From: "Thompson, David"
Subject: Re: [PATCH 0/15] Add preliminary support for Linux containers
Date: Tue, 7 Jul 2015 18:35:53 -0400
In-Reply-To: <87h9pgl0s5.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

On Tue, Jul 7, 2015 at 6:28 AM, Ludovic Courtès wrote:
> Howdy!
>
> In short, this is awesome!
>
> Here are random notes I took as I was playing with all this.
>
> David Thompson skribis:
>
>> The main interface to this functionality is the 'call-with-container'
>> procedure in the (gnu build linux-container) module:
>>
>> (call-with-container
>                      ^^
> Missing list of mounts here.

Oof. Oversight while I was typing all this up. Sorry!
>>   (lambda ()
>>     (sethostname "guix-0.8.3"))
>
> Surprisingly, calling ‘getpid’ in the thunk returns the PID of the
> parent (I was expecting it to return 1.) Not sure why that is the
> case. I’m still amazed that this works as non-root, BTW.

The first process created inside the PID namespace gets the honor of
being PID 1, not the process created with the 'clone' call. For more
information, see: https://lwn.net/Articles/532748/

> There’s an issue when the parent’s Guile is not mapped into the
> container’s file system: ‘use-modules’ forms and auto-loading will fail.
> For instance, I did (use-modules (ice-9 ftw)) in the parent and called
> ‘scandir’ in the child, but that failed because of an attempt to
> auto-load (ice-9 i18n), which is unavailable in the container.

Hmm, I don't know of a way to deal with that other than the user being
careful to bind-mount in the Guile modules they need.

Hmm, there are various reasons that EINVAL would be thrown. Could you
readlink "those" files, that is /proc//ns/user and /proc//ns/user, and
tell me if the contents are the same? They shouldn't be, but this will
eliminate one of the possible causes of EINVAL.

>> If that's not exciting enough, how about launching a new development
>> environment inside a container?
>>
>> guix environment --container emacs
>
> This is wonderful. :-)
>
> Currently, $PWD is mapped to /env in the container. I think the default
> should be to map $PWD to $PWD, because often build systems record
> $top_srcdir and $top_builddir and would be confused if you work on a
> given build tree both inside and outside the container.

Sure, I didn't think of that. I will make that change.

> Also, I think we should add --expose and --share as for ‘guix system’,
> though that can come later.

Yes, I also really want that, but it's a task for another time.
> Last, I wonder if there should be an option to use a UID other than 0.
> Then perhaps we’d need to create fake /etc/group and /etc/passwd, as
> done in build.cc.
>
> WDYT?
>
>> Here's how you build it:
>>
>> guix system container container.scm
>
> Very neat. I wonder if that should automatically override the
> ‘file-systems’ field to be ‘%container-file-systems’, so that one can
> reuse existing OS declarations unmodified. WDYT?

This would be a better user experience, for sure. I thought about this,
but I don't know how to do it in a way that isn't surprising or just
broken. Ideas?

>> Unfortunately, there is still one blocker bug that I know of: The unit
>> test for 'container-excursion' is non-deterministic. Once out of every
>> 10 to 20 test runs, it fails, but I can't figure out why. For anyone
>> interested, here are some strace snippets:
>
> Ouch, this one looks more difficult. :-)

Yes, I have no idea what's wrong. Sapping... my... hack... energy...

> I’ll comment on the individual patches.

Much appreciated.

> Thank you for the nice code!

Thanks for sifting through all of this code!

- Dave
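The two kernel-level points raised in this reply (the process that creates a PID namespace keeps its own PID and only its first child becomes PID 1, and comparing /proc/<pid>/ns/* links by readlink to see whether two processes share a namespace) can be reproduced with a small stand-alone C program. This is an added example, not code from the Guix patch series or from Guile's (gnu build linux-container) module; it uses unshare(2) rather than clone(2), creates a user namespace first so it can run unprivileged where the kernel permits that, and simply records errno when the kernel refuses.

```c
/* pidns_demo.c (added example, not from the Guix patches).
 * Build and run: cc -Wall -o pidns_demo pidns_demo.c && ./pidns_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Observations handed back from a throwaway worker process. */
struct pidns_demo {
    int   unshare_errno;           /* 0 if unshare(2) succeeded, else errno */
    int   fork_errno;              /* 0 if the pipe/fork after unshare worked */
    pid_t pid_before, pid_after;   /* worker's getpid() around unshare      */
    pid_t child_as_seen_by_child;  /* getpid() inside the first child       */
    pid_t child_as_seen_by_parent; /* fork() return value in the worker     */
};

static int read_all(int fd, void *buf, size_t len)   /* exact read, -1 on EOF */
{
    for (char *p = buf; len > 0; ) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* readlink /proc/<a>/ns/<ns> and /proc/<b>/ns/<ns>, the check suggested in
 * the reply above: 1 = same namespace, 0 = different, -1 = unreadable
 * (no /proc, no such pid, or no ptrace-read access to that process). */
int same_namespace(pid_t a, pid_t b, const char *ns)
{
    char pa[64], pb[64], la[128], lb[128];
    snprintf(pa, sizeof pa, "/proc/%d/ns/%s", (int)a, ns);
    snprintf(pb, sizeof pb, "/proc/%d/ns/%s", (int)b, ns);
    ssize_t na = readlink(pa, la, sizeof la - 1), nb = readlink(pb, lb, sizeof lb - 1);
    if (na < 0 || nb < 0) return -1;
    la[na] = '\0'; lb[nb] = '\0';
    return strcmp(la, lb) == 0;
}

/* Runs in a worker process: unshare(CLONE_NEWPID) never moves the caller, it
 * only affects future children, and once the first child (the namespace's
 * init) exits, later forks there fail. Isolating the experiment keeps the
 * calling process usable afterwards. */
static void worker(int out_fd)
{
    struct pidns_demo d;
    memset(&d, 0, sizeof d);
    d.pid_before = getpid();
    /* User namespace first so this works without root; unshare(2) applies
     * CLONE_NEWUSER before the other flags given in the same call. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
        d.unshare_errno = errno;
    d.pid_after = getpid();                 /* same value either way */
    int pfd[2];
    if (d.unshare_errno == 0 && pipe(pfd) == 0) {
        pid_t c = fork();
        if (c < 0) {
            d.fork_errno = errno;
        } else if (c == 0) {
            pid_t me = getpid();            /* 1: first process in the new ns */
            _exit(write(pfd[1], &me, sizeof me) == (ssize_t)sizeof me ? 0 : 1);
        } else {
            close(pfd[1]);
            if (read_all(pfd[0], &d.child_as_seen_by_child, sizeof(pid_t)))
                d.fork_errno = EIO;
            close(pfd[0]);
            waitpid(c, NULL, 0);
            d.child_as_seen_by_parent = c;  /* pid in the worker's own ns */
        }
    } else if (d.unshare_errno == 0) {
        d.fork_errno = errno;               /* pipe() failed */
    }
    _exit(write(out_fd, &d, sizeof d) == (ssize_t)sizeof d ? 0 : 1);
}

/* Run the experiment; 0 on success (results in *out), -1 on setup failure. */
int run_pidns_demo(struct pidns_demo *out)
{
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    pid_t w = fork();
    if (w < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (w == 0) { close(pfd[0]); worker(pfd[1]); }
    close(pfd[1]);
    int rc = read_all(pfd[0], out, sizeof *out);
    close(pfd[0]);
    waitpid(w, NULL, 0);
    return rc;
}

int main(void)
{
    struct pidns_demo d;
    if (run_pidns_demo(&d) != 0) { perror("run_pidns_demo"); return 1; }
    printf("caller pid before/after unshare: %d/%d\n", (int)d.pid_before, (int)d.pid_after);
    if (d.unshare_errno || d.fork_errno)
        printf("could not enter a new PID namespace: %s\n",
               strerror(d.unshare_errno ? d.unshare_errno : d.fork_errno));
    else
        printf("first child: pid %d inside the new namespace, %d outside\n",
               (int)d.child_as_seen_by_child, (int)d.child_as_seen_by_parent);
    printf("self vs self user ns identical: %d\n", same_namespace(getpid(), getpid(), "user"));
    return 0;
}
```

On a kernel that allows unprivileged user namespaces, the worker reports the same PID before and after unshare while its first child sees itself as PID 1 and is an ordinary PID from the worker's side; that is the behaviour Ludovic observed with getpid in the thunk. Two caveats for anyone using same_namespace as a diagnostic: reading another process's /proc/<pid>/ns/* link requires ptrace-read access to that process, so a caller that has just entered a fresh user namespace will usually get -1 for processes outside it, and unshare(2) itself documents EINVAL for CLONE_NEWPID when the kernel was built without CONFIG_PID_NS or when the process has already unshared its PID namespace once, which is worth ruling out before suspecting the user-namespace setup.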