[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Building Docker images of GuixSD
|
From: |
Chris Marusich |
|
Subject: |
Re: Building Docker images of GuixSD |
|
Date: |
Fri, 15 Dec 2017 18:30:42 -0800 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Christopher Baines <address@hidden> writes:
> Unfortunately, while I could get a shell using "docker exec ...", I had
> to start the guix-daemon manually as the shepherd service didn't seem to
> work, at least initially. Also, when I had started it, I tried
> installing a package, and there was some promising output to start off
> with, but then it failed with:
>
> guix package: error: build failed: cloning builder process: Operation
> not permitted
>
> Anyway, this is all pretty great! Awesome work getting this far. I'm
> very excited to see what services will run this way, as Docker could
> provide, albeit with some overhead, a layer of interoperability between
> software that can handle Docker containers, and Guix.
I tried making the changes you suggested. I launched a container
without using docker's --privileged option. However, the "boot" script
failed because something couldn't mount something in the container. I
am not excited about the idea of trying to figure out which esoteric
combination of capabilities [1] are needed to run without the
--privileged option, but I suppose that is necessary if I want to
minimize the container's access to the host system.
To be honest, I find it puzzling that Docker requires me to think so
much about the capabilities in the first place. Perhaps I'm naive, but
I had hoped that within a Docker container, everything would be
"private" in the sense that, as root in the container, I can do anything
and everything, including mounting, including creating device nodes, and
no changes will be visible outside of the container. The fact that that
is not the case (at least by default) comes as quite a surprise to me.
I also noticed that some services, like nscd, failed to start. No error
messages anywhere except Shepherd saying something like "could not start
service nscd". How do I begin to debug something like that? All I can
think of is to inspect the Guix code that runs the service, and the
Shepherd code, commit time to learning about it, and then hopefully find
a way to insert debug statements of some kind that give me a hint about
what's going wrong. Is there a faster, better way?
[1] https://docs.docker.com/engine/security/security/#linux-kernel-capabilities
--
Chris
signature.asc
Description: PGP signature