
Re: Update on GuixSD containers


From: Ludovic Courtès
Subject: Re: Update on GuixSD containers
Date: Fri, 12 Jun 2015 17:08:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

"Thompson, David" <address@hidden> skribis:

> On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <address@hidden> wrote:

[...]

>> I tried adding this dummy service:
>>
>>   (define (bash-service)
>>     (with-monad %store-monad
>>       (return (service
>>                (documentation "Run Bash from PID 1.")
>>                (provision '(shell))
>>                (start #~(make-forkexec-constructor
>>                          (string-append #$bash "/bin/bash")))
>>                (stop #~(make-kill-destructor))
>>                (respawn? #t)))))
>>
>> ... but it dies for some reason.  So no shell prompt.
>
> I wouldn't expect that to work because bash isn't actually run in your
> tty.  To create an interactive environment within the container (or
> run any arbitrary program), we need a tool that calls setns() with
> open file descriptors for all of the container's namespaces and then
> exec() the desired command.  I threw together a tool to do this
> quickly, but for some reason joining the mount namespace fails with
> EINVAL.  I have no idea why.  Joining the IPC, UTS, PID, and network
> namespaces isn't a problem.  Enlightenment needed!

Oh, I see.  setns(2) specifies 6 reasons for EINVAL...

>> Until there’s a daemon to keep track of containers, “guix system
>> container” could return the PID of the container’s PID1, to make it
>> easier to kill it later?
>
> I'm actually unsure how to acquire the PID of the container's init
> process since I clone and exec.  Any ideas?

Isn’t it the return value of ‘clone’?

>> It’s a shame that only CLONE_NEWUSER is available to non-root users.  I
>> wonder what the rationale was.  AIUI, Docker’s daemon performs clone(2)
>> on behalf of clients, right?
>
> Yeah, our daemon would do the same thing.  We could maybe even have a
> little Guile library that allows one to evaluate arbitrary scheme code
> from within the container. :)

Definitely.  Another application I’ve always wanted is a least-authority
shell, like Plash [0].

(Speaking of which, I just found Shill [1], which seems similar to Plash
and even has a to-do item regarding package management [2] and is
written in Racket; unfortunately it runs on FreeBSD, for Capsicum.)

Thanks,
Ludo’.

[0] http://plash.beasts.org/contents.html
[1] http://shill.seas.harvard.edu/
[2] http://shill.seas.harvard.edu/projects.html
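The "join" tool described in the quoted message (open a file descriptor for each of a container's namespaces, call setns() on each, then exec the command) and the point that the container's init PID is simply what clone() returned, written out as an added example; this is not code from the thread or from Guix. It assumes Linux with /proc mounted, a target PID obtained by whoever called clone(), and a hypothetical tool name `nsjoin`. Because setns(2) reports every refusal as EINVAL or EPERM without saying which namespace, the tool names the failing namespace, skips namespaces the caller is already in (joining one's own user namespace is one of the EINVAL cases), and forks once after joining so the command really lands in the PID namespace.

```c
/* nsjoin: join a running container's namespaces and exec a command there.
 * Added example, not Guix code.  Assumes Linux and a mounted /proc. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototype and flag fallbacks in case the feature macros were fixed before
 * our #define (an earlier <assert.h> include, say); values are the kernel's. */
extern int setns(int fd, int nstype);
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif

/* Namespaces as named under /proc/<pid>/ns/, in join order: user first,
 * since membership there grants the capabilities the other five require. */
struct ns_kind { const char *name; int flag; };
static const struct ns_kind NS_KINDS[] = {
    { "user", CLONE_NEWUSER }, { "ipc", CLONE_NEWIPC }, { "uts", CLONE_NEWUTS },
    { "net",  CLONE_NEWNET  }, { "pid", CLONE_NEWPID }, { "mnt", CLONE_NEWNS },
};
#define NS_COUNT (sizeof NS_KINDS / sizeof NS_KINDS[0])

/* CLONE_* flag for a /proc/<pid>/ns entry name, or -1 if unknown. */
int ns_flag(const char *name)
{
    for (size_t i = 0; i < NS_COUNT; i++)
        if (strcmp(NS_KINDS[i].name, name) == 0)
            return NS_KINDS[i].flag;
    return -1;
}

/* Write "/proc/<pid>/ns/<name>" into buf; -1 if it does not fit. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if we already share namespace NAME with PID, 0 if not, -1 on error.
 * Two processes are in the same namespace iff their ns files have the same
 * device and inode numbers.  Joining a namespace we are already in is
 * pointless and, for the user namespace, fails with EINVAL, so we skip it. */
int same_ns(pid_t pid, const char *name)
{
    char mine[64], theirs[64];
    struct stat a, b;
    if (ns_path(getpid(), name, mine, sizeof mine) < 0 ||
        ns_path(pid, name, theirs, sizeof theirs) < 0)
        return -1;
    if (stat(mine, &a) < 0 || stat(theirs, &b) < 0)
        return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Move the calling process into every namespace of PID it is not already in.
 * All fds are opened before the first setns(): once we enter the target mount
 * namespace, /proc may no longer be the /proc we started from.  Returns 0, or
 * -1 after printing which namespace refused us and why.  The kernel refuses a
 * mount-namespace join with EINVAL when the caller shares filesystem state
 * with another thread, so a multithreaded runtime should fork a
 * single-threaded helper such as this one to do the joining. */
int join_namespaces(pid_t pid)
{
    int fds[NS_COUNT], rc = 0;
    char path[64];
    for (size_t i = 0; i < NS_COUNT; i++) fds[i] = -1;
    for (size_t i = 0; rc == 0 && i < NS_COUNT; i++) {
        if (same_ns(pid, NS_KINDS[i].name) == 1) continue;
        if (ns_path(pid, NS_KINDS[i].name, path, sizeof path) < 0 ||
            (fds[i] = open(path, O_RDONLY | O_CLOEXEC)) < 0) {
            fprintf(stderr, "open %s/ns/%s: %s\n", "/proc/<pid>",
                    NS_KINDS[i].name, strerror(errno));
            rc = -1;
        }
    }
    for (size_t i = 0; rc == 0 && i < NS_COUNT; i++) {
        if (fds[i] >= 0 && setns(fds[i], NS_KINDS[i].flag) < 0) {
            fprintf(stderr, "setns(%s): %s\n", NS_KINDS[i].name, strerror(errno));
            rc = -1;
        }
    }
    for (size_t i = 0; i < NS_COUNT; i++)
        if (fds[i] >= 0) close(fds[i]);
    return rc;
}

/* Usage: ./nsjoin <pid-of-container-init> <command> [args...]
 * The PID is the value clone(2) returned to whoever created the container.
 * Joining a PID namespace only affects future children, hence the extra
 * fork() before exec. */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <pid> <command> [args...]\n", argv[0]);
        return 2;
    }
    if (join_namespaces((pid_t)strtol(argv[1], NULL, 10)) < 0)
        return 1;
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) { execvp(argv[2], argv + 2); perror(argv[2]); _exit(127); }
    int status;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as `nsjoin $PID /bin/bash` from a process that holds CAP_SYS_ADMIN in the container's user namespace (root, or the unprivileged user that created it with CLONE_NEWUSER); the stderr line on failure tells you which of the six joins was refused, which is the first thing to know before reading the EINVAL list in setns(2).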


