Re: [PATCH 0/15] Add preliminary support for Linux containers


From: Ludovic Courtès
Subject: Re: [PATCH 0/15] Add preliminary support for Linux containers
Date: Tue, 07 Jul 2015 12:28:26 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Howdy!

In short, this is awesome!

Here are random notes I took as I was playing with all this.

David Thompson <address@hidden> writes:

> The main interface to this functionality is the 'call-with-container'
> procedure in the (gnu build linux-container) module:
>
>     (call-with-container
                          ^^
Missing list of mounts here.

>       (lambda ()
>         (sethostname "guix-0.8.3"))

Surprisingly, calling ‘getpid’ in the thunk returns the PID of the
parent (I was expecting it to return 1.)  Not sure why that is the
case.  I’m still amazed that this works as non-root, BTW.

There’s an issue when the parent’s Guile is not mapped into the
container’s file system: ‘use-modules’ forms and auto-loading will fail.
For instance, I did (use-modules (ice-9 ftw)) in the parent and called
‘scandir’ in the child, but that failed because of an attempt to
auto-load (ice-9 i18n), which is unavailable in the container.

> There is also a 'container-excursion' procedure for evaluating code in
> the context of an existing container process:
>
>     (container-excursion 9999
>       (lambda ()
>         (mkdir "/foo"))
>
> To run a command in the context of a running container, there's a new
> 'guix container exec' command for that:
>
>     guix container exec 9999 /run/current-system/profile/bin/bash --login

I failed to get that to work, both with ‘guix environment --container’
and ‘guix system container’.  For instance, with a GuixSD container
running as root as PID 29532, I got this:

--8<---------------cut here---------------start------------->8---
$ sudo ./pre-inst-env guix container exec 29532 ls
Backtrace:
In ice-9/boot-9.scm:
 155: 14 [catch #t #<catch-closure 1be1bc0> ...]
In unknown file:
   ?: 13 [apply-smob/1 #<catch-closure 1be1bc0>]
In ice-9/boot-9.scm:
  61: 12 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 11 [eval # #]
In ice-9/boot-9.scm:
2401: 10 [save-module-excursion #<procedure 1bff980 at ice-9/boot-9.scm:4045:3 ()>]
4050: 9 [#<procedure 1bff980 at ice-9/boot-9.scm:4045:3 ()>]
1724: 8 [%start-stack load-stack ...]
1729: 7 [#<procedure 1c16e70 ()>]
In unknown file:
   ?: 6 [primitive-load "/home/ludo/src/guix/scripts/guix"]
In guix/ui.scm:
1015: 5 [run-guix-command container "exec" "29532" "ls"]
In gnu/build/linux-container.scm:
  36: 4 [call-with-clean-exit #<procedure 240cb10 at gnu/build/linux-container.scm:278:3 ()>]
 279: 3 [#<procedure 240cb10 at gnu/build/linux-container.scm:278:3 ()>]
In ice-9/boot-9.scm:
 768: 2 [for-each #<procedure 2408000 at gnu/build/linux-container.scm:279:15 (ns)> ...]
 867: 1 [call-with-input-file "/proc/29779/ns/user" ...]
 867: 0 [call-with-input-file "/proc/29532/ns/user" ...]

ice-9/boot-9.scm:867:17: In procedure call-with-input-file:
ice-9/boot-9.scm:867:17: In procedure setns: 11 0: Invalid argument
--8<---------------cut here---------------end--------------->8---

What am I missing?

> If that's not exciting enough, how about launching a new development
> environment inside a container?
>
>     guix environment --container emacs

This is wonderful.  :-)

Currently, $PWD is mapped to /env in the container.  I think the default
should be to map $PWD to $PWD, because often build systems record
$top_srcdir and $top_builddir and would be confused if you work on a
given build tree both inside and outside the container.

Also, I think we should add --expose and --share as for ‘guix system’,
though that can come later.

Last, I wonder if there should be an option to use a UID other than 0.
Then perhaps we’d need to create fake /etc/group and /etc/passwd, as
done in build.cc.

WDYT?

> Here's how you build it:
>
>     guix system container container.scm

Very neat.  I wonder if that should automatically override the
‘file-systems’ field to be ‘%container-file-systems’, so that one can
reuse existing OS declarations unmodified.  WDYT?

> Unfortunately, there is still one blocker bug that I know of: The unit
> test for 'container-excursion' is non-deterministic.  Once out of every
> 10 to 20 test runs, it fails, but I can't figure out why.  For anyone
> interested, here are some strace snippets:

Ouch, this one looks more difficult.  :-)

I’ll comment on the individual patches.

Thank you for the nice code!

Ludo’.
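As an added illustration of the mechanism behind 'call-with-container' discussed in the message above (example code written for this page, not Guix's own code and not part of Ludovic's mail): an unprivileged process unshares user and PID namespaces, maps itself to UID 0, creates the first process of the new PID namespace with a raw clone(2) the way an FFI binding would, and reports what that process sees. The raw-clone detail is relevant to the getpid observation: glibc before 2.25 cached the result of getpid() and refreshed it only inside its own fork()/clone() wrappers, so a process created through a direct syscall kept reporting its parent's PID until it asked the kernel directly. Assumptions: Linux with unprivileged user namespaces enabled and /proc mounted; the names probe_container, container_view and format_id_map are this example's own.

```c
/* Added example, not Guix code: new user + PID namespaces as an unprivileged
   user, then a look at getpid()/getuid() from inside.  Assumes Linux with
   unprivileged user namespaces enabled and /proc mounted. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from <linux/sched.h>, spelled out so the file builds even when
   <sched.h> hides them behind feature macros. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif

/* Render one line of /proc/PID/{uid,gid}_map: "inside outside count". */
int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside, unsigned count)
{
  return snprintf(buf, size, "%u %u %u\n", inside, outside, count);
}

static int write_file(const char *path, const char *text)
{
  int fd = open(path, O_WRONLY | O_CLOEXEC);
  if (fd < 0) return -errno;
  ssize_t n = write(fd, text, strlen(text));
  int err = errno;
  close(fd);
  return n < 0 ? -err : 0;
}

/* Map the caller's effective IDs to 0 inside the fresh user namespace.  An
   unprivileged writer may only map its own ID, and may only write gid_map
   after writing "deny" to setgroups (Linux >= 3.19; absent on older kernels). */
static int map_self_as_root(uid_t uid, gid_t gid)
{
  char line[64];
  int r = write_file("/proc/self/setgroups", "deny");
  if (r < 0 && r != -ENOENT) return r;
  format_id_map(line, sizeof line, 0, (unsigned) uid, 1);
  if ((r = write_file("/proc/self/uid_map", line)) < 0) return r;
  format_id_map(line, sizeof line, 0, (unsigned) gid, 1);
  return write_file("/proc/self/gid_map", line);
}

struct container_view {
  int err;          /* 0, or errno of the step that failed */
  pid_t libc_pid;   /* getpid() through glibc (cached before glibc 2.25) */
  pid_t raw_pid;    /* getpid as a direct syscall, never cached */
  uid_t uid;        /* getuid(): 0 once the mapping is in place */
};

static void send_view(int fd, const struct container_view *v)
{
  if (write(fd, v, sizeof *v) != (ssize_t) sizeof *v) _exit(1);
}

/* Run the experiment in a throw-away child so the caller keeps its own
   namespaces.  Returns 0 and fills *out, or -errno. */
int probe_container(struct container_view *out)
{
  int fds[2];
  struct container_view v = {0};
  if (pipe(fds) < 0) return -errno;
  pid_t child = fork();
  if (child < 0) return -errno;
  if (child == 0) {
    uid_t uid = geteuid();
    gid_t gid = getegid();
    long inner = -1;
    int r;
    close(fds[0]);
    /* unshare(CLONE_NEWPID) does not move the caller; its next child is PID 1. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWPID) < 0)
      v.err = errno;
    else if ((r = map_self_as_root(uid, gid)) < 0)
      v.err = -r;
    else {
      /* Fork-equivalent raw clone, as an FFI binding issues it: glibc's
         fork()/clone() wrappers, and whatever they refresh, are bypassed. */
      inner = syscall(SYS_clone, SIGCHLD, 0, 0, 0, 0);
      if (inner < 0) v.err = errno;
    }
    if (inner == 0) {                      /* we are PID 1 of the new namespace */
      v.libc_pid = getpid();
      v.raw_pid = (pid_t) syscall(SYS_getpid);
      v.uid = getuid();
      send_view(fds[1], &v);
      _exit(0);
    }
    if (inner > 0) waitpid((pid_t) inner, NULL, 0);   /* reap PID 1 */
    else send_view(fds[1], &v);                       /* report the failure */
    _exit(0);
  }
  close(fds[1]);
  ssize_t n = read(fds[0], &v, sizeof v);
  close(fds[0]);
  waitpid(child, NULL, 0);
  if (n != (ssize_t) sizeof v) return -EIO;
  *out = v;
  return v.err ? -v.err : 0;
}

int main(void)
{
  struct container_view v;
  int r = probe_container(&v);
  if (r < 0) { fprintf(stderr, "probe failed: %s\n", strerror(-r)); return 1; }
  printf("inside: getpid()=%d raw getpid=%d getuid()=%u\n",
         (int) v.libc_pid, (int) v.raw_pid, (unsigned) v.uid);
  return 0;
}
```

Build with `gcc -Wall -o probe probe.c` and run as an ordinary user: with a current glibc both PID values are 1 and the UID is 0; where the kernel or a seccomp policy refuses unprivileged user namespaces, the probe reports EPERM (or ENOSYS on a kernel built without them) rather than a view. If the two PID values ever differ, the libc one is the stale cached value.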

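For the 'guix container exec' failure in the backtrace above, here is the sequence such a command has to perform, as an added example (written for this page, not Guix's code and not part of the message): open each /proc/PID/ns/* entry, setns(2) into the user namespace first, then fork and exec, because a joined PID namespace only applies to subsequent children. The function names enter_namespaces, explain_setns_error and exec_in_container are this example's own. An EINVAL from setns on a user namespace covers several cases the manual page lists with that errno: the caller is multithreaded, shares CLONE_FS state with another process, or is already a member of that user namespace; which one applies has to be established separately.

```c
/* Added example, not Guix code: join the namespaces of a running container
   process and run a command there.  Assumes Linux with /proc mounted, a
   single-threaded caller, and CAP_SYS_ADMIN in the target user namespace. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Join order matters: membership in the user namespace is what grants the
   capabilities needed to join the others, so it comes first. */
static const char *const ns_order[] = { "user", "mnt", "uts", "ipc", "net", "pid" };
#define NS_COUNT (sizeof ns_order / sizeof ns_order[0])

/* Join each namespace of PID in turn.  Returns 0, or -errno of the first
   failing step, whose namespace name is stored in *failed. */
int enter_namespaces(pid_t pid, const char **failed)
{
  char path[64];
  for (size_t i = 0; i < NS_COUNT; i++) {
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int) pid, ns_order[i]);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) { *failed = ns_order[i]; return -errno; }
    /* nstype 0: accept whatever kind of namespace the descriptor refers to. */
    int rc = (int) syscall(SYS_setns, fd, 0);
    int err = errno;
    close(fd);
    if (rc < 0) { *failed = ns_order[i]; return -err; }
  }
  return 0;
}

/* The cases setns(2) documents for EINVAL/EPERM; errno alone does not
   distinguish them, so name the candidates for the operator. */
const char *explain_setns_error(int err, const char *ns)
{
  if (err == EINVAL && strcmp(ns, "user") == 0)
    return "caller is multithreaded, shares CLONE_FS state, or is already "
           "a member of that user namespace";
  if (err == EINVAL && strcmp(ns, "pid") == 0)
    return "target is an ancestor of, or unrelated to, the caller's PID namespace";
  if (err == EPERM)
    return "caller lacks CAP_SYS_ADMIN in the target namespace";
  return strerror(err);
}

/* Joining a PID namespace affects only children, so the command runs in a
   fresh child: fork, then exec.  Returns the command's exit status, or -errno. */
int exec_in_container(pid_t pid, char *const argv[])
{
  const char *failed = NULL;
  int r = enter_namespaces(pid, &failed);
  if (r < 0) {
    fprintf(stderr, "setns(%s): %s\n", failed, explain_setns_error(-r, failed));
    return r;
  }
  pid_t child = fork();
  if (child < 0) return -errno;
  if (child == 0) { execvp(argv[0], argv); _exit(127); }
  int status;
  if (waitpid(child, &status, 0) < 0) return -errno;
  return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char *argv[])
{
  if (argc < 3) { fprintf(stderr, "usage: %s PID COMMAND [ARGS...]\n", argv[0]); return 2; }
  int r = exec_in_container((pid_t) atoi(argv[1]), argv + 2);
  return r < 0 ? 1 : r;
}
```

Run it as `./nsexec PID /bin/ls /` against a container PID; pointing it at its own PID is a quick way to see the user-namespace EINVAL, since a process may not re-enter the user namespace it is already in.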

