Cannot start a container built with `guix system container --network'.

  • Done
Details
4 participants
  • Arun Isaac
  • Bruno Victal
  • Nicolò Balzarotti
  • Pierre Langlois
Owner
unassigned
Submitted by
Pierre Langlois
Severity
normal
Pierre Langlois wrote on 19 Feb 2023 15:58
(address . bug-guix@gnu.org)
87a619u22x.fsf@gmx.com
Hi Guix!

There seems to be a bug with the --network flag to `guix system
container', if we try to use docker-image.tmpl as an example we get the
following failure:

$ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
Password:
system container is running as PID 17630
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
or run 'sudo nsenter -a -t 17630' to get a shell into it.

WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
setting up setuid programs in '/run/setuid-programs'...
populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
Backtrace:
11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
In gnu/build/linux-container.scm:
300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
397:16 9 (_ "/tmp/guix-directory.KgjoQ6")
62:6 8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
In unknown file:
7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
In ice-9/eval.scm:
619:8 6 (_ #f)
In unknown file:
5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
In srfi/srfi-1.scm:
634:9 4 (for-each #<procedure primitive-load (_)> _)
In unknown file:
3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
In srfi/srfi-1.scm:
634:9 2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
In gnu/build/activation.scm:
268:20 1 (_ "hosts")
In unknown file:
0 (copy-file "/etc/static/hosts" "/etc/hosts")

ERROR: In procedure copy-file:
In procedure copy-file: Read-only file system

Doing a git bisect, the problem started with this commit it seems:
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6

system: Deprecate hosts-file.

* gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
(warn-hosts-file-field-deprecation): New procedure, helper for
deprecated variable.
(operating-system)[hosts-file]: Use helper to warn deprecated field.
(local-host-aliases): Mark as deprecated.
(local-host-entries): New procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Use hosts-service-type. Use
'%operating-system-hosts-file' and 'local-host-entries'.
(default-/etc/hosts): Remove procedure.
(operating-system-etc-service): Remove hosts file.
* doc/guix.texi (operating-system Reference)
(Networking Services) (Virtualization Services): Rewrite documentation
entries to use hosts-service-type.

Thanks!
Pierre

Pierre Langlois wrote on 19 Feb 2023 16:29
(address . 61627@debbugs.gnu.org)
873571u0vx.fsf@gmx.com
Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Guix!
>
> There seems to be a bug with the --network flag to `guix system
> container', if we try to use docker-image.tmpl as an example we get the
> following failure:
>
> $ sudo `guix system container -v3 --network gnu/system/examples/docker-image.tmpl`
> Password:
> system container is running as PID 17630
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> Run 'sudo guix container exec 17630 /run/current-system/profile/bin/bash --login'
> or run 'sudo nsenter -a -t 17630' to get a shell into it.
>
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> making '/gnu/store/2w0c609is7iilv6r2l1vrchb9qsbfgkp-system' the current system...
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> setting up setuid programs in '/run/setuid-programs'...
> populating /etc from /gnu/store/ywsdjyq161a2clhvz6kx5m4ppz5ziqp1-etc...
> Backtrace:
> 11 (primitive-load "/gnu/store/5wdqg0jpiw1zd9pn13wmzy3f85g…")
> In gnu/build/linux-container.scm:
> 300:8 10 (call-with-temporary-directory #<procedure 7fa5741fdd70…>)
> 397:16 9 (_ "/tmp/guix-directory.KgjoQ6")
> 62:6 8 (call-with-clean-exit #<procedure 7fa57420fd40 at gnu/b…>)
> In unknown file:
> 7 (primitive-load "/gnu/store/2w0c609is7iilv6r2l1vrchb9qs…")
> In ice-9/eval.scm:
> 619:8 6 (_ #f)
> In unknown file:
> 5 (primitive-load "/gnu/store/xfd58fw9x65n7wr5kw2gnciszkl…")
> In srfi/srfi-1.scm:
> 634:9 4 (for-each #<procedure primitive-load (_)> _)
> In unknown file:
> 3 (primitive-load "/gnu/store/3gwb0jydx90f61a6kizawsjdi6h…")
> In srfi/srfi-1.scm:
> 634:9 2 (for-each #<procedure 7fa57410e0e0 at gnu/build/activa…> …)
> In gnu/build/activation.scm:
> 268:20 1 (_ "hosts")
> In unknown file:
> 0 (copy-file "/etc/static/hosts" "/etc/hosts")
>
> ERROR: In procedure copy-file:
> In procedure copy-file: Read-only file system
>
>
> Doing a git bisect, the problem started with this commit it seems:
> 802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6
>
> system: Deprecate hosts-file.
>
> * gnu/system.scm (operating-system-hosts-file): Deprecate procedure.
> (warn-hosts-file-field-deprecation): New procedure, helper for
> deprecated variable.
> (operating-system)[hosts-file]: Use helper to warn deprecated field.
> (local-host-aliases): Mark as deprecated.
> (local-host-entries): New procedure.
> (operating-system-default-essential-services,
> hurd-default-essential-services): Use hosts-service-type. Use
> '%operating-system-hosts-file' and 'local-host-entries'.
> (default-/etc/hosts): Remove procedure.
> (operating-system-etc-service): Remove hosts file.
> * doc/guix.texi (operating-system Reference)
> (Networking Services) (Virtualization Services): Rewrite documentation
> entries to use hosts-service-type.

Digging into the container script code, I think the reason is that when
sharing the network, it's supposed to remove any network-related
services from the containerized operating system. And it's not aware of
the new hosts-service-type. The following diff seems to fix the issue:

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..9190d013bc 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
(define base
(remove (lambda (service)
(memq (service-kind service)
- (list (service-kind %linux-bare-metal-service)
- firmware-service-type
- system-service-type)))
+ (cons* (service-kind %linux-bare-metal-service)
+ firmware-service-type
+ system-service-type
+ (if shared-network?
+ (list hosts-service-type)
+ '()))))
(operating-system-default-essential-services os)))

(cons (service system-service-type
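
Review bot: `hosts-service-type` is referenced in the new `(list hosts-service-type)` branch, but this hunk is the whole change and adds no `#:use-module` line to gnu/system/linux-container.scm. Please confirm the module that exports hosts-service-type is already imported there; if it is not, the container script would stop on an unbound variable rather than on the copy-file error above.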

I wonder if this is a full fix though, I see that we also remove network
related configuration files, using `%network-configuration-files', and I
wonder if "/etc/hosts" is still supposed to be there?

(define %network-configuration-files
;; List of essential network configuration files.
'("/etc/resolv.conf"
"/etc/nsswitch.conf"
"/etc/services"
"/etc/hosts"))
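
A check for the failure mode diagnosed in the message above, as an added example that is not part of the original thread or of Guix. It assumes that with `--network` the files in `%network-configuration-files` appear inside the container as read-only mounts (consistent with the "Read-only file system" error), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the network configuration files named in
# the thread are read-only mount points, given mountinfo-format text.

# The four paths from %network-configuration-files as quoted on the page.
NETWORK_FILES="/etc/resolv.conf /etc/nsswitch.conf /etc/services /etc/hosts"

# ro_network_files: read proc(5) mountinfo lines on stdin.
# Field 5 is the mount point and field 6 the per-mount options; a read-only
# bind mount shows "ro" there even when the backing file system is "rw".
# The last entry for a mount point wins, since later mounts shadow earlier
# ones. Output follows the order of NETWORK_FILES.
ro_network_files() {
    awk -v files="$NETWORK_FILES" '
        BEGIN {
            n = split(files, f, " ")
            for (i = 1; i <= n; i++) want[f[i]] = 1
        }
        ($5 in want) {
            ro[$5] = 0
            m = split($6, opts, ",")
            for (i = 1; i <= m; i++)
                if (opts[i] == "ro") ro[$5] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (ro[f[i]] == 1) print f[i]
        }'
}

# Constructed sample, not captured from a real container: /etc/hosts and
# /etc/resolv.conf are read-only bind mounts, /etc/services is writable,
# and /etc/nsswitch.conf is not a mount point at all.
sample_mountinfo() {
    cat <<'EOF'
120 100 0:45 / / rw,relatime - tmpfs none rw
121 120 8:2 /gnu/store /gnu/store ro,relatime - ext4 /dev/sda2 rw
122 120 8:2 /etc/hosts /etc/hosts ro,relatime - ext4 /dev/sda2 rw
123 120 8:2 /etc/resolv.conf /etc/resolv.conf ro,relatime - ext4 /dev/sda2 rw
124 120 8:2 /etc/services /etc/services rw,relatime - ext4 /dev/sda2 rw
EOF
}

# On a live system: ro_network_files < /proc/PID/mountinfo
# where PID is the one printed by "system container is running as PID ...".
sample_mountinfo | ro_network_files
```

Any path it prints is one that an activation step cannot overwrite, which is the condition under which the `copy-file` to `/etc/hosts` in the backtrace fails.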

Nicolò Balzarotti wrote on 26 Feb 2023 21:54
Cannot start a container built with `guix system container --network'.
(address . 61627@debbugs.gnu.org)
86edqc5er9.fsf@IITUVIPLAP024.mail-host-address-is-not-set
Hi,
I'm on eb87d2c4 (just updated a 412(!) days old guix server O.o) and
I can confirm this is still happening

(btw, this is the only problem I had in upgrading, so great job guix)

Thanks!
Nicolò
Arun Isaac wrote on 19 Mar 2023 20:26
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
873560bl0s.fsf@systemreboot.net
Hi Bruno and Ludo,

This bug seems related to your commit
802ea1f3a43e5fb8d0b8bd2882954d8a6e49cde6 . Could you weigh in?


Thanks!
Arun
Arun Isaac wrote on 19 Mar 2023 20:31
Merge #61856 with #61627
(address . control@debbugs.gnu.org)
87zg88a688.fsf@systemreboot.net
merge 61856 61627
thanks
Bruno Victal wrote on 20 Mar 2023 18:46
Re: bug#61627: Cannot start a container built with `guix system container --network'.
(name . Pierre Langlois)(address . pierre.langlois@gmx.com)
b52480ff-484e-fdd4-da22-ffd2b096a0f5@makinata.eu
Hi,


On 2023-02-19 15:29, Pierre Langlois wrote:
>
> Pierre Langlois <pierre.langlois@gmx.com> writes:
>
> Digging into the container script code, I think the reason is that when
> sharing the network, it's supposed to remove any network-related
> services from the containerized operating system. And it's not aware of
> the new hosts-service-type. The following diff seems to fix the issue:
>
> --8<---------------cut here---------------start------------->8---
> diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
> index c2fd55d48e..9190d013bc 100644
> --- a/gnu/system/linux-container.scm
> +++ b/gnu/system/linux-container.scm
> @@ -49,9 +49,12 @@ (define* (container-essential-services os #:key shared-network?)
> (define base
> (remove (lambda (service)
> (memq (service-kind service)
> - (list (service-kind %linux-bare-metal-service)
> - firmware-service-type
> - system-service-type)))
> + (cons* (service-kind %linux-bare-metal-service)
> + firmware-service-type
> + system-service-type
> + (if shared-network?
> + (list hosts-service-type)
> + '()))))
> (operating-system-default-essential-services os)))
>
> (cons (service system-service-type
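
Review bot: the `(if shared-network? (list hosts-service-type) '())` tail carries no comment explaining why the service is dropped only in that mode. A short comment beside it, saying that with a shared network activation cannot write /etc/hosts (the copy-file in the report fails with "Read-only file system"), would keep a later cleanup from turning the `cons*` back into a plain `list`.
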
> --8<---------------cut here---------------end--------------->8---
>
> I wonder if this is a full fix though, I see that we also remove network
> related configuration files, using `%network-configuration-files', and I
> wonder if "/etc/hosts" is still supposed to be there?
>
> --8<---------------cut here---------------start------------->8---
> (define %network-configuration-files
> ;; List of essential network configuration files.
> '("/etc/resolv.conf"
> "/etc/nsswitch.conf"
> "/etc/services"
> "/etc/hosts"))
> --8<---------------cut here---------------end--------------->8---

/etc/hosts is created by hosts-service-type, so if you remove that service
it shouldn't be present anymore.


Cheers,
Bruno
Arun Isaac wrote on 21 Mar 2023 13:53
(name . Bruno Victal)(address . mirai@makinata.eu)
87r0ti9sez.fsf@systemreboot.net
Hi Bruno,

> /etc/hosts is created by hosts-service-type, so if you remove that service
> it shouldn't be present anymore.

That makes sense.

There's one more question, though. Now that we are handling /etc/hosts
using hosts-service-type, should /etc/hosts still be in
%network-configuration-files? I believe this is what Pierre was asking.

Thanks,
Arun
Bruno Victal wrote on 23 Mar 2023 13:50
(name . Arun Isaac)(address . arunisaac@systemreboot.net)
40ddadcf-6e5d-456f-a59f-371e60e7461d@makinata.eu
On 2023-03-21 12:53, Arun Isaac wrote:
>
> Hi Bruno,
>
>> /etc/hosts is created by hosts-service-type, so if you remove that service
>> it shouldn't be present anymore.
>
> That makes sense.
>
> There's one more question, though. Now that we are handling /etc/hosts
> using hosts-service-type, should /etc/hosts still be in
> %network-configuration-files? I believe this is what Pierre was asking.

I'm inclined to keep it in %network-configuration-files just to be safe.

Strictly speaking, the file shouldn't be present when you remove hosts-service-type but
you could, for $REASONS, have a template that has hosts-service-type removed from the
essential-services and /etc/hosts manually provisioned using etc-service-type or special-service-type.

Unless it's desirable to honor the /etc/hosts file configured in this manner, in which case you should
remove it from %network-configuration-files to respect the user's wishes, I'd say the file should
be kept in %network-configuration-files to avoid some strange cases that may arise.


I should say that I don't use `guix system container` so I'm not too familiar with what behavior is
to be expected/“the correct one” here.


Cheers,
Bruno
Arun Isaac wrote on 25 Mar 2023 17:10
(name . Bruno Victal)(address . mirai@makinata.eu)
87mt403j7s.fsf@systemreboot.net
> I'm inclined to keep it in %network-configuration-files just to be
> safe.

I agree. I don't really understand the implications of removing
/etc/hosts from %network-configuration-files. I would err on the side of
caution and leave it there for now.

@Pierre: Could you make a patch of the fix you suggested earlier
(removing hosts-service-type when the --network flag is provided) and
push it? Thank you!
Pierre Langlois wrote on 26 Mar 2023 15:14
(name . Arun Isaac)(address . arunisaac@systemreboot.net)
87fs9rhcv3.fsf@gmx.com
Hi Arun and Bruno,

Arun Isaac <arunisaac@systemreboot.net> writes:

>> I'm inclined to keep it in %network-configuration-files just to be
>> safe.
>
> I agree. I don't really understand the implications of removing
> /etc/hosts from %network-configuration-files. I would err on the side of
> caution and leave it there for now.

That sounds very sensible.

>
> @Pierre: Could you make a patch of the fix you suggested earlier
> (removing hosts-service-type when the --network flag is provided) and
> push it? Thank you!

Sounds good! Just testing the following patch and will push it in a
minute.

From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Sun, 26 Mar 2023 13:55:14 +0100
Subject: [PATCH] linux-container: Remove hosts-service-type when network is
shared.


* gnu/system/linux-container.scm (container-essential-services): When
shared-network? is true, remove the hosts-service-type service kind.
---
gnu/system/linux-container.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c2fd55d48e..409386a84f 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Google LLC
;;; Copyright © 2022 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2023 Pierre Langlois <pierre.langlois@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -49,9 +50,12 @@ (define* (container-essential-services os #:key shared-network?)
(define base
(remove (lambda (service)
(memq (service-kind service)
- (list (service-kind %linux-bare-metal-service)
- firmware-service-type
- system-service-type)))
+ (cons* (service-kind %linux-bare-metal-service)
+ firmware-service-type
+ system-service-type
+ (if shared-network?
+ (list hosts-service-type)
+ '()))))
(operating-system-default-essential-services os)))
(cons (service system-service-type
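
Review bot: the diffstat is "1 file changed", so the fix in `container-essential-services` ships without a test that starts a container with `--network`. Since this regression was only found by bisecting after a user report, consider adding a system test that boots the docker-image.tmpl example with shared networking, or at least one that checks hosts-service-type is absent from the result when `shared-network?` is true.
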
--
2.39.2
Thanks,
Pierre
Pierre Langlois wrote on 26 Mar 2023 15:41
(address . 61627-done@debbugs.gnu.org)
87v8infx1s.fsf@gmx.com
Pierre Langlois <pierre.langlois@gmx.com> writes:

> [[PGP Signed Part:Undecided]]
> Hi Arun and Bruno,
>
> Arun Isaac <arunisaac@systemreboot.net> writes:
>
>>> I'm inclined to keep it in %network-configuration-files just to be
>>> safe.
>>
>> I agree. I don't really understand the implications of removing
>> /etc/hosts from %network-configuration-files. I would err on the side of
>> caution and leave it there for now.
>
> That sounds very sensible.
>
>>
>> @Pierre: Could you make a patch of the fix you suggested earlier
>> (removing hosts-service-type when the --network flag is provided) and
>> push it? Thank you!
>
> Sounds good! Just testing the following patch and will push it in a
> minute.
>
> [[End of PGP Signed Part]]
> From 42fbe62d52a82d1003c3d7039d3c4a46806c5cee Mon Sep 17 00:00:00 2001
> Message-Id: <42fbe62d52a82d1003c3d7039d3c4a46806c5cee.1679836531.git.pierre.langlois@gmx.com>
> From: Pierre Langlois <pierre.langlois@gmx.com>
> Date: Sun, 26 Mar 2023 13:55:14 +0100
> Subject: [PATCH] linux-container: Remove hosts-service-type when network is
> shared.
>
> Fixes <https://issues.guix.gnu.org/61627>.
>
> * gnu/system/linux-container.scm (container-essential-services): When
> shared-network? is true, remove the hosts-service-type service kind.

Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thanks,
Pierre

Closed
Arun Isaac wrote on 27 Mar 2023 00:20
878rfj2m0c.fsf@systemreboot.net
> Pushed as 42fbe62d52a82d1003c3d7039d3c4a46806c5cee

Thank you, Pierre! :-)
Closed