* Re: Help understand some guix concepts
2018-01-01 19:31 Help understand some guix concepts Amirouche Boubekki
@ 2018-01-01 20:49 ` Joshua Branson
2018-01-01 21:04 ` Martin Castillo
2018-01-01 21:39 ` Amirouche Boubekki
2 siblings, 0 replies; 6+ messages in thread
From: Joshua Branson @ 2018-01-01 20:49 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1961 bytes --]
By no means am I a developer, but I can try to explain some things...
A profile is a collection of packages. Each user on the system has a
profile of his packages. So Jerry has a profile of Emacs 24, Iceweasel
50, etc. Jill also uses the system, but she has packages Tetris 5.4,
Emacs 23, etc. Jerry's packages and Jill's packages are independent of
one another and cause no conflicts.
There is also a system profile. This is the collection of packages that
boots your system. For example if Jerry uses gnome, usually his profile
will not contain the gnome program. Instead gnome is found under the
system profile.
The root filesystem is everything under / right?
chroot is a way of letting applications thing that they are running with
full root privileges when they are not.
A container restricts what an application can access. Firefox for
example should only be able to access your Downloads directory. It
should not be able to read your gpg keys. One can run Firefox in a
container to limit the things that Firefox can access.
docker I believe is a way of running a web application. Web application
development is getting really hard these days. Your application can
have js dependencies, python dependencies, etc. Each language has its
own package manager, and if one packages gets updated your web
application can refuse to work. Docker just freezes everything so that
it works. Then you run that frozen image.
lxc? No idea.
On Mon, Jan 1, 2018, at 11:31 AM, Amirouche Boubekki wrote:
> Héllo,
>
> It's a long time I did not read the manual. So I read he manual this
> afternoon.>
> I have to say that I don't really understand some guix concepts and
> how they map to the rest of the world.>
> Can someone try to explain to me how the following concepts are
> related to each other:>
> Environments, profiles, gc roots, root filesystem, chroot, containers,
> docker and lxc>
> TIA
[-- Attachment #2: Type: text/html, Size: 3276 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Help understand some guix concepts
2018-01-01 19:31 Help understand some guix concepts Amirouche Boubekki
2018-01-01 20:49 ` Joshua Branson
@ 2018-01-01 21:04 ` Martin Castillo
2018-01-02 17:10 ` Martin Castillo
2018-01-01 21:39 ` Amirouche Boubekki
2 siblings, 1 reply; 6+ messages in thread
From: Martin Castillo @ 2018-01-01 21:04 UTC (permalink / raw)
To: Amirouche Boubekki, guix-devel
Hi,
I'll give it a shot.
On 01.01.2018 20:31, Amirouche Boubekki wrote:
> Héllo,
>
> It's a long time I did not read the manual. So I read he manual this
> afternoon.
>
> I have to say that I don't really understand some guix concepts and how
> they map to the rest of the world.
>
> Can someone try to explain to me how the following concepts are related
> to each other:
>
> Environments, profiles, gc roots, root filesystem, chroot, containers,
> docker and lxc
>
> TIA
Environment: Every process has an environment. It consists of key-value
pairs, where both are c-strings. A process can change it's own
environment and passes it to it's children. This can is used to pass
options to programs without the need to pass them on the commandline.
Profiles: A bit ambigous, but I think you mean guix profiles. One
feature of guix is that it allows every user to install the package they
want. Every such set of installed programs is a (generation of a)
profile. Your current profile (or generation) is linked to by
~/.guix-profile. Profiles consist of generations. Every time you add or
remove a package, you create a new generation. (You can have several
packages. Check the -p flag of `guix package`. If you want to switch to
it, make ~/.guix-profile link to the new profile.)
gc roots: Everything you install/build with guix gets stored in the
store. When you delete e.g. old profile generations, some files in the
store aren't used anymore. To find out what files can be removed from
the store, the garbage collector looks for all files in the store, that
are being referred to directly or indirectly by any link in or under
/var/guix/gcroots. Those are the live files. The other ones can be
removed to make space.
root filesystem: this is the filesystem that is mounted under `/`. it
has nothing to do with gc roots.
chroot: This is a mechanism to isolate programs And prevent them from
accessing (even seeing) some/many files. It works by changing the path
resolution mechanism. you can create one with chroot(1). A chroot makes
a chosen path to look like `/`. If you have a shelle in a chroot under
/var, `ls /` shows you the contents of /var; and `ls /../` shows the
same as `ls /`. IIRC, guix uses chroots to create a better isolation for
build processes (for better reproducibility). chroot helps to prevent
builds to access inputs (e.g. a library), that weren't declared in the
(package) definition.
container: not sure if I can explain that correct. I won't attempt it to
avoid confusion.
docker: Before guix was a thing (;-)), people used docker to assemble a
set of programs and files ("docker images") that would work always the
same way, no matter where they get executed. I think docker is one form
of container. IIRC, docker has some drawbacks: statically linked
programs -> big images, after a library updates, you need to create a
new image. guix provides another way to get reproducibility. and it
allows you to create docker images from guix profiles for systems that
don't have guix installed.
lxc: no idea. LinuXContainer?
Martin
--
GPG: 7FDE 7190 2F73 2C50 236E 403D CC13 48F1 E644 08EC
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Help understand some guix concepts
2018-01-01 19:31 Help understand some guix concepts Amirouche Boubekki
2018-01-01 20:49 ` Joshua Branson
2018-01-01 21:04 ` Martin Castillo
@ 2018-01-01 21:39 ` Amirouche Boubekki
2018-01-09 12:41 ` Ludovic Courtès
2 siblings, 1 reply; 6+ messages in thread
From: Amirouche Boubekki @ 2018-01-01 21:39 UTC (permalink / raw)
To: help-guix, guix-devel
[-- Attachment #1: Type: text/plain, Size: 4150 bytes --]
On Mon, Jan 1, 2018 at 8:31 PM Amirouche Boubekki <
amirouche.boubekki@gmail.com> wrote:
> Héllo,
>
> It's a long time I did not read the manual. So I read he manual this
> afternoon.
>
> I have to say that I don't really understand some guix concepts and how
> they map to the rest of the world.
>
> Can someone try to explain to me how the following concepts are related to
> each other:
>
> Environments, profiles, gc roots, root filesystem, chroot, containers,
> docker and lxc
>
> TIA
>
Sorry, it deserves a bit more explanation.
I know what *chroot* command is. It change the root directory. For
instance, I can do the following:
$ mkdir tmp && cd tmp
$ tar xvf $(guix pack --symlink=/bin=bin guile)
$ sudo chroot . /bin/guile
And then guile will be running inside the tmp directory without access to
the rest of the filesystem except if I mount --bind something inside the
tmp directory.
As wikipedia explains it <https://en.wikipedia.org/wiki/Chroot#Uses>, it
used for:
- Testing and development
- Dependency control
- Compatibility
- Recovery
- Privilege separation
In the past I used, chroot to run a gentoo build system on top of any other
distribution. The result is that the developer is free to use whatever
distribution they want as long as they can chroot inside the development
*rootfs* which is possibly another distro or another version of the same
distribution.
*Q:* Does chroot guix/sd use chroot?
*Q:* Do guix developers use chroot somehow?
In particular, using chroot, processus are not separated somehow from the
host system; You don't get another IP and you have the same ports namespace.
What I call *root filesystem* is what is found that / in the filesystem
where in debian there is /usr, /proc, /dev etc...
That's the result of the following command:
$ guix system init ~/src/guile/guix/git/gnu/system/install.scm .
Then I can chroot inside that directory if I want and I will be *somewhat*
like in a guixsd.
*Q:* Do guix developers use 'guix system init' in combination with chroot?
Now, I will mention containers. I know little about cgroups, but I know
it's a feature of the Linux kernel.
*Q: *Does guix/sd use cgroups <https://en.wikipedia.org/wiki/Cgroups>?
The most popular tools using cgroups are Docker
<https://en.wikipedia.org/wiki/Docker_(software)> and LXC
<https://en.wikipedia.org/wiki/LXC>. They have very different approach to
containers. AFAIU, Docker re-invent the wheel (?) of how networking,
filesystem and prolly how other stuff happens in the GNU/Linux world.
Whereas LXC re-use concepts with which people that used to play with VMs
are familiar with. For instance, LXC networking setup re-use commands like
ip <https://linux.die.net/man/8/ip> or brctl
<https://linux.die.net/man/8/brctl>. Docker use a concept of images that
made Docker famous and a single command to download & execute whatever
program you want... But the most intriguing thing in Docker, is that they
are against using systemd (or similar tool) inside containers to run
multiple procesus inside the container. Basically, PID 1 in the container
must be the PID of the application. That's why Docker call it: application
containers. Whereas LXC containers are system containers.
One thing that took me long time to understand regarding the distinction
between containers and simple chroot, is that in the case of chroot there
is no processus managing the chroot. Whereas a container appears as
processus in the host system.
*Q: *Does guix/sd containers enforce an image format?
*Q: *Can guix/sd use images? What are the advantages?
*Q: *How does networking happens in guix/sd?
*Q: *Is it possible to bind multiple interfaces via a bridge on the host
system to the container?
*Q: *Is it possible or recommended to run shepherd inside a guix container?
*Q:* isn't AppImage <https://en.wikipedia.org/wiki/AppImage> a
"combination" of 'guix pack' and 'guix container'.
*Q: *Is it possible to have Xorg running inside a container and then use
ssh -X to access it? Is there a way to avoid the ssh -X?
TIA
[-- Attachment #2: Type: text/html, Size: 5999 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Help understand some guix concepts
2018-01-01 21:39 ` Amirouche Boubekki
@ 2018-01-09 12:41 ` Ludovic Courtès
0 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2018-01-09 12:41 UTC (permalink / raw)
To: Amirouche Boubekki; +Cc: guix-devel, help-guix
Hi,
Sorry for the late reply.
Amirouche Boubekki <amirouche.boubekki@gmail.com> skribis:
> *Q:* Does chroot guix/sd use chroot?
The build daemon, ‘guix-daemon’, uses chroot (among other tools) to
perform isolated builds:
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix_002ddaemon.html
> *Q:* Do guix developers use chroot somehow?
[...]
> *Q:* Do guix developers use 'guix system init' in combination with chroot?
They could, but it’s not very useful or convenient. ‘guix system vm’ or
‘guix system container’ (the latter actually uses chroot(2)) are simpler
interfaces.
> *Q: *Does guix/sd use cgroups <https://en.wikipedia.org/wiki/Cgroups>?
No (not yet).
> *Q: *Does guix/sd containers enforce an image format?
No.
Docker & co. often associate “container” and “image format” because what
they deal with are binary images.
Conversely Guix and GuixSD have a detailed view of package composition,
service composition, etc. Thus, they can spawn a container that
contains everything you specified (see ‘guix system container’ and ‘guix
environment -C’), and they can also create binary images that contain
everything you want (see ‘guix pack’ and ‘guix system vm-image’).
However, neither Guix nor GuixSD is in the business of running software
from containers in the format defined by Docker & co.
> *Q: *Can guix/sd use images? What are the advantages?
> *Q: *How does networking happens in guix/sd?
> *Q: *Is it possible to bind multiple interfaces via a bridge on the host
> system to the container?
Not easily so.
> *Q: *Is it possible or recommended to run shepherd inside a guix container?
‘guix system container’ runs GuixSD in a container, and GuixSD uses the
Shepherd.
> *Q:* isn't AppImage <https://en.wikipedia.org/wiki/AppImage> a
> "combination" of 'guix pack' and 'guix container'.
AppImage is a *format* for distributing software, as Wikipedia notes.
‘guix pack’ is a tool to create images (“binary images”, “bundles”,
depending on the preferred terminology). See
<https://www.gnu.org/software/guix/blog/2017/creating-bundles-with-guix-pack/>.
> *Q: *Is it possible to have Xorg running inside a container and then use
> ssh -X to access it? Is there a way to avoid the ssh -X?
In theory we should be able to run Xorg in a ‘guix system container’,
but it would have to use a display different from that of the host.
Never tried though.
That said, you don’t need a running X server on the remote host to use
“ssh -X”.
HTH,
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread