
Re: Building Docker images of GuixSD


From: Ludovic Courtès
Subject: Re: Building Docker images of GuixSD
Date: Fri, 17 Nov 2017 22:14:54 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hi Chris,

Chris Marusich <address@hidden> wrote:

> Run GuixSD in Docker
> ====================
>
> The attached patch makes it possible to build a GuixSD Docker image from
> an operating system configuration file.

For some reason, I had overlooked this message, but it’s awesome!

> Pretty neat!

Yup!

> Problems I Noticed
> ==================

[...]

> Second, I noticed the following error in the Guix daemon's logs.  It
> might be benign, since package installation worked fine, but I'm not
> sure what it means or how to debug it:
>
>     error in finalization thread: Bad file descriptor

I’ve noticed this since we use Shepherd on Guile 2.2, but I haven’t
checked where that comes from; it doesn’t seem to be a serious issue.
;-)  Anyway, it’s not related to your experiment.

> Third, I noticed that the shepherd failed to start syslogd and nscd (and
> user-homes, although I wasn't as concerned about that because the home
> directory for alice did in fact get created).

[...]

> I thought maybe syslogd wasn't working because /dev/log hadn't been
> created in the Docker image, so I tried creating it manually.  However,
> that didn't help; the Shepherd still couldn't start syslogd.

Hmm, I would have thought /dev/log was the issue.  Any other hints?

> Fourth, I wasn't able to run GuixSD in a Docker container without
> supplying the "--privileged" option.  GuixSD writes to sysfs during boot
> (I don't know why, but the details are apparently in
> guix/gnu/build/activation.scm), so the only way to get GuixSD to start
> is to run the container in privileged mode.  This is unfortunate,
> because privileged mode sounds quite dangerous for a lot of reasons.

I don’t think so: there’s a special case for when one creates a
container with ‘guix system container’ that disables this kind of thing.
I guess we should use it here.  It’s mostly about passing #:container? #f 
somewhere.

> From 25d5527b14302fc835af5c338bf37cf621c63a4e Mon Sep 17 00:00:00 2001
> From: Chris Marusich <address@hidden>
> Date: Sat, 21 Oct 2017 14:40:58 -0700
> Subject: [PATCH] Make it possible to build GuixSD docker images
>
> ---
>  gnu/build/linux-boot.scm    |   5 +-
>  gnu/build/vm.scm            |  14 ++--
>  gnu/system/linux-initrd.scm |  12 ++--
>  gnu/system/vm.scm           | 169 
> ++++++++++++++++++++++++++++++++++++++------
>  guix/docker.scm             |  23 ++++--
>  guix/scripts/pack.scm       |   5 +-
>  guix/scripts/system.scm     |   3 +-
>  7 files changed, 191 insertions(+), 40 deletions(-)

[...]

> +      (cond ((string=? "iso9660" file-system-type)
> +             (iso9660-image #:name name
> +                            #:file-system-label root-label
> +                            #:file-system-uuid root-uuid
> +                            #:os-drv os-drv
> +                            #:register-closures? #t
> +                            #:bootcfg-drv bootcfg
> +                            #:bootloader (bootloader-configuration-bootloader
> +                                           (operating-system-bootloader os))
> +                            #:inputs `(("system" ,os-drv)
> +                                       ("bootcfg" ,bootcfg))))
> +            ((string=? "docker" file-system-type)
> +             (display "made it to docker image part\n")
> +             (os-docker-image #:name name
> +                              #:os-drv os-drv
> +                              #:register-closures? #t))
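Review bot: the `(display "made it to docker image part\n")` call in the new "docker" branch is a leftover debugging trace written to the current output port; drop it before this is merged, so that the branch reads simply `((string=? "docker" file-system-type) (os-docker-image #:name name #:os-drv os-drv #:register-closures? #t))`. As written it also makes the image-building procedure print to whatever port the caller has current, which is surprising for a build step.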

I’m not sure this is the right place for it since “docker” is not a file
system type.  Perhaps we need a separate procedure instead?

> @@ -106,7 +107,9 @@ return \"a\"."
>                               #:key closure compressor
>                               (symlinks '())
>                               (system (utsname:machine (uname)))
> -                             (creation-time (current-time time-utc)))
> +                             (creation-time (current-time time-utc))
> +                             (tmpdir "/tmp")
> +                             extra-items-dir)
>    "Write to IMAGE a Docker image archive from the given store PATH.  The 
> image
>  contains the closure of PATH, as specified in CLOSURE (a file produced by
>  #:references-graphs).  SYMLINKS must be a list of (SOURCE -> TARGET) tuples
> @@ -116,7 +119,7 @@ binaries at PATH are for; it is used to produce metadata 
> in the image.
>  
>  Use COMPRESSOR, a command such as '(\"gzip\" \"-9n\"), to compress IMAGE.  
> Use
>  CREATION-TIME, a SRFI-19 time-utc object, as the creation time in metadata."
> -  (let ((directory "/tmp/docker-image")           ;temporary working 
> directory
> +  (let ((directory (string-append tmpdir "/docker-image")) ;temporary 
> working directory
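Review bot: `(string-append tmpdir "/docker-image")` keeps a fixed, predictable directory name under a possibly shared temporary directory, so two builds using the same tmpdir collide, and when tmpdir is world-writable a pre-existing entry created by another user is reused rather than a fresh one. Creating the working directory with a mkdtemp-style call (a fresh, unpredictable name under the chosen base directory) avoids both problems, and defaulting that base to $TMPDIR would remove the need for a separate `tmpdir` keyword argument.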

Why do we need that?  Would it be enough to honor $TMPDIR?

> --- a/guix/scripts/system.scm
> +++ b/guix/scripts/system.scm
> @@ -638,8 +638,9 @@ any, are available.  Raise an error if they're not."
>                                              #:mappings mappings))
>      ((disk-image)
>       (system-disk-image os
> -                        #:name (match file-system-type
> +                        #:name (match (pk file-system-type)
>                                   ("iso9660" "image.iso")
> +                                 ("docker" "docker-image")
>                                   (_         "disk-image"))
>                          #:disk-image-size image-size
>                          #:file-system-type file-system-type))))
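Review bot: `(match (pk file-system-type) ...)` leaves a `pk` debugging wrapper in the dispatch; `pk` prints its argument and returns it unchanged, so this should be reverted to `(match file-system-type ...)` before merging, keeping only the new `("docker" "docker-image")` clause.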

Perhaps we could have a separate ‘guix system docker-image’ command?  Or
‘guix system container -f docker’?  WDYT?

Once we’ve sorted out these minor issues, it would be great if you could
send polished patches.  This is something we should add!

Thank you,
Ludo’.


