Hello Ludo’,

On 10/19/23 22:13, Ludovic Courtès wrote:
> Hello,
>
> paul wrote:
>
>> [...]
>
>>> Does ‘docker run’ necessarily need to run as root, or are there cases
>>> where one might want to run it as non-root? (I expect the latter.)
>> yes you are right, it's only required to be in the docker group or in
>> general have enough permission to operate on the docker daemon
>> socket. I added a new service extension setting up an oci-container
>> user, that it's just in the docker group and can not login, that runs
>> oci backed services. it is also overridable by the user
> In that case, maybe create an “oci-service” account part of the “docker”
> group, and run ‘docker run’ as that user instead of running it as root?
> Would that be OK or am I overlooking something?

I already added such a user in the latest version of my patch. I probably
made a mess with the patch subjects.

> What I’m suggesting above is that one would build a list of
> ‘oci-container-service-type’ instances, like:
>
>   (list (service oci-container-service-type
>                  (oci-container-configuration …))
>         (service oci-container-service-type
>                  (oci-container-configuration …))
>         …)
>
> Each instance above would correspond to exactly one program in a Docker
> image.
>
> I feel it’s slightly more natural than having a service type that
> implements support for multiple OCI services at once.

I agree it's more natural, but (list service-a service-b ...) is the same
interface exposed by the shepherd-root-service-type, I believe for the same
reasons: I need the oci-nextcloud-service-type to instantiate 3 shepherd
services but only create a single account and activate a single data dir
under /var/lib, something like this:

  (define oci-nextcloud-service-type
    (service-type
     (name 'nextcloud)
     (extensions
      (list (service-extension oci-container-service-type
                               (lambda (config)
                                 ;; Return both container configurations;
                                 ;; without the `list' only the value of the
                                 ;; last expression would be handed to the
                                 ;; extended service.
                                 (list (make-nextcloud-container config)
                                       (make-nextcloud-cron-container config))))
            (service-extension account-service-type
                               (const %nextcloud-accounts))
            (service-extension activation-service-type
                               %nextcloud-activation)))
     (default-value (nextcloud-configuration))
     (description
      "This service provides the Nextcloud service as an OCI-backed container.")))

The only way oci-container-service-type could support this use case by
accepting a single configuration is, I guess, if multiple
(service-extension oci-container-service-type ...) were allowed, am I
understanding correctly? Is it legal in Guix to write something like:

  (extensions
   (list (service-extension oci-container-service-type
                            make-nextcloud-container)
         (service-extension oci-container-service-type
                            make-nextcloud-cron-container)
         (service-extension account-service-type
                            (const %nextcloud-accounts))
         (service-extension activation-service-type
                            %nextcloud-activation)))

> Check out under gnu/tests/*.scm, in particular (gnu tests docker).

Thank you for the pointer, I'll look into those.

giacomo
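Added example, not code from this thread or from the patch under discussion: a sketch of how a list-valued service type of the kind described above folds container configurations contributed by several services (compose/extend) into one list, and how each resulting Shepherd service runs ‘docker run’ as a dedicated unprivileged account in the docker group instead of as root. The record fields, the account name "oci-container", the helper names and the sample images are assumptions; the "docker" group and the ‘dockerd’ Shepherd service are assumed to be provided by docker-service-type.

```scheme
;; Added example (not from the thread).  Sketch of a list-valued
;; oci-container-service-type whose extensions are appended together,
;; with `docker run' executed as a dedicated non-root account.
(use-modules (gnu services)
             (gnu services shepherd)
             (gnu packages admin)      ; shadow, for /sbin/nologin
             (gnu packages docker)     ; docker-cli
             (gnu system shadow)       ; user-account, account-service-type
             (guix gexp)
             (guix records)
             (srfi srfi-1))            ; concatenate

;; Hypothetical, minimal container record (assumed fields only).
(define-record-type* <oci-container-configuration>
  oci-container-configuration make-oci-container-configuration
  oci-container-configuration?
  (name  oci-container-configuration-name)    ; string, used as --name
  (image oci-container-configuration-image)   ; string, e.g. "nextcloud"
  (user  oci-container-configuration-user     ; account running `docker run'
         (default "oci-container")))

;; Dedicated account: member of the docker group (assumed to be created by
;; docker-service-type), no home, no login shell.  Note that membership of
;; that group is what grants access to the daemon socket, so this account
;; is root-equivalent as far as the Docker daemon is concerned; the gain is
;; that the service process itself no longer runs with uid 0.
(define %oci-container-accounts
  (list (user-account
         (name "oci-container")
         (group "docker")
         (system? #t)
         (comment "OCI container service user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

;; One Shepherd service per container; the constructor runs the docker CLI
;; as the configured account instead of root.
(define (oci-container-shepherd-service config)
  (let ((name  (oci-container-configuration-name config))
        (image (oci-container-configuration-image config))
        (user  (oci-container-configuration-user config)))
    (shepherd-service
     (provision (list (string->symbol (string-append "docker-" name))))
     (requirement '(dockerd))
     (documentation (string-append "Run the " image " image as " user "."))
     (start #~(make-forkexec-constructor
               (list #$(file-append docker-cli "/bin/docker")
                     "run" "--rm" "--name" #$name #$image)
               #:user #$user
               #:group "docker"))
     (stop #~(make-kill-destructor)))))

(define oci-container-service-type
  (service-type
   (name 'oci-container)
   (extensions
    (list (service-extension shepherd-root-service-type
                             (lambda (configs)
                               (map oci-container-shepherd-service configs)))
          (service-extension account-service-type
                             (const %oci-container-accounts))))
   ;; The service value is a list of configurations.  Every extension
   ;; contributed by another service (e.g. a Nextcloud service returning two
   ;; containers) is a list as well, so all of them are concatenated and
   ;; appended to the base value.
   (compose concatenate)
   (extend (lambda (base extensions) (append base extensions)))
   (default-value '())
   (description "Run OCI containers as Shepherd services.")))

;; Usage in an operating-system declaration: one service holding the base
;; list, plus a second service extending it with two more containers.
(define %example-services
  (list (service oci-container-service-type
                 (list (oci-container-configuration
                        (name "grafana") (image "grafana/grafana"))))
        ;; simple-service is Guix's shortcut for a one-off extension.
        (simple-service 'nextcloud-containers oci-container-service-type
                        (list (oci-container-configuration
                               (name "nextcloud") (image "nextcloud"))
                              (oci-container-configuration
                               (name "nextcloud-cron") (image "nextcloud"))))))
```

After folding, the shepherd-root-service-type extension above receives all three configurations in one list, so the Nextcloud service only has to provide its containers while account creation and activation stay in its own extensions, which is the separation the message above is after.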