bug#61627: Cannot start a container built with `guix system container --network'.

bug#61627: Cannot start a container built with `guix system container --network'.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 3128 bytes --]

Hi Guix!

There seems to be a bug with the --network flag to `guix system
container', if we try to use docker-image.tmpl as an example we get the
following failure:

--8<---------------cut here---------------start------------->8---
$ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
Password:
system container is running as PID 17630
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
or run 'sudo nsenter -a -t 17630' to get a shell into it.

WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
Backtrace:
          11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
In gnu/build/linux-container.scm:
    300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
   397:16  9 (_ "/tmp/guix-directory.KgjoQ6")
     62:6  8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
In unknown file:
           7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
In ice-9/eval.scm:
    619:8  6 (_ #f)
In unknown file:
           5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
In srfi/srfi-1.scm:
    634:9  4 (for-each #<procedure primitive-load (_)> _)
In unknown file:
           3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
In srfi/srfi-1.scm:
    634:9  2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
In gnu/build/activation.scm:
   268:20  1 (_ "hosts")
In unknown file:
           0 (copy-file "/etc/static/hosts" "/etc/hosts")

ERROR: In procedure copy-file:
In procedure copy-file: Read-only file system
--8<---------------cut here---------------end--------------->8---

Doing a git bisect, the problem started with this commit it seems:
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6

--8<---------------cut here---------------start------------->8---
system: Deprecate hosts-file.

* gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
(warn-hosts-file-field-deprecation): New procedure, helper for
deprecated variable.
(operating-system)[hosts-file]: Use helper to warn deprecated field.
(local-host-aliases): Mark as deprecated.
(local-host-entries): New procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Use hosts-service-type.  Use
'%operating-system-hosts-file' and 'local-host-entries'.
(default-/etc/hosts): Remove procedure.
(operating-system-etc-service): Remove hosts file.
* doc/guix.texi (operating-system Reference)
(Networking Services) (Virtualization Services): Rewrite documentation
entries to use hosts-service-type.
--8<---------------cut here---------------end--------------->8---

Thanks!
Pierre

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

bug#61627: Cannot start a container built with `guix system container --network'.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 4961 bytes --]


Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Guix!
>
> There seems to be a bug with the --network flag to `guix system
> container', if we try to use docker-image.tmpl as an example we get the
> following failure:
>
> $ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
> Password:
> system container is running as PID 17630
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
> or run 'sudo nsenter -a -t 17630' to get a shell into it.
>
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> setting up setuid programs in '/run/setuid-programs'...
> populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
> Backtrace:
>           11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
> In gnu/build/linux-container.scm:
>     300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
>    397:16  9 (_ "/tmp/guix-directory.KgjoQ6")
>      62:6  8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
> In unknown file:
>            7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
> In ice-9/eval.scm:
>     619:8  6 (_ #f)
> In unknown file:
>            5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
> In srfi/srfi-1.scm:
>     634:9  4 (for-each #<procedure primitive-load (_)> _)
> In unknown file:
>            3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
> In srfi/srfi-1.scm:
>     634:9  2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
> In gnu/build/activation.scm:
>    268:20  1 (_ "hosts")
> In unknown file:
>            0 (copy-file "/etc/static/hosts" "/etc/hosts")
>
> ERROR: In procedure copy-file:
> In procedure copy-file: Read-only file system
>
>
> Doing a git bisect, the problem started with this commit it seems:
> 802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6
>
> system: Deprecate hosts-file.
>
> * gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
> (warn-hosts-file-field-deprecation): New procedure, helper for
> deprecated variable.
> (operating-system)[hosts-file]: Use helper to warn deprecated field.
> (local-host-aliases): Mark as deprecated.
> (local-host-entries): New procedure.
> (operating-system-default-essential-services,
> hurd-default-essential-services): Use hosts-service-type.  Use
> '%operating-system-hosts-file' and 'local-host-entries'.
> (default-/etc/hosts): Remove procedure.
> (operating-system-etc-service): Remove hosts file.
> * doc/guix.texi (operating-system Reference)
> (Networking Services) (Virtualization Services): Rewrite documentation
> entries to use hosts-service-type.

Digging into the container script code, I think the reason is that when
sharing the network, it's supposed to remove any network-related
services from the containerized operating system. And it's not aware of
the new hosts-service-type. The following diff seems to fix the issue:

--8<---------------cut here---------------start------------->8---
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..9190d013bc 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
   (define base
     (remove (lambda (service)
               (memq (service-kind service)
-                    (list (service-kind %linux-bare-metal-service)
-                          firmware-service-type
-                          system-service-type)))
+                    (cons* (service-kind %linux-bare-metal-service)
+                           firmware-service-type
+                           system-service-type
+                           (if shared-network?
+                               (list hosts-service-type)
+                               '()))))
             (operating-system-default-essential-services os)))

   (cons (service system-service-type
--8<---------------cut here---------------end--------------->8---

I wonder if this is a full fix though, I see that we also remove network
related configuration files, using `%network-configuration-files', and I
wonder if "/etc/hosts" is still supposed to be there?

--8<---------------cut here---------------start------------->8---
(define %network-configuration-files
  ;; List of essential network configuration files.
  '("/etc/resolv.conf"
    "/etc/nsswitch.conf"
    "/etc/services"
    "/etc/hosts"))
--8<---------------cut here---------------end--------------->8---

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

bug#61627: Cannot start a container built with `guix system container --network'.

[Nicolò Balzarotti]

Hi, 
I'm on eb87d2c4 (just updated a 412(!) days old guix server O.o) and
I can confirm this is still happening

(btw, this is the only problem I had in upgrading, so great job guix)

Thanks!
Nicolò

bug#61627: Cannot start a container built with `guix system container --network'.

[Arun Isaac]

Hi Bruno and Ludo,

This bug seems related to your commit
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6 . Could you weigh in?

https://issues.guix.gnu.org/61627

Thanks!
Arun

bug#61627: Cannot start a container built with `guix system container --network'.

[Bruno Victal]

Hi,


On 2023-02-19 15:29, Pierre Langlois wrote:
> 
> Pierre Langlois <pierre.langlois@gmx.com> writes:
> 
> Digging into the container script code, I think the reason is that when
> sharing the network, it's supposed to remove any network-related
> services from the containerized operating system. And it's not aware of
> the new hosts-service-type. The following diff seems to fix the issue:
> 
> --8<---------------cut here---------------start------------->8---
> diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
> index c2fd55d48e..9190d013bc 100644
> --- a/gnu/system/linux-container.scm
> +++ b/gnu/system/linux-container.scm
> @@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
>    (define base
>      (remove (lambda (service)
>                (memq (service-kind service)
> -                    (list (service-kind %linux-bare-metal-service)
> -                          firmware-service-type
> -                          system-service-type)))
> +                    (cons* (service-kind %linux-bare-metal-service)
> +                           firmware-service-type
> +                           system-service-type
> +                           (if shared-network?
> +                               (list hosts-service-type)
> +                               '()))))
>              (operating-system-default-essential-services os)))
> 
>    (cons (service system-service-type
> --8<---------------cut here---------------end--------------->8---
> 
> I wonder if this is a full fix though, I see that we also remove network
> related configuration files, using `%network-configuration-files', and I
> wonder if "/etc/hosts" is still supposed to be there?
> 
> --8<---------------cut here---------------start------------->8---
> (define %network-configuration-files
>   ;; List of essential network configuration files.
>   '("/etc/resolv.conf"
>     "/etc/nsswitch.conf"
>     "/etc/services"
>     "/etc/hosts"))
> --8<---------------cut here---------------end--------------->8---

/etc/hosts is created by hosts-service-type, so if you remove that service
it shouldn't be present anymore.


Cheers,
Bruno

bug#61627: Cannot start a container built with `guix system container --network'.

[Arun Isaac]

Hi Bruno,

> /etc/hosts is created by hosts-service-type, so if you remove that service
> it shouldn't be present anymore.

That makes sense.

There's one more question, though. Now that we are handling /etc/hosts
using hosts-service-type, should /etc/hosts still be in
%network-configuration-files? I believe this is what Pierre was asking.

Thanks,
Arun

bug#61627: Cannot start a container built with `guix system container --network'.

[Bruno Victal]

On 2023-03-21 12:53, Arun Isaac wrote:
> 
> Hi Bruno,
> 
>> /etc/hosts is created by hosts-service-type, so if you remove that service
>> it shouldn't be present anymore.
> 
> That makes sense.
> 
> There's one more question, though. Now that we are handling /etc/hosts
> using hosts-service-type, should /etc/hosts still be in
> %network-configuration-files? I believe this is what Pierre was asking.

I'm inclined to keep it in %network-configuration-files just to be safe.

Strictly speaking, the file shouldn't be present when you remove hosts-service-type but
you could, for $REASONS, have a template that has hosts-service-type removed from the
essential-services and /etc/hosts manually provisioned using etc-service-type or special-service-type.

Unless it's desirable to honor the /etc/hosts file configured in this manner, in which case you should
remove it from %network-configuration-files to respect the users wishes, I'd say the file should
be kept in %network-configuration-files to avoid some strange cases that may arise.


I should say that I don't use `guix system container` so I'm not too familiar with what behavior is
to be expected/“the correct one” here.


Cheers,
Bruno

bug#61627: Cannot start a container built with `guix system container --network'.

[Arun Isaac]

> I'm inclined to keep it in %network-configuration-files just to be
> safe.

I agree. I don't really understand the implications of removing
/etc/hosts from %network-configuration-files. I would err on the side of
caution and leave it there for now.

@Pierre: Could you make a patch of the fix you suggested earlier
(removing hosts-service-type when the --network flag is provided) and
push it? Thank you!

bug#61627: Cannot start a container built with `guix system container --network'.

[Pierre Langlois]

[-- Attachment #1.1: Type: text/plain, Size: 599 bytes --]

Hi Arun and Bruno,

Arun Isaac <arunisaac@systemreboot.net> writes:

>> I'm inclined to keep it in %network-configuration-files just to be
>> safe.
>
> I agree. I don't really understand the implications of removing
> /etc/hosts from %network-configuration-files. I would err on the side of
> caution and leave it there for now.

That sounds very sensible.

>
> @Pierre: Could you make a patch of the fix you suggested earlier
> (removing hosts-service-type when the --network flag is provided) and
> push it? Thank you!

Sounds good! Just testing the following patch and will push it in a
minute.


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

[-- Attachment #2: 0001-linux-container-Remove-hosts-service-type-when-netwo.patch --]
[-- Type: text/x-patch, Size: 1909 bytes --]

From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Sun, 26 Mar 2023 13:55:14 +0100
Subject: [PATCH] linux-container: Remove hosts-service-type when network is
 shared.

Fixes <https://issues.guix.gnu.org/61627>.

* gnu/system/linux-container.scm (container-essential-services): When
shared-network? is true, remove the hosts-service-type service kind.
---
 gnu/system/linux-container.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..409386a84f 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2020 Google LLC
 ;;; Copyright © 2022 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2023 Pierre Langlois <pierre.langlois@gmx.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -49,9 +50,12 @@ (define* (container-essential-services os #:key shared-network?)
   (define base
     (remove (lambda (service)
               (memq (service-kind service)
-                    (list (service-kind %linux-bare-metal-service)
-                          firmware-service-type
-                          system-service-type)))
+                    (cons* (service-kind %linux-bare-metal-service)
+                           firmware-service-type
+                           system-service-type
+                           (if shared-network?
+                               (list hosts-service-type)
+                               '()))))
             (operating-system-default-essential-services os)))
 
   (cons (service system-service-type
-- 
2.39.2


[-- Attachment #3: Type: text/plain, Size: 18 bytes --]


Thanks,
Pierre

bug#61627: Cannot start a container built with `guix system container --network'.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 1346 bytes --]


Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Arun and Bruno,
>
> Arun Isaac <arunisaac@systemreboot.net> writes:
>
>>> I'm inclined to keep it in %network-configuration-files just to be
>>> safe.
>>
>> I agree. I don't really understand the implications of removing
>> /etc/hosts from %network-configuration-files. I would err on the side of
>> caution and leave it there for now.
>
> That sounds very sensible.
>
>>
>> @Pierre: Could you make a patch of the fix you suggested earlier
>> (removing hosts-service-type when the --network flag is provided) and
>> push it? Thank you!
>
> Sounds good! Just testing the following patch and will push it in a
> minute.
>
> [[End of PGP Signed Part]]
> From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
> Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
> From: Pierre Langlois <pierre.langlois@gmx.com>
> Date: Sun, 26 Mar 2023 13:55:14 +0100
> Subject: [PATCH] linux-container: Remove hosts-service-type when network is
>  shared.
>
> Fixes <https://issues.guix.gnu.org/61627>.
>
> * gnu/system/linux-container.scm (container-essential-services): When
> shared-network? is true, remove the hosts-service-type service kind.

Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thanks,
Pierre

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

bug#61627: Cannot start a container built with `guix system container --network'.

[Arun Isaac]

> Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thank you, Pierre! :-)