From: Chris Marusich
Subject: Re: Building Docker images of GuixSD
Date: Fri, 15 Dec 2017 18:30:42 -0800
Message-ID: <87wp1n9zfx.fsf@gmail.com>
In-Reply-To: <87609vid4q.fsf@cbaines.net> (Christopher Baines's message of "Mon, 27 Nov 2017 22:13:25 +0000")
To: Christopher Baines
Cc: guix-devel@gnu.org

Christopher Baines writes:

> Unfortunately, while I could get a shell using "docker exec ...", I had
> to start the guix-daemon manually as the shepherd service didn't seem to
> work, at least initially. Also, when I had started it, I tried
> installing a package, and there was some promising output to start off
> with, but then it failed with:
>
> guix package: error: build failed: cloning builder process: Operation
> not permitted
>
> Anyway, this is all pretty great! Awesome work getting this far. I'm
> very excited to see what services will run this way, as Docker could
> provide, albeit with some overhead, a layer of interoperability between
> software that can handle Docker containers, and Guix.

I tried making the changes you suggested. I launched a container without
using docker's --privileged option. However, the "boot" script failed
because something couldn't mount something in the container. I am not
excited about the idea of trying to figure out which esoteric combination
of capabilities [1] is needed to run without the --privileged option, but
I suppose that is necessary if I want to minimize the container's access
to the host system.

To be honest, I find it puzzling that Docker requires me to think so much
about the capabilities in the first place. Perhaps I'm naive, but I had
hoped that within a Docker container, everything would be "private" in the
sense that, as root in the container, I can do anything and everything,
including mounting, including creating device nodes, and no changes will
be visible outside of the container. The fact that that is not the case
(at least by default) comes as quite a surprise to me.

I also noticed that some services, like nscd, failed to start. No error
messages anywhere except Shepherd saying something like "could not start
service nscd". How do I begin to debug something like that? All I can
think of is to inspect the Guix code that runs the service, and the
Shepherd code, commit time to learning about it, and then hopefully find a
way to insert debug statements of some kind that give me a hint about
what's going wrong. Is there a faster, better way?

[1] https://docs.docker.com/engine/security/security/#linux-kernel-capabilities

-- 
Chris
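An added example for the capability question raised in this thread (this is not code from the mail, from Guix, or from Docker): the first thing to check when mount(2), mknod(2) or the daemon's clone(2) fails with "Operation not permitted" inside a container is the capability masks the kernel reports in /proc/self/status. The script below decodes CapEff/CapBnd into capability names using the bit numbers from <linux/capability.h> and lists which capability each of the operations mentioned in the mail is missing. The SAMPLE status text is constructed; its CapEff value 0xa80425fb is the default mask of an unprivileged Docker container, which lacks CAP_SYS_ADMIN (needed for mount and for CLONE_NEWNS) but does carry CAP_MKNOD.

```python
"""Decode the capability bitmasks in /proc/<pid>/status.

Added example for this thread, not code from the mail or from Guix/Docker.
Capability bit numbers follow <linux/capability.h>; SAMPLE is constructed.
"""
import sys

# Index in this list == capability bit number in CapInh/CapPrm/CapEff/CapBnd.
CAPS = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Operations the mail mentions and the capability the kernel checks for each:
# mount(2) and clone(2) with CLONE_NEWNS need CAP_SYS_ADMIN in the caller's
# user namespace; mknod(2) of a device node needs CAP_MKNOD.
NEEDED = {
    "mount a filesystem": {"CAP_SYS_ADMIN"},
    "clone builder with CLONE_NEWNS": {"CAP_SYS_ADMIN"},
    "create a device node": {"CAP_MKNOD"},
}

# Constructed /proc/self/status excerpt for root in a default Docker container.
SAMPLE = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
Seccomp:\t2
"""


def parse_status(text):
    """Return the Cap* fields of a status file as {name: int}."""
    masks = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def decode_mask(mask):
    """Turn a capability bitmask into the list of capability names it holds."""
    names = [name for bit, name in enumerate(CAPS) if mask & (1 << bit)]
    unknown = mask >> len(CAPS)  # bits newer than this table
    if unknown:
        names.append("UNKNOWN_BITS_0x%x" % unknown)
    return names


def missing_for(status_text):
    """Map each operation in NEEDED to the capabilities CapEff lacks for it."""
    eff = set(decode_mask(parse_status(status_text)["CapEff"]))
    return {op: sorted(need - eff) for op, need in NEEDED.items() if need - eff}


def bounding_set_gap(status_text):
    """Capabilities outside CapBnd: these need --cap-add, not just a setcap."""
    masks = parse_status(status_text)
    return sorted(set(CAPS) - set(decode_mask(masks["CapBnd"])))


if __name__ == "__main__":
    # Usage: python caps.py [/proc/<pid>/status]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    masks = parse_status(text)
    for key in ("CapEff", "CapBnd"):
        print("%s: %s" % (key, ", ".join(decode_mask(masks[key]))))
    for op, caps in missing_for(text).items():
        print("cannot %s: missing %s" % (op, ", ".join(caps)))
```

Run it against /proc/self/status from a "docker exec" shell. When a capability is absent from CapBnd as well as CapEff, the container was started without it and only --cap-add (or --privileged) on the docker run line can restore it; nothing inside the container can. Note that a present capability is not the whole story: Docker's default seccomp profile also filters clone(2) calls that request new namespaces, so a clone failure can persist after --cap-add=SYS_ADMIN until the seccomp profile is adjusted too.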