GitLab container /etc symlink problem (was: Re: Building a Docker image for GitLab-CI)

[Simon Josefsson via <help-guix@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 4001 bytes --]

Simon Josefsson via <help-guix@gnu.org> writes:

>>> Re /etc=etc it seems GitLab's docker setup bind-mounts things below
>>> /etc/ and it cannot handle the root /etc symlink.  A workaround is to
>>> use `lndir` which I use in the `test-amd64-package-install` job.  This
>>> is limitation of GitLab's docker setup: I tried running a `-S
>>> /etc=etc` image on my own GitLab runner based on Trisquel [1] and it
>>> worked fine, it mounted things below the symlinked tree properly.
>>> Could `guix pack` be teached how to do a lndir-approach for /etc
>>> instead of symlink, perhaps?
>>
>> It could symlink individual files and make /etc a directory.
>
> Is this possible now?  How?
>
> The --symlink is defined like this now:
>
> ‘-S SPEC’
>      Add the symlinks specified by SPEC to the pack.  This option can
>      appear several times.
>      SPEC has the form ‘SOURCE=TARGET’, where SOURCE is the symlink that
>      will be created and TARGET is the symlink target.
>      For instance, ‘-S /opt/gnu/bin=bin’ creates a ‘/opt/gnu/bin’
>      symlink pointing to the ‘bin’ sub-directory of the profile.
>
> Could we extend that somehow to support the model of recursively
> creating directories, but symlink files within them?
>
> Or a new --symlink-mkdir parameter or similar?
>
>> (What’s ‘lndir’, if I may ask?)
>
> Exactly that :)

I found out that the lndir approach doesn't work.  The /etc symlinks are
modified by 'guix package -i'.  It only occurs sometimes, probably
depending on if it happens to pull in a new version of 'net-base'.  It
seems 'guix package -i hello' works but 'guix package -i skopeo'
doesn't.

https://gitlab.com/debdistutils/guix/container/-/jobs/8713723100

...
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
61.5 MB will be downloaded
retrying download of '/gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3' with other substitute URLs...
guix substitute: warning: ci.guix.gnu.org: host not found: Servname not supported for ai_socktype
guix substitute: error: failed to find alternative substitute for '/gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3'
substitution of /gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3 failed
guix package: error: some substitutes for the outputs of derivation `/gnu/store/cviappwxgh7ilhprl44x5ya2nypwlcj7-skopeo-1.17.0.drv' failed (usually happens due to networking issues); try `--fallback' to build derivation from source 

You can see that networking worked initially, but broke down later on.

lrwxrwxrwx 1 root 0   70 Dec 23 18:24 protocols -> /gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3/etc/protocols

After running 'guix package -i skopeo' that symlink is danling:

++ echo '$ ls -ld /gnu/store/*net-base*'
++ ls -ld /gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3.lock /gnu/store/i705faz4w4wnq1frrbbrk2jnhwhsr2k9-net-base-5.3-builder /gnu/store/kaqyk1rn9f4q36h8nc0919wrlam0xl0g-net-base-5.3.drv
-rw------- 1 root 0   0 Dec 23 18:26 /gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3.lock
-r--r--r-- 1 root 0 893 Jan  1  1970 /gnu/store/i705faz4w4wnq1frrbbrk2jnhwhsr2k9-net-base-5.3-builder
-r--r--r-- 1 root 0 990 Jan  1  1970 /gnu/store/kaqyk1rn9f4q36h8nc0919wrlam0xl0g-net-base-5.3.drv
++ echo '$ ls -ld /gnu/store/*profile*'

I've reverted back to this hack:

cp -rL /gnu/store/*profile/etc/* /etc/

Is there a clean solution to this?  Perhaps we could debug further why
GitLab/docker barfs on a /etc symlink.  It is probably related to them
having these mount points:

/dev/sda1 /etc/hostname ext4 rw,nosuid,nodev,relatime,commit=30 0 0
/dev/sda1 /etc/hosts ext4 rw,nosuid,nodev,relatime,commit=30 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,nosuid,nodev,relatime,commit=30 0 0

Maybe -S /etc=etc works if we make sure to remove just those three
files..

/Simon

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]