Re: Creating a container from a container
Hello!

Konrad Hinsen writes:

> I am trying to run "guix shell -C" inside another container created with
> "guix shell -C". I figured out that I need to take care of three
> aspects:

I realize I had never tried this, but it sounds fun. :-)

This works well for me:

--8<---cut here---start->8---
$ guix describe
Generation 232	Oct 13 2022 16:14:01	(current)
  guix 8b192c5
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 8b192c5550213911f930594f4fd7386f36618237
$ guix shell --expose=/gnu/store --expose=/var/guix/daemon-socket -C guix -- guix shell -C coreutils
[env]$ ls /gnu/store/
094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib
5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33
720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8
8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32
9rrnm5hdjw7cy96a2a9rfgh6y08wsbmf-ncurses-6.2.20210619
a38k2v29l6l0iz6pmlk4dmzwdbvl10lq-acl-2.3.1
a7ggx0af69gv4k5mr1k617p4vy9kgx2v-libcap-2.62
d99ykvj3axzzidygsmdmzxah4lvxd6hw-bash-5.1.8
fwbiihd2sbhai63y1pvvdh0f2bakfzrf-gmp-6.2.1
jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5.1
jlp9lzac8bcd6dlfmgzy2wsplz7nwb8r-profile
sp6gqzyczlnxas8pmhpsjfn4lv2az4n0-emacs-subdirs
wcwls45278gzpjvwlvrrs1y7h30g44xh-readline-8.1.1
xx946lncjfqic6dg1pgaisg09jy8fqka-info-dir
--8<---cut here---end--->8---

> With those precautions, my setup works some of the time but in other
> conditions (which I haven't yet identified) I get the error message
>
> guix shell: error: mount: mount "none" on "/tmp/guix-directory.K4MoFR/sys":
> Operation not permitted

It’s weird that it’s not deterministic.

Could you prepend your command with:

  strace -f -o /tmp/log -s 100

and share /tmp/log?

What does ‘uname -rv’ report?  Is this on a foreign distro?

Thanks,
Ludo’.
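The strace log requested in the reply above can run to thousands of lines; the failing mount(2) call is usually the one line that matters. The script below is an added example (not code from the thread or from Guix) that lists every mount(2) call in an `strace -f` log that returned EPERM, with the target path and filesystem type pulled out. It assumes strace's default line format (`<pid>  mount("src", "target", "fstype", flags, data) = -1 EPERM (...)`); the sample log it carries is constructed, not real strace output, and reuses the /sys path quoted in the error message.

```sh
#!/bin/sh
# Added example, not from the thread: a first pass over an `strace -f -o /tmp/log`
# file, listing every mount(2) call that failed with EPERM so the failing target
# and filesystem type can be read off without scrolling the whole log.
# Assumes strace's default line format:
#   <pid>  mount("src", "target", "fstype", flags, data) = -1 EPERM (...)
# Calls split across "<unfinished ...>" / "<... mount resumed>" lines are not reassembled.

# Constructed sample log (not real strace output) in the shape of a failed nested
# "guix shell -C"; the /sys path is the one quoted in the error message.
sample_log() {
    cat <<'EOF'
4242  unshare(CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET) = 0
4242  mount("/gnu/store", "/tmp/guix-directory.K4MoFR/gnu/store", NULL, MS_BIND|MS_REC, NULL) = 0
4242  mount("none", "/tmp/guix-directory.K4MoFR/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
4242  mount("none", "/tmp/guix-directory.K4MoFR/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
4242  write(2, "guix shell: error: mount: mount \"none\" on \"/tmp/guix-directory.K4MoFR/sys\": Operation not permitted\n", 97) = 97
EOF
}

# failed_mounts [LOG...]: print "pid=... target=... fstype=... source=..." for each
# mount(2) line that returned -1 EPERM. Reads the given log files, or stdin if none.
failed_mounts() {
    awk '
        /^[0-9]+ +mount\(/ && /\) += -1 EPERM/ {
            args = $0
            sub(/^[0-9]+ +mount\(/, "", args)      # drop "<pid>  mount("
            sub(/\) += -1 EPERM.*$/, "", args)    # drop the return value and errno text
            n = split(args, a, ", ")             # source, target, fstype, flags, data
            for (i = 1; i <= n; i++) gsub(/^"|"$/, "", a[i])
            printf "pid=%s target=%s fstype=%s source=%s\n", $1, a[2], a[3], a[1]
        }
    ' "$@"
}

# Usage: failed_mounts /tmp/log        (or: sample_log | failed_mounts)
```

Run against the real log as `failed_mounts /tmp/log`; a bind mount shows up with `fstype=NULL`, which is the quickest way to tell the `--expose` mounts apart from the sysfs and proc mounts.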
Re: Creating a container from a container
Konrad Hinsen writes:

> In case it matters, I use -N for the outer container (in which I
> use wget to fetch files), but not for the inner containers (the ones
> whose creation causes the error).

It does seem to matter... if I add -N for the inner container as well,
the error disappears. Which provides a workaround, but I'd really like to
understand what is going on here!

Cheers,
  Konrad
Creating a container from a container
Hi everyone,

I am trying to run "guix shell -C" inside another container created with
"guix shell -C". I figured out that I need to take care of three
aspects:

 - Include the package "guix" in the outer container.
 - --expose=/gnu/store such that guix-in-the-container can access the store
 - --expose=/var/guix/daemon-socket/socket such that guix-in-the-container
   can connect to the daemon

With those precautions, my setup works some of the time but in other
conditions (which I haven't yet identified) I get the error message

  guix shell: error: mount: mount "none" on "/tmp/guix-directory.K4MoFR/sys":
  Operation not permitted

when I try to run "guix shell" inside the outer container.

Browsing the Guix source code, I found the probable location where this
happens: in (gnu build linux-container), the procedure run-container calls

  (mount-file-systems root mounts
                      #:mount-/proc? (memq 'pid namespaces)
                      #:mount-/sys? (memq 'net namespaces))

which in turn does

  ;; A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in
  ;; the current network namespace.
  (when mount-/sys?
    (mount* "none" (scope "/sys") "sysfs"
            (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))

and that looks suspect in view of my error message. But I have no idea
why this happens, nor what that "network namespace" is or why it is
needed.

In case it matters, I use -N for the outer container (in which I use
wget to fetch files), but not for the inner containers (the ones whose
creation causes the error).

Does anybody have an idea of the cause of the error, and ideally a
solution or workaround?

Finally, some background as to why I am trying to do this: my outer
container runs a workflow (using good old "make"), which in turn contains
rules that create containers as well. I cannot run the workflow plus all
of its rules in a single container because different rules require
conflicting packages.

Thanks in advance,
  Konrad