Fwd: regression: “guix_ pack” Docker images no longer work on AWS

OpenSubmitted by Ricardo Wurmus.
Details
3 participants
  • Efraim Flashner
  • Ludovic Courtès
  • Ricardo Wurmus
Owner
unassigned
Severity
important
R
R
Ricardo Wurmus wrote on 26 Apr 17:16 +0200
Fwd: regression: “guix pack” Docker images no longer work on AWS
(address . bug-guix@gnu.org)
877dkpoz40.fsf@elephly.net
Hi Guix,
I’m using “guix pack”-generated Docker images on AWS ECS. On June 17,2020 I generated and uploaded an image that works fine. According toAWS this image has this manifest type:
application/vnd.docker.distribution.manifest.v2+json
Today I generated a new image that does not work. It cannot be openedby ECS; it cannot find /bin/sh, which exists. The manifest type is nowrecognized as
application/vnd.oci.image.manifest.v1+json
It also now detects an “Artifact media type” and prints it as
application/vnd.oci.image.config.v1+json
I’d very much like to push a newly generated image. Is there a way togenerate the image as it was done in the summer of 2020?
Note that both these images appear to work “fine” with a local Dockerinstallation (i.e. when run with “docker run”). (When running /bin/shin the container interactively it appears to freeze whenever I try toactually run a command, but perhaps I’m just holding it wrong…)
-- Ricardo
E
E
Efraim Flashner wrote on 27 Apr 08:55 +0200
Re: bug#48035: Fwd: regression : “guix pack” Docker images no longer work on AWS
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 48035@debbugs.gnu.org)
YIe1bN7aPJFkr54J@3900XT
On Mon, Apr 26, 2021 at 05:16:15PM +0200, Ricardo Wurmus wrote:
Toggle quote (28 lines)> > Hi Guix,> > I’m using “guix pack”-generated Docker images on AWS ECS. On June 17,> 2020 I generated and uploaded an image that works fine. According to> AWS this image has this manifest type:> > application/vnd.docker.distribution.manifest.v2+json> > Today I generated a new image that does not work. It cannot be opened> by ECS; it cannot find /bin/sh, which exists. The manifest type is now> recognized as> > application/vnd.oci.image.manifest.v1+json> > It also now detects an “Artifact media type” and prints it as> > application/vnd.oci.image.config.v1+json> > I’d very much like to push a newly generated image. Is there a way to> generate the image as it was done in the summer of 2020?> > Note that both these images appear to work “fine” with a local Docker> installation (i.e. when run with “docker run”). (When running /bin/sh> in the container interactively it appears to freeze whenever I try to> actually run a command, but perhaps I’m just holding it wrong…)>
On March 10th, a couple of days before your original message, docker wasupdated to 19.03.15 for some security fixes. Perhaps try locallyreverting that and see if it fixes your problem.
-- Efraim Flashner <efraim@flashner.co.il> אפרים פלשנרGPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351Confidentiality cannot be guaranteed on emails sent or received unencrypted
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmCHtWoACgkQQarn3Mo9g1ECmA//c3TeA3Cv8jMSfBScLLlE7CaOWbnaoGsfIc1TvkVe9hAHSCemyO2Ewy2d2saDF6XAAfusKtWsbzjcF0vXfONj7QHf7oAw4FaRplzLh9maJ/NhWwe8BEpxd1JhnXT6jwbzDOFO2/HYTW1txptvJtswENN2mHwcRYBRphRS3PX7bLok5B2Losl9LNB68gg49j0YOnuW90Y5EY1IIEdcWHUnI4Gzvb0PUFSNYOEv7juL+98I3shveX1jSuXUlNsRYoXSYneIC4oDI74+vGYb2ISrcMtrAHTtvM37q9u6EV32//5lwpt9aH5KYn7Glaf2gzoaDxNdRhh3M1tn/2CsnpDI1/LhmcpIRVxyh+ITJVQLwOeB940wYm/xYdg7W6bL7nNf+VUWm9xIEF1Cy7U3ZrybqofQsKdmIJ2fxRTK3f1oPwP/1DNTdlBPz5XPvMSZEAifDZPKGpt2dlv3E3kXWK+ym2H65CYYc22ivNA1lRP9izgnbkZKth4sI0cJ9kx6o8szkQF4YUpTVPkRBmoZpx2EtFI8Cyi4l61HYqmF4hHv35YljmVw5HhzLEwCiZbbwzQUsEw5WhTWZr4FmR/0DKRoswW8XaOQyYkrjD/RpJLs8KEB0bIT6VKnpD4Bc7zVKkVrh2YS7Wp+WMh2FTHztXAVm9ir8RLU+Bu7PWufxEMBOmE==P6gZ-----END PGP SIGNATURE-----

R
R
Ricardo Wurmus wrote on 27 Apr 09:48 +0200
Re: bug#48035: Fwd: regression: “guix pack” Docker images no longer work on AWS
(name . Efraim Flashner)(address . efraim@flashner.co.il)(address . 48035@debbugs.gnu.org)
87sg3cnp5n.fsf@elephly.net
Hi Efraim,
Toggle quote (5 lines)> On March 10th, a couple of days before your original message, > docker was> updated to 19.03.15 for some security fixes. Perhaps try locally> reverting that and see if it fixes your problem.
We are not using Docker to generate the Docker images.
I only have problems with the generated Docker images on AWS, which does not use Docker from Guix.
-- Ricardo
L
L
Ludovic Courtès wrote on 28 Apr 23:29 +0200
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 48035@debbugs.gnu.org)
87wnsmp072.fsf@gnu.org
Hi,
Ricardo Wurmus <rekado@elephly.net> skribis:
Toggle quote (25 lines)> I’m using “guix pack”-generated Docker images on AWS ECS. On June 17,> 2020 I generated and uploaded an image that works fine. According to> AWS this image has this manifest type:>> application/vnd.docker.distribution.manifest.v2+json>> Today I generated a new image that does not work. It cannot be opened> by ECS; it cannot find /bin/sh, which exists. The manifest type is> now> recognized as>> application/vnd.oci.image.manifest.v1+json>> It also now detects an “Artifact media type” and prints it as>> application/vnd.oci.image.config.v1+json>> I’d very much like to push a newly generated image. Is there a way to> generate the image as it was done in the summer of 2020?>> Note that both these images appear to work “fine” with a local Docker> installation (i.e. when run with “docker run”). (When running /bin/sh> in the container interactively it appears to freeze whenever I try to> actually run a command, but perhaps I’m just holding it wrong…)
The Git log of (guix docker) and (guix scripts pack) doesn’t showanything suspicious.
Could you try generating an image with ‘guix pack’ and feeding it toDocker using Guix’ Docker service in a VM? Attached is an OS that Iused previously to test Docker things. (You need to run with ‘-m 8192’or similar so that when you run ‘docker load -i/gnu/store/…-docker-pack.tar.gz’ the whole VM disk fits into RAM.)
If you used ‘-S /bin=bin’, /bin/sh in the image is a symlink to/gnu/store/…-bash/bin/sh, an absolute file name that’s only valid withinthe image. Perhaps Docker is confused by that like Singularity is/was.In that case, try changing ‘guix pack’ so it produces relative symlinksas it already does for the ‘singularity’ backend.
HTH!
Ludo’.
(use-modules (gnu) (srfi srfi-1)) (use-package-modules docker linux) (use-service-modules dbus desktop networking docker) (operating-system (host-name "dockeros") (timezone "Europe/Paris") (locale "fr_FR.utf8") (bootloader (bootloader-configuration (bootloader grub-bootloader) (target "/dev/sdX"))) (file-systems (cons (file-system (device (file-system-label "my-root")) (mount-point "/") (type "ext4")) %base-file-systems)) (users (cons (user-account (name "ludo") (group "users") (supplementary-groups '("wheel")) (password (crypt "foo" "$6$")) (home-directory "/home/ludo")) %base-user-accounts)) (packages (cons* docker-cli singularity %base-packages)) (services (append (list (service docker-service-type) (service dbus-root-service-type) (service elogind-service-type) (service dhcp-client-service-type)) ;; Choose a better console font. (modify-services %base-services (console-font-service-type config => (map (lambda (tty) (cons tty "lat9u-16")) '("tty1" "tty2" "tty3" "tty4" "tty5" "tty6")))))))
L
L
Ludovic Courtès wrote on 30 Apr 17:38 +0200
control message for bug #48035
(address . control@debbugs.gnu.org)
87zgxfbx5s.fsf@gnu.org
severity 48035 importantquit
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send email to 48035@debbugs.gnu.org