Date: Mon, 3 Aug 2020 09:53:53 +0300
From: Efraim Flashner <efraim@flashner.co.il>
To: conjaroy
Cc: help-guix@gnu.org
Subject: Re: Is anyone using `guix system container` in production?
Message-ID: <20200803065353.GG1134@E5400>
References: <20200802083452.GA1134@E5400>

I found the systemd approach actually worked fairly well. The downsides were that the containers needed to be run as root and then have their permissions dropped, which wasn't always easy for me. I also didn't really like using root systemd units to start user-specific services. We tried to give each service or similar group of services a user, which started adding some overhead.
We're currently using one user named 'shepherd' who has a user systemd service which starts GNU Shepherd as the shepherd user and runs all the services, with the passwordless sudo help. The individual shepherd services are a bit more complex to write than the simple systemd services we had before, but when we upgrade to the next server we plan on using Guix System, so we wanted to make sure that it was all working anyway. The repo for those services is here¹. The README is missing that I had to enable linger for shepherd (something like systemctl enable-linger shepherd) for the user systemd service to start. It's not necessarily easier to set up, but I've found it easier to manage.

¹ http://git.genenetwork.org/efraim/shepherd-services

On Sun, Aug 02, 2020 at 11:40:52AM -0400, conjaroy wrote:
> Hi Efraim, thanks for sharing your experience. Was your change in order to
> adopt more Guix-centric tools, or to address specific bugs/limitations of
> systemd in the initial approach?
>
> Jason
>
>
> On Sun, Aug 2, 2020 at 4:35 AM Efraim Flashner
> wrote:
>
> > We've switched from using systemd to manage guix containers and services
> > to using systemd user services to launch an instance of shepherd which
> > manages guix containers and services, with some custom sudo rules. As
> > far as using systemd and guix containers, here's one config that I still
> > have around¹
> >
> > Our upgrade scheme was to run 'guix pull' about weekly and then restart
> > the container. Assuming it didn't break we'd let it ride. If it did
> > break then we'd have 'guix pull --roll-back' to roll back and wait it
> > out or fix it.
> >
> > On Wed, Jul 29, 2020 at 06:17:44PM -0400, conjaroy wrote:
> > > I'm interested in deploying several system containers to a single cloud
> > > VPS, and I had originally planned to build those via `guix system
> > > docker-image`. Although Docker has some nice CLI tools for
> > > starting/stopping/listing active containers, it occurs to me that an
> > > alternative (`guix system container`) has at least one significant
> > > advantage: containers come online in seconds, as opposed to the minutes it
> > > takes to build and import a Docker image (or tens of minutes, if the build
> > > host is a VM without /dev/kvm.) It might also be the case that using
> > > /gnu/store for all containers is more disk-space-efficient than creating
> > > self-contained Docker images for each one.
> > >
> > > So I was wondering if anyone has experience running long-lived containers
> > > built via `guix system container` in a production setting. Since I'm
> > > running Guix on a foreign distro (Debian 10), it seems reasonable to build
> > > a systemd service around the container script, but there may be pitfalls I
> > > haven't considered:
> > >
> > > # build container script and register it as a gc root with a well-known
> > > # name.
> > > guix build --root=/home/guix/my-awesome-container $(guix system container
> > > -d my-awesome-container.scm)
> > >
> > > cat << EOF > /etc/systemd/system/my-awesome-container.service
> > > [Unit]
> > > Description=My Awesome Container
> > >
> > > [Service]
> > > ExecStart=/home/guix/my-awesome-container
> > > TimeoutStopSec=30
> > > StandardOutput=syslog
> > > StandardError=syslog
> > >
> > > [Install]
> > > WantedBy=multi-user.target
> > > EOF
> >
> > ¹
> > http://git.genenetwork.org/guix-bioinformatics/guix-bioinformatics/src/branch/master/gn/services/bnw.service
> >
> >
> > --
> > Efraim Flashner אפרים פלשנר
> > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
> >

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
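As an added illustration (not code from the shepherd-services repo linked in the reply), here is what the arrangement Efraim describes can look like: a Shepherd init file loaded by the unprivileged 'shepherd' user's systemd user service, starting the container script from the original post through a sudo rule scoped to exactly that one path. Assumed here: the GC-rooted script path /home/guix/my-awesome-container from the thread, a home directory of /home/shepherd, a sudoers rule as shown in the comment, and Shepherd's standard `make <service>` / `make-forkexec-constructor` API.

```scheme
;; ~/.config/shepherd/init.scm for the dedicated 'shepherd' user
;; (added example; assumptions listed above).
;;
;; Host prerequisites, all outside this file:
;;   loginctl enable-linger shepherd        ; user service starts at boot
;;   /etc/sudoers.d/shepherd containing exactly:
;;   shepherd ALL=(root) NOPASSWD: /home/guix/my-awesome-container
;; The rule names one absolute path, so a compromised 'shepherd' account
;; can start the container but cannot run arbitrary commands as root.
(use-modules (shepherd service))

;; The script produced by `guix build --root=...` in the original post.
(define container-script "/home/guix/my-awesome-container")

(define my-awesome-container
  (make <service>
    #:docstring "guix system container, started via a path-scoped sudo rule"
    #:provides '(my-awesome-container)
    #:requires '()
    ;; `sudo -n` never prompts: if the sudoers rule is missing or has been
    ;; changed, the start fails loudly instead of hanging on a password.
    #:start (make-forkexec-constructor
             (list "/usr/bin/sudo" "-n" container-script)
             ;; assumed log location; the user must own this directory
             #:log-file "/home/shepherd/log/my-awesome-container.log")
    ;; SIGTERM goes to sudo, which relays it to the container script,
    ;; matching the TimeoutStopSec-style graceful stop in the systemd unit.
    #:stop (make-kill-destructor)
    #:respawn? #t))

(register-services my-awesome-container)
(action 'shepherd 'daemonize)
(for-each start '(my-awesome-container))
```

After a weekly `guix pull` and rebuild, `herd restart my-awesome-container` from the shepherd user replaces the running container without any root-owned systemd unit being involved.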