Christopher Baines writes:

> Unfortunately, while I could get a shell using "docker exec ...", I had
> to start the guix-daemon manually as the shepherd service didn't seem to
> work, at least initially. Also, when I had started it, I tried
> installing a package, and there was some promising output to start off
> with, but then it failed with:
>
> guix package: error: build failed: cloning builder process: Operation
> not permitted
>
> Anyway, this is all pretty great! Awesome work getting this far. I'm
> very excited to see what services will run this way, as Docker could
> provide, albeit with some overhead, a layer of interoperability between
> software that can handle Docker containers, and Guix.

I tried making the changes you suggested. I launched a container without
using docker's --privileged option. However, the "boot" script failed
because something couldn't mount something in the container. I am not
excited about the idea of trying to figure out which esoteric combination
of capabilities [1] is needed to run without the --privileged option, but
I suppose that is necessary if I want to minimize the container's access
to the host system.

To be honest, I find it puzzling that Docker requires me to think so much
about the capabilities in the first place. Perhaps I'm naive, but I had
hoped that within a Docker container, everything would be "private" in
the sense that, as root in the container, I can do anything and
everything, including mounting, including creating device nodes, and no
changes will be visible outside of the container. The fact that that is
not the case (at least by default) comes as quite a surprise to me.

I also noticed that some services, like nscd, failed to start. No error
messages anywhere except Shepherd saying something like "could not start
service nscd". How do I begin to debug something like that? All I can
think of is to inspect the Guix code that runs the service, and the
Shepherd code, commit time to learning about it, and then hopefully find
a way to insert debug statements of some kind that give me a hint about
what's going wrong. Is there a faster, better way?

[1] https://docs.docker.com/engine/security/security/#linux-kernel-capabilities

--
Chris
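A quick way to see why a non-privileged container refuses mounts or namespaced clones is to read the effective capability mask the kernel exposes in /proc/<pid>/status. The script below is an added example, not code from the thread or from Guix or Docker; the set of capabilities it treats as "needed by a build daemon" is an assumption for illustration (mount(2) and clone(2) with CLONE_NEW* flags require CAP_SYS_ADMIN, device nodes require CAP_MKNOD), and the sample CapEff value is a constructed one.

```python
"""Decode CapEff from a /proc/<pid>/status dump and report missing capabilities."""
import re

# Linux capability bit numbers, in order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Assumed needs of a daemon that mounts, chroots and clones builders into new
# namespaces (hypothetical set chosen for this example, not from Guix docs).
DAEMON_NEEDS = {"SYS_ADMIN", "SYS_CHROOT", "MKNOD", "SETUID", "SETGID", "CHOWN"}


def parse_capeff(status_text):
    """Return the effective capability bitmask found in a status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Map a capability bitmask to the set of capability names it contains."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def missing_caps(status_text, needed=DAEMON_NEEDS):
    """Capabilities from `needed` that the process in status_text does not hold."""
    return sorted(needed - decode_caps(parse_capeff(status_text)))


# Constructed sample: the default effective set of a non-privileged Docker container.
SAMPLE_STATUS = "Name:\tguix-daemon\nPid:\t1\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    try:
        text = open("/proc/self/status").read()  # live check inside the container
    except OSError:
        text = SAMPLE_STATUS
    print("held:   ", sorted(decode_caps(parse_capeff(text))))
    print("missing:", missing_caps(text))
```

Even when a capability is present, a seccomp or AppArmor profile applied to the container can still reject the syscall, so an empty "missing" list narrows the search rather than ending it.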