From: Simon Josefsson <simon@josefsson.org>
To: Ludovic Courtès <ludovic.courtes@inria.fr>
Cc: help-guix@gnu.org, suhail@bayesians.ca, Cayetano Santos <csantosb@inventati.org>
Subject: Re: Building a Docker image for GitLab-CI
Date: Wed, 18 Dec 2024 00:46:34 +0100
Message-ID: <87ed25lvol.fsf@kaka.sjd.se>
In-Reply-To: <87o71ar4j5.fsf@inria.fr> (Ludovic Courtès's message of "Tue, 17 Dec 2024 11:24:14 +0100")
References: <87ttb4d5c8.fsf@inventati.org> <87a5cwd4bn.fsf@inventati.org> <87ed27oqn9.fsf@kaka.sjd.se> <87zfkurbja.fsf@inria.fr> <87zfkulolb.fsf@kaka.sjd.se> <87o71ar4j5.fsf@inria.fr>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt

I am happy to announce Guix container images:

  https://gitlab.com/debdistutils/guix/container/

They are suitable for use in GitLab pipelines. There are many things to
continue discussing and resolving. However, it is now possible to start a
GitLab pipeline job that uses an 'image:' pointing to a container file
that was created by `guix pack`, and it has network access.

Andreas Enge posted a link on how to achieve this with non-free 'docker'
and some custom hosted GitLab runners with extra permissions, but my
variant uses only free software, and the images can be reproduced solely
on the GitLab public runners (i.e., no image uploading from a local
laptop). As far as I know this hasn't been done before.
Successful example job that runs a Guix environment:

  https://gitlab.com/debdistutils/guix/container/-/jobs/8670483694

Start the container like this:

  sudo apt-get install podman || guix package -i podman
  podman run -it registry.gitlab.com/debdistutils/guix/container:latest

The README mentions a few warts that you will appreciate -- can you
suggest ways to resolve these matters?

- `export HOME=/`
- `export CWD=/`
- `guix-daemon --disable-chroot &`
- `GUIX_PROFILE=/root/.config/guix/current; . "$GUIX_PROFILE/etc/profile"`
- guix package -i fails: `guix perform-download: error: refusing to run
  with elevated privileges (UID 0)`
- GitLab pipeline job entrypoints: three possible entry-point usages
  behave somewhat differently depending on how `guix pack` was invoked
- Adding `nss-certs` to the `guix pack` command breaks:
  `(symlink "NetLock_Arany_=Class_Gold=_F?tan?s?tv?ny.pem" #) Throw to key
  encoding-error' with args ("scm_to_stringn" "cannot convert wide string
  to output locale" 84 #f #f)'.`

Those things aside, the main problem right now is that I would expect
'guix package -i gcc automake autoconf' to work. However, as you can see
in the `test-amd64-package-install` job, things fail to download,
seemingly from an intentional privilege check:

  guix perform-download: error: refusing to run with elevated privileges (UID 0)

  https://gitlab.com/debdistutils/guix/container/-/jobs/8670514009

What is the best way to resolve this? Ugly insecure workarounds are
acceptable too; I didn't find any --insecure or similar.

It would be nice to publish a couple of different images, one minimal and
one more complete with, say, gcc on it. Thoughts on what packages to
include and how to name the images?
Doing arm64 images should be straightforward, but I get an error running
'guix pull' in the Debian image:

  https://issues.guix.gnu.org/74925

Also I do not know how to push a combined amd64+arm64 image like Debian
does with the 'debian:trixie' image, doing the right thing for both amd64
and arm64 under the same name. Ideas?

Can someone try to use them in some other environments, maybe GitHub
Actions or Codeberg Woodpecker?

Finally, you may wonder why things didn't work before. Some of the major
reasons: 1) --max-layers=100 and 2) -S /etc=etc and 3) missing
/etc/protocols etc.

GitLab's docker setup doesn't handle many layers, and it happens to just
mount a sub-set of layers (see mount output, missing a lot of layers).
Which files are put at which layer seems to vary between `guix pack` runs
for some reason, making it really hard to debug (sometimes things worked
partially, sometimes not, depending on which files ended up visible). I
use --max-layers=8 now.

Re /etc=etc, it seems GitLab's docker setup bind-mounts things below /etc/
and it cannot handle the root /etc symlink. A workaround is to use
`lndir`, which I use in the `test-amd64-package-install` job. This is a
limitation of GitLab's docker setup: I tried running a `-S /etc=etc` image
on my own GitLab runner based on Trisquel [1] and it worked fine; it
mounted things below the symlinked tree properly. Could `guix pack` be
taught how to do a lndir-approach for /etc instead of a symlink, perhaps?

Happy hacking,
/Simon

[1] https://gitlab.com/debdistutils/debdistreproduce/-/blob/main/gitlab-runner-with-podman-on-trisquel-aramo.md?ref_type=heads
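The /etc workaround described at the end of the message, shown as an added example that is not part of Simon's message, the Guix project, or the linked repository: a `guix pack -S /etc=etc` image ends up with /etc as a single symlink into the store profile, and a runtime that bind-mounts individual files below /etc needs a real directory there. The script builds a constructed scratch tree with that shape (the store hash is a placeholder), then replaces the /etc symlink with a real directory whose entries are symlinks back into the store copy. `lndir_like` is a hypothetical reimplementation of what `lndir` does, written with `find` so the example runs without the xutils package; `convert_etc_symlink` and `make_fixture` are likewise names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from Simon's message or from the Guix project.
# It emulates the lndir-style workaround for a root /etc symlink inside a
# scratch directory, so nothing on the real system is touched.
#
# Assumed layout, modelled on what `guix pack -S /etc=etc` produces (the
# store hash below is a constructed placeholder):
#   $ROOT/etc -> $ROOT/gnu/store/<hash>-profile/etc   (a symlink)
# A container runtime that bind-mounts files below /etc needs a real
# directory there, so the symlink is replaced by a directory whose entries
# are symlinks back into the store copy.
set -eu

# lndir_like SRC DST: mirror SRC into DST using real directories and one
# symlink per file. A hypothetical reimplementation of what `lndir` does,
# written with find so the example has no dependency on the xutils package.
lndir_like() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    # Directories first, so the file symlinks have a parent to live in.
    (cd "$src" && find . -mindepth 1 -type d) | while IFS= read -r d; do
        d=${d#./}
        mkdir -p "$dst/$d"
    done
    (cd "$src" && find . -mindepth 1 ! -type d) | while IFS= read -r f; do
        f=${f#./}
        ln -s "$src/$f" "$dst/$f"
    done
}

# convert_etc_symlink ROOT: if ROOT/etc is a symlink, swap it for an
# lndir-style directory. Returns 0 on conversion, 1 if ROOT/etc was already
# a real directory (nothing to do).
convert_etc_symlink() {
    root=$1
    if [ ! -L "$root/etc" ]; then
        return 1
    fi
    target=$(readlink -f "$root/etc")
    rm "$root/etc"
    lndir_like "$target" "$root/etc"
}

# make_fixture: build a constructed scratch tree shaped like the packed
# image (a store profile with an etc/ tree and a root-level /etc symlink)
# and print the scratch root so a caller can convert and inspect it.
make_fixture() {
    root=$(mktemp -d)
    store="$root/gnu/store/0000000000000000000000000000000-profile/etc"
    mkdir -p "$store/ssl/certs"
    printf 'tcp\t6\tTCP\n' > "$store/protocols"
    printf 'constructed placeholder, not a real certificate bundle\n' \
        > "$store/ssl/certs/ca-certificates.crt"
    ln -s "$store" "$root/etc"
    printf '%s\n' "$root"
}
```

After `convert_etc_symlink "$(make_fixture)"` the scratch root has a real `etc/` directory with real `ssl/certs/` subdirectories and per-file symlinks into the store, so a runtime can mount onto paths below it while every file still resolves to the packed content; that is the role `lndir` plays in the `test-amd64-package-install` job mentioned above. Running the conversion a second time is a no-op that returns 1, which keeps it safe to put in an entrypoint that may run more than once.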