From: paul
X-BeenThere: help-guix@gnu.org
Reply-to: paul
To: Aleksej, Guix Help
Subject: Re: OCI containers
Date: Sat, 21 Dec 2024 02:06:20 +0100
Message-ID: <0dde3080-ebe3-4b2c-a1aa-e580344d5804@autistici.org>

Hi Lesik,

On 12/20/24 00:14, Aleksej wrote:

> I'm currently trying to migrate my server to the Guix System, but I'm encountering some issues with OCI containers. Is there a way to run them as a Shepherd service while using Podman and nftables? I know about the oci-container-service-type, but it depends on Docker and iptables, both of which I dislike due to their design. Perhaps the oci-container-service-type could be abstracted from its backend so that it supports both rootless Podman and Docker?
It definitely can :)

I'm working on an oci-service-type over at gocix [0], which will deprecate the oci-container-service-type. It is introducing a configurable OCI runtime supporting rootless Podman and Docker, and the ability to provision networks and volumes. It still isn't well tested as I was waiting for rootless Podman to get into Guix mainline before focusing on it. Hopefully during the end of the year break I'll be able to test it better and send it upstream.

You are welcome to try it [1] and open issues if you find problems. It is not yet very well documented but you can find API documentation here [2].

> Also, why does the rootless-podman-service-type depend on iptables? Our netavark version has complete nftables support, so maybe we could add an option to choose between iptables and nftables?

There is no specific reason besides being the easiest way I was able to find to get Podman up and running. If you could make the firewall backend configurable it would be awesome imho.

hope this helps,

giacomo

[0]: https://github.com/fishinthecalculator/gocix/blob/main/modules/oci/services/containers.scm#L768
[1]: https://github.com/fishinthecalculator/gocix?tab=readme-ov-file#configure
[2]: https://github.com/fishinthecalculator/gocix/tree/main/doc#OCI-Service
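Until the firewall backend becomes a configuration option of rootless-podman-service-type, the nftables/iptables choice discussed above can already be made at the netavark level, because netavark reads its firewall driver from containers.conf. The following Guix System fragment is an added example written for this page; it is not code from the original message, from Guix or from gocix. It assumes that the netavark shipped with Guix honours the `[network] firewall_driver` key of containers.conf (netavark 1.10 and later), that netavark can find an `nft` binary in PATH, and that nothing else in the system already provides /etc/containers/containers.conf (etc-service-type rejects duplicate entries). The host name, user name and disk layout are placeholders.

```scheme
;; Added example, not code from the original message, from Guix or from gocix.
;; A Guix System fragment that enables rootless Podman for user "alice" and
;; points netavark at its nftables firewall driver instead of iptables by
;; shipping /etc/containers/containers.conf.
;;
;; Assumptions: the Guix netavark honours containers.conf's
;; `[network] firewall_driver` key (netavark >= 1.10), it can find an `nft`
;; binary in PATH, and nothing else in the system already provides
;; /etc/containers/containers.conf (etc-service-type rejects duplicates).
(use-modules (gnu))
(use-service-modules containers networking) ; rootless-podman-service-type, nftables-service-type
(use-package-modules linux)                  ; nftables

;; containers.conf is TOML; only the [network] table is needed here.
(define %containers-conf
  (plain-file "containers.conf"
              "[network]
# Valid drivers are \"iptables\", \"nftables\" and \"none\"; an empty
# value lets netavark pick its own default.
firewall_driver = \"nftables\"
"))

(operating-system
  (host-name "podman-host")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device "/dev/sda1")
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "alice")
                (group "users")
                ;; "cgroup" is the default group-name of
                ;; rootless-podman-service-type; its members may run
                ;; rootless Podman.
                (supplementary-groups '("wheel" "netdev" "cgroup")))
               %base-user-accounts))
  ;; nft must be on PATH for netavark's nftables driver.
  (packages (cons nftables %base-packages))
  (services
   (append
    (list
     ;; Subordinate uid/gid ranges so alice's containers get user namespaces.
     (service rootless-podman-service-type
              (rootless-podman-configuration
               (subgids (list (subid-range (name "alice"))))
               (subuids (list (subid-range (name "alice"))))))
     ;; Host firewall managed with nftables (default Guix ruleset).
     (service nftables-service-type (nftables-configuration))
     ;; Install our containers.conf as /etc/containers/containers.conf.
     (simple-service 'podman-containers-conf etc-service-type
                     `(("containers/containers.conf" ,%containers-conf))))
    %base-services)))
```

If the system-wide file clashes with something the service already installs, the same `[network]` table can instead go into `~/.config/containers/containers.conf` for the rootless user, which Podman reads after the system-wide files. To check which driver netavark actually used, start a container that publishes a port and list the nftables tables; for rootless containers the rules live inside the rootless network namespace, so in my understanding they are visible with `podman unshare --rootless-netns nft list tables` (expect a `table inet netavark`) rather than on the host. One caveat for the root case: the default Guix nftables ruleset begins with `flush ruleset`, which also drops netavark's table, so after reloading the host firewall the affected containers need to be restarted so netavark recreates its rules.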