To: help-guix@gnu.org
Cc: ludovic.courtes@inria.fr, suhail@bayesians.ca, Cayetano Santos
Subject: Re: Building a Docker image for GitLab-CI
Date: Mon, 16 Dec 2024 11:42:34 +0100
From: Simon Josefsson

All,

I am trying to get a Guix container usable in GitLab, and thought I'd
share my status. I have established working networking in the resulting
Guix container, which seems like progress (whoohoo!).

tl;dr: https://gitlab.com/debdistutils/guix/container/-/jobs/8652014833

The problem seems to be that GitLab (I suppose they use docker?) picks
the wrong container file system from the resulting image. It doesn't
use the same file system as a local 'podman run', see below.

Could this be a 'guix pack' OCI container bug/problem? Maybe 'guix
pack' produces too many blobs and GitLab/docker stops looking after a
while? Or the container configuration is incorrect? Some bad
interaction with 'podman load -i'? My OCI-fu is too weak here, help
appreciated.

Here is my work:

https://gitlab.com/debdistutils/guix/container/
https://gitlab.com/debdistutils/guix/container/-/blob/main/.gitlab-ci.yml

(The system-* jobs are inspired by Cayetano's work, they aren't
necessary unless there is something wrong with the 'guix pack' approach
below...)

The idea is:

1) First job 'debian-with-guix' creates a Debian trixie container with
   Guix and podman, and a 'guix pull'. This is for caching, it takes 25
   minutes to run on a large compute node, using a GitLab-local mirror
   of Guix because Savannah access makes it even slower.

   https://gitlab.com/debdistutils/guix/container/-/blob/main/debian-with-guix/Containerfile?ref_type=heads
   https://gitlab.com/debdistutils/guix/container/-/jobs/8649009536

   Output container (quite useful on its own):

   registry.gitlab.com/debdistutils/guix/container:debian-with-guix

2) Second job 'pack' uses the 'debian-with-guix' image, runs a 'guix
   pack' and creates a container using 'podman' and uploads it into:

   registry.gitlab.com/debdistutils/guix/container:pack

   I suspect the problem is happening in the 'guix pack' or 'podman
   load' commands here. Output from last successful run:

   https://gitlab.com/debdistutils/guix/container/-/jobs/8649183646

3) Third job 'pack-test' tries to use the pack image in a GitLab job, as
   a normal GitLab CI/CD build would work. Job output is here:

   https://gitlab.com/debdistutils/guix/container/-/jobs/8652014833

   It fails with networking errors just like Ludo's earlier e-mail:

   fping: icmp: unknown protocol

What is really weird is this root directory:

  Using docker image sha256:57160f1c13ce56799d6e3e83dd97da4c929993ac008404ac38c67317cded25d1 for registry.gitlab.com/debdistutils/guix/container:pack with digest registry.gitlab.com/debdistutils/guix/container@sha256:be1ad3a7af69669cf3d138c6ec2b1201a64294aad33320246212c6689a1e5c9d ...
  ...
  $ ls -la /etc
  total 20
  drwxr-xr-x 2 0 0 4096 Dec 16 10:15 .
  drwxr-xr-x 1 0 0 4096 Dec 16 10:15 ..
  -rw-r--r-- 1 0 0 46 Dec 16 10:15 hostname
  -rw-r--r-- 1 0 0 283 Dec 16 10:15 hosts
  lrwxrwxrwx 1 0 0 12 Dec 16 10:15 mtab -> /proc/mounts
  -rw-r--r-- 1 0 0 841 Dec 16 10:15 resolv.conf

There is no /etc/protocols! No wonder things don't work.

However if I run the same container locally, it looks different:

  jas@kaka:~/src/guix-container$ podman images|grep pack
  registry.gitlab.com/debdistutils/guix/container pack 57160f1c13ce 54 years ago 1.23 GB
  jas@kaka:~/src/guix-container$ podman run --entrypoint /bin/bash -it --rm registry.gitlab.com/debdistutils/guix/container:pack
  bash-5.1# ls -la /etc
  lrwxrwxrwx 1 0 0 55 Jan 1 1970 /etc -> /gnu/store/kcpr09dgqnr8q29d167cjk3wsmgizzkb-profile/etc
  bash-5.1# ls -la /etc/
  total 92
  ...
  lrwxrwxrwx 1 0 0 70 Jan 1 1970 protocols -> /gnu/store/bfp25w47fxn8z0fdwj45prx2609sx59j-net-base-5.3/etc/protocols
  ...
  bash-5.1#

What is going on here? Seems like GitLab docker is finding another
container file system compared to my local podman? The hashes are the
same, so I should be working on the same file.

Does anyone have docker installed? What does the equivalent of this
command do with docker? Does it work like podman or GitLab?

  podman run registry.gitlab.com/debdistutils/guix/container:pack ls -l /etc/

Networking seems to be set up fine, except the missing /etc/protocols:

  $ ip address
  1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  17: eth0@if18: mtu 1460 qdisc noqueue state UP group default
      link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
         valid_lft forever preferred_lft forever
      inet6 fd76:5338:4685:1:0:242:ac11:3/64 scope global nodad
         valid_lft forever preferred_lft forever
      inet6 fe80::42:acff:fe11:3/64 scope link tentative
         valid_lft forever preferred_lft forever
  $ ip -4 route
  default via 172.17.0.1 dev eth0
  172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3
  $ ip -6 route
  fd76:5338:4685:1::/64 dev eth0 proto kernel metric 256 pref medium
  fe80::/64 dev eth0 proto kernel metric 256 pref medium
  default via fd76:5338:4685:1::1 dev eth0 metric 1024 pref medium
  ...
  $ fping -c3 -D 130.237.72.201
  fping: icmp: unknown protocol

Adding a small /etc/protocols makes networking work:

  $ printf 'icmp\t1\tICMP\nipv6-icmp\t58\tIPv6-ICMP\n' > /etc/protocols
  $ fping -c3 -D 130.237.72.201
  [1734345646.83678] 130.237.72.201 : [0], 64 bytes, 112 ms (112 avg, 0% loss)
  [1734345647.83701] 130.237.72.201 : [1], 64 bytes, 111 ms (112 avg, 0% loss)
  [1734345648.83694] 130.237.72.201 : [2], 64 bytes, 111 ms (112 avg, 0% loss)
  130.237.72.201 : xmt/rcv/%loss = 3/3/0%, min/avg/max = 111/112/112
  $ fping -c3 -D gnu.org
  [1734345648.90485] gnu.org : [0], 64 bytes, 25.1 ms (25.1 avg, 0% loss)
  [1734345649.86358] gnu.org : [1], 64 bytes, 24.2 ms (24.6 avg, 0% loss)
  [1734345650.86371] gnu.org : [2], 64 bytes, 24.3 ms (24.5 avg, 0% loss)
  gnu.org : xmt/rcv/%loss = 3/3/0%, min/avg/max = 24.2/24.5/25.1

/Simon
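
Added example, not part of Simon's message: a POSIX sh preflight that a job running in the pack image could source to tell apart the two /etc layouts shown in the message, and to apply the two-line /etc/protocols workaround only when the icmp entries are missing. The function names and the root-directory argument are hypothetical, and the demo runs against a constructed temporary directory rather than the real /etc.

```shell
#!/bin/sh
# Added example; etc_kind, has_proto and ensure_protocols are hypothetical
# helper names. ROOT is a root directory to inspect ("" means the real /).

# How ROOT/etc is represented: "symlink" (the local podman run above),
# "directory" (the GitLab job above) or "missing".
etc_kind() {
    if [ -L "$1/etc" ]; then echo symlink
    elif [ -d "$1/etc" ]; then echo directory
    else echo missing
    fi
}

# Succeed if protocols file $1 defines name $2 as official name or alias.
has_proto() {
    [ -r "$1" ] || return 1
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            if ($1 == want) found = 1           # official name
            for (i = 3; i <= NF; i++)           # aliases
                if ($i == want) found = 1
        }
        END { exit !found }' "$1"
}

# Append the two entries from the workaround above, only where missing.
ensure_protocols() {
    if [ "$(etc_kind "$1")" = missing ]; then mkdir -p "$1/etc"; fi
    has_proto "$1/etc/protocols" icmp ||
        printf 'icmp\t1\tICMP\n' >> "$1/etc/protocols"
    has_proto "$1/etc/protocols" ipv6-icmp ||
        printf 'ipv6-icmp\t58\tIPv6-ICMP\n' >> "$1/etc/protocols"
}

# Demo on a constructed root that mimics the GitLab job's /etc listing.
demo_root=$(mktemp -d)
mkdir "$demo_root/etc"
: > "$demo_root/etc/hosts"
echo "etc is a $(etc_kind "$demo_root")"
has_proto "$demo_root/etc/protocols" icmp || echo "icmp: unknown protocol expected"
ensure_protocols "$demo_root"
has_proto "$demo_root/etc/protocols" icmp && echo "icmp resolves now"
rm -rf "$demo_root"
```

Running ensure_protocols twice leaves the file unchanged, so it is safe to call at the start of every job.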