* Re: Help understand some guix concepts
       [not found] <CAL7_Mo9+T40hD_z-8=dSRecOHgzhHezzgLwM_2Y097oXiBxfbQ@mail.gmail.com>
@ 2018-01-01 21:39 ` Amirouche Boubekki
  2018-01-09 12:41   ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Amirouche Boubekki @ 2018-01-01 21:39 UTC (permalink / raw)
  To: help-guix, guix-devel

On Mon, Jan 1, 2018 at 8:31 PM Amirouche Boubekki <
amirouche.boubekki@gmail.com> wrote:

> Héllo,
>
> It's been a long time since I read the manual, so I read the manual this
> afternoon.
>
> I have to say that I don't really understand some guix concepts and how
> they map to the rest of the world.
>
> Can someone try to explain to me how the following concepts are related to
> each other:
>
> Environments, profiles, gc roots, root filesystem, chroot, containers,
> docker and lxc
>
> TIA
>

Sorry, it deserves a bit more explanation.

I know what the *chroot* command is. It changes the root directory. For
instance, I can do the following:

$ mkdir tmp && cd tmp
$ tar xvf $(guix pack --symlink=/bin=bin guile)
$ sudo chroot . /bin/guile

And then guile will be running inside the tmp directory without access to
the rest of the filesystem except if I mount --bind something inside the
tmp directory.

As Wikipedia explains it <https://en.wikipedia.org/wiki/Chroot#Uses>, it
is used for:

- Testing and development
- Dependency control
- Compatibility
- Recovery
- Privilege separation

In the past I used chroot to run a Gentoo build system on top of any other
distribution. The result is that the developer is free to use whatever
distribution they want as long as they can chroot inside the development
*rootfs* which is possibly another distro or another version of the same
distribution.

*Q:* Does guix/sd use chroot?
*Q:* Do guix developers use chroot somehow?

In particular, using chroot, processes are not really separated from the
host system; you don't get another IP and you have the same port namespace.

What I call *root filesystem* is what is found at / in the filesystem,
where in Debian there is /usr, /proc, /dev, etc.

That's the result of the following command:

$ guix system init ~/src/guile/guix/git/gnu/system/install.scm .

Then I can chroot inside that directory if I want and I will be *somewhat*
like in a guixsd.

*Q:* Do guix developers use 'guix system init' in combination with chroot?

Now, I will mention containers. I know little about cgroups, but I know
it's a feature of the Linux kernel.

*Q:* Does guix/sd use cgroups <https://en.wikipedia.org/wiki/Cgroups>?

The most popular tools using cgroups are Docker
<https://en.wikipedia.org/wiki/Docker_(software)> and LXC
<https://en.wikipedia.org/wiki/LXC>. They have very different approaches to
containers. AFAIU, Docker re-invents the wheel (?) of how networking,
filesystem and probably how other stuff happens in the GNU/Linux world.
Whereas LXC re-uses concepts with which people who used to play with VMs
are familiar. For instance, LXC networking setup re-uses commands like
ip <https://linux.die.net/man/8/ip> or brctl
<https://linux.die.net/man/8/brctl>. Docker uses a concept of images that
made Docker famous and a single command to download & execute whatever
program you want... But the most intriguing thing in Docker is that they
are against using systemd (or a similar tool) inside containers to run
multiple processes inside the container. Basically, PID 1 in the container
must be the PID of the application. That's why Docker calls them application
containers. Whereas LXC containers are system containers.

One thing that took me a long time to understand regarding the distinction
between containers and a simple chroot is that in the case of chroot there
is no process managing the chroot. Whereas a container appears as a
process in the host system.


*Q:* Do guix/sd containers enforce an image format?
*Q:* Can guix/sd use images? What are the advantages?
*Q:* How does networking happen in guix/sd?
*Q:* Is it possible to bind multiple interfaces via a bridge on the host
system to the container?
*Q:* Is it possible or recommended to run shepherd inside a guix container?

*Q:* Isn't AppImage <https://en.wikipedia.org/wiki/AppImage> a
"combination" of 'guix pack' and 'guix container'?

*Q:* Is it possible to have Xorg running inside a container and then use
ssh -X to access it? Is there a way to avoid the ssh -X?

TIA

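The post above draws the line between a chroot (only the root directory changes, processes still share the host's network and PID space) and a container (a process in the host with its own namespaces). The following script, added here and not part of the original thread, makes that difference observable: it compares the root directory and the Linux namespaces of a process against a reference process (by default the shell running the script). It assumes Linux with /proc mounted and permission to read /proc/<pid>/ns (your own processes, or root).

```shell
#!/bin/sh
# isolation_report: show what actually separates a process from the host.
# A plain chroot changes only the root directory and shares every namespace;
# a container (e.g. one started by 'guix system container') has its own
# mnt/pid/net/... namespaces.  Added example; assumes Linux + /proc.
NS_KINDS="mnt pid net uts ipc user"

# ns_diff PID_A PID_B: print, one per line, the namespace kinds in which the
# two processes differ.  Prints nothing when every namespace is shared.
# Returns 2 when /proc/<pid>/ns is not available (non-Linux, /proc unmounted).
ns_diff() {
    a=$1; b=$2
    if [ ! -d "/proc/$a/ns" ] || [ ! -d "/proc/$b/ns" ]; then
        echo "ns_diff: /proc/<pid>/ns not available" >&2
        return 2
    fi
    for kind in $NS_KINDS; do
        # readlink fails for namespaces the kernel lacks or we may not read;
        # those are skipped rather than reported as a difference.
        la=$(readlink "/proc/$a/ns/$kind" 2>/dev/null) || continue
        lb=$(readlink "/proc/$b/ns/$kind" 2>/dev/null) || continue
        [ "$la" = "$lb" ] || echo "$kind"
    done
}

# root_of PID: the directory the process sees as "/".  Seen from outside,
# a chroot'ed process reports its chroot directory here, not "/".
root_of() {
    readlink "/proc/$1/root" 2>/dev/null || echo "?"
}

# isolation_report PID [REF_PID]: human-readable summary of root + namespaces.
isolation_report() {
    pid=$1; ref=${2:-$$}
    echo "process $pid (reference $ref)"
    echo "  root: $(root_of "$pid")"
    d=$(ns_diff "$pid" "$ref") || return $?
    if [ -z "$d" ]; then
        echo "  namespaces: all shared (at most a chroot, not a container)"
    else
        echo "  namespaces: separate -> $(echo "$d" | tr '\n' ' ')"
    fi
}

# Usage: isolation_report <pid-of-guile-in-chroot>   # expect "all shared"
#        isolation_report <pid-inside-a-container>    # expect mnt pid net ...
```

Run it against the chroot'ed guile from the post and against a process started inside a container to see the two outcomes side by side.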

* Re: Help understand some guix concepts
From: Ludovic Courtès @ 2018-01-09 12:41 UTC (permalink / raw)
  To: Amirouche Boubekki; +Cc: guix-devel, help-guix

Hi,

Sorry for the late reply.

Amirouche Boubekki <amirouche.boubekki@gmail.com> wrote:

> *Q:* Does guix/sd use chroot?

The build daemon, ‘guix-daemon’, uses chroot (among other tools) to
perform isolated builds:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix_002ddaemon.html

> *Q:* Do guix developers use chroot somehow?

[...]

> *Q:* Do guix developers use 'guix system init' in combination with chroot?

They could, but it’s not very useful or convenient.  ‘guix system vm’ or
‘guix system container’ (the latter actually uses chroot(2)) are simpler
interfaces.

> *Q:* Does guix/sd use cgroups <https://en.wikipedia.org/wiki/Cgroups>?

No (not yet).

> *Q:* Do guix/sd containers enforce an image format?

No.

Docker & co. often associate “container” and “image format” because what
they deal with are binary images.

Conversely Guix and GuixSD have a detailed view of package composition,
service composition, etc.  Thus, they can spawn a container that
contains everything you specified (see ‘guix system container’ and ‘guix
environment -C’), and they can also create binary images that contain
everything you want (see ‘guix pack’ and ‘guix system vm-image’).

However, neither Guix nor GuixSD is in the business of running software
from containers in the format defined by Docker & co.

> *Q:* Can guix/sd use images? What are the advantages?
> *Q:* How does networking happen in guix/sd?
> *Q:* Is it possible to bind multiple interfaces via a bridge on the host
> system to the container?

Not easily so.

> *Q:* Is it possible or recommended to run shepherd inside a guix container?

‘guix system container’ runs GuixSD in a container, and GuixSD uses the
Shepherd.

> *Q:* Isn't AppImage <https://en.wikipedia.org/wiki/AppImage> a
> "combination" of 'guix pack' and 'guix container'?

AppImage is a *format* for distributing software, as Wikipedia notes.

‘guix pack’ is a tool to create images (“binary images”, “bundles”,
depending on the preferred terminology).  See
<https://www.gnu.org/software/guix/blog/2017/creating-bundles-with-guix-pack/>.

> *Q:* Is it possible to have Xorg running inside a container and then use
> ssh -X to access it? Is there a way to avoid the ssh -X?

In theory we should be able to run Xorg in a ‘guix system container’,
but it would have to use a display different from that of the host.
Never tried though.

That said, you don’t need a running X server on the remote host to use
“ssh -X”.

HTH,
Ludo’.
