From: Ludovic Courtès
To: Simon Josefsson
Cc: help-guix@gnu.org, suhail@bayesians.ca, Cayetano Santos
Subject: Re: Building a Docker image for GitLab-CI
Date: Sat, 21 Dec 2024 16:33:50 +0100

Hi Simon!

Simon Josefsson wrote:

> I am happy to announce Guix container images:
>
> https://gitlab.com/debdistutils/guix/container/
>
> They are suitable for use in GitLab pipelines.

Yay!

> - guix package -i fails: `guix perform-download: error: refusing to
>   run with elevated privileges (UID 0)`

Should be fixed by running guix-daemon with “--build-users-group=whatever”
so that downloads run as one of the build users, not as root.

> - GitLab pipeline job entrypoints: three possible entry-point usages
>   behave somewhat differently depending on how `guix pack` was invoked

This image uses Guix installed on Debian though, no?

> - Adding `nss-certs` to the `guix pack` command breaks: `(symlink
>   "NetLock_Arany_=Class_Gold=_F?tan?s?tv?ny.pem" #) Throw to key
>   encoding-error' with args ("scm_to_stringn" "cannot convert wide
>   string to output locale" 84 #f #f)'.`

You need to run guix-daemon in a UTF-8 locale like “C.UTF-8” (which is
supported out-of-the-box). See also .

> Finally, you may wonder why things didn't work before. Some of the
> major reasons: 1) --max-layer=100 and 2) -S /etc=etc and 3) Missing
> /etc/protocols etc. GitLab's docker setup doesn't handle many layers,
> and it happens to just mount a sub-set of layers (see mount output,
> missing a lot of layers). Which files are put at which layer seems to
> vary between `guix pack` runs for some reason, making it really hard to
> debug (sometimes things worked partially, sometimes not, depending on
> which files ended up visible). I use --max-layers=8 now.

Interesting. Did you find points in the code (Docker? GitLab?) about
this subset of layers being mounted?

> Re /etc=etc it seems GitLab's docker setup bind-mounts things below
> /etc/ and it cannot handle the root /etc symlink. A workaround is to
> use `lndir` which I use in the `test-amd64-package-install` job. This
> is a limitation of GitLab's docker setup: I tried running a `-S
> /etc=etc` image on my own GitLab runner based on Trisquel [1] and it
> worked fine, it mounted things below the symlinked tree properly.
> Could `guix pack` be taught how to do a lndir-approach for /etc
> instead of symlink, perhaps?

It could symlink individual files and make /etc a directory. (What’s
‘lndir’, if I may ask?)

Thanks for the investigation and all!

Ludo’.
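
The approach discussed at the end of the message (keep /etc a real directory and symlink the individual files into it, so that a container runtime can still bind-mount files below /etc) is sketched here in POSIX shell. This is an added example, not code from the thread or from Guix; `link_tree`, `demo_link_tree` and the sample paths are hypothetical names constructed for the illustration.

```shell
#!/bin/sh
# link_tree SRC DST: mirror SRC into DST lndir-style: real directories,
# one symlink per non-directory entry. Entries already present in DST
# (e.g. files the runtime bind-mounted) are left alone.
# Assumption: file names contain no newlines.
link_tree() {
    src=$(cd "$1" && pwd -P) || return 1    # absolute, resolved source
    dst=$2
    mkdir -p "$dst" || return 1
    # find lists a directory before its contents, so parents exist first.
    (cd "$src" && find . -print) | while IFS= read -r rel; do
        if [ "$rel" = . ]; then continue; fi
        rel=${rel#./}
        if [ -d "$src/$rel" ] && [ ! -L "$src/$rel" ]; then
            mkdir -p "$dst/$rel"            # real directory, not a link
        elif [ -e "$dst/$rel" ] || [ -L "$dst/$rel" ]; then
            echo "skip (exists): $dst/$rel" >&2
        else
            ln -s "$src/$rel" "$dst/$rel"   # per-file symlink
        fi
    done
}

# Constructed sample: profile/etc stands in for the profile's etc/ tree,
# root/etc for the image's /etc; root/etc/hosts plays a bind-mounted file.
demo_link_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/profile/etc/ssl/certs" "$tmp/root/etc"
    echo "tcp 6 TCP" > "$tmp/profile/etc/protocols"
    echo "cert"      > "$tmp/profile/etc/ssl/certs/ca.pem"
    echo "profile"   > "$tmp/profile/etc/hosts"
    echo "runtime"   > "$tmp/root/etc/hosts"
    link_tree "$tmp/profile/etc" "$tmp/root/etc" 2>/dev/null
    echo "$tmp"                             # caller inspects and removes it
}
```

Running `demo_link_tree` prints the temporary directory; `root/etc` under it is a plain directory whose `protocols` and `ssl/certs/ca.pem` are symlinks, while the pre-existing `hosts` keeps its content.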