From: conjaroy
Date: Sun, 2 Aug 2020 11:40:52 -0400
Subject: Re: Is anyone using `guix system container` in production?
To: Efraim Flashner
In-Reply-To: <20200802083452.GA1134@E5400>
Cc: help-guix@gnu.org

Hi Efraim, thanks for sharing your experience. Was your change in order
to adopt more Guix-centric tools, or to address specific
bugs/limitations of systemd in the initial approach?

Jason

On Sun, Aug 2, 2020 at 4:35 AM Efraim Flashner wrote:
> We've switched from using systemd to manage guix containers and services
> to using systemd user services to launch an instance of shepherd which
> manages guix containers and services, with some custom sudo rules. As
> far as using systemd and guix containers, here's one config that I still
> have around¹
>
> Our upgrade scheme was to run 'guix pull' about weekly and then restart
> the container. Assuming it didn't break we'd let it ride. If it did
> break then we'd have 'guix pull --roll-back' to roll-back and wait it
> out or fix it.
>
> On Wed, Jul 29, 2020 at 06:17:44PM -0400, conjaroy wrote:
> > I'm interested in deploying several system containers to a single cloud
> > VPS, and I had originally planned to build those via `guix system
> > docker-image`. Although Docker has some nice CLI tools for
> > starting/stopping/listing active containers, it occurs to me that an
> > alternative (`guix system container`) has at least one significant
> > advantage: containers come online in seconds, as opposed to the minutes
> > it takes to build and import a Docker image (or tens of minutes, if the
> > build host is a VM without /dev/kvm.) It might also be the case that
> > using /gnu/store for all containers is more disk-space-efficient than
> > creating self-contained Docker images for each one.
> >
> > So I was wondering if anyone has experience running long-lived containers
> > built via `guix system container` in a production setting. Since I'm
> > running Guix on a foreign distro (Debian 10), it seems reasonable to
> > build a systemd service around the container script, but there may be
> > pitfalls I haven't considered:
> >
> > # build container script and register it as a gc root with a well-known
> > # name.
> > guix build --root=/home/guix/my-awesome-container \
> >   $(guix system container -d my-awesome-container.scm)
> >
> > cat << EOF > /etc/systemd/system/my-awesome-container.service
> > [Unit]
> > Description=My Awesome Container
> >
> > [Service]
> > ExecStart=/home/guix/my-awesome-container
> > TimeoutStopSec=30
> > StandardOutput=syslog
> > StandardError=syslog
> >
> > [Install]
> > WantedBy=multi-user.target
> > EOF
>
> ¹ http://git.genenetwork.org/guix-bioinformatics/guix-bioinformatics/src/branch/master/gn/services/bnw.service
>
> --
> Efraim Flashner אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
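The weekly 'guix pull', restart, and 'guix pull --roll-back' cycle Efraim describes, wrapped around the systemd unit from Jason's message, written up here as an added example that is not code from either poster. It assumes the unit, config and GC-root names from the thread, a POSIX sh, and uses the unit's active state as a placeholder health check that you would replace with a real probe of the service.

```shell
#!/bin/sh
# Added example (not from the thread): one upgrade cycle of the scheme
# Efraim describes, around the unit from Jason's message. The names are the
# thread's; the health check is a placeholder ("is the unit still active?").
set -eu

ROOT=${ROOT:-/home/guix/my-awesome-container}   # GC root = launcher path
CONFIG=${CONFIG:-my-awesome-container.scm}       # operating-system config
UNIT=${UNIT:-my-awesome-container.service}
SETTLE_SECONDS=${SETTLE_SECONDS:-5}

# Rebuild the container launcher with the currently pulled guix and point
# the GC root at it, so 'guix gc' cannot remove what the unit executes.
build_container() {
    guix build --root="$ROOT" "$(guix system container -d "$CONFIG")"
}

# Restart the unit, let it settle, and report whether it is still running.
restart_and_check() {
    systemctl restart "$UNIT"
    sleep "$SETTLE_SECONDS"
    systemctl is-active --quiet "$UNIT"
}

# Returns 0 when the new generation came up healthy, 1 when it broke and
# the previous guix generation and its launcher were restored instead.
upgrade_cycle() {
    guix pull
    if build_container && restart_and_check; then
        echo "upgrade ok: $UNIT running from $ROOT"
        return 0
    fi
    echo "upgrade failed; rolling guix back and restarting $UNIT" >&2
    guix pull --roll-back
    build_container          # rebuilds the previous launcher from the old guix
    systemctl restart "$UNIT"
    return 1
}

# Run as the account whose 'guix pull' profile the launcher is built from,
# e.g. weekly from cron: ./upgrade.sh run
case "${1:-}" in
    run) upgrade_cycle ;;
esac
```

Since the unit in the thread has no User= line, systemd runs the launcher as root while the path it executes lives under /home/guix, so keep that script and directory writable only by the account that runs this cycle.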