From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Building Docker images of GuixSD
Date: Fri, 17 Nov 2017 22:14:54 +0100
Message-ID: <87a7zk38vl.fsf@gnu.org>
References: <87bmldavre.fsf@gmail.com> <87efq8pwrf.fsf@gnu.org>
	<87mv4viknx.fsf@gmail.com> <87she5kz6i.fsf@gmail.com>
	<87inez3tnb.fsf_-_@gnu.org> <87tvyg9g5f.fsf@gmail.com>
	<87o9ogsp9j.fsf@gnu.org> <87y3ngvuyd.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49202)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1eFnyZ-00052w-Sv
	for guix-devel@gnu.org; Fri, 17 Nov 2017 16:15:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1eFnyW-0006KQ-KZ
	for guix-devel@gnu.org; Fri, 17 Nov 2017 16:15:03 -0500
Received: from hera.aquilenet.fr ([141.255.128.1]:59805)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <ludo@gnu.org>) id 1eFnyW-0006I0-AO
	for guix-devel@gnu.org; Fri, 17 Nov 2017 16:15:00 -0500
In-Reply-To: <87y3ngvuyd.fsf@gmail.com> (Chris Marusich's message of "Wed, 08
	Nov 2017 22:15:38 -0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Chris Marusich <cmmarusich@gmail.com>
Cc: guix-devel@gnu.org

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Run GuixSD in Docker
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> The attached patch makes it possible to build a GuixSD Docker image from
> an operating system configuration file.

For some reason, I had overlooked this message, but it=E2=80=99s awesome!

> Pretty neat!

Yup!

> Problems I Noticed
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[...]

> Second, I noticed the following error in the Guix daemon's logs.  It
> might be benign, since package installation worked fine, but I'm not
> sure what it means or how to debug it:
>
>     error in finalization thread: Bad file descriptor

I=E2=80=99ve noticed this since we use Shepherd on Guile 2.2, but I haven=
=E2=80=99t
checked where that comes from; it doesn=E2=80=99t seem to be a serious issu=
e.
;-)  Anyway, it=E2=80=99s not related to your experiment.

> Third, I noticed that the shepherd failed to start syslogd and nscd (and
> user-homes, although I wasn't as concerned about that because the home
> directory for alice did in fact get created).

[...]

> I thought maybe syslogd wasn't working because /dev/log hadn't been
> created in the Docker image, so I tried creating it manually.  However,
> that didn't help; the Shepherd still couldn't start syslogd.

Hmm, I would have thought /dev/log was the issue.  Any other hints?

> Fourth, I wasn't able to run GuixSD in a Docker container without
> supplying the "--privileged" option.  GuixSD writes to sysfs during boot
> (I don't know why, but the details are apparently in
> guix/gnu/build/activation.scm), so the only way to get GuixSD to start
> is to run the container in privileged mode.  This is unfortunate,
> because privileged mode sounds quite dangerous for a lot of reasons.

I don=E2=80=99t think so: there=E2=80=99s a special case for when one creat=
es a
container with =E2=80=98guix system container=E2=80=99 that disables this k=
ind of thing.
I guess we should use it here.  It=E2=80=99s mostly about passing #:contain=
er? #f=20
somewhere.

> From 25d5527b14302fc835af5c338bf37cf621c63a4e Mon Sep 17 00:00:00 2001
> From: Chris Marusich <cmmarusich@gmail.com>
> Date: Sat, 21 Oct 2017 14:40:58 -0700
> Subject: [PATCH] Make it possible to build GuixSD docker images
>
> ---
>  gnu/build/linux-boot.scm    |   5 +-
>  gnu/build/vm.scm            |  14 ++--
>  gnu/system/linux-initrd.scm |  12 ++--
>  gnu/system/vm.scm           | 169 ++++++++++++++++++++++++++++++++++++++=
------
>  guix/docker.scm             |  23 ++++--
>  guix/scripts/pack.scm       |   5 +-
>  guix/scripts/system.scm     |   3 +-
>  7 files changed, 191 insertions(+), 40 deletions(-)

[...]

> +      (cond ((string=3D? "iso9660" file-system-type)
> +             (iso9660-image #:name name
> +                            #:file-system-label root-label
> +                            #:file-system-uuid root-uuid
> +                            #:os-drv os-drv
> +                            #:register-closures? #t
> +                            #:bootcfg-drv bootcfg
> +                            #:bootloader (bootloader-configuration-bootl=
oader
> +                                           (operating-system-bootloader =
os))
> +                            #:inputs `(("system" ,os-drv)
> +                                       ("bootcfg" ,bootcfg))))
> +            ((string=3D? "docker" file-system-type)
> +             (display "made it to docker image part\n")
> +             (os-docker-image #:name name
> +                              #:os-drv os-drv
> +                              #:register-closures? #t))

I=E2=80=99m not sure this is the right place for it since =E2=80=9Cdocker=
=E2=80=9D is not a file
system type.  Perhaps we need a separate procedure instead?

> @@ -106,7 +107,9 @@ return \"a\"."
>                               #:key closure compressor
>                               (symlinks '())
>                               (system (utsname:machine (uname)))
> -                             (creation-time (current-time time-utc)))
> +                             (creation-time (current-time time-utc))
> +                             (tmpdir "/tmp")
> +                             extra-items-dir)
>    "Write to IMAGE a Docker image archive from the given store PATH.  The=
 image
>  contains the closure of PATH, as specified in CLOSURE (a file produced by
>  #:references-graphs).  SYMLINKS must be a list of (SOURCE -> TARGET) tup=
les
> @@ -116,7 +119,7 @@ binaries at PATH are for; it is used to produce metad=
ata in the image.
>=20=20
>  Use COMPRESSOR, a command such as '(\"gzip\" \"-9n\"), to compress IMAGE=
.  Use
>  CREATION-TIME, a SRFI-19 time-utc object, as the creation time in metada=
ta."
> -  (let ((directory "/tmp/docker-image")           ;temporary working dir=
ectory
> +  (let ((directory (string-append tmpdir "/docker-image")) ;temporary wo=
rking directory

Why do we need that?  Would it be enough to honor $TMPDIR?

> --- a/guix/scripts/system.scm
> +++ b/guix/scripts/system.scm
> @@ -638,8 +638,9 @@ any, are available.  Raise an error if they're not."
>                                              #:mappings mappings))
>      ((disk-image)
>       (system-disk-image os
> -                        #:name (match file-system-type
> +                        #:name (match (pk file-system-type)
>                                   ("iso9660" "image.iso")
> +                                 ("docker" "docker-image")
>                                   (_         "disk-image"))
>                          #:disk-image-size image-size
>                          #:file-system-type file-system-type))))

Perhaps we could have a separate =E2=80=98guix system docker-image=E2=80=99=
 command?  Or
=E2=80=98guix system container -f docker=E2=80=99?  WDYT?

Once we=E2=80=99ve sorted out these minor issues, it would be great if you =
could
send polished patches.  This is something we should add!

Thank you,
Ludo=E2=80=99.