From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 0/15] Add preliminary support for Linux containers
Date: Wed, 08 Jul 2015 14:46:26 +0200
Message-ID: <87oajmlsv1.fsf@gnu.org>
In-Reply-To: (David Thompson's message of "Tue, 7 Jul 2015 18:35:53 -0400")
To: "Thompson, David"
Cc: guix-devel

"Thompson, David" skribis:

> On Tue, Jul 7, 2015 at 6:28 AM, Ludovic Courtès wrote:

[...]

>>>   (lambda ()
>>>     (sethostname "guix-0.8.3"))
>>
>> Surprisingly, calling ‘getpid’ in the thunk returns the PID of the
>> parent (I was expecting it to return 1.)  Not sure why that is the
>> case.  I’m still amazed that this works as non-root, BTW.
>
> The first process created inside the PID namespace gets the honor of
> being PID 1, not the process created with the 'clone' call.
>
> For more information, see: https://lwn.net/Articles/532748/

To me, the thunk above is just like ‘childFunc’ in the LWN article above, i.e., it’s the procedure that ‘clone’ calls in the first child process of the new PID name space.  What am I missing?
>> There’s an issue when the parent’s Guile is not mapped into the
>> container’s file system: ‘use-modules’ forms and auto-loading will fail.
>> For instance, I did (use-modules (ice-9 ftw)) in the parent and called
>> ‘scandir’ in the child, but that failed because of an attempt to
>> auto-load (ice-9 i18n), which is unavailable in the container.
>
> Hmm, I don't know of a way to deal with that other than the user being
> careful to bind-mount in the Guile modules they need.

Right.  Maybe the best we can do is to add a word of caution in the
docstring or something.

> Hmm, there are various reasons that EINVAL would be thrown.  Could you
> readlink "those" files, that is /proc//ns/user
> and /proc//ns/user, and tell me if the contents
> are the same?  They shouldn't be, but this will eliminate one of the
> possible causes of EINVAL.

It turns out I was targeting the wrong PID.

>> Also, I think we should add --expose and --share as for ‘guix system’,
>> though that can come later.
>
> Yes, I also really want that, but it's a task for another time.

Sure.

>>> Here's how you build it:
>>>
>>>   guix system container container.scm
>>
>> Very neat.  I wonder if that should automatically override the
>> ‘file-systems’ field to be ‘%container-file-systems’, so that one can
>> reuse existing OS declarations unmodified.  WDYT?
>
> This would be a better user experience, for sure.  I thought about
> this, but I don't know how to do it in a way that isn't surprising or
> just broken.  Ideas?

IMO it’d be fine to simply override the subset of ‘file-systems’ that
clashes with ‘%container-file-systems’, similar to what
‘virtualized-operating-system’ does in (gnu system vm).  WDYT?

Thanks,
Ludo’.
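The two kernel-level questions in this message, whether the clone child really is PID 1 of the new PID namespace and how to compare the /proc/<pid>/ns/user links of parent and child, can be checked directly from an unprivileged process. The following C program is an added example for this page, not code from the thread or from Guix. It assumes Linux on x86, x86_64 or arm64 (where the raw clone syscall takes the flags word as its first argument) and that unprivileged user namespaces are permitted; when the kernel or a seccomp policy refuses them it reports that instead of failing. It deliberately bypasses glibc's clone wrapper, as a raw syscall issued from a foreign-function interface does, so that the child's PID can be read both as a raw getpid syscall and through libc: glibc before 2.25 cached the PID in the thread descriptor and only its own clone and fork wrappers refreshed that cache, which is a known way to see the parent's PID from inside a fresh PID namespace.

```c
/* Probe an unprivileged user+PID namespace with a raw clone(2) syscall
 * (no glibc wrapper) and compare what the first child sees with what the
 * parent sees.  Added example; Linux only.  Names below are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Kernel ABI values, in case <sched.h> hides them without _GNU_SOURCE. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif

struct child_report {
    long raw_pid;        /* getpid as a raw syscall: what the kernel says */
    long libc_pid;       /* getpid via libc: stale on glibc < 2.25 after a raw clone */
    char user_ns[64];    /* readlink("/proc/self/ns/user"), e.g. "user:[4026532345]" */
};

struct ns_probe {
    int available;       /* 0 if the kernel or sandbox refused the namespaces */
    int clone_errno;     /* errno from clone when !available */
    long child_raw_pid;  /* expected 1: the clone child is PID 1 of the new namespace */
    long child_libc_pid;
    int user_ns_differs; /* 1 differ, 0 same, -1 if a link could not be read */
};

static void read_ns_link(const char *path, char *buf, size_t len) {
    ssize_t n = readlink(path, buf, len - 1);
    buf[n < 0 ? 0 : n] = '\0';
}

int probe_namespaces(struct ns_probe *out) {
    int fds[2];
    struct child_report r;
    char parent_ns[64];
    long child;
    int status;
    ssize_t n;

    memset(out, 0, sizeof *out);
    if (pipe(fds) != 0) return -1;

    /* Raw clone with a null child stack behaves like fork: the child resumes here. */
    child = syscall(SYS_clone, (long)(CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD), 0L, 0L, 0L, 0L);
    if (child == 0) {
        /* Child: first process in the new PID namespace.  Only async-signal-safe calls. */
        memset(&r, 0, sizeof r);
        r.raw_pid = syscall(SYS_getpid);
        r.libc_pid = getpid();
        read_ns_link("/proc/self/ns/user", r.user_ns, sizeof r.user_ns);
        n = write(fds[1], &r, sizeof r);
        _exit(n == (ssize_t)sizeof r ? 0 : 1);
    }
    if (child < 0) {
        out->clone_errno = errno;
        close(fds[0]); close(fds[1]);
        /* Unprivileged user namespaces disabled, seccomp, or a limit hit: report, don't fail. */
        if (errno == EPERM || errno == EINVAL || errno == ENOSYS ||
            errno == ENOSPC || errno == EUSERS) return 0;
        return -1;
    }
    close(fds[1]);
    n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    if (waitpid((pid_t)child, &status, 0) != (pid_t)child) return -1;
    if (n != (ssize_t)sizeof r) return -1;

    out->available = 1;
    out->child_raw_pid = r.raw_pid;
    out->child_libc_pid = r.libc_pid;
    read_ns_link("/proc/self/ns/user", parent_ns, sizeof parent_ns);
    if (r.user_ns[0] == '\0' || parent_ns[0] == '\0')
        out->user_ns_differs = -1;
    else
        out->user_ns_differs = strcmp(parent_ns, r.user_ns) != 0;
    return 0;
}

int main(void) {
    struct ns_probe p;
    if (probe_namespaces(&p) != 0) { perror("probe"); return 1; }
    if (!p.available) {
        printf("namespaces unavailable: %s\n", strerror(p.clone_errno));
        return 0;
    }
    printf("child raw getpid = %ld, libc getpid = %ld, user ns differs = %d\n",
           p.child_raw_pid, p.child_libc_pid, p.user_ns_differs);
    return 0;
}
```

On a kernel that allows unprivileged user namespaces the child's raw getpid is 1 and the two user-namespace links differ, which is the answer to the readlink check quoted above; if libc_pid disagrees with raw_pid, the libc PID cache rather than the namespace is what you are looking at. If the same inode shows up for both links, the PID being inspected is not the clone child, which is the "wrong PID" situation the reply reports.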