unofficial mirror of guix-devel@gnu.org 
From: Amirouche Boubekki <amirouche.boubekki@gmail.com>
To: help-guix@gnu.org, guix-devel <guix-devel@gnu.org>
Subject: Re: Help understand some guix concepts
Date: Mon, 01 Jan 2018 21:39:35 +0000
Message-ID: <CAL7_Mo-6ML1Uj6Dzz0s2uW+n0ctNJmTPZb9y3WoJ9=AJ7OfLCQ@mail.gmail.com>
In-Reply-To: <CAL7_Mo9+T40hD_z-8=dSRecOHgzhHezzgLwM_2Y097oXiBxfbQ@mail.gmail.com>


On Mon, Jan 1, 2018 at 8:31 PM Amirouche Boubekki <
amirouche.boubekki@gmail.com> wrote:

> Héllo,
>
> It's been a long time since I read the manual. So I read the manual this
> afternoon.
>
> I have to say that I don't really understand some guix concepts and how
> they map to the rest of the world.
>
> Can someone try to explain to me how the following concepts are related to
> each other:
>
> Environments, profiles, gc roots, root filesystem, chroot, containers,
> docker and lxc
>
> TIA
>

Sorry, it deserves a bit more explanation.

I know what the *chroot* command is. It changes the root directory. For
instance, I can do the following:

$ mkdir tmp && cd tmp
$ tar xvf $(guix pack --symlink=/bin=bin guile)
$ sudo chroot . /bin/guile

And then guile will be running inside the tmp directory without access to
the rest of the filesystem except if I mount --bind something inside the
tmp directory.

As Wikipedia explains <https://en.wikipedia.org/wiki/Chroot#Uses>, it is
used for:

- Testing and development
- Dependency control
- Compatibility
- Recovery
- Privilege separation

In the past, I used chroot to run a Gentoo build system on top of any other
distribution. The result is that the developer is free to use whatever
distribution they want as long as they can chroot inside the development
*rootfs*, which is possibly another distro or another version of the same
distribution.

*Q:* Does guix/sd use chroot?
*Q:* Do guix developers use chroot somehow?

In particular, using chroot, processes are not separated somehow from the
host system; you don't get another IP and you have the same ports namespace.

What I call the *root filesystem* is what is found at / in the filesystem,
where in Debian there are /usr, /proc, /dev, etc.

That's the result of the following command:

$ guix system init ~/src/guile/guix/git/gnu/system/install.scm .

Then I can chroot inside that directory if I want and I will be *somewhat*
like in a guixsd.

*Q:* Do guix developers use 'guix system init' in combination with chroot?

Now, I will mention containers. I know little about cgroups, but I know
it's a feature of the Linux kernel.

*Q:* Does guix/sd use cgroups <https://en.wikipedia.org/wiki/Cgroups>?

The most popular tools using cgroups are Docker
<https://en.wikipedia.org/wiki/Docker_(software)> and LXC
<https://en.wikipedia.org/wiki/LXC>. They have very different approaches to
containers. AFAIU, Docker re-invents the wheel (?) of how networking,
filesystem and prolly how other stuff happens in the GNU/Linux world.
Whereas LXC re-uses concepts that people who used to play with VMs
are familiar with. For instance, the LXC networking setup re-uses commands like
ip <https://linux.die.net/man/8/ip> or brctl
<https://linux.die.net/man/8/brctl>. Docker uses a concept of images that
made Docker famous and a single command to download & execute whatever
program you want... But the most intriguing thing in Docker is that they
are against using systemd (or a similar tool) inside containers to run
multiple processes inside the container. Basically, PID 1 in the container
must be the PID of the application. That's why Docker calls it: application
containers. Whereas LXC containers are system containers.

One thing that took me a long time to understand regarding the distinction
between containers and a simple chroot is that in the case of chroot there
is no process managing the chroot. Whereas a container appears as a
process in the host system.


*Q:* Do guix/sd containers enforce an image format?
*Q:* Can guix/sd use images? What are the advantages?
*Q:* How does networking happen in guix/sd?
*Q:* Is it possible to bind multiple interfaces via a bridge on the host
system to the container?
*Q:* Is it possible or recommended to run shepherd inside a guix container?

*Q:* Isn't AppImage <https://en.wikipedia.org/wiki/AppImage> a
"combination" of 'guix pack' and 'guix container'?

*Q:* Is it possible to have Xorg running inside a container and then use
ssh -X to access it? Is there a way to avoid the ssh -X?

TIA
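
The distinction drawn in the message above (a chroot changes only the root directory, while a container also gets its own namespaces) can be checked from /proc. This is an added example, not part of the original message or of Guix; the function names, sample tree, PIDs, paths and inode numbers are constructed for illustration.

```shell
# Tell a plain chroot apart from a namespaced (container-like) process by
# comparing /proc/<pid>/ns/* and /proc/<pid>/root with a reference process.
# PROC is overridable so the logic can run on a constructed tree.
PROC="${PROC:-/proc}"

# Print the namespace id (e.g. "net:[4026531992]") of pid $1 for type $2.
ns_id() { readlink "$PROC/$1/ns/$2"; }

# Print the namespace types in which pid $1 differs from reference pid $2.
ns_diff() {
    out=""
    for t in mnt pid net uts ipc user; do
        a=$(ns_id "$1" "$t") || continue
        b=$(ns_id "$2" "$t") || continue
        [ "$a" = "$b" ] || out="$out $t"
    done
    echo "${out# }"
}

# classify PID REF -> "same", "chroot-only" or "namespaced: <types>"
classify() {
    d=$(ns_diff "$1" "$2")
    if [ -n "$d" ]; then
        echo "namespaced: $d"
    elif [ "$(readlink "$PROC/$1/root")" != "$(readlink "$PROC/$2/root")" ]; then
        echo "chroot-only"
    else
        echo "same"
    fi
}

# Constructed sample tree (all ids and paths made up): pid 1 = host init,
# pid 200 = chrooted guile, pid 300 = process in its own pid and net namespaces.
make_sample() {
    dir=$(mktemp -d)
    for p in 1 200 300; do
        mkdir -p "$dir/$p/ns"
        for t in mnt pid net uts ipc user; do
            id=4026531000
            if [ "$p" = 300 ]; then case $t in pid|net) id=4026532111 ;; esac; fi
            ln -s "$t:[$id]" "$dir/$p/ns/$t"
        done
        root=/
        if [ "$p" = 200 ]; then root=/home/user/tmp; fi
        ln -s "$root" "$dir/$p/root"
    done
    echo "$dir"
}
```

On a live system, source the file and run `classify PID 1` as root, since reading another user's /proc/<pid>/root and ns links requires privileges.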
