From: Simon Josefsson
To: Andreas Enge
Cc: help-guix@gnu.org, ludovic.courtes@inria.fr, suhail@bayesians.ca, Cayetano Santos
Subject: Re: Building a Docker image for GitLab-CI
Date: Wed, 18 Dec 2024 20:17:46 +0100

Andreas Enge writes:

> Hello Simon,
>
> On Mon, Dec 16, 2024 at 11:42:34AM +0100, Simon Josefsson via wrote:
>> I am trying to get a Guix container usable in GitLab, and thought I'd
>> share my status. I have established working networking in the resulting
>> Guix container, which seems like progress (whoohoo!). tl;dr:
>
> at work we are using gitlab CI to build guix docker containers and run a
> node on openshift for the bordeaux build farm:
> https://gitlab.inria.fr/enge/plm-guix
> The README.md is completely outdated and serves mainly as a reminder to
> myself on how this docker thing works; every time I look at it after a
> break of a few months I have forgotten how to use a docker container...
>
> And of course I have already forgotten the details; probably we should
> write a little blog post. I will talk about it with my colleague when I
> meet him next year ;-)
>
> We also start with a Debian image and use a Dockerfile to install Guix
> in it, as described in the Guix manual. Then for CI, we use this fixed
> docker image to create a new one every time our repository (with a
> channels.scm file and the plmshift.scm OS configuration file) changes.
> In our case, this second docker image is the artefact that we then deploy.
> We use "docker in docker" to create the images, and if I understood
> correctly, this requires some privileges; these may not be given on
> gitlab.com, but are available in our self-hosted instance.

Hi Andreas!

This all sounds quite similar to what I'm doing, although using a
different software stack. I'm reading through your work now, after
actually finishing my work which I've announced here:

https://blog.josefsson.org/2024/12/18/guix-container-images-for-gitlab-ci-cd/
https://gitlab.com/debdistutils/guix/container

Looking into details, it seems you run this command to create the image:

https://gitlab.inria.fr/enge/plm-guix/-/blob/bf87f970c316f20cea2cf80f2511a280b5a71ed8/.gitlab-ci.yml#L44

docker run --privileged -v ./config:/config $CI_REGISTRY_IMAGE/builder:latest sh -c 'cd /config && /guix-daemon.sh guix time-machine -C channels.scm -- system image -t docker plmshift.scm >/dev/null 2>&1 && cat /gnu/store/*docker-image.tar.gz' > image/docker-image.tar.gz
docker load -i image/docker-image.tar.gz

Your docker file is here:

https://gitlab.inria.fr/enge/plm-guix/-/blob/master/docker/Dockerfile?ref_type=heads

The guix-daemon.sh script is here:

https://gitlab.inria.fr/enge/plm-guix/-/blob/master/docker/guix-daemon.sh?ref_type=heads

Your plmshift.scm file is here:

https://gitlab.inria.fr/enge/plm-guix/-/blob/master/config/plmshift.scm?ref_type=heads

For comparison, I'm creating the image like this:

https://gitlab.com/debdistutils/guix/container/-/blob/main/.gitlab-ci.yml?ref_type=heads#L61

GUIX_PACKS_SLIM: guix bash-minimal coreutils-minimal net-base lndir
GUIX_PACKS_LATEST: $GUIX_PACKS_SLIM git-minimal findutils diffutils gcc-toolchain make automake autoconf tar grep sed gawk m4 gzip xz bzip2 iproute2 inetutils libcap shadow wget nss-certs
...
pack=$(guix pack $GUIX_PACKS --save-provenance -S /bin=bin -S /share=share -f docker --image-tag=guix --max-layers=8 --verbosity=0)
podman load -i $pack

My containerfile is here:

https://gitlab.com/debdistutils/guix/container/-/blob/main/debian-with-guix/Containerfile?ref_type=heads

Some of the stuff you resolve by using guix-daemon.sh and guix system
image on the plmshift.scm I instead push onto the consumer of my work,
as in these instructions:

https://gitlab.com/debdistutils/guix/container#how-to-use

One difference is that you are using your previous image as a basis for
the next one, which means you are using native Guix to build the image,
whereas I'm using Debian+Guix to build the image. There is no
fundamental reason for this in my approach, so I opened an issue about
it:

https://gitlab.com/debdistutils/guix/container/-/issues/1

One more fundamental issue is that you are using 'guix system image' and
I was inspired by Ludo's e-mail and used 'guix pack'. My experiments
with system images were that they ended up being larger, but maybe that
can be resolved by removing stuff.

Are there any general thoughts on which is better to use? Guix system
vs Guix pack? I kind of like the idea of adding on top of guix-pack
rather than removing from guix-system.

/Simon