Re: Update on GuixSD containers
From: Ludovic Courtès
Subject: Re: Update on GuixSD containers
Date: Fri, 12 Jun 2015 17:08:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
"Thompson, David" <address@hidden> writes:
> On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <address@hidden> wrote:
[...]
>> I tried adding this dummy service:
>>
>> (define (bash-service)
>>   (with-monad %store-monad
>>     (return (service
>>              (documentation "Run Bash from PID 1.")
>>              (provision '(shell))
>>              (start #~(make-forkexec-constructor
>>                        (string-append #$bash "/bin/bash")))
>>              (stop #~(make-kill-destructor))
>>              (respawn? #t)))))
>>
>> ... but it dies for some reason. So no shell prompt.
>
> I wouldn't expect that to work because bash isn't actually run in your
> tty. To create an interactive environment within the container (or
> run any arbitrary program), we need a tool that calls setns() with
> open file descriptors for all of the container's namespaces and then
> exec() the desired command. I threw together a tool to do this
> quickly, but for some reason joining the mount namespace fails with
> EINVAL. I have no idea why. Joining the IPC, UTS, PID, and network
> namespaces isn't a problem. Enlightenment needed!
Oh, I see. setns(2) specifies 6 reasons for EINVAL...
>> Until there’s a daemon to keep track of containers, “guix system
>> container” could return the PID of the container’s PID1, to make it
>> easier to kill it later?
>
> I'm actually unsure how to acquire the PID of the container's init
> process since I clone and exec. Any ideas?
Isn’t it the return value of ‘clone’?
>> It’s a shame that only CLONE_NEWUSER is available to non-root users. I
>> wonder what the rationale was. AIUI, Docker’s daemon performs clone(2)
>> on behalf of clients, right?
>
> Yeah, our daemon would do the same thing. We could maybe even have a
> little Guile library that allows one to evaluate arbitrary scheme code
> from within the container. :)
Definitely. Another application I’ve always wanted is a least-authority
shell, like Plash [0].
(Speaking of which, I just found Shill [1], which seems similar to Plash
and even has a to-do item regarding package management [2] and is
written in Racket; unfortunately it runs on FreeBSD, for Capsicum.)
Thanks,
Ludo’.
[0] http://plash.beasts.org/contents.html
[1] http://shill.seas.harvard.edu/
[2] http://shill.seas.harvard.edu/projects.html
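The "enter the container and exec a command" tool discussed in the quoted reply, written out as an added example (this is not David's tool and not code from Guix): it opens every namespace fd under /proc/PID/ns/ before the first setns(2) call, joins the mount namespace last, and forks before exec because a CLONE_NEWPID join only applies to children. The PID it takes is the one the creator got back from clone(2). It also carries the check a practitioner wants for the EINVAL puzzle above: setns(2) documents that a task sharing CLONE_FS state with another task cannot join a mount namespace, which is the situation for any multithreaded caller, so the tool refuses to proceed when /proc/self/status reports more than one thread. The namespace list, function names and the thread-count heuristic are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespaces joined, in join order.  mnt goes last: after it is joined,
   /proc may no longer be the caller's, which is also why every fd is
   opened before the first setns() call.  (user is left out: joining it
   is subject to different rules and the container here does not use it.) */
struct ns_entry { const char *name; int flag; };
static const struct ns_entry namespaces[] = {
  { "ipc", CLONE_NEWIPC },
  { "uts", CLONE_NEWUTS },
  { "net", CLONE_NEWNET },
  { "pid", CLONE_NEWPID },
  { "mnt", CLONE_NEWNS  },
};
#define NS_COUNT (sizeof namespaces / sizeof namespaces[0])

/* Map a /proc/PID/ns/ entry name to its CLONE_* flag; -1 if unknown. */
int ns_flag_for_name(const char *name)
{
  for (size_t i = 0; i < NS_COUNT; i++)
    if (strcmp(namespaces[i].name, name) == 0)
      return namespaces[i].flag;
  return -1;
}

/* Extract the "Threads:" value from a /proc/self/status buffer; -1 if absent. */
int thread_count_from_status(const char *status)
{
  const char *p = strstr(status, "Threads:");
  if (p == NULL)
    return -1;
  return (int) strtol(p + strlen("Threads:"), NULL, 10);
}

/* Thread count of the calling process; -1 if /proc is unavailable. */
int current_thread_count(void)
{
  char buf[4096];
  int fd = open("/proc/self/status", O_RDONLY);
  if (fd < 0)
    return -1;
  ssize_t n = read(fd, buf, sizeof buf - 1);
  close(fd);
  if (n <= 0)
    return -1;
  buf[n] = '\0';
  return thread_count_from_status(buf);
}

/* Attach to every namespace of TARGET (needs CAP_SYS_ADMIN), then fork and
   exec ARGV inside.  Returns the child's PID as seen by the caller, or -1
   with errno set. */
pid_t enter_and_exec(pid_t target, char *const argv[])
{
  int fds[NS_COUNT];
  char path[64];

  /* A multithreaded caller shares CLONE_FS state, so the mnt join would
     fail with EINVAL; refuse up front with a clear error instead. */
  if (current_thread_count() > 1) {
    errno = EINVAL;
    return -1;
  }

  for (size_t i = 0; i < NS_COUNT; i++) {
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long) target, namespaces[i].name);
    fds[i] = open(path, O_RDONLY | O_CLOEXEC);
    if (fds[i] < 0) {
      while (i-- > 0) close(fds[i]);
      return -1;
    }
  }

  for (size_t i = 0; i < NS_COUNT; i++) {
    if (setns(fds[i], namespaces[i].flag) < 0) {
      int saved = errno;
      fprintf(stderr, "setns(%s): %s\n", namespaces[i].name, strerror(saved));
      for (size_t j = 0; j < NS_COUNT; j++) close(fds[j]);
      errno = saved;
      return -1;
    }
  }
  for (size_t i = 0; i < NS_COUNT; i++) close(fds[i]);

  pid_t child = fork();            /* child lands in the joined pid namespace */
  if (child == 0) {
    execvp(argv[0], argv);
    _exit(127);
  }
  return child;
}

int main(int argc, char *argv[])
{
  if (argc < 3) {
    fprintf(stderr, "usage: %s PID COMMAND [ARGS...]\n", argv[0]);
    return 2;
  }
  pid_t child = enter_and_exec((pid_t) strtol(argv[1], NULL, 10), argv + 2);
  if (child < 0) { perror("enter_and_exec"); return 1; }
  int status;
  waitpid(child, &status, 0);
  return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root with the container's PID 1 (the value clone(2) returned to the creator) and a command such as `/bin/bash`; an unprivileged run fails at open() or setns() with EACCES or EPERM rather than silently running the command outside the container. The thread-count check is a heuristic: it does not detect CLONE_FS sharing with a separate process, but it catches the common case of a runtime that starts helper threads before the join.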