From: conjaroy
Date: Tue, 4 Aug 2020 08:40:27 -0400
Subject: Re: Is anyone using `guix system container` in production?
To: Efraim Flashner
In-Reply-To: <20200803065353.GG1134@E5400>
References: <20200802083452.GA1134@E5400> <20200803065353.GG1134@E5400>
Cc: help-guix@gnu.org

Thanks Efraim, that repo is a useful resource. As it happens, I've also
discovered your recent blog post on this topic, included here for posterity:
https://guix.gnu.org/blog/2020/gnu-shepherd-user-services/

I especially like the advice on modularizing the Shepherd init file.

Cheers,
Jason

On Mon, Aug 3, 2020 at 2:54 AM Efraim Flashner wrote:
> I found the systemd approach actually worked fairly well. The downsides
> were that the containers needed to be run as root and then have their
> permissions dropped, which wasn't always easy for me. I also didn't
> really like using root systemd units to start user-specific services. We
> tried to give each service or similar group of services a user, which
> started adding some overhead.
>
> We're currently using one user named 'shepherd' who has a user systemd
> service which starts GNU Shepherd as the shepherd user and runs all the
> services, with the passwordless sudo help. The individual shepherd
> services are a bit more complex to write than the simple systemd
> services we had before, but when we upgrade to the next server we plan
> on using Guix System so we wanted to make sure that it was all working
> anyway. The repo for those services is here¹. The README is missing that
> I had to enable linger for shepherd (something like `systemctl
> enable-linger shepherd`) for the user systemd service to start. It's not
> necessarily easier to set up but I've found it easier to manage.
>
> ¹ http://git.genenetwork.org/efraim/shepherd-services
>
> On Sun, Aug 02, 2020 at 11:40:52AM -0400, conjaroy wrote:
> > Hi Efraim, thanks for sharing your experience. Was your change in order
> > to adopt more Guix-centric tools, or to address specific bugs/limitations
> > of systemd in the initial approach?
> >
> > Jason
> >
> > On Sun, Aug 2, 2020 at 4:35 AM Efraim Flashner wrote:
> > > We've switched from using systemd to manage guix containers and
> > > services to using systemd user services to launch an instance of
> > > shepherd which manages guix containers and services, with some custom
> > > sudo rules. As far as using systemd and guix containers, here's one
> > > config that I still have around¹
> > >
> > > Our upgrade scheme was to run 'guix pull' about weekly and then
> > > restart the container. Assuming it didn't break we'd let it ride. If
> > > it did break then we'd have 'guix pull --roll-back' to roll back and
> > > wait it out or fix it.
> > >
> > > On Wed, Jul 29, 2020 at 06:17:44PM -0400, conjaroy wrote:
> > > > I'm interested in deploying several system containers to a single
> > > > cloud VPS, and I had originally planned to build those via `guix
> > > > system docker-image`. Although Docker has some nice CLI tools for
> > > > starting/stopping/listing active containers, it occurs to me that an
> > > > alternative (`guix system container`) has at least one significant
> > > > advantage: containers come online in seconds, as opposed to the
> > > > minutes it takes to build and import a Docker image (or tens of
> > > > minutes, if the build host is a VM without /dev/kvm). It might also
> > > > be the case that using /gnu/store for all containers is more
> > > > disk-space-efficient than creating self-contained Docker images for
> > > > each one.
> > > >
> > > > So I was wondering if anyone has experience running long-lived
> > > > containers built via `guix system container` in a production
> > > > setting. Since I'm running Guix on a foreign distro (Debian 10), it
> > > > seems reasonable to build a systemd service around the container
> > > > script, but there may be pitfalls I haven't considered:
> > > >
> > > > # build container script and register it as a gc root with a
> > > > # well-known name.
> > > > guix build --root=/home/guix/my-awesome-container \
> > > >   $(guix system container -d my-awesome-container.scm)
> > > >
> > > > cat << EOF > /etc/systemd/system/my-awesome-container.service
> > > > [Unit]
> > > > Description=My Awesome Container
> > > >
> > > > [Service]
> > > > ExecStart=/home/guix/my-awesome-container
> > > > TimeoutStopSec=30
> > > > StandardOutput=syslog
> > > > StandardError=syslog
> > > >
> > > > [Install]
> > > > WantedBy=multi-user.target
> > > > EOF
> > >
> > > ¹ http://git.genenetwork.org/guix-bioinformatics/guix-bioinformatics/src/branch/master/gn/services/bnw.service
> > >
> > > --
> > > Efraim Flashner אפרים פלשנר
> > > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> > > Confidentiality cannot be guaranteed on emails sent or received unencrypted
>
> --
> Efraim Flashner אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted