[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Update on GuixSD containers
From: |
Thompson, David |
Subject: |
Re: Update on GuixSD containers |
Date: |
Thu, 11 Jun 2015 10:51:11 -0400 |
On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <address@hidden> wrote:
> "Thompson, David" <address@hidden> skribis:
>
>> I'd like to give a quick update on the state of wip-container branch.
>> As of this morning, one can run the below commands and have a somewhat
>> functional GuixSD container:
>>
>> # Hardcoded /tmp/container as the container root directory until I
>> # add a command line switch.
>> mkdir /tmp/container
>> guix system container container-config.scm
>
> Wonderful! I’ve given it a try, and it works as advertised. ;-)
> I was a bit afraid the first time I ran the ‘run-container’ script as
> root, but everything went like a charm.
Yeah, running as root is a bit scary. With working user namespaces it
should become less scary. I just don't know how to reasonably start a
system with users of its own that are allowed to write to the file
system. Everything I've tried thus far has failed. I thought that
mapping the uid/gid 0 in the namespace to uid/gid 0 outside of the
namespace would be enough to boot the system, but it didn't work.
> I tried adding this dummy service:
>
> (define (bash-service)
> (with-monad %store-monad
> (return (service
> (documentation "Run Bash from PID 1.")
> (provision '(shell))
> (start #~(make-forkexec-constructor
> (string-append #$bash "/bin/bash")))
> (stop #~(make-kill-destructor))
> (respawn? #t)))))
>
> ... but it dies for some reason. So no shell prompt.
I wouldn't expect that to work because bash isn't actually run in your
tty. To create an interactive environment within the container (or
run any arbitrary program), we need a tool that calls setns() with
open file descriptors for all of the container's namespaces and then
exec() the desired command. I threw together a tool to do this
quickly, but for some reason joining the mount namespace fails with
EINVAL. I have no idea why. Joining the IPC, UTS, PID, and network
namespaces isn't a problem. Enlightenment needed!
>> For the long term, we'll need a container daemon to keep track of all
>> containers on the system to allow for easily starting and stopping
>> them (right now you have to 'sudo kill -9 <dmd pid>'), spawning new
>> processes within them (for example, launching bash for an interactive
>> environment), and whatever else we might want.
>
> Having launched a bunch of containers and then hacked to kill all the
> dmds, I can see why keeping track of containers matters. :-)
>
> Until there’s a daemon to keep track of containers, “guix system
> container” could return the PID of the container’s PID1, to make it
> easier to kill it later?
I'm actually unsure how to acquire the PID of the container's init
process since I clone and exec. Any ideas?
> It’s a shame that only CLONE_NEWUSER is available to non-root users. I
> wonder what the rationale was. AIUI, Docker’s daemon performs clone(2)
> on behalf of clients, right?
Yeah, our daemon would do the same thing. We could maybe even have a
little Guile library that allows one to evaluate arbitrary scheme code
from within the container. :)
- Dave
- Update on GuixSD containers, Thompson, David, 2015/06/08
- Re: Update on GuixSD containers, Ludovic Courtès, 2015/06/09
- Re: Update on GuixSD containers,
Thompson, David <=
- Re: Update on GuixSD containers, Ludovic Courtès, 2015/06/12
- Re: Update on GuixSD containers, Thompson, David, 2015/06/12
- Re: Update on GuixSD containers, Ludovic Courtès, 2015/06/13
- Re: Update on GuixSD containers, Thompson, David, 2015/06/13
- Re: Update on GuixSD containers, Ludovic Courtès, 2015/06/13
- Re: Update on GuixSD containers, Thompson, David, 2015/06/16
- Re: Update on GuixSD containers, Ludovic Courtès, 2015/06/19
- Re: Update on GuixSD containers, Thompson, David, 2015/06/19