Date: Sun, 22 Nov 2020 17:00:55 +0100
From: Danny Milosavljevic
To: Ludovic Courtès
Subject: Re: /etc/passwd & co. in Docker images
Message-ID: <20201122165841.348c802a@scratchpost.org>
In-Reply-To: <874klkfej4.fsf_-_@gnu.org>
Cc: guix-devel@gnu.org, Ryan Prior

Hi Ludo,

On Fri, 20 Nov 2020 12:34:07 +0100
Ludovic Courtès wrote:

> Danny Milosavljevic wrote:
>
> > After Ryan Prior's E-Mail I'm pretty sure my workaround of creating /tmp,
> > /etc/passwd, /etc/group etc is what Docker actually expects one to do.
>
> I’ve been pondering whether to create those files in ‘guix pack -f
> docker’ and…
>
> > ADD etc/passwd /etc
> > ADD etc/group /etc
> > ADD etc/services /etc
> > ADD with-guix-daemon.scm /
> > RUN ["/usr/local/bin/guix", "repl", "/set-mtimes.scm"]
>
> … what you’re doing here suggests that ‘guix pack’ should indeed create
> those files.
>
> Thoughts?

If guix pack can be used to put multiple packages into one pack, are then packs
like profiles, or would that be too much?

Because the question is what to do if you invoke

  guix pack -f docker guix postgresql

Both need user accounts--and thus the total required user accounts (and thus
the contents of /etc/passwd) are the union of the respective required user
accounts of both packages.

So someone needs to merge those, and for that the packages need to require
these user accounts in the first place.

But usually in Guix it's Guix *services* that require user accounts and not
Guix packages. (which makes sense!)

So I would suggest that

  guix system docker-image ...

create /etc/passwd by merging the required user accounts like described above,
but

  guix pack -f docker a b c

really can't do that. I mean where would it know the requirements from?

But creating /tmp with the right permissions should be easy enough (?).

That leaves how we want to do a Guix release to a Docker registry.

I think if you pack guix-the-package-manager, the question is whether there are
scenarios (100% offloading for example) that allow you to use guix without the
guix daemon also running inside the docker container. If so, it doesn't make
sense to add /etc/passwd and /etc/services and so on for guix-daemon in the
guix pack case, especially since it singles out one Guix package, guix, for
special consideration. Then you'd use the guix pack'ed image for using
guix-the-package-manager with 100% offload.

We should release a minimal guix-the-operating-system to a docker registry so
the guix-daemon also works (i.e. built using guix system docker-image). You'd
use this Docker system image when you want to use both guix and guix-daemon.

Are there any downsides to just using a trimmed-down operating-system
definition in order to have a docker image with a working guix-daemon?

Or we can instead add a static /etc/passwd in Docker after the fact and then
release that to a Docker registry--that's what guix-on-docker does now (though
that doubles the size of the result because Docker is being silly).
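The union of required user accounts and the /tmp permissions discussed in the message above, as an added example that is not part of the original e-mail and is not Guix's own code. The account names, UIDs, home and shell paths, and all function names are assumptions made for illustration; conflicting requirements are rejected instead of being merged silently.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str = "/var/empty"
    shell: str = "/sbin/nologin"  # assumed path; service accounts get no login shell

# Constructed sample requirements (names and IDs are illustrative, not Guix's own).
ROOT = Account("root", 0, 0, "/root", "/bin/sh")
GUIX_DAEMON = [ROOT, Account("guixbuilder01", 30001, 30000),
               Account("guixbuilder02", 30002, 30000)]
POSTGRESQL = [ROOT, Account("postgres", 990, 990, "/var/lib/postgresql")]

def merge_accounts(*requirements):
    """Union of account lists; identical duplicates collapse, conflicts raise."""
    by_name, by_uid = {}, {}
    for required in requirements:
        for acct in required:
            seen = by_name.get(acct.name)
            if seen is not None and seen != acct:
                raise ValueError(f"conflicting definitions for user {acct.name!r}")
            owner = by_uid.get(acct.uid)
            if owner is not None and owner.name != acct.name:
                raise ValueError(f"uid {acct.uid} claimed by {owner.name!r} and {acct.name!r}")
            by_name[acct.name] = by_uid[acct.uid] = acct
    return sorted(by_name.values(), key=lambda a: a.uid)

def render_passwd(accounts):
    """passwd(5) lines; 'x' in the password field means no hash is stored here."""
    return "".join(f"{a.name}:x:{a.uid}:{a.gid}::{a.home}:{a.shell}\n" for a in accounts)

def stage_rootfs(root, accounts):
    """Write etc/passwd and a sticky, world-writable tmp under a staging dir."""
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write(render_passwd(accounts))
    tmp = os.path.join(root, "tmp")
    os.makedirs(tmp, exist_ok=True)
    os.chmod(tmp, 0o1777)  # sticky bit: users cannot delete each other's files
    return stat.S_IMODE(os.stat(tmp).st_mode)

if __name__ == "__main__":
    print(render_passwd(merge_accounts(GUIX_DAEMON, POSTGRESQL)), end="")
```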