From: Ludovic Courtès
To: Jean-Christophe HAESSIG
Cc: "help-guix@gnu.org"
Subject: Re: Packaging Slurm
Date: Thu, 17 Mar 2022 19:25:11 +0100
Message-ID: <87y2188mig.fsf@inria.fr>
In-Reply-To: <9672ca27-a9dc-78ab-cb92-2fb86cd76698@igbmc.fr>

Hello,

Jean-Christophe HAESSIG wrote:

> I don't really know what the implications of this would be. I continued
> exploring packaging Slurm with Guix and deploying it on Debian.
> I feel what I'm trying to do is slightly out of scope of Guix's intent:
> I used guix pack with various options -R, -RR but these are made to
> enable regular users to run software from guix packages. When the
> software is intended to be run by root, things seem to go awry. I had
> errors because the program tries to switch user and groups.
>
> --------------
> mount("none", "/tmp/guix-exec-C6ZnPc", "tmpfs", 0, NULL) = 0
> clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 4061
> openat(AT_FDCWD, "/proc/4061/setgroups", O_WRONLY) = 3
> write(3, "deny\0", 5) = 5
> close(3) = 0
> getuid() = 0
> --------------
>
> and later:
>
> --------------
> [pid 4061] newfstatat(5, "", {st_mode=S_IFREG|0644, st_size=10406312, ...}, AT_EMPTY_PATH) = 0
> [pid 4061] setgroups(2, [3000, 51692]) = -1 EPERM (Operation not permitted)
> [pid 4061] poll([{fd=2, events=POLLOUT}], 1, 5000) = 1 ([{fd=2, revents=POLLOUT}])
> [pid 4061] newfstatat(2, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
> [pid 4061] write(2, "slurmdbd: fatal: Failed to set s"..., 89slurmdbd: fatal: Failed to set supplementary groups, initgroups: Operation not permitted
> --------------

Can you try with:

  GUIX_EXECUTION_ENGINE=fakechroot ./bin/slurmdbd …

assuming you’re using a -RR pack?

> When the program is directly run with its final system user account, it
> starts correctly, still complains about not being able to fiddle with
> groups but doesn't crash:
>
> slurmdbd: Not running as root. Can't drop supplementary groups
>
> I only got this to work with -RR. -R got me other permission errors
> about not being able to setup subuid/subgid. System is Debian 10.9 with
> kernel 4.19. I expected containers to be well available and didn't know
> if the errors could come from what the program tries to do as root so I
> didn't check thoroughly yet.

Yeah, presumably things running in an unprivileged user namespace (this
is the case with -R and also with GUIX_EXECUTION_ENGINE=userns) can’t
call setgroups(2).

>> This would be a welcome change, though it would have a noticeable impact
>> on the closure size:
>>
>> --8<---------------cut here---------------start------------->8---
>> $ guix size slurm |tail -1
>> total: 134.7 MiB
>> $ guix size slurm mariadb |tail -1
>> total: 421.4 MiB
>> --8<---------------cut here---------------end--------------->8---
>
> I don't know if this could change anything but AFAIK mariadb is a
> dependency of slurmdbd only. Debian has separate packages for the
> accounting daemon, the controller daemon (slurmctld) and the client
> (slurmd) but there still is one source package.

Here we could have a separate output maybe:

  https://guix.gnu.org/manual/devel/en/html_node/Packages-with-Multiple-Outputs.html

[...]

> For the time being, I'm still confident it can be done somehow, at least
> temporarily to enable a smooth upgrade. There are some minor hurdles
> e.g. Debian decided to change the paths in etc, var and the like to
> slurm-llnl. I managed to build several versions from git, I'm still
> blocked with 18.08 which doesn't compile because of "multiple definition
> of 'opt'". Only thing I can think of is something is too recent wrt
> slurm version.

FWIW I recently fixed that build error in Guix:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=dd98dc42fe8d898bbdf8b3f988120a81bb145f77

> I guess running Guix system would remove many problems but I'm not ready
> for that and since I'm interested in the shared software use case for a
> cluster, there would still remain the "battle for /gnu/store" issue.

Where “battle from /gnu/store” is the chicken-and-egg when booting,
right?  (That is, if /gnu/store is on NFS, then how do you boot.)

HTH,
Ludo’.
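
The setgroups(2) failure shown in the quoted trace can be reproduced in isolation. The C program below is an added example, not part of the original message and not code from Guix or Slurm: a child enters a new user namespace, writes "deny" to its setgroups file as the trace shows, then calls setgroups(2). The function name is hypothetical, and the child uses unshare(2) where the traced wrapper used clone(2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* hidden unless _GNU_SOURCE preceded every include */
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags); /* same prototype as in <sched.h> */

/* Returns 1 if setgroups(2) is refused with EPERM inside a fresh user
 * namespace, 0 if it succeeds, and -1 if the host cannot create user
 * namespaces (or /proc is missing), in which case nothing was tested. */
int setgroups_denied_in_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(2);
        /* Same write as in the trace: forbid setgroups in this namespace. */
        int fd = open("/proc/self/setgroups", O_WRONLY);
        if (fd < 0 || write(fd, "deny", 4) != 4)
            _exit(2);
        close(fd);
        /* Even a call that only drops every supplementary group is refused. */
        if (setgroups(0, NULL) == 0)
            _exit(1);
        _exit(errno == EPERM ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    int r = setgroups_denied_in_userns();
    puts(r == 1 ? "setgroups: EPERM" : r == 0 ? "setgroups: ok" : "userns unavailable");
    return 0;
}
```

A daemon that calls setgroups() or initgroups() before dropping privileges hits this same EPERM when started as root inside such a namespace.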