Cannot start a container built with `guix system container --network'.

Details
4 participants
  • Arun Isaac
  • Bruno Victal
  • Nicolò Balzarotti
  • Pierre Langlois
Owner
unassigned
Submitted by
Pierre Langlois
Severity
normal
Pierre Langlois wrote on 19 Feb 2023 15:58
(address . bug-guix@gnu.org)
87a619u22x.fsf@gmx.com
Hi Guix!

There seems to be a bug with the --network flag to `guix system
container', if we try to use docker-image.tmpl as an example we get the
following failure:

$ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
Password:
system container is running as PID 17630
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
or run 'sudo nsenter -a -t 17630' to get a shell into it.

WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
Backtrace:
11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
In gnu/build/linux-container.scm:
300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
397:16 9 (_ "/tmp/guix-directory.KgjoQ6")
62:6 8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
In unknown file:
7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
In ice-9/eval.scm:
619:8 6 (_ #f)
In unknown file:
5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
In srfi/srfi-1.scm:
634:9 4 (for-each #<procedure primitive-load (_)> _)
In unknown file:
3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
In srfi/srfi-1.scm:
634:9 2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
In gnu/build/activation.scm:
268:20 1 (_ "hosts")
In unknown file:
0 (copy-file "/etc/static/hosts" "/etc/hosts")

ERROR: In procedure copy-file:
In procedure copy-file: Read-only file system

Doing a git bisect, the problem started with this commit it seems:
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6

system: Deprecate hosts-file.

* gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
(warn-hosts-file-field-deprecation): New procedure, helper for
deprecated variable.
(operating-system)[hosts-file]: Use helper to warn deprecated field.
(local-host-aliases): Mark as deprecated.
(local-host-entries): New procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Use hosts-service-type. Use
'%operating-system-hosts-file' and 'local-host-entries'.
(default-/etc/hosts): Remove procedure.
(operating-system-etc-service): Remove hosts file.
* doc/guix.texi (operating-system Reference)
(Networking Services) (Virtualization Services): Rewrite documentation
entries to use hosts-service-type.

Thanks!
Pierre
Pierre Langlois wrote on 19 Feb 2023 16:29
(address . 61627@debbugs.gnu.org)
873571u0vx.fsf@gmx.com
Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Guix!
>
> There seems to be a bug with the --network flag to `guix system
> container', if we try to use docker-image.tmpl as an example we get the
> following failure:
>
> $ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
> Password:
> system container is running as PID 17630
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
> or run 'sudo nsenter -a -t 17630' to get a shell into it.
>
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> setting up setuid programs in '/run/setuid-programs'...
> populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
> Backtrace:
> 11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
> In gnu/build/linux-container.scm:
> 300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
> 397:16 9 (_ "/tmp/guix-directory.KgjoQ6")
> 62:6 8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
> In unknown file:
> 7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
> In ice-9/eval.scm:
> 619:8 6 (_ #f)
> In unknown file:
> 5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
> In srfi/srfi-1.scm:
> 634:9 4 (for-each #<procedure primitive-load (_)> _)
> In unknown file:
> 3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
> In srfi/srfi-1.scm:
> 634:9 2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
> In gnu/build/activation.scm:
> 268:20 1 (_ "hosts")
> In unknown file:
> 0 (copy-file "/etc/static/hosts" "/etc/hosts")
>
> ERROR: In procedure copy-file:
> In procedure copy-file: Read-only file system
>
>
> Doing a git bisect, the problem started with this commit it seems:
> 802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6
>
> system: Deprecate hosts-file.
>
> * gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
> (warn-hosts-file-field-deprecation): New procedure, helper for
> deprecated variable.
> (operating-system)[hosts-file]: Use helper to warn deprecated field.
> (local-host-aliases): Mark as deprecated.
> (local-host-entries): New procedure.
> (operating-system-default-essential-services,
> hurd-default-essential-services): Use hosts-service-type. Use
> '%operating-system-hosts-file' and 'local-host-entries'.
> (default-/etc/hosts): Remove procedure.
> (operating-system-etc-service): Remove hosts file.
> * doc/guix.texi (operating-system Reference)
> (Networking Services) (Virtualization Services): Rewrite documentation
> entries to use hosts-service-type.

Digging into the container script code, I think the reason is that when
sharing the network, it's supposed to remove any network-related
services from the containerized operating system. And it's not aware of
the new hosts-service-type. The following diff seems to fix the issue:

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..9190d013bc 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
(define base
(remove (lambda (service)
(memq (service-kind service)
- (list (service-kind %linux-bare-metal-service)
- firmware-service-type
- system-service-type)))
+ (cons* (service-kind %linux-bare-metal-service)
+ firmware-service-type
+ system-service-type
+ (if shared-network?
+ (list hosts-service-type)
+ '()))))
(operating-system-default-essential-services os)))

(cons (service system-service-type
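Review bot: the hunk adds a reference to hosts-service-type but no `#:use-module` line, so confirm that gnu/system/linux-container.scm already imports the module that exports it; otherwise compiling this file fails with an unbound variable. A one-line comment above `(if shared-network?` saying why the service is dropped (with a shared network, the activation step copying /etc/static/hosts to /etc/hosts fails with "Read-only file system", as in the backtrace quoted above) would also spare the next reader a bisect.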

I wonder if this is a full fix though, I see that we also remove network
related configuration files, using `%network-configuration-files', and I
wonder if "/etc/hosts" is still supposed to be there?

(define %network-configuration-files
;; List of essential network configuration files.
'("/etc/resolv.conf"
"/etc/nsswitch.conf"
"/etc/services"
"/etc/hosts"))
Nicolò Balzarotti wrote on 26 Feb 2023 21:54
Cannot start a container built with `guix system container --network'.
(address . 61627@debbugs.gnu.org)
86edqc5er9.fsf@IITUVIPLAP024.mail-host-address-is-not-set
Hi,
I'm on eb87d2c4 (just updated a 412(!) days old guix server O.o) and
I can confirm this is still happening

(btw, this is the only problem I had in upgrading, so great job guix)

Thanks!
Nicolò
Arun Isaac wrote on 19 Mar 2023 20:26
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
873560bl0s.fsf@systemreboot.net
Hi Bruno and Ludo,

This bug seems related to your commit
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6. Could you weigh in?

Thanks!
Arun
Arun Isaac wrote on 19 Mar 2023 20:31
Merge #61856 with #61627
(address . control@debbugs.gnu.org)
87zg88a688.fsf@systemreboot.net
merge 61856 61627
thanks
Bruno Victal wrote on 20 Mar 2023 18:46
Re: bug#61627: Cannot start a container built with `guix system container --network'.
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
b52480ff-484e-fdd4-da22-ffd2b096a0f5@makinata.eu
Hi,


On 2023-02-19 15:29, Pierre Langlois wrote:
>
> Pierre Langlois <pierre.langlois@gmx.com> writes:
>
> Digging into the container script code, I think the reason is that when
> sharing the network, it's supposed to remove any network-related
> services from the containerized operating system. And it's not aware of
> the new hosts-service-type. The following diff seems to fix the issue:
>
> --8<---------------cut here---------------start------------->8---
> diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
> index c2fd55d48e..9190d013bc 100644
> --- a/gnu/system/linux-container.scm
> +++ b/gnu/system/linux-container.scm
> @@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
> (define base
> (remove (lambda (service)
> (memq (service-kind service)
> - (list (service-kind %linux-bare-metal-service)
> - firmware-service-type
> - system-service-type)))
> + (cons* (service-kind %linux-bare-metal-service)
> + firmware-service-type
> + system-service-type
> + (if shared-network?
> + (list hosts-service-type)
> + '()))))
> (operating-system-default-essential-services os)))
>
> (cons (service system-service-type
> --8<---------------cut here---------------end--------------->8---
>
> I wonder if this is a full fix though, I see that we also remove network
> related configuration files, using `%network-configuration-files', and I
> wonder if "/etc/hosts" is still supposed to be there?
>
> --8<---------------cut here---------------start------------->8---
> (define %network-configuration-files
> ;; List of essential network configuration files.
> '("/etc/resolv.conf"
> "/etc/nsswitch.conf"
> "/etc/services"
> "/etc/hosts"))
> --8<---------------cut here---------------end--------------->8---

/etc/hosts is created by hosts-service-type, so if you remove that service
it shouldn't be present anymore.


Cheers,
Bruno
Arun Isaac wrote on 21 Mar 2023 13:53
(name . Bruno Victal)(address . mirai@makinata.eu)
87r0ti9sez.fsf@systemreboot.net
Hi Bruno,

> /etc/hosts is created by hosts-service-type, so if you remove that service
> it shouldn't be present anymore.

That makes sense.

There's one more question, though. Now that we are handling /etc/hosts
using hosts-service-type, should /etc/hosts still be in
%network-configuration-files? I believe this is what Pierre was asking.

Thanks,
Arun
Bruno Victal wrote on 23 Mar 2023 13:50
(name . Arun Isaac)(address . arunisaac@systemreboot.net)
40ddadcf-6e5d-456f-a59f-371e60e7461d@makinata.eu
On 2023-03-21 12:53, Arun Isaac wrote:
>
> Hi Bruno,
>
>> /etc/hosts is created by hosts-service-type, so if you remove that service
>> it shouldn't be present anymore.
>
> That makes sense.
>
> There's one more question, though. Now that we are handling /etc/hosts
> using hosts-service-type, should /etc/hosts still be in
> %network-configuration-files? I believe this is what Pierre was asking.

I'm inclined to keep it in %network-configuration-files just to be safe.

Strictly speaking, the file shouldn't be present when you remove hosts-service-type but
you could, for $REASONS, have a template that has hosts-service-type removed from the
essential-services and /etc/hosts manually provisioned using etc-service-type or special-service-type.

Unless it's desirable to honor the /etc/hosts file configured in this manner, in which case you should
remove it from %network-configuration-files to respect the user's wishes, I'd say the file should
be kept in %network-configuration-files to avoid some strange cases that may arise.


I should say that I don't use `guix system container` so I'm not too familiar with what behavior is
to be expected/“the correct one” here.


Cheers,
Bruno
Arun Isaac wrote on 25 Mar 2023 17:10
(name . Bruno Victal)(address . mirai@makinata.eu)
87mt403j7s.fsf@systemreboot.net
> I'm inclined to keep it in %network-configuration-files just to be
> safe.

I agree. I don't really understand the implications of removing
/etc/hosts from %network-configuration-files. I would err on the side of
caution and leave it there for now.

@Pierre: Could you make a patch of the fix you suggested earlier
(removing hosts-service-type when the --network flag is provided) and
push it? Thank you!
Pierre Langlois wrote on 26 Mar 2023 15:14
(name . Arun Isaac)(address . arunisaac@systemreboot.net)
87fs9rhcv3.fsf@gmx.com
Hi Arun and Bruno,

Arun Isaac <arunisaac@systemreboot.net> writes:

>> I'm inclined to keep it in %network-configuration-files just to be
>> safe.
>
> I agree. I don't really understand the implications of removing
> /etc/hosts from %network-configuration-files. I would err on the side of
> caution and leave it there for now.

That sounds very sensible.

>
> @Pierre: Could you make a patch of the fix you suggested earlier
> (removing hosts-service-type when the --network flag is provided) and
> push it? Thank you!

Sounds good! Just testing the following patch and will push it in a
minute.
From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Sun, 26 Mar 2023 13:55:14 +0100
Subject: [PATCH] linux-container: Remove hosts-service-type when network is
shared.


* gnu/system/linux-container.scm (container-essential-services): When
shared-network? is true, remove the hosts-service-type service kind.
---
gnu/system/linux-container.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..409386a84f 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2022 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2023 Pierre Langlois <pierre.langlois@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -49,9 +50,12 @@ (define* (container-essential-services os #:key shared-network?)
(define base
(remove (lambda (service)
(memq (service-kind service)
- (list (service-kind %linux-bare-metal-service)
- firmware-service-type
- system-service-type)))
+ (cons* (service-kind %linux-bare-metal-service)
+ firmware-service-type
+ system-service-type
+ (if shared-network?
+ (list hosts-service-type)
+ '()))))
(operating-system-default-essential-services os)))
(cons (service system-service-type
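Review bot: the user-visible consequence of this hunk (with --network, the operating-system's own hosts entries no longer reach the container's /etc/hosts, since hosts-service-type is now filtered out together with the other network services) is not documented anywhere: the diffstat touches only gnu/system/linux-container.scm. A sentence in doc/guix.texi under the --network option of `guix system container` would make the behaviour discoverable, and the commit message would benefit from a reference to the bug it closes so the rationale is reachable from `git log`.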
--
2.39.2
Thanks,
Pierre
Pierre Langlois wrote on 26 Mar 2023 15:41
(address . 61627-done@debbugs.gnu.org)
87v8infx1s.fsf@gmx.com
Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Arun and Bruno,
>
> Arun Isaac <arunisaac@systemreboot.net> writes:
>
>>> I'm inclined to keep it in %network-configuration-files just to be
>>> safe.
>>
>> I agree. I don't really understand the implications of removing
>> /etc/hosts from %network-configuration-files. I would err on the side of
>> caution and leave it there for now.
>
> That sounds very sensible.
>
>>
>> @Pierre: Could you make a patch of the fix you suggested earlier
>> (removing hosts-service-type when the --network flag is provided) and
>> push it? Thank you!
>
> Sounds good! Just testing the following patch and will push it in a
> minute.
>
> [[End of PGP Signed Part]]
> From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
> Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
> From: Pierre Langlois <pierre.langlois@gmx.com>
> Date: Sun, 26 Mar 2023 13:55:14 +0100
> Subject: [PATCH] linux-container: Remove hosts-service-type when network is
> shared.
>
> Fixes <https://issues.guix.gnu.org/61627>.
>
> * gnu/system/linux-container.scm (container-essential-services): When
> shared-network? is true, remove the hosts-service-type service kind.

Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thanks,
Pierre
Closed
Arun Isaac wrote on 27 Mar 2023 00:20
878rfj2m0c.fsf@systemreboot.net
> Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thank you, Pierre! :-)
Closed