bug#55358: docker containers stopped when doing guix install or guix shell
Hi Csepp,

2023/05/20 00:29, Csepp:

> Remco van 't Veer writes:
>
>> Hi Maxim and Zimoun,
>>
>> 2023/02/09 13:26, Remco van 't Veer:
>>
>>> I think I know what is causing the issue. Both the "standard" mysql and
>>> postgres containers use user-id 999 to run the database service (this
>>> seems like a common practice because the redis container is configured
>>> similarly). That user-id is also configured as guixbuilder01 so I guess
>>> the guix daemon is killing those processes when it finishes doing
>>> builds.
>>
>> I found a solution / workaround for this problem by using
>> "userns-remap". This feature allows the remapping of uids and guids to
>> different ranges. I tried it by hacking the required files into my
>> etc-directory and it works; guix no longer kills my database containers.
>>
>> I'd like to add this feature to docker-service-type having a new
>> configuration option named enable-userns-remap? which introduces a new
>> user and group (both named dockremap) to do the remapping by adding some
>> configurable number to the uids and guids of the running container. In
>> /etc/subuid and /etc/subgid it would look like:
>>
>>   dockremap:10:65536
>>
>> See https://docs.docker.com/engine/security/userns-remap/ for
>> documentation about this.
>>
>> WDYT?
>>
>> Cheers,
>> Remco
>
> The rootless podman example that was shared a few months ago could be
> relevant to this, since that also adds a subuid/subgid mapping.

Thanks! Borrowed that. For future reference:

  https://lists.gnu.org/archive/html/guix-devel/2023-03/msg00176.html

Cheers,
Remco
bug#55358: docker containers stopped when doing guix install or guix shell
Remco van 't Veer writes:

> Hi Maxim and Zimoun,
>
> 2023/02/09 13:26, Remco van 't Veer:
>
>> I think I know what is causing the issue. Both the "standard" mysql and
>> postgres containers use user-id 999 to run the database service (this
>> seems like a common practice because the redis container is configured
>> similarly). That user-id is also configured as guixbuilder01 so I guess
>> the guix daemon is killing those processes when it finishes doing
>> builds.
>
> I found a solution / workaround for this problem by using
> "userns-remap". This feature allows the remapping of uids and guids to
> different ranges. I tried it by hacking the required files into my
> etc-directory and it works; guix no longer kills my database containers.
>
> I'd like to add this feature to docker-service-type having a new
> configuration option named enable-userns-remap? which introduces a new
> user and group (both named dockremap) to do the remapping by adding some
> configurable number to the uids and guids of the running container. In
> /etc/subuid and /etc/subgid it would look like:
>
>   dockremap:10:65536
>
> See https://docs.docker.com/engine/security/userns-remap/ for
> documentation about this.
>
> WDYT?
>
> Cheers,
> Remco

The rootless podman example that was shared a few months ago could be
relevant to this, since that also adds a subuid/subgid mapping.
bug#55358: docker containers stopped when doing guix install or guix shell
Hi Maxim and Zimoun,

2023/02/09 13:26, Remco van 't Veer:

> I think I know what is causing the issue. Both the "standard" mysql and
> postgres containers use user-id 999 to run the database service (this
> seems like a common practice because the redis container is configured
> similarly). That user-id is also configured as guixbuilder01 so I guess
> the guix daemon is killing those processes when it finishes doing
> builds.

I found a solution / workaround for this problem by using
"userns-remap". This feature allows the remapping of uids and guids to
different ranges. I tried it by hacking the required files into my
etc-directory and it works; guix no longer kills my database containers.

I'd like to add this feature to docker-service-type having a new
configuration option named enable-userns-remap? which introduces a new
user and group (both named dockremap) to do the remapping by adding some
configurable number to the uids and guids of the running container. In
/etc/subuid and /etc/subgid it would look like:

  dockremap:10:65536

See https://docs.docker.com/engine/security/userns-remap/ for
documentation about this.

WDYT?

Cheers,
Remco

-- 
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=55358
bug#55358: docker containers stopped when doing guix install or guix shell
I think I know what is causing the issue. Both the "standard" mysql and
postgres containers use user-id 999 to run the database service (this
seems like a common practice because the redis container is configured
similarly). That user-id is also configured as guixbuilder01 so I guess
the guix daemon is killing those processes when it finishes doing
builds.

Does that make sense? If so, can guix daemon be fixed to be a tad more
gentle to the processes not spawned on its behalf?

2022/07/12 16:37, Remco van 't Veer:

> 2022/07/12 09:48, Maxim Cournoyer:
>
>> Hi,
>>
>> Remco van 't Veer writes:
>>
>>> On a Guix system host, some running docker containers are stopped when
>>> doing guix install or other guix operations like shell. I noticed this
>>> happening to mysql and postgres containers but an elasticsearch container
>>> just keeps running.
>>>
>>> Here's an example session:
>>>
>>> $ docker ps
>>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>>> $ docker run -d postgres:10.10
>>> ..
>>> 2b52ee072b1f5584cae597afb033cdcc0e560bbe9145b17b41502c204034e60b
>>> $ docker ps
>>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>>> 2b52ee072b1f   postgres:10.10   "docker-entrypoint.s…"   2 seconds ago   Up 1 seconds   5432/tcp   blah_blah
>>> $ guix shell xeyes -- xeyes
>>> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
>>> 0.0 MB will be downloaded
>>>  xeyes-1.1.2  11KiB  613KiB/s 00:00 [##] 100.0%
>>> The following derivation will be built:
>>>   /gnu/store/xc002hxl4g8mskqmpm0grsk8s45m91gz-profile.drv
>>>
>>> applying 4 grafts for xeyes-1.1.2 ...
>>> building CA certificate bundle...
>>> listing Emacs sub-directories...
>>> building fonts directory...
>>> building directory of Info manuals...
>>> building profile with 1 package...
>>> $ docker ps
>>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>>> $ exit
>>>
>>> First we see no docker containers are running, then we start postgres-10
>>> from docker hub, we see its container is running, then we do something
>>> using guix-shell on an application *not already available on this
>>> system*, and now the container died. This does not work the second time
>>> when the "derivation" is already "built".
>>
>> Are you still able to reproduce this using the new version of docker
>> packaged in Guix?
>
> Yes, same problem after a guix pull and guix system reconfigure just now.
>
> $ guix describe
> Generation 72   Jul 12 2022 16:11:38    (current)
>   guix 9173cb5
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: 9173cb522ddc4f31f21948cee3fb214fd67ef616
>
> Cheers,
> Remco
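The diagnosis above (a container service uid that coincides with a guixbuilder uid) and the userns-remap workaround proposed later in this thread both come down to uid arithmetic. The following script is an added example, not code from the bug thread, from Guix or from Docker: it parses passwd-style lines for guixbuilder accounts, reports containers whose service uid collides with one, and computes where a `/etc/subuid` entry such as `dockremap:10:65536` would place a container uid on the host. The passwd lines and the container uids are constructed sample data; the build users are given uids 999 and 998 only to mirror the host described in this report, and the `remap_uid` arithmetic follows the Docker documentation's description of the range (container uid 0 maps to the range start, uid N to start+N).

```python
"""Added example: detect uid collisions between container services and Guix
build users, and check what a userns-remap range does to them.

All sample data below is constructed for the example; nothing here comes from
the bug thread's host except the observation that guixbuilder01 had uid 999.
"""
import re

# Constructed /etc/passwd-style sample (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guixbuilder01:x:999:999:Guix build user 01:/var/empty:/run/current-system/profile/sbin/nologin
guixbuilder02:x:998:999:Guix build user 02:/var/empty:/run/current-system/profile/sbin/nologin
remco:x:1001:1001::/home/remco:/bin/sh
"""

# Constructed: the uid each container's service process runs as, as seen from
# inside the container (999 for the postgres/mysql images, per the thread).
SAMPLE_CONTAINER_UIDS = {"postgres": 999, "mysql": 999, "elasticsearch": 1000}


def parse_passwd(text):
    """Map uid -> username from passwd-format text, skipping blank/comment lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[int(fields[2])] = fields[0]
    return users


def build_user_uids(users, pattern=r"^guixbuilder\d+$"):
    """uids of the guix-daemon build users (guixbuilder01, guixbuilder02, ...)."""
    rx = re.compile(pattern)
    return {uid for uid, name in users.items() if rx.match(name)}


def find_collisions(container_uids, builder_uids):
    """Containers whose service uid equals a build-user uid.

    Without userns-remap the container uid *is* the host uid, so any process
    owned by such a uid is indistinguishable from a leftover build process.
    """
    return {name: uid for name, uid in container_uids.items() if uid in builder_uids}


def parse_subid_line(line):
    """Parse an /etc/subuid or /etc/subgid entry of the form name:start:count."""
    name, start, count = line.strip().split(":")
    start, count = int(start), int(count)
    if start < 0 or count <= 0:
        raise ValueError(f"invalid subid range: {line!r}")
    return name, start, count


def remap_uid(container_uid, start, count):
    """Host uid that a container uid gets under a userns-remap range."""
    if not 0 <= container_uid < count:
        raise ValueError(f"container uid {container_uid} outside range of {count} ids")
    return start + container_uid


def remapped_collisions(container_uids, builder_uids, start, count):
    """Collisions that remain after remapping: host uid landing on a build user."""
    result = {}
    for name, uid in container_uids.items():
        host_uid = remap_uid(uid, start, count)
        if host_uid in builder_uids:
            result[name] = host_uid
    return result


def range_overlaps(start, count, uids):
    """Host uids from `uids` that lie inside the remap range [start, start+count).

    Any of these can still be reached by some container uid, so a range whose
    start is below the build-user uids only moves the problem rather than
    removing it.
    """
    return sorted(u for u in uids if start <= u < start + count)


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    builders = build_user_uids(users)
    print("build-user uids:", sorted(builders))
    print("colliding containers:", find_collisions(SAMPLE_CONTAINER_UIDS, builders))
    _, start, count = parse_subid_line("dockremap:10:65536")
    print("after remap:", remapped_collisions(SAMPLE_CONTAINER_UIDS, builders, start, count))
    print("build-user uids inside remap range:", range_overlaps(start, count, builders))
```

With the thread's sample entry `dockremap:10:65536`, the postgres service uid 999 becomes host uid 1009 and no longer matches guixbuilder01, which is the effect the workaround relies on. The last check is the caveat: that range still contains host uids 998 and 999, so an image whose service ran as container uid 989 would land on host uid 999 again. Starting the subordinate range above every guixbuilder uid (or above the whole range the daemon allocates for them) avoids that.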
bug#55358: docker containers stopped when doing guix install or guix shell
2022/07/12 09:48, Maxim Cournoyer:

> Hi,
>
> Remco van 't Veer writes:
>
>> On a Guix system host, some running docker containers are stopped when
>> doing guix install or other guix operations like shell. I noticed this
>> happening to mysql and postgres containers but an elasticsearch container
>> just keeps running.
>>
>> Here's an example session:
>>
>> $ docker ps
>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>> $ docker run -d postgres:10.10
>> ..
>> 2b52ee072b1f5584cae597afb033cdcc0e560bbe9145b17b41502c204034e60b
>> $ docker ps
>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>> 2b52ee072b1f   postgres:10.10   "docker-entrypoint.s…"   2 seconds ago   Up 1 seconds   5432/tcp   blah_blah
>> $ guix shell xeyes -- xeyes
>> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
>> 0.0 MB will be downloaded
>>  xeyes-1.1.2  11KiB  613KiB/s 00:00 [##] 100.0%
>> The following derivation will be built:
>>   /gnu/store/xc002hxl4g8mskqmpm0grsk8s45m91gz-profile.drv
>>
>> applying 4 grafts for xeyes-1.1.2 ...
>> building CA certificate bundle...
>> listing Emacs sub-directories...
>> building fonts directory...
>> building directory of Info manuals...
>> building profile with 1 package...
>> $ docker ps
>> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
>> $ exit
>>
>> First we see no docker containers are running, then we start postgres-10
>> from docker hub, we see its container is running, then we do something
>> using guix-shell on an application *not already available on this
>> system*, and now the container died. This does not work the second time
>> when the "derivation" is already "built".
>
> Are you still able to reproduce this using the new version of docker
> packaged in Guix?

Yes, same problem after a guix pull and guix system reconfigure just now.

$ guix describe
Generation 72   Jul 12 2022 16:11:38    (current)
  guix 9173cb5
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 9173cb522ddc4f31f21948cee3fb214fd67ef616

Cheers,
Remco
bug#55358: docker containers stopped when doing guix install or guix shell
Hi,

Remco van 't Veer writes:

> On a Guix system host, some running docker containers are stopped when
> doing guix install or other guix operations like shell. I noticed this
> happening to mysql and postgres containers but an elasticsearch container
> just keeps running.
>
> Here's an example session:
>
> $ docker ps
> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
> $ docker run -d postgres:10.10
> ..
> 2b52ee072b1f5584cae597afb033cdcc0e560bbe9145b17b41502c204034e60b
> $ docker ps
> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
> 2b52ee072b1f   postgres:10.10   "docker-entrypoint.s…"   2 seconds ago   Up 1 seconds   5432/tcp   blah_blah
> $ guix shell xeyes -- xeyes
> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
> 0.0 MB will be downloaded
>  xeyes-1.1.2  11KiB  613KiB/s 00:00 [##] 100.0%
> The following derivation will be built:
>   /gnu/store/xc002hxl4g8mskqmpm0grsk8s45m91gz-profile.drv
>
> applying 4 grafts for xeyes-1.1.2 ...
> building CA certificate bundle...
> listing Emacs sub-directories...
> building fonts directory...
> building directory of Info manuals...
> building profile with 1 package...
> $ docker ps
> CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
> $ exit
>
> First we see no docker containers are running, then we start postgres-10
> from docker hub, we see its container is running, then we do something
> using guix-shell on an application *not already available on this
> system*, and now the container died. This does not work the second time
> when the "derivation" is already "built".

Are you still able to reproduce this using the new version of docker
packaged in Guix?

Thanks,

Maxim
bug#55358: docker containers stopped when doing guix install or guix shell
On a Guix system host, some running docker containers are stopped when
doing guix install or other guix operations like shell. I noticed this
happening to mysql and postgres containers but an elasticsearch container
just keeps running.

Here's an example session:

$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
$ docker run -d postgres:10.10
..
2b52ee072b1f5584cae597afb033cdcc0e560bbe9145b17b41502c204034e60b
$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
2b52ee072b1f   postgres:10.10   "docker-entrypoint.s…"   2 seconds ago   Up 1 seconds   5432/tcp   blah_blah
$ guix shell xeyes -- xeyes
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
0.0 MB will be downloaded
 xeyes-1.1.2  11KiB  613KiB/s 00:00 [##] 100.0%
The following derivation will be built:
  /gnu/store/xc002hxl4g8mskqmpm0grsk8s45m91gz-profile.drv

applying 4 grafts for xeyes-1.1.2 ...
building CA certificate bundle...
listing Emacs sub-directories...
building fonts directory...
building directory of Info manuals...
building profile with 1 package...
$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
$ exit

First we see no docker containers are running, then we start postgres-10
from docker hub, we see its container is running, then we do something
using guix-shell on an application *not already available on this
system*, and now the container died. This does not work the second time
when the "derivation" is already "built".

Cheers,
Remco