed, Oct 28, 2015 at 11:56 AM, Ludovic Courtès <ludo@gnu.org> wrote:
> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
>> On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong <alexvong1995@gmail.com> wrote:
>>> On 28/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>>> Alex Vong <alexvong1995@gmail.com> skribis:
>>>>
>>>>> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>>>
>>>> [...]
>>>>
>>>>>> Do you still experience the test failures mentioned in that report?  If
>>>>>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>>>>>> works for you?
>>>>>>
>>>>> Yes, there are 4 tests still failing with the latest master branch
>>>>> without unprivileged container.
>>>>
>>>> Which tests?  Does tests/container.scm pass?
>>>>
>>> It doesn't pass if I run as unprivileged user. It passes if I run as
>>> root. I will be mailing the test logs on another mail.
>>
>> This is because Debian doesn't let unprivileged users create user
>> namespaces without explicitly overriding some configuration.
>
> How could we determine whether this restriction is in place?  That would
> allow us to skip the test on these systems.

I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
know what the contents are exactly.  0 when off, 1 when on?  Can
someone on Debian confirm?

If we can get the test suite passing, I'd like to extract these user
namespace presence tests to a procedure that 'guix environment' can
use to give the user an informative error message in these cases.

- Dave


* Re: Environment containers
  2015-10-28 16:08                   ` Thompson, David
@ 2015-10-28 16:20                     ` Alex Vong
  2015-10-29 19:24                     ` Ludovic Courtès
  1 sibling, 0 replies; 29+ messages in thread
From: Alex Vong @ 2015-10-28 16:20 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel, 21410

On 29/10/2015, Thompson, David <dthompson2@worcester.edu> wrote:
> On Wed, Oct 28, 2015 at 11:56 AM, Ludovic Courtès <ludo@gnu.org> wrote:
>> "Thompson, David" <dthompson2@worcester.edu> skribis:
>>
>>> On Wed, Oct 28, 2015 at 11:14 AM, Alex Vong <alexvong1995@gmail.com>
>>> wrote:
>>>> On 28/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>>>> Alex Vong <alexvong1995@gmail.com> skribis:
>>>>>
>>>>>> On 27/10/2015, Ludovic Courtès <ludo@gnu.org> wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>> Do you still experience the test failures mentioned in that report?
>>>>>>> If
>>>>>>> not, could you email 21410@debbugs.gnu.org, specifying which commit
>>>>>>> works for you?
>>>>>>>
>>>>>> Yes, there are 4 tests still failing with the latest master branch
>>>>>> without unprivileged container.
>>>>>
>>>>> Which tests?  Does tests/container.scm pass?
>>>>>
>>>> It doesn't pass if I run as unprivileged user. It passes if I run as
>>>> root. I will be mailing the test logs on another mail.
>>>
>>> This is because Debian doesn't let unprivileged users create user
>>> namespaces without explicitly overriding some configuration.
>>
>> How could we determine whether this restriction is in place?  That would
>> allow us to skip the test on these systems.
>
> I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
> know what the contents are exactly.  0 when off, 1 when on?  Can
> someone on Debian confirm?
>
Yes, I think that's the case.
Before I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 0.
After I run `$ sysctl -w kernel.unprivileged_userns_clone=1',
`$ cat /proc/sys/kernel/unprivileged_userns_clone' returns 1.

> If we can get the test suite passing, I'd like to extract these user
> namespace presence tests to a procedure that 'guix environment' can
> use to give the user an informative error message in these cases.
>
> - Dave
>


* Re: Environment containers
  2015-10-28 15:32 ` Ricardo Wurmus
@ 2015-10-28 19:09   ` Efraim Flashner
  2015-10-29 12:36     ` Thompson, David
  0 siblings, 1 reply; 29+ messages in thread
From: Efraim Flashner @ 2015-10-28 19:09 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel


On Wed, 28 Oct 2015 16:32:54 +0100
Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> wrote:

> Thompson, David <dthompson2@worcester.edu> writes:
> 
> > Hello Guix hackers,
> >
> > I am pleased to announce that the patch for adding Linux container
> > support to 'guix environment' has just landed in master!  
> 
> Yay!  Thank you so much for your work on this!
> 
> > 2) There are no disk images.  Disk images are opaque blobs that are
> > often not reproducible, whereas the items in the Guix store tell you
> > the full story of how the software came to be.  Thus, Guix containers
> > do not worry at all about the complications involved with layering
> > disk images in an overlayfs-style setup.  They are simply not needed.  
> 
> Beautiful!

agreed.

efraim@debian-netbook:~$ ls -la /gnu/store/*sh
-r-xr-xr-x 27 root root         1425560 Jan  1  1970 /gnu/store/gvwf71vddp8c1d7ydqg02p43mgdjrx6s-bash
-r--r--r--  2 root root            1153 Jan  1  1970 /gnu/store/jd51fxgzf2bj3v9naliq44vgcib06ay9-build-bootstrap-guile.sh
-r-xr-xr-x 27 root root         1351732 Jan  1  1970 /gnu/store/mzfkrxd4w8vqrmyrx169wj8wyw7r8i37-bash
-r--r--r--  2 root root            1153 Jan  1  1970 /gnu/store/x06d80rn9lxbh3305pkizf4k2dswsbn1-build-bootstrap-guile.sh
-r-xr-xr-x  2 root guix-builder     765 Jan  1  1970 /gnu/store/zrnjijsg19f52ficwlk4n5cccf6smhya-run-vm.sh

765 bytes is the smallest VM I've ever seen :)


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* Re: Environment containers
  2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
  2015-10-26 14:38   ` Thompson, David
@ 2015-10-29 10:25   ` Taylan Ulrich Bayırlı/Kammer
  1 sibling, 0 replies; 29+ messages in thread
From: Taylan Ulrich Bayırlı/Kammer @ 2015-10-29 10:25 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

taylanbayirli@gmail.com (Taylan Ulrich "Bayırlı/Kammer") writes:

> After some PEBKAC David helped me sort out over IRC, I got this running.
> Thanks! :-)

I just (partly) figured out the reason for one of the mysterious problems
I was encountering.

taylan@T420:~$ cd ~
taylan@T420:~$ guix environment --container --ad-hoc bash -- bash -c 'echo foo' || echo FAIL
FAIL
taylan@T420:~$ mkdir TEST; cd TEST
taylan@T420:~/TEST$ guix environment --container --ad-hoc bash -- bash -c 'echo foo' || echo FAIL
foo
taylan@T420:~/TEST$

When I use strace -f, I see the following in the failing variant:

mount("/home/taylan", "/tmp/guix-directory.wfzVlc//home/taylan", 0x17db9f0, MS_BIND, NULL) = -1 EINVAL (Invalid argument)

The two directories have the exact same permission bits (0755), UID, and
GID, as per stat(1).

When I create another directory with the same owner and permissions in
/home, it works fine there.

/home/taylan has some mount-points of its own, e.g. ~/media is a
mount-point.  My best guess is that it's related to that.  /home/taylan
itself is not a mount-point, FYI.


I wish C had a proper error reporting system. :-)

Taylan


* Re: Environment containers
  2015-10-28 19:09   ` Efraim Flashner
@ 2015-10-29 12:36     ` Thompson, David
  0 siblings, 0 replies; 29+ messages in thread
From: Thompson, David @ 2015-10-29 12:36 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: guix-devel

On Wed, Oct 28, 2015 at 3:09 PM, Efraim Flashner <efraim@flashner.co.il> wrote:

> efraim@debian-netbook:~$ ls -la /gnu/store/*sh
> -r-xr-xr-x 27 root root         1425560 Jan  1  1970 /gnu/store/gvwf71vddp8c1d7ydqg02p43mgdjrx6s-bash
> -r--r--r--  2 root root            1153 Jan  1  1970 /gnu/store/jd51fxgzf2bj3v9naliq44vgcib06ay9-build-bootstrap-guile.sh
> -r-xr-xr-x 27 root root         1351732 Jan  1  1970 /gnu/store/mzfkrxd4w8vqrmyrx169wj8wyw7r8i37-bash
> -r--r--r--  2 root root            1153 Jan  1  1970 /gnu/store/x06d80rn9lxbh3305pkizf4k2dswsbn1-build-bootstrap-guile.sh
> -r-xr-xr-x  2 root guix-builder     765 Jan  1  1970 /gnu/store/zrnjijsg19f52ficwlk4n5cccf6smhya-run-vm.sh
>
> 765 bytes is the smallest VM I've ever seen :)

Do note that this is just a *script* to boot a virtual machine, which
is completely different from the scripts that boot GuixSD containers.
What you're not seeing in that directory listing is the disk image
that was generated for qemu to boot.  Guix environment containers do
not generate scripts like this.

- Dave


* Re: Environment containers
  2015-10-28 16:08                   ` Thompson, David
  2015-10-28 16:20                     ` Alex Vong
@ 2015-10-29 19:24                     ` Ludovic Courtès
  2015-10-29 19:25                       ` Thompson, David
  1 sibling, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-10-29 19:24 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel, 21410

"Thompson, David" <dthompson2@worcester.edu> skribis:

> I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
> know what the contents are exactly.  0 when off, 1 when on?  Can
> someone on Debian confirm?
>
> If we can get the test suite passing, I'd like to extract these user
> namespace presence tests to a procedure that 'guix environment' can
> use to give the user an informative error message in these cases.

That would be perfect.

The test machinery would still need to test them explicitly, though, to
mark tests as skipped instead of failed.

Ludo’.
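An added example, written here and not Guix code, of the check Dave proposes (read the Debian sysctl Alex confirmed) together with the run-or-skip decision Ludo asks for: an explicit "0" in the sysctl, or a refused namespace creation, maps to Automake's exit status 77, anything unknown lets the test run so a real regression still fails. The sysctl path is passed as a parameter so a constructed file can stand in for /proc, and the unshare(1) probe and the message wording are my assumptions.

```shell
#!/bin/sh
# Added example, not Guix code: the user-namespace check Dave proposes and
# the run-or-skip decision Ludo asks for.  The sysctl path is a parameter
# (assumption: so a constructed file can stand in for /proc in tests).

USERNS_SYSCTL=/proc/sys/kernel/unprivileged_userns_clone

# userns_sysctl_state [FILE]
# Prints "enabled" if FILE reads 1, "disabled" if it reads 0, and "absent"
# when the file does not exist or holds anything else.  The file is Debian
# specific: on other kernels "absent" carries no information either way.
userns_sysctl_state() {
    file=${1:-$USERNS_SYSCTL}
    if [ ! -r "$file" ]; then
        echo absent
        return 0
    fi
    case $(cat "$file" 2>/dev/null) in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo absent ;;
    esac
}

# userns_probe
# Tries to create a user namespace for real with unshare(1) (assumption: the
# util-linux tool is present).  Returns 0 on success, 1 if the kernel refuses,
# 2 if unshare is not installed and nothing can be concluded.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true >/dev/null 2>&1 && return 0
    return 1
}

# userns_test_verdict STATE PROBE
# Prints the exit status a test needing user namespaces should use: 77 (the
# Automake "skipped" status) only when the sysctl is explicitly off or the
# probe was refused; an unknown state lets the test run so that a genuine
# regression still surfaces as FAIL instead of hiding behind SKIP.
userns_test_verdict() {
    state=$1
    probe=$2
    if [ "$state" = disabled ] || [ "$probe" = 1 ]; then
        echo 77
    else
        echo 0
    fi
}

# userns_hint STATE
# The message 'guix environment' could print instead of a bare failure,
# worded after the error in Alex's test log.
userns_hint() {
    case $1 in
        disabled)
            echo "unprivileged user cannot create user namespaces;"
            echo "please set $USERNS_SYSCTL to \"1\"" ;;
        absent)
            echo "$USERNS_SYSCTL not present; cannot tell whether user namespaces are allowed" ;;
        *)
            echo "user namespaces appear to be available" ;;
    esac
}

# Stand-alone run: report on the current host.
state=$(userns_sysctl_state)
probe=0
userns_probe || probe=$?
echo "sysctl: $state  probe: $probe  verdict: $(userns_test_verdict "$state" "$probe")"
userns_hint "$state"
```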


* Re: Environment containers
  2015-10-29 19:24                     ` Ludovic Courtès
@ 2015-10-29 19:25                       ` Thompson, David
  2015-11-20 14:51                         ` bug#21410: " Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Thompson, David @ 2015-10-29 19:25 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410

On Thu, Oct 29, 2015 at 3:24 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> "Thompson, David" <dthompson2@worcester.edu> skribis:
>
>> I think it is /proc/sys/kernel/unprivileged_userns_clone, but I don't
>> know what the contents are exactly.  0 when off, 1 when on?  Can
>> someone on Debian confirm?
>>
>> If we can get the test suite passing, I'd like to extract these user
>> namespace presence tests to a procedure that 'guix environment' can
>> use to give the user an informative error message in these cases.
>
> That would be perfect.
>
> The test machinery would still need to test them explicitly, though, to
> mark tests as skipped instead of failed.

Yes, of course.  I have no intention of removing those checks from the tests.

- Dave


* Re: bug#21410: Environment containers
  2015-10-29 19:25                       ` Thompson, David
@ 2015-11-20 14:51                         ` Ludovic Courtès
  2015-11-21 13:36                           ` Alex Vong
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-11-20 14:51 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel, 21410

What’s the status of this now?  I would think b7d48312 addressed at
least part of it?

Alex: Are you still getting test failures with current ‘master’?

TIA,
Ludo’.


* Re: bug#21410: Environment containers
  2015-11-20 14:51                         ` bug#21410: " Ludovic Courtès
@ 2015-11-21 13:36                           ` Alex Vong
  2015-11-21 15:57                             ` Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Alex Vong @ 2015-11-21 13:36 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410


Hi,

On 20/11/2015, Ludovic Courtès <ludo@gnu.org> wrote:
> What’s the status of this now?  I would think b7d48312 addressed at
> least part of it?
>
> Alex: Are you still getting test failures with current ‘master’?
>
> TIA,
> Ludo’.
>

Yes, I still get a test failure with the latest master branch, the
test log is in the attachment.

Cheers,
Alex

[-- Attachment #2: test-suite.log --]
[-- Type: text/x-log, Size: 1342 bytes --]

======================================
   GNU Guix 0.9.0: ./test-suite.log
======================================

# TOTAL: 54
# PASS:  52
# SKIP:  1
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

SKIP: tests/containers
======================

;;; note: source file ./srfi/srfi-64.scm
;;;       newer than compiled /gnu/store/5i87jzm90nw8j692y7z1j2qfx16h6ni3-guile-2.0.11/lib/guile/2.0/ccache/srfi/srfi-64.go
SKIP tests/containers.scm (exit status: 77)

FAIL: tests/guix-environment-container
======================================

+ set -e
+ guix environment --version
guix environment (GNU Guix) 0.9.0
Copyright (C) 2015 the Guix authors
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
+ tmpdir=t-guix-environment-29930
+ trap 'rm -r "$tmpdir"' EXIT
+ mkdir t-guix-environment-29930
+ guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
+ test 1 = 42
+ rm -r t-guix-environment-29930
FAIL tests/guix-environment-container.sh (exit status: 1)



* Re: bug#21410: Environment containers
  2015-11-21 13:36                           ` Alex Vong
@ 2015-11-21 15:57                             ` Ludovic Courtès
  2015-11-21 17:47                               ` Mathieu Lirzin
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-11-21 15:57 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel, 21410


Alex Vong <alexvong1995@gmail.com> skribis:

> FAIL: tests/guix-environment-container
> ======================================
>
> + set -e
> + guix environment --version
> guix environment (GNU Guix) 0.9.0
> Copyright (C) 2015 the Guix authors
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> + tmpdir=t-guix-environment-29930
> + trap 'rm -r "$tmpdir"' EXIT
> + mkdir t-guix-environment-29930
> + guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
> guix environment: error: cannot create container: unprivileged user cannot create user namespaces
> guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

Oh I see, that part fell through the cracks.

Could you confirm that the test is skipped with the attached patch?

TIA!

Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 365 bytes --]

--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -24,6 +24,12 @@ set -e
 
 guix environment --version
 
+if ! guile -c '((@@ (guix scripts environment) assert-container-features))'
+then
+    # User containers are not supported; skip this test.
+    exit 77
+fi
+
 tmpdir="t-guix-environment-$$"
 trap 'rm -r "$tmpdir"' EXIT
 
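Review bot: the skip condition `if ! guile -c '((@@ (guix scripts environment) assert-container-features))'` treats every non-zero exit from guile as "containers unsupported", so a failure unrelated to namespaces (the Guix modules not on the load path, a compile error in (guix scripts environment), guile absent from PATH) turns what should be a FAIL into a silent `exit 77` skip. Consider tying the skip to the expected condition only, for instance by having the Scheme snippet catch the error assert-container-features raises and exit with a distinct status that the shell then tests for, while any other error propagates as a failure. The `@@` also reaches into a private binding; exporting assert-container-features, or a boolean predicate beside it, would make the test's dependency on it explicit.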


* Re: bug#21410: Environment containers
  2015-11-21 15:57                             ` Ludovic Courtès
@ 2015-11-21 17:47                               ` Mathieu Lirzin
  2015-11-21 21:27                                 ` Ludovic Courtès
  0 siblings, 1 reply; 29+ messages in thread
From: Mathieu Lirzin @ 2015-11-21 17:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 21410

ludo@gnu.org (Ludovic Courtès) writes:

>
>> FAIL: tests/guix-environment-container
>> ======================================
>>
>> + set -e
>> + guix environment --version
>> guix environment (GNU Guix) 0.9.0
>> Copyright (C) 2015 the Guix authors
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>> + tmpdir=t-guix-environment-29930
>> + trap 'rm -r "$tmpdir"' EXIT
>> + mkdir t-guix-environment-29930
>> + guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
>> guix environment: error: cannot create container: unprivileged user cannot create user namespaces
>> guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> Oh I see, that part fell through the cracks.
>
> Could you confirm that the test is skipped with the attached patch?

This test was failing on my system too, and it is skipped successfully
with this patch.

--
Mathieu Lirzin


* Re: bug#21410: Environment containers
  2015-11-21 17:47                               ` Mathieu Lirzin
@ 2015-11-21 21:27                                 ` Ludovic Courtès
  2015-11-23 15:08                                   ` Alex Vong
  0 siblings, 1 reply; 29+ messages in thread
From: Ludovic Courtès @ 2015-11-21 21:27 UTC (permalink / raw)
  To: Mathieu Lirzin; +Cc: guix-devel, 21410-done

Mathieu Lirzin <mthl@gnu.org> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>>
>>> FAIL: tests/guix-environment-container
>>> ======================================
>>>
>>> + set -e
>>> + guix environment --version
>>> guix environment (GNU Guix) 0.9.0
>>> Copyright (C) 2015 the Guix authors
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.
>>> + tmpdir=t-guix-environment-29930
>>> + trap 'rm -r "$tmpdir"' EXIT
>>> + mkdir t-guix-environment-29930
>>> + guix environment --container --ad-hoc --bootstrap guile-bootstrap -- guile -c '(exit 42)'
>>> guix environment: error: cannot create container: unprivileged user cannot create user namespaces
>>> guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>>
>> Oh I see, that part fell through the cracks.
>>
>> Could you confirm that the test is skipped with the attached patch?
>
> this test was failing on my system too, and it is skipped successfully
> with this patch.

Thanks, pushed as 6493fd0.

Ludo’.


* Re: bug#21410: Environment containers
  2015-11-21 21:27                                 ` Ludovic Courtès
@ 2015-11-23 15:08                                   ` Alex Vong
  0 siblings, 0 replies; 29+ messages in thread
From: Alex Vong @ 2015-11-23 15:08 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Sorry for the late reply. I can confirm the two tests are now skipped with
the latest master.

Cheers,
Alex

On 22/11/2015, Ludovic Courtès <ludo@gnu.org> wrote:
> Mathieu Lirzin <mthl@gnu.org> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>>
>>>> FAIL: tests/guix-environment-container
>>>> ======================================
>>>>
>>>> + set -e
>>>> + guix environment --version
>>>> guix environment (GNU Guix) 0.9.0
>>>> Copyright (C) 2015 the Guix authors
>>>> License GPLv3+: GNU GPL version 3 or later
>>>> <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law.
>>>> + tmpdir=t-guix-environment-29930
>>>> + trap 'rm -r "$tmpdir"' EXIT
>>>> + mkdir t-guix-environment-29930
>>>> + guix environment --container --ad-hoc --bootstrap guile-bootstrap --
>>>> guile -c '(exit 42)'
>>>> guix environment: error: cannot create container: unprivileged user
>>>> cannot create user namespaces
>>>> guix environment: error: please set
>>>> /proc/sys/kernel/unprivileged_userns_clone to "1"
>>>
>>> Oh I see, that part fell through the cracks.
>>>
>>> Could you confirm that the test is skipped with the attached patch?
>>
>> this test was failing on my system too, and it is skipped successfully
>> with this patch.
>
> Thanks, pushed as 6493fd0.
>
> Ludo’.
>

