Ludovic Courtès wrote on Sun 10-04-2022 at 19:34 [+0200]:
> Maxime Devos wrote:
>
> > Ludovic Courtès wrote on Sat 09-04-2022 at 22:30 [+0200]:
> > > Maxime Devos wrote:
> > >
> > > > Ludovic Courtès wrote on Sat 09-04-2022 at 11:12 [+0200]:
> > > > >   publish: Support systemd-style socket activation.
> > > >
> > > > Does this imply that, at least when avahi/--advertise isn't used,
> > > > "guix publish" can be run in a container without network access,
> > > > in a container that only has access to /gnu/store, the private/public
> > > > key and wherever the nars are stored?
> > >
> > > I don’t think it makes any difference.  Or am I misunderstanding?
> >
> > Is ‘it’ = ‘the new socket activation support’, or ‘the
> > avahi/--advertise option being enabled or not’?
>
> “It” referred to the long condition you wrote.  :-)
>
> One thing is sure: when ‘--advertise’ is used, we shouldn’t use socket
> activation or nothing will be advertised.  Is that what you mean?

No, how would socket activation prevent advertising? How would
guile-avahi even know that we are doing socket activation?

What I meant was:

  * if guile-avahi sends messages to the network by itself, then it
    cannot be run inside a networkless container, otherwise only the
    container's loopback would receive them.

  * if guile-avahi talks to some daemon via a unix domain socket, then
    no problem

  * IIUC, previously, "guix publish" could not be run inside a network
    container, because it tried to listen by itself (and listening to a
    container's own loopback isn't useful).

  * but in case of socket activation, this problem disappears

  * bonus: except possibly for the secret key material, "guix publish"
    does not have to be started as root anymore even if it uses a
    reserved port such as port 80 (assuming socket activation is used).

Greetings,
Maxime.
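
Added example, not part of the original message and not Guix's code: the service side of systemd-style socket activation (the `LISTEN_PID`/`LISTEN_FDS` convention), where the supervisor binds the socket and the service only accepts on the inherited descriptor, so it needs neither `bind()` privileges nor its own network setup. The socket path, the payload and the `start` parameter are constructed for the demo.

```python
import os
import socket
import tempfile

SD_LISTEN_FDS_START = 3  # systemd convention: inherited sockets start at fd 3


def inherited_fds(environ, pid, start=SD_LISTEN_FDS_START):
    """Return fd numbers handed over by the supervisor, or [] if none are ours."""
    try:
        # LISTEN_PID guards against a stale environment inherited by a child.
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    return list(range(start, start + max(count, 0)))


def adopt_listeners(fds):
    """Wrap inherited fds, refusing any that is not a listening socket."""
    listeners = []
    for fd in fds:
        sock = socket.socket(fileno=fd)  # family and type are read from the fd
        if not sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
            sock.detach()  # release the wrapper without closing the fd
            raise ValueError(f"fd {fd} is not a listening socket")
        listeners.append(sock)
    return listeners


def demo():
    """Constructed demo: the 'supervisor' binds, the 'service' only accepts."""
    path = os.path.join(tempfile.mkdtemp(), "publish.sock")  # hypothetical path
    supervisor = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    supervisor.bind(path)
    supervisor.listen(1)
    fd = os.dup(supervisor.fileno())  # stands in for fd 3 after exec
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    (service,) = adopt_listeners(inherited_fds(env, os.getpid(), start=fd))
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    conn, _ = service.accept()  # the service never called bind() or listen()
    client.sendall(b"hello")
    data = conn.recv(64)
    for s in (conn, client, service, supervisor):
        s.close()
    return data
```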