From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Guix on clusters and in HPC
Date: Wed, 26 Oct 2016 18:31:08 +0200
To: Eric Bavier
Cc: Guix-devel
In-Reply-To: Eric Bavier's message of "Wed, 26 Oct 2016 11:43:06 -0400 (EDT)"

Hi!

Eric Bavier wrote:

>> - non-root usage
>
> The Singularity project advertises that it does not use a root-owned
> daemon http://singularity.lbl.gov/about#no-root-owned-daemon-processes
> but it does not in the same section explain that it uses a setuid
> helper instead: http://singularity.lbl.gov/docs-security which also
> summarizes some of the current limitations and trade-offs of user namespaces.

Interesting, thanks for the pointers, especially the second one which
moderates the claim of the first one. Do you know how widely Singularity
is being deployed?

The build daemon used to have a small setuid helper that people could
use instead of running the whole daemon as root; it was removed in Nix
and in commit d43eb499a6c112af609118803c6cd33fbcedfa43 on our side.
The reason for the removal was that nobody was using it, and that it
was presumably unhelpful in overcoming the “non-root” use case.

I feel like it may be easier to get user namespaces enabled than to get
a setuid helper installed. WDYT?

>> - central daemon usage (like at MDC, but improved)
>
> For many-user systems, I think we'd need to put in place some controls
> to keep users from stepping on each other's feet when it comes to interacting
> with the daemon. E.g. one user spends a bunch of time building her
> application; before she gets a chance to use it, another user comes along
> and runs 'guix gc'.

That’s not a problem: packages in a profile are protected from GC, and
profiles generated by ‘guix environment’ are also protected for the
duration of the session.

With ‘guix build’, one has to use ‘-r’ to make sure the package won’t be
GC’d as soon as ‘guix build’ completes.

> Can a user run 'nice 10 guix build ...' and have it DTRT?

No it won’t DTRT.

> On existing systems, the root partition may not be as large as Guix might
> like and there may not be opportunities to mount a separate partition for the
> store. While it's nice that Guix would give users the chance to share
> package build results, often disk partitions are weighted in favor of /home
> (possibly because of the current widespread practice of users building their
> own packages in $HOME). Until that changes, sysadmins might like some more
> powerful tools for auditing store disk usage to answer questions such as
> "which user profiles are exclusively occupying the most store space?" or even
> some way to specify expiration dates for certain profiles.

I see what you mean, though it’s again a “cultural” thing. I can see
that the shared store would effectively allow sysadmins to save space,
but yeah.

>> + admin/social issues
>> * daemon runs as root
>
> So, Singularity uses a setuid helper, and Shifter needs to run the Docker
> daemon. It may be easier to convince sysadmins to run Guix's daemon
> given those other examples. Of course, if we can do what we need to
> with even fewer privileges, that'd be great.

Good to know!

>> * daemon needs Internet access
>
> There are many HPC sites that are air-gapped for security reasons. Of those
> sites that I know, the ones that allow any outside software to be put on the
> machine after the initial system installation require CD/DVD installation media.
> IMO for such sites, and for other users wishing to take Guix off the grid, it
> would be nice to be able to prepopulate the installation media, whether USB or
> CD, with more package outputs and/or source (e.g. like Trisquel's "Sources DVD").
> Or similarly a way to "mount" some media that contains a bunch of package
> definitions for GUIX_PACKAGE_PATH as well as the corresponding source or output
> for a specific Guix release.

Probably ‘guix build --sources=transitive’ and similar tools can help
here? Then we can populate a store on a DVD or something and import it
on the machine.

>> - package variants, experimentation
>> + for experiments, as in Section 4.2 of
>> [[https://hal.inria.fr/hal-01161771/en][the RepPar paper]]
>> * in the meantime we added
>> [[https://www.gnu.org/software/guix/manual/html_node/Package-Transformation-Options.html][--with-input
>> et al.]]; need more?
>> + for
>> [[https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00005.html][CPU-specific
>> optimizations]]
>> + somehow support -mtune=native (and even profile-guided
>> optimizations?)
>> + simplify the API to switch compilers, libcs, etc.
>
> +1 for all these
>
> Even though we intend to not specifically support proprietary compilers, some
> users may still want to explore building their packages with other compilers,
> like e.g. Clang and Rose

Yup.

>> - workflow, reproducible science
>> + implement
>> [[http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22629][channels]]
>
> Perhaps what I discussed above re installation media could fold into this.

I think it’s orthogonal.

Thanks a lot for your feedback!

Ludo’.