Subject: [bug#66160] [PATCH] gnu: Add oci-container-service-type.
Resent-From: paul
Resent-Date: Sat, 14 Oct 2023 21:31:02 +0000
To: Ludovic Courtès
Cc: 66160@debbugs.gnu.org
Message-ID: <604138b9-a567-68eb-82fe-d205390636e7@autistici.org>
Date: Sat, 14 Oct 2023 23:29:59 +0200
References: <650a02e2-9425-a7fd-2014-7cf6e17ee65b@autistici.org>
 <8b8a0eed3b02cfd2edb94859da83032c96ee5616.1696619356.git.goodoldpaul@autistici.org>
 <875y39fao8.fsf@gnu.org>
In-Reply-To: <875y39fao8.fsf@gnu.org>
From: paul via Guix-patches

Hi Ludo’,

> We’re almost there! There’s a couple of things I overlooked before (my
> apologies), so here we go:

Thank you for your help and the time you spent reviewing this!

>> +@table @asis
>> +@item @code{command} (default: @code{()}) (type: list-of-strings)
>> +Overwrite the default command (@code{CMD}) of the image.
>> +
>> +@item @code{entrypoint} (default: @code{""}) (type: string)
>> +Overwrite the default entrypoint (@code{ENTRYPOINT}) of the image.

> Apparently this doesn’t match the docstring that’s in
> ‘define-configuration’.
>
> Could you make sure the docstring is the canonical source? Then you can
> use ‘generate-documentation’ to generate the bit that you’ll paste in
> guix.texi (info "(guix) Complex Configurations").

I should have aligned the code and documentation.

>
>> + (entrypoint
>> + (string "")
>> + "Overwrite the default ENTRYPOINT of the image.")
>> + (environment
>> + (list '())
>> + "Set environment variables."
>> + (sanitizer oci-sanitize-environment))
>> + (image
>> + (string)
>> + "The image used to build the container.")
>> + (name
>> + (string "")
>> + "Set a name for the spawned container.")

> Please use ‘maybe-string’ in cases where it’s either the Docker default
> (default ENTRYPOINT, default CMD, etc.) or some user-provided value.
> I find it clearer or at least more conventional than using the empty
> string to denote default values.

I don't know why I didn't do it in the first place, thank you. Fixed.

>> + #~(make-forkexec-constructor
>> + ;; docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
>> + (list #$docker-command
>> + "run"
>> + "--rm"
>> + "--name" #$name
>> + #$@(oci-container-configuration->options config)
>> + #$(oci-container-configuration-image config)
>> + #$@(oci-container-configuration-command config))
>> + #:user "root"
>> + #:group "root"))

> Does ‘docker run’ necessarily need to run as root, or are there cases
> where one might want to run it as non-root? (I expect the latter.)

Yes, you are right; it's only required to be in the docker group or, in general, to have enough permission to operate on the docker daemon socket. I added a new service extension setting up an oci-container user, which is just in the docker group and cannot log in, that runs OCI-backed services. It is also overridable by the user.

>
>> +(define oci-container-service-type
>> + (service-type (name 'oci-container)
>> + (extensions (list (service-extension profile-service-type
>> + (lambda _ (list docker-cli)))
>> + (service-extension shepherd-root-service-type
>> + configs->shepherd-services)))
>> + (default-value '())

> I wonder if it should take a list of configs and be extensible, or
> simply take a single config. Users would write:
>
> (service oci-container-service-type
> (oci-container-configuration …))
>
> WDYT?

I get that it's not super consistent with other services, but for example Nextcloud in some cases requires 3 containers: nextcloud itself, redis and a cron container.
In this case I suppose one would define an oci-nextcloud-service-type which maybe extends an oci-redis-service-type. In this case the oci-nextcloud-service-type would define the 2 shepherd services for nextcloud and the cron process, and the oci-redis-service-type would define one redis service.

Right now we can already do:

(service oci-container-service-type
         (list (oci-container-configuration …)))

and I updated the documentation accordingly. Do you have any suggestion for changing the API of oci-container-configuration to support having different shepherd OCI-backed services behind a Guix system service? This way we could remove the (list) call.

>
> Last thing: there’s no system test (something we normally require), but
> since I forgot about it before and I’m already asking for more than I
> should :-) I propose to leave it for later.

I actually looked around but didn't find them, but it was a long time ago and I certainly didn't look very well. I'm definitely up for testing this (maybe it's possible to use swineherd? Could we use it for automating integration tests?). Could you point me to something similar I can look at as an example?

Thank you for your time and effort, I'm sending an updated patch.

giacomo
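Review bot: in the make-forkexec-constructor hunk, `#:user "root"` and `#:group "root"` are hard-coded, so every container service gets a root client process even though the docker CLI only needs access to the daemon socket; expose user and group as configuration fields with a non-root default such as a dedicated account in the docker group, and state in the docstring that a member of that group can still obtain root-equivalent control of the host through the daemon, so this lowers the privilege of the client process but does not confine the container workload itself.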
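Review bot: the oci-container-service-type hunk keeps `(default-value '())` and hands the list to `configs->shepherd-services`, but declares neither `compose` nor `extend`, so no other service type can contribute configurations to it; if the list-of-configurations form is kept so that one system service can define several containers, add `(compose concatenate)` and `(extend append)` (and a `description`) so that a higher-level service can extend it with its own list.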
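As an added illustration of the extensibility question discussed above (a sketch written for this thread, not code from the patch or from Guix itself): an `oci-container-service-type` that still accepts the `(list ...)` form but also lets a higher-level service such as an `oci-nextcloud-service-type` contribute its containers through a service extension. The field set, `config->shepherd-service`, the `dockerd` requirement and the existing `oci-container` account in the `docker` group are assumptions; the image names are constructed sample values.

```scheme
(use-modules (gnu services) (gnu services configuration)
             (gnu services shepherd) (gnu packages docker)
             (guix gexp) (srfi srfi-1))

;; Reduced field set for the sketch (the patch has more fields).
(define-configuration/no-serialization oci-container-configuration
  (image (string) "The image used to build the container.")
  (name (string) "Name of the spawned container.")
  (command (list-of-strings '()) "Overwrite the default CMD of the image."))

(define (config->shepherd-service config)
  ;; Assumes an `oci-container' account in the `docker' group exists and
  ;; that the docker service provides `dockerd'.
  (let ((name (oci-container-configuration-name config)))
    (shepherd-service
     (provision (list (string->symbol (string-append "docker-" name))))
     (requirement '(dockerd))
     (start #~(make-forkexec-constructor
               (list #$(file-append docker-cli "/bin/docker")
                     "run" "--rm" "--name" #$name
                     #$(oci-container-configuration-image config)
                     #$@(oci-container-configuration-command config))
               #:user "oci-container" #:group "docker"))
     (stop #~(make-kill-destructor)))))

(define oci-container-service-type
  (service-type
   (name 'oci-container)
   (extensions
    (list (service-extension shepherd-root-service-type
                             (lambda (configs)
                               (map config->shepherd-service configs)))))
   ;; Each extension contributes a list of configurations; append them
   ;; to the user's own list, so `(service ... (list ...))' stays valid.
   (compose concatenate)
   (extend append)
   (default-value '())
   (description "Run OCI containers as Shepherd services.")))

;; A higher-level service contributing two containers to the base type.
(define oci-nextcloud-service-type
  (service-type
   (name 'oci-nextcloud)
   (extensions
    (list (service-extension
           oci-container-service-type
           (const (list (oci-container-configuration    ; constructed sample images
                         (image "docker.io/library/nextcloud") (name "nextcloud"))
                        (oci-container-configuration
                         (image "docker.io/library/redis") (name "nextcloud-redis")))))))
   (default-value #t)
   (description "Nextcloud together with its Redis container.")))
```

With this shape a user can still write `(service oci-container-service-type (list ...))` directly, while `(service oci-nextcloud-service-type)` adds its two containers to the same Shepherd service list.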