unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Using Guix inside a Guix container
@ 2023-02-03 16:52 Konrad Hinsen
  2023-02-03 17:35 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Konrad Hinsen @ 2023-02-03 16:52 UTC (permalink / raw)
  To: Guix Devel

Hi Guix,

I have been playing with nested Guix containers recently, with some
suprising findings, and I am wondering if what I am doing is considered
officially supported or not.

First: why? My use case is scientific workflows, for example using
snakemake. I want to run my workflows in Guix containers, for
reproducibility plus other reasons. But my workflows run other programs
in their tasks (basically just "shelling out"), and those tasks may use
their own Guix containers.

Superficially, this works fine if I add the "guix" package to my "outer"
container and expose the store plus the daemon's socket:

    guix shell -C guix \
      --expose=/var/guix/daemon-socket/socket \
      --expose=/gnu/store \
      -- \
      guix shell -C coreutils -- ls /

But now for the first surprise:

   $ guix describe
   Generation 35	janv. 19 2023 12:34:57	(current)
     guix 8221cb6
       repository URL: https://git.savannah.gnu.org/git/guix.git
       branch: master
       commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5

   $ guix shell -C guix -- guix describe
     guix 9fe5b49
       repository URL: https://git.savannah.gnu.org/git/guix.git
       branch: master
       commit: 9fe5b490df83ff32e2e0a604bf636eca48b9e240

The Guix in my container is an older one, apparently the 1.4.0 release.
Why? Can I change this?

My first attempt was time-machine:

    guix shell -C -N guix nss-certs \
      --expose=/var/guix/daemon-socket/socket \
      --expose=/gnu/store \
      -- \
      guix time-machine -C channels.scm -- describe

   Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
   Authenticating channel 'guix', commits 9edb3f6 to 8221cb6 (331 new commits)...
   Computing Guix derivation for 'x86_64-linux'... |
     guix 8221cb6
       repository URL: https://git.savannah.gnu.org/git/guix.git
       branch: master
       commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5

Great! Except that every time I run this command, it does the channel
update from scratch, so it's prohibitively slow. Sharing
${HOME}/.cache/guix seems to fix that. So... finally...

    guix shell -C -N guix nss-certs \
      --expose=/var/guix/daemon-socket/socket \
      --expose=/gnu/store \
      --share=${HOME}/.cache/guix \
      -- \
      guix time-machine -C channels.scm \
      -- \
      shell -C coreutils \
      -- \
      ls /

     guix shell: error: mount: mount "none" on
     "/tmp/guix-directory.vpOEDC/sys": Operation not permitted

Now I am lost. It doesn't matter which command I put on the last line,
it's creating a container via time-machine running in another container
that leads to the error.

Any ideas?

Cheers,
  Konrad.


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-03 16:52 Using Guix inside a Guix container Konrad Hinsen
@ 2023-02-03 17:35 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
  2023-02-13 11:21 ` James Thomas
  2023-02-21 22:50 ` Ludovic Courtès
  2 siblings, 0 replies; 10+ messages in thread
From: Wojtek Kosior via Development of GNU Guix and the GNU System distribution. @ 2023-02-03 17:35 UTC (permalink / raw)
  To: Konrad Hinsen; +Cc: Guix Devel

[-- Attachment #1: Type: text/plain, Size: 3899 bytes --]

Hi Konrad,

I wanted to try specifying currently used version of Guix in some other
way to avoid computing Guix inside the container. I tested first
without a container

guix shell -e '((@ (gnu packages package-management) current-guix))' -- guix describe

and the result is also bad — it still tries to compute Guix from
scratch every time.

So it seems exposing of folders is unlikely to help here because the
problem lies elsewhere :/

Perhaps someone else will be able to give a solution?

Wojtek


-- (sig_start)
website: https://koszko.org/koszko.html
PGP: https://koszko.org/key.gpg
fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)


On Fri, 03 Feb 2023 17:52:22 +0100
Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> Hi Guix,
> 
> I have been playing with nested Guix containers recently, with some
> suprising findings, and I am wondering if what I am doing is considered
> officially supported or not.
> 
> First: why? My use case is scientific workflows, for example using
> snakemake. I want to run my workflows in Guix containers, for
> reproducibility plus other reasons. But my workflows run other programs
> in their tasks (basically just "shelling out"), and those tasks may use
> their own Guix containers.
> 
> Superficially, this works fine if I add the "guix" package to my "outer"
> container and expose the store plus the daemon's socket:
> 
>     guix shell -C guix \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       -- \
>       guix shell -C coreutils -- ls /
> 
> But now for the first surprise:
> 
>    $ guix describe
>    Generation 35	janv. 19 2023 12:34:57	(current)
>      guix 8221cb6
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5
> 
>    $ guix shell -C guix -- guix describe
>      guix 9fe5b49
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 9fe5b490df83ff32e2e0a604bf636eca48b9e240
> 
> The Guix in my container is an older one, apparently the 1.4.0 release.
> Why? Can I change this?
> 
> My first attempt was time-machine:
> 
>     guix shell -C -N guix nss-certs \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       -- \
>       guix time-machine -C channels.scm -- describe
> 
>    Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>    Authenticating channel 'guix', commits 9edb3f6 to 8221cb6 (331 new commits)...
>    Computing Guix derivation for 'x86_64-linux'... |
>      guix 8221cb6
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5
> 
> Great! Except that every time I run this command, it does the channel
> update from scratch, so it's prohibitively slow. Sharing
> ${HOME}/.cache/guix seems to fix that. So... finally...
> 
>     guix shell -C -N guix nss-certs \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       --share=${HOME}/.cache/guix \
>       -- \
>       guix time-machine -C channels.scm \
>       -- \
>       shell -C coreutils \
>       -- \
>       ls /
> 
>      guix shell: error: mount: mount "none" on
>      "/tmp/guix-directory.vpOEDC/sys": Operation not permitted
> 
> Now I am lost. It doesn't matter which command I put on the last line,
> it's creating a container via time-machine running in another container
> that leads to the error.
> 
> Any ideas?
> 
> Cheers,
>   Konrad.
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-03 16:52 Using Guix inside a Guix container Konrad Hinsen
  2023-02-03 17:35 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
@ 2023-02-13 11:21 ` James Thomas
  2023-02-13 12:35   ` Jim
  2023-02-15  9:49   ` Konrad Hinsen
  2023-02-21 22:50 ` Ludovic Courtès
  2 siblings, 2 replies; 10+ messages in thread
From: James Thomas @ 2023-02-13 11:21 UTC (permalink / raw)
  To: Konrad Hinsen; +Cc: Guix Devel

Konrad Hinsen wrote:

> Hi Guix,
>
> I have been playing with nested Guix containers recently, with some
> suprising findings, and I am wondering if what I am doing is considered
> officially supported or not.
>
> First: why? My use case is scientific workflows, for example using
> snakemake. I want to run my workflows in Guix containers, for
> reproducibility plus other reasons. But my workflows run other programs
> in their tasks (basically just "shelling out"), and those tasks may use
> their own Guix containers.
>
> Superficially, this works fine if I add the "guix" package to my "outer"
> container and expose the store plus the daemon's socket:
>
>     guix shell -C guix \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       -- \
>       guix shell -C coreutils -- ls /
>
> But now for the first surprise:
>
>    $ guix describe
>    Generation 35	janv. 19 2023 12:34:57	(current)
>      guix 8221cb6
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5
>
>    $ guix shell -C guix -- guix describe
>      guix 9fe5b49
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 9fe5b490df83ff32e2e0a604bf636eca48b9e240
>
> The Guix in my container is an older one, apparently the 1.4.0 release.
> Why? Can I change this?

Makes sense to me, because the guix package definition was only updated
with the new release (see 'guix edit guix'). Maybe you can try:

  guix shell -C guix --with-version=guix=VERSION -- guix describe

Or --with-commit etc.

>
> My first attempt was time-machine:
>
>     guix shell -C -N guix nss-certs \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       -- \
>       guix time-machine -C channels.scm -- describe
>
>    Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>    Authenticating channel 'guix', commits 9edb3f6 to 8221cb6 (331 new commits)...
>    Computing Guix derivation for 'x86_64-linux'... |
>      guix 8221cb6
>        repository URL: https://git.savannah.gnu.org/git/guix.git
>        branch: master
>        commit: 8221cb6d2ae5624829bf514d25ae234c073e35d5
>
> Great! Except that every time I run this command, it does the channel
> update from scratch, so it's prohibitively slow. Sharing
> ${HOME}/.cache/guix seems to fix that. So... finally...
>
>     guix shell -C -N guix nss-certs \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       --share=${HOME}/.cache/guix \
>       -- \
>       guix time-machine -C channels.scm \
>       -- \
>       shell -C coreutils \
>       -- \
>       ls /
>
>      guix shell: error: mount: mount "none" on
>      "/tmp/guix-directory.vpOEDC/sys": Operation not permitted

Maybe --expose tmp is needed in the outer container.

--


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-13 11:21 ` James Thomas
@ 2023-02-13 12:35   ` Jim
  2023-02-15  9:49   ` Konrad Hinsen
  1 sibling, 0 replies; 10+ messages in thread
From: Jim @ 2023-02-13 12:35 UTC (permalink / raw)
  To: Konrad Hinsen; +Cc: Guix Devel

James Thomas wrote:

>   guix shell -C guix --with-version=guix=VERSION -- guix describe

Or even:

  guix shell -C -p /var/guix/profiles/per-user/.../current-guix -- guix
describe

--


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-13 11:21 ` James Thomas
  2023-02-13 12:35   ` Jim
@ 2023-02-15  9:49   ` Konrad Hinsen
  2023-02-17 15:41     ` Simon Tournier
  1 sibling, 1 reply; 10+ messages in thread
From: Konrad Hinsen @ 2023-02-15  9:49 UTC (permalink / raw)
  To: Guix Devel, James Thomas, Jim

James Thomas <jimjoe@gmx.net> writes:

> Makes sense to me, because the guix package definition was only updated
> with the new release (see 'guix edit guix'). Maybe you can try:

Indeed. That's at least an explanation, though I still don't see *why*
it is done this way. In fact, the role of the package "guix" isn't
really clear to me.\

>   guix shell -C guix --with-version=guix=VERSION -- guix describe
>
> Or --with-commit etc.

That's an interesting idea! I could also define my own package (in a
file) called "guix-current" or something like that, which inherits from
"guix" and updates the commit.


Jim <jimplyl@outlook.com> writes:

> Or even:
>
>   guix shell -C -p /var/guix/profiles/per-user/.../current-guix -- guix
> describe

That would create a container from the Guix profile. Not sure if this
works at all, but it's very probably not what I want because I have to
add other packages to my container, to get some real work done :-)

Thanks to both of you for your suggestions!

Cheers,
  Konrad


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-15  9:49   ` Konrad Hinsen
@ 2023-02-17 15:41     ` Simon Tournier
  2023-02-18  9:21       ` Konrad Hinsen
  0 siblings, 1 reply; 10+ messages in thread
From: Simon Tournier @ 2023-02-17 15:41 UTC (permalink / raw)
  To: Konrad Hinsen, Guix Devel, James Thomas, Jim

Hi Konrad,

On mer., 15 févr. 2023 at 10:49, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> That would create a container from the Guix profile. Not sure if this
> works at all, but it's very probably not what I want because I have to
> add other packages to my container, to get some real work done :-)

I am sure you have good reasons for doing this and I am lacking
imagination to find them. :-)

Which part of Guix do you need inside the containerized shell that you
cannot do outside?

Basically, you are authorizing the inside Guix to behave with the same
permissions as the outside Guix; therefore, why this dance?

Well, I understand the needs for running inside a containerized shell:
restricted permissions on filestystem, use of --emulate-fhs for allowing
untrusted binaries, etc.

But I miss what is the need to run Guix inside a containerized shell
where it has the permissions as the non-containerized shell.

Considering your use-case with Snakemake, what I am doing is to wrap
each rule with one containerized Guix shell which controls the
permissions, rule by rule; or a big containerized shell:

    guix shell -C -m manifest.scm --expose=…

where manifest.scm contains the tools of each rule and snakemake.

Could you provide some details about why you also need Guix?

Cheers,
simon


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-17 15:41     ` Simon Tournier
@ 2023-02-18  9:21       ` Konrad Hinsen
  2023-03-13 12:52         ` Simon Tournier
  0 siblings, 1 reply; 10+ messages in thread
From: Konrad Hinsen @ 2023-02-18  9:21 UTC (permalink / raw)
  To: Simon Tournier, Guix Devel

Hi Simon,

> Which part of Guix do you need inside the containerized shell that you
> cannot do outside?

That's not the right question. There's always a way to do what I want to
do outside. But that may be very inconvenient.

> Considering your use-case with Snakemake, what I am doing is to wrap
> each rule with one containerized Guix shell which controls the
> permissions, rule by rule; or a big containerized shell:
>
>     guix shell -C -m manifest.scm --expose=…

Nice example. I do the same: "guix shell" in every rule. Then I add
stuff to my Snakefile, which is a Python script after all. For example,
I import pandas to read a data frame from which I construct my workflow.
Now I am at the point where I'd like to run snakemake itself in a
container, to manage the dependencies of my Snakefile. In fact, given
that I have workflows that depend on specific Snakemake versions, I'd
really like to run Snakemake in a container all the time, even without
additional dependencies.

Without nested containers, I have to go through all the rules, collect
the packages from their manifest files (or command line), and add them
to the container in which I run the whole workflow. Possible, but not
convenient.

Another example: I run command-line programs from my Pharo image, and I
have developed the habit of doing this always through Guix. The
advantage is that my Pharo code becomes portable: it depends on Guix,
but not on my profile.

But if I want, one day, to move on to a full Guix system, I have to run
Pharo in a container with LFS simulation. And then all my command line
shell-outs will break.

Both examples are about composing tools freely, without worrying if they
use Guix internally or now.

Cheers,
  Konrad


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-03 16:52 Using Guix inside a Guix container Konrad Hinsen
  2023-02-03 17:35 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
  2023-02-13 11:21 ` James Thomas
@ 2023-02-21 22:50 ` Ludovic Courtès
  2023-02-27 14:27   ` Konrad Hinsen
  2 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2023-02-21 22:50 UTC (permalink / raw)
  To: Konrad Hinsen; +Cc: Guix Devel

Hello!

Konrad Hinsen <konrad.hinsen@fastmail.net> skribis:

> I have been playing with nested Guix containers recently, with some
> suprising findings, and I am wondering if what I am doing is considered
> officially supported or not.
>
> First: why? My use case is scientific workflows, for example using
> snakemake. I want to run my workflows in Guix containers, for
> reproducibility plus other reasons. But my workflows run other programs
> in their tasks (basically just "shelling out"), and those tasks may use
> their own Guix containers.

That’s an interesting use case!  I guess we have a hard-enough time
getting the message through regarding the environment of tasks that we
didn’t really consider the environment of the “driver”.

(Well, in a way, GWL and Guix-Jupyter sidestep the issue by integrating
the mechanism to declare task environments.)

> Superficially, this works fine if I add the "guix" package to my "outer"
> container and expose the store plus the daemon's socket:
>
>     guix shell -C guix \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       -- \
>       guix shell -C coreutils -- ls /

I wasn’t sure ‘--expose=/gnu/store’ would even work… but it does!  Kinda
by chance though.

The thing is that ‘-C’ bind-mounts just the subset of the store that’s
needed.  To support nested containers, we need to bind-mount the whole
store because new store items may pop up in there over time.

I’d be inclined to add a new ‘-W’ (say) option to (1) share the whole
store, and (2) share the daemon socket.  That would be the documented
way to create a container with support for nested containers.


[...]

> Great! Except that every time I run this command, it does the channel
> update from scratch, so it's prohibitively slow. Sharing
> ${HOME}/.cache/guix seems to fix that. So... finally...
>
>     guix shell -C -N guix nss-certs \
>       --expose=/var/guix/daemon-socket/socket \
>       --expose=/gnu/store \
>       --share=${HOME}/.cache/guix \
>       -- \
>       guix time-machine -C channels.scm \
>       -- \
>       shell -C coreutils \
>       -- \
>       ls /
>
>      guix shell: error: mount: mount "none" on
>      "/tmp/guix-directory.vpOEDC/sys": Operation not permitted

That one’s interesting.  Reported here:

  https://issues.guix.gnu.org/61690

At least there’s a workaround: using ‘-CN’ in the nested container.

Ludo’.


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-21 22:50 ` Ludovic Courtès
@ 2023-02-27 14:27   ` Konrad Hinsen
  0 siblings, 0 replies; 10+ messages in thread
From: Konrad Hinsen @ 2023-02-27 14:27 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix Devel

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> That’s an interesting use case!  I guess we have a hard-enough time
> getting the message through regarding the environment of tasks that we
> didn’t really consider the environment of the “driver”.

It takes something messy such as Snakemake to illustrate the importance
of this.

> (Well, in a way, GWL and Guix-Jupyter sidestep the issue by integrating
> the mechanism to declare task environments.)

OK, let's pass a law that workflows must be written in Guile or in a
language implemented in Guile ;-)

> I’d be inclined to add a new ‘-W’ (say) option to (1) share the whole
> store, and (2) share the daemon socket.  That would be the documented
> way to create a container with support for nested containers.

Sounds good to me!

> That one’s interesting.  Reported here:
>
>   https://issues.guix.gnu.org/61690
>
> At least there’s a workaround: using ‘-CN’ in the nested container.

That's already good to know.

Thanks,
  Konrad.


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using Guix inside a Guix container
  2023-02-18  9:21       ` Konrad Hinsen
@ 2023-03-13 12:52         ` Simon Tournier
  0 siblings, 0 replies; 10+ messages in thread
From: Simon Tournier @ 2023-03-13 12:52 UTC (permalink / raw)
  To: Konrad Hinsen, Guix Devel

Hi Konrad,

On sam., 18 févr. 2023 at 10:21, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> Both examples are about composing tools freely, without worrying if they
> use Guix internally or now.

Thanks for explaining and the use-cases.  Well, maybe a discussion for
gwl-devel… well, I have started one. :-)


Cheers,
simon


^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2023-03-13 15:02 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-03 16:52 Using Guix inside a Guix container Konrad Hinsen
2023-02-03 17:35 ` Wojtek Kosior via Development of GNU Guix and the GNU System distribution.
2023-02-13 11:21 ` James Thomas
2023-02-13 12:35   ` Jim
2023-02-15  9:49   ` Konrad Hinsen
2023-02-17 15:41     ` Simon Tournier
2023-02-18  9:21       ` Konrad Hinsen
2023-03-13 12:52         ` Simon Tournier
2023-02-21 22:50 ` Ludovic Courtès
2023-02-27 14:27   ` Konrad Hinsen

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).