From: Vladilen Kozin
Date: Wed, 22 Mar 2023 10:20:12 +0000
Subject: shepherd service works on host but fails inside system container
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."
Hello guix.

I put together a tailscale system service that's meant to start a tailscale daemon managed by the system shepherd, that is to say that my `tailscaled-service-type` specifies `(service-extension shepherd-root-service-type tailscaled-shepherd-service)`, where `tailscaled-shepherd-service` creates a `shepherd-service` with (provision '(tailscaled)) and (requirement '(networking)).

I tested it by lowering to the store via `shepherd-service-file` and then loading the generated script via `sudo herd load root ...`. This works fine and the daemon starts without a problem.

Next, I try to spawn tailscaled as part of my OS definition:

  (services (cons* (service tailscaled-service-type (tailscaled-configuration)) %base-services))
  ;; tried %desktop-services too

To test, we create a container:

  sudo guix system -K -L /home/vlad/Code/fullmeta-guix/channel container os.scm --network --expose=/dev/net=/dev

Earlier runs had it complaining that /dev/net/tun was missing, so I exposed that. Dunno if that's how I'm supposed to handle this. Now, /var/log/messages shows:

  Mar 22 09:38:48 twgter shepherd[1]: [tailscaled] 2023/03/22 09:38:48 Linux kernel version: 5.18.10
  Mar 22 09:38:48 twgter shepherd[1]: [tailscaled] 2023/03/22 09:38:48 is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with:
  Mar 22 09:38:48 twgter shepherd[1]: [tailscaled] 2023/03/22 09:38:48 wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): operation not permitted

I feel like maybe I'm missing some kernel modules, but I would've expected host and container to share the kernel, so I dunno. In fact, when I randomly attempted adding (kernel-arguments (cons* "CONFIG_TUN=m" %default-kernel-arguments)) to my os definition, the resulting script hash came out the same, which tells me containers don't even look at these kernel params when generating a script.

Any guesses as to why this works under host but not inside container?

Relatedly, does anyone have a nicer workflow they use to define and test shepherd services? Such containerization was the next step in testing the service and would've been ok were it not for the above failure, but the initial indirection with lowering to store, then `sudo herd load root ...` is a bit too involved and "indirect" for my liking as well - does anyone have an improved way of developing shepherd services?

Thanks!
--
Best regards
Vlad Kozin
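The message describes the shape of the service (a `tailscaled-service-type` that extends `shepherd-root-service-type` with a `shepherd-service` providing `tailscaled` and requiring `networking`) but does not include the definition itself. The following is an added reconstruction, not the author's code: the module name `(fullmeta services tailscale)`, the `<tailscaled-configuration>` fields (`package`, `state-file`, `port`), the log file path and the daemon flags are all assumptions made for the example, and the package providing `bin/tailscaled` is not in the message, so the configuration requires the caller to supply it.

```scheme
;; Added example, not the code from the mailing-list post.  The module name,
;; record fields, log path and daemon flags are assumptions; the
;; service-extension / provision / requirement shape follows the message.
(define-module (fullmeta services tailscale)   ; hypothetical module name
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:export (tailscaled-configuration
            tailscaled-configuration?
            tailscaled-service-type))

;; Configuration record.  `package' has no default: the post does not say
;; which package provides bin/tailscaled, so the caller must supply it.
(define-record-type* <tailscaled-configuration>
  tailscaled-configuration make-tailscaled-configuration
  tailscaled-configuration?
  (package    tailscaled-configuration-package)          ; assumed field, required
  (state-file tailscaled-configuration-state-file        ; assumed default
              (default "/var/lib/tailscale/tailscaled.state"))
  (port       tailscaled-configuration-port              ; assumed default
              (default 41641)))

;; Build the shepherd service list that extends shepherd-root-service-type.
(define (tailscaled-shepherd-service config)
  (let ((daemon (file-append (tailscaled-configuration-package config)
                             "/bin/tailscaled")))
    (list (shepherd-service
           (documentation "Run the Tailscale daemon (tailscaled).")
           (provision '(tailscaled))
           (requirement '(networking))
           (start #~(make-forkexec-constructor
                     (list #$daemon
                           "--state" #$(tailscaled-configuration-state-file config)
                           "--port" #$(number->string
                                       (tailscaled-configuration-port config)))
                     ;; Log path is an assumption for the example.
                     #:log-file "/var/log/tailscaled.log"))
           (stop #~(make-kill-destructor))))))

(define tailscaled-service-type
  (service-type
   (name 'tailscaled)
   (extensions
    (list (service-extension shepherd-root-service-type
                             tailscaled-shepherd-service)))
   (description "Run tailscaled under the system shepherd.")))

;; Usage in an operating-system declaration (the package value is a
;; placeholder the caller replaces with whatever provides tailscaled):
;;
;;   (services (cons* (service tailscaled-service-type
;;                             (tailscaled-configuration
;;                              (package my-tailscale-package)))
;;                    %base-services))
```

Two general points worth checking when such a service runs inside `guix system container`: `--expose=SOURCE[=TARGET]` shares the host path read-only at TARGET, while `--share` is the read-write variant, so `ls -l /dev/net/tun` inside the container confirms both where the device node actually landed and whether it is writable; and opening a TUN device and attaching an interface with TUNSETIFF requires CAP_NET_ADMIN in the network namespace the daemon runs in, which is one ordinary cause of EPERM ("operation not permitted") on an otherwise present `/dev/net/tun`.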