From: Efraim Flashner <efraim@flashner.co.il>
To: conjaroy
Date: Sun, 2 Aug 2020 11:34:52 +0300
Subject: Re: Is anyone using `guix system container` in production?
Message-ID: <20200802083452.GA1134@E5400>
Cc: help-guix@gnu.org

We've switched from using systemd to manage guix containers and services to using systemd user services to launch an instance of shepherd which manages guix containers and services, with some custom sudo rules.

As far as using systemd and guix containers, here's one config that I still have around¹

Our upgrade scheme was to run 'guix pull' about weekly and then restart the container. Assuming it didn't break we'd let it ride.
If it did break then we'd have 'guix pull --roll-back' to roll back and wait it out or fix it.

On Wed, Jul 29, 2020 at 06:17:44PM -0400, conjaroy wrote:
> I'm interested in deploying several system containers to a single cloud
> VPS, and I had originally planned to build those via `guix system
> docker-image`. Although Docker has some nice CLI tools for
> starting/stopping/listing active containers, it occurs to me that an
> alternative (`guix system container`) has at least one significant
> advantage: containers come online in seconds, as opposed to the minutes it
> takes to build and import a Docker image (or tens of minutes, if the build
> host is a VM without /dev/kvm.) It might also be the case that using
> /gnu/store for all containers is more disk-space-efficient than creating
> self-contained Docker images for each one.
>
> So I was wondering if anyone has experience running long-lived containers
> built via `guix system container` in a production setting. Since I'm
> running Guix on a foreign distro (Debian 10), it seems reasonable to build
> a systemd service around the container script, but there may be pitfalls I
> haven't considered:
>
> # build container script and register it as a gc root with a well-known
> # name.
> guix build --root=/home/guix/my-awesome-container $(guix system container -d my-awesome-container.scm)
>
> cat << EOF > /etc/systemd/system/my-awesome-container.service
> [Unit]
> Description=My Awesome Container
>
> [Service]
> ExecStart=/home/guix/my-awesome-container
> TimeoutStopSec=30
> StandardOutput=syslog
> StandardError=syslog
>
> [Install]
> WantedBy=multi-user.target
> EOF

¹ http://git.genenetwork.org/guix-bioinformatics/guix-bioinformatics/src/branch/master/gn/services/bnw.service

-- 
Efraim Flashner              אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
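The build-and-register step from the quoted message and the weekly `guix pull`, restart, `guix pull --roll-back` scheme from the reply, combined into one script. This is an added example, not code from the thread, from Guix, or from the bnw.service linked above. The config path, the GC-root path, the unit name and the `HEALTH_CMD` probe are placeholder assumptions; it assumes the same user runs `guix pull` and `guix build`, so that after `guix pull --roll-back` a rebuild from the unchanged config yields the previous container script again, and it leaves the unit running as root like the quoted one. Note that `guix build --root` repoints the symlink, so the previous script stays alive only until the next `guix gc`; the rollback below rebuilds rather than relying on that.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix.  It wraps the
# procedure discussed above: build the container script from a config,
# register it as a GC root, run it from a systemd unit, and on the weekly
# `guix pull` rebuild and restart, rolling back if the container "broke".
# Every default below is a placeholder assumption.
set -eu

CONFIG=${CONFIG:-/home/guix/my-awesome-container.scm}   # hypothetical path
ROOT=${ROOT:-/home/guix/my-awesome-container}            # GC root symlink
UNIT=${UNIT:-my-awesome-container.service}
GUIX=${GUIX:-guix}
SYSTEMCTL=${SYSTEMCTL:-systemctl}
# What "broke" means is site-specific; default to "the unit is still up".
HEALTH_CMD=${HEALTH_CMD:-"$SYSTEMCTL is-active --quiet $UNIT"}

# Print a unit for the container script.  No User= line: the script runs
# as root, as in the quoted unit.  Restart=on-failure and a bounded stop
# timeout keep a wedged container from blocking shutdown; output goes to
# the journal by default, so StandardOutput=syslog is not needed.
render_unit() {
  description=$1; script=$2
  cat <<EOF
[Unit]
Description=$description
After=network.target

[Service]
ExecStart=$script
TimeoutStopSec=30
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Build the container script from CONFIG and point the GC root at it.
# Prints the store path the root pointed at before (empty on first build).
build_container() {
  prev=""
  [ -L "$ROOT" ] && prev=$(readlink "$ROOT")
  drv=$("$GUIX" system container -d "$CONFIG")
  "$GUIX" build --root="$ROOT" "$drv" >/dev/null
  printf '%s\n' "$prev"
}

# Weekly upgrade: pull, rebuild, restart.  If the probe fails, roll the
# guix generation back and rebuild from the unchanged config, which gives
# the previous script again, then restart.  Exit status is the final probe.
upgrade_container() {
  "$GUIX" pull
  build_container >/dev/null
  "$SYSTEMCTL" restart "$UNIT"
  if sh -c "$HEALTH_CMD"; then
    echo "upgrade ok"
    return 0
  fi
  echo "health check failed, rolling back" >&2
  "$GUIX" pull --roll-back
  build_container >/dev/null
  "$SYSTEMCTL" restart "$UNIT"
  sh -c "$HEALTH_CMD"
}

case "${1:-}" in
  render)  render_unit "My Awesome Container" "$ROOT" ;;
  build)   build_container ;;
  upgrade) upgrade_container ;;
esac
```

Saved as, say, upgrade.sh: run `sh upgrade.sh render > /etc/systemd/system/my-awesome-container.service` once, `sh upgrade.sh build` for the first build, then `sh upgrade.sh upgrade` from a weekly timer. The probe is the part to get right: `is-active` only says the container script is still running, not that the service inside the container is answering.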