From: "Thompson, David"
Subject: Update on GuixSD containers
Date: Mon, 8 Jun 2015 11:20:41 -0400
To: guix-devel

Hey folks,

I'd like to give a quick update on the state of the wip-container
branch. As of this morning, one can run the commands below and have a
somewhat functional GuixSD container:

  # Hardcoded /tmp/container as the container root directory until I
  # add a command line switch.
  mkdir /tmp/container
  guix system container container-config.scm

Where 'container-config.scm' is:

  (use-modules (gnu))

  ;; Minimal GuixSD configuration suitable for a Linux container.
  (operating-system
    (host-name "container-test")
    (timezone "America/New_York")
    (locale "en_US.UTF-8")

    ;; Unused: the record requires a bootloader, but a container never boots one.
    (bootloader (grub-configuration (device "/dev/sdX")))

    ;; Dummy FS: the root is the existing host directory, not a block device.
    (file-systems (cons (file-system
                          (mount-point "/")
                          (device "dummy")
                          (type "dummy"))
                        %base-file-systems))

    (users (cons (user-account
                  (name "alice")
                  (comment "Bob's sister")
                  (group "users")
                  (supplementary-groups '("wheel" "audio" "video"))
                  (home-directory "/home/alice"))
                 %base-user-accounts)))

The activation and boot scripts for the system have been tweaked to
DTRT for a container, and DMD is able to start successfully and start
all of the base services, sans the console-font-tty services for some
reason.

So, this is cool, but much work remains to be done. Our containers
operate in 5 of 6 possible Linux namespaces: mount, PID, UTS, IPC, and
network. The remaining namespace to get working is the user namespace,
which is especially tricky. I don't think even Docker can use user
namespaces properly yet, but I might be wrong.

Additionally, our containers have a loopback device, but have no way of
accessing an outside network such as your LAN or a virtual network on
the host system. There's also no support for cgroups, which would allow
us to limit the resource usage of containers like you can with a VM
hypervisor.

For the long term, we'll need a container daemon to keep track of all
containers on the system to allow for easily starting and stopping them
(right now you have to 'sudo kill -9 '), spawning new processes within
them (for example, launching bash for an interactive environment), and
whatever else we might want.

In closing, things aren't exactly usable, but I encourage brave/curious
people to take 'guix system container' for a spin and hack on it to
make Guix the best container management tool yet!

Also, I think the code is very easy to follow (unlike Docker's
libcontainer), so if you want to understand what containers *really*
are beyond a buzzword, have a look at gnu/build/linux-container.scm and
gnu/system/linux-container.scm.

Happy hacking,

- Dave
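As an added example for the namespace discussion in the message above (my own code, not code from the message or from Guix's gnu/build/linux-container.scm), here is a small C program that creates the five namespaces the branch already uses plus the sixth, the user namespace, and checks the isolation: the child sets a hostname without touching the host's, sees itself as pid 1, and sees uid 0 because the parent wrote the id maps for it. The hostname "container-test", the pipe-based handshake and the return codes are my own choices; the program assumes Linux and that either unprivileged user namespaces are enabled or it runs as root. When the kernel or a seccomp sandbox refuses the namespaces it reports the errno instead of pretending to have isolated anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
/* The five namespaces the message says the branch already uses. */
#define CONTAINER_NS (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWNET)

struct child_args {
    const char *hostname;     /* assumed hostname for the container */
    int sync_rd, sync_wr;     /* parent -> child: EOF means the id maps are in place */
    int report_rd, report_wr; /* child -> parent: "nodename pid uid" */
};

/* Entry point of the new process; it is pid 1 of the new PID namespace. */
static int child_fn(void *arg) {
    struct child_args *a = arg;
    struct utsname u;
    char c, buf[128];

    close(a->sync_wr);    /* else read() below would wait for our own write end */
    close(a->report_rd);
    if (read(a->sync_rd, &c, 1) != 0) return 1;   /* block until the parent is done */
    /* Needs CAP_SYS_ADMIN over the UTS namespace; we hold it in the new user namespace. */
    if (sethostname(a->hostname, strlen(a->hostname)) != 0) return 2;
    if (uname(&u) != 0) return 3;
    snprintf(buf, sizeof buf, "%s %ld %ld", u.nodename, (long)getpid(), (long)getuid());
    return write(a->report_wr, buf, strlen(buf)) < 0 ? 4 : 0;
}

/* Write one line into /proc/<pid>/<file>; returns 0 or -errno. */
static int write_proc(pid_t pid, const char *file, const char *line) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, line, strlen(line)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Start child_fn in fresh namespaces and collect its report. Returns 0 when
 * isolation is verified, -errno when clone() refused the namespaces (e.g.
 * -EPERM under a seccomp sandbox or with unprivileged user namespaces
 * disabled), or the positive number of the check that failed. */
int spawn_container(const char *hostname, char *out, size_t outlen) {
    int sp[2], rp[2], status = 0, rc = 0;
    char before[256], after[256], map[64];
    if (pipe(sp) != 0 || pipe(rp) != 0) return -errno;
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL) return -ENOMEM;
    struct child_args args = { hostname, sp[0], sp[1], rp[0], rp[1] };

    gethostname(before, sizeof before);
    int flags = CLONE_NEWUSER | CONTAINER_NS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, &args);
    if (pid < 0 && errno == EPERM && geteuid() == 0) {
        /* Root may be denied new user namespaces yet still create the other
           five with CAP_SYS_ADMIN in the initial user namespace. */
        flags &= ~CLONE_NEWUSER;
        pid = clone(child_fn, stack + STACK_SIZE, flags, &args);
    }
    if (pid < 0) {
        rc = -errno;
        close(sp[0]); close(sp[1]); close(rp[0]); close(rp[1]); free(stack);
        return rc;
    }
    if (flags & CLONE_NEWUSER) {
        /* The tricky part of the sixth namespace: id maps are written from the
           outside, exactly once, and an unprivileged writer must deny setgroups
           before gid_map is accepted. Map container uid/gid 0 onto our own ids. */
        snprintf(map, sizeof map, "0 %ld 1\n", (long)getuid());
        rc = write_proc(pid, "uid_map", map);
        if (rc == 0) rc = write_proc(pid, "setgroups", "deny\n");
        snprintf(map, sizeof map, "0 %ld 1\n", (long)getgid());
        if (rc == 0) rc = write_proc(pid, "gid_map", map);
    }
    close(sp[1]);   /* EOF releases the child */
    close(sp[0]);
    close(rp[1]);
    ssize_t n = read(rp[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    close(rp[0]);
    waitpid(pid, &status, 0);
    free(stack);
    gethostname(after, sizeof after);
    if (rc != 0) return 5;                                        /* id map rejected */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return 6; /* child failed */
    if (strcmp(before, after) != 0) return 7;                     /* UTS leaked to host */
    return 0;
}

/* Runs the demo; the child must see itself as pid 1 and uid 0 on "container-test". */
int demo_container(void) {
    char report[128];
    int rc = spawn_container("container-test", report, sizeof report);
    if (rc != 0) return rc;
    return strcmp(report, "container-test 1 0") == 0 ? 0 : 8;
}

int main(void) {
    int rc = demo_container();
    if (rc < 0) printf("namespaces refused: %s\n", strerror(-rc));
    else if (rc > 0) printf("check %d failed\n", rc);
    else puts("isolation verified");
    return rc == 0 ? 0 : 1;
}
```

Compile with `gcc -Wall -o ns-demo ns-demo.c` and run it as an ordinary user; if it prints "namespaces refused: Operation not permitted", the kernel (or a container runtime's seccomp profile) is denying user namespaces, and running it as root exercises the fallback path that creates only the five namespaces the branch already has. Note what is deliberately missing: no pivot_root, no cgroups, no veth into the new network namespace, which is exactly the remaining work the message lists.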