From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH 0/15] Add preliminary support for Linux containers
Date: Tue, 07 Jul 2015 12:28:26 +0200
Message-ID: <87h9pgl0s5.fsf@gnu.org>
In-Reply-To: <87lhetcudk.fsf@izanagi.i-did-not-set--mail-host-address--so-tickle-me> (David Thompson's message of "Mon, 06 Jul 2015 09:01:43 -0400")
To: David Thompson
Cc: guix-devel@gnu.org

Howdy!

In short, this is awesome!  Here are random notes I took as I was playing
with all this.

David Thompson skribis:

> The main interface to this functionality is the 'call-with-container'
> procedure in the (gnu build linux-container) module:
>
>   (call-with-container
                         ^^
Missing list of mounts here.

>     (lambda ()
>       (sethostname "guix-0.8.3"))

Surprisingly, calling ‘getpid’ in the thunk returns the PID of the parent
(I was expecting it to return 1.)  Not sure why that is the case.

I’m still amazed that this works as non-root, BTW.

There’s an issue when the parent’s Guile is not mapped into the
container’s file system: ‘use-modules’ forms and auto-loading will fail.

For instance, I did (use-modules (ice-9 ftw)) in the parent and called
‘scandir’ in the child, but that failed because of an attempt to
auto-load (ice-9 i18n), which is unavailable in the container.

> There is also a 'container-excursion' procedure for evaluating code in
> the context of an existing container process:
>
>   (container-excursion 9999
>     (lambda ()
>       (mkdir "/foo"))
>
> To run a command in the context of a running container, there's a new
> 'guix container exec' command for that:
>
>   guix container exec 9999 /run/current-system/profile/bin/bash --login

I failed to get that to work, both with ‘guix environment --container’
and ‘guix system container’.  For instance, with a GuixSD container
running as root as PID 29532, I got this:

--8<---------------cut here---------------start------------->8---
$ sudo ./pre-inst-env guix container exec 29532 ls
Backtrace:
In ice-9/boot-9.scm:
 155: 14 [catch #t # ...]
In unknown file:
   ?: 13 [apply-smob/1 #]
In ice-9/boot-9.scm:
  61: 12 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 11 [eval # #]
In ice-9/boot-9.scm:
2401: 10 [save-module-excursion #]
4050: 9 [#]
1724: 8 [%start-stack load-stack ...]
1729: 7 [#]
In unknown file:
   ?: 6 [primitive-load "/home/ludo/src/guix/scripts/guix"]
In guix/ui.scm:
1015: 5 [run-guix-command container "exec" "29532" "ls"]
In gnu/build/linux-container.scm:
  36: 4 [call-with-clean-exit #]
 279: 3 [#]
In ice-9/boot-9.scm:
 768: 2 [for-each # ...]
 867: 1 [call-with-input-file "/proc/29779/ns/user" ...]
 867: 0 [call-with-input-file "/proc/29532/ns/user" ...]

ice-9/boot-9.scm:867:17: In procedure call-with-input-file:
ice-9/boot-9.scm:867:17: In procedure setns: 11 0: Nevalida argumento
--8<---------------cut here---------------end--------------->8---

What am I missing?

> If that's not exciting enough, how about launching a new development
> environment inside a container?
>
>   guix environment --container emacs

This is wonderful.  :-)

Currently, $PWD is mapped to /env in the container.  I think the default
should be to map $PWD to $PWD, because often build systems record
$top_srcdir and $top_builddir and would be confused if you work on a
given build tree both inside and outside the container.

Also, I think we should add --expose and --share as for ‘guix system’,
though that can come later.

Last, I wonder if there should be an option to use a UID other than 0.
Then perhaps we’d need to create fake /etc/group and /etc/passwd, as
done in build.cc.

WDYT?

> Here's how you build it:
>
>   guix system container container.scm

Very neat.  I wonder if that should automatically override the
‘file-systems’ field to be ‘%container-file-systems’, so that one can
reuse existing OS declarations unmodified.  WDYT?

> Unfortunately, there is still one blocker bug that I know of: The unit
> test for 'container-excursion' is non-deterministic. Once out of every
> 10 to 20 test runs, it fails, but I can't figure out why. For anyone
> interested, here are some strace snippets:

Ouch, this one looks more difficult.  :-)

I’ll comment on the individual patches.

Thank you for the nice code!

Ludo’.