"Thompson, David" <dthomps...@worcester.edu> skribis:

> On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <l...@gnu.org> wrote:

[...]

>> I tried adding this dummy service:
>>
>>   (define (bash-service)
>>     (with-monad %store-monad
>>       (return (service
>>                (documentation "Run Bash from PID 1.")
>>                (provision '(shell))
>>                (start #~(make-forkexec-constructor
>>                          (string-append #$bash "/bin/bash")))
>>                (stop #~(make-kill-destructor))
>>                (respawn? #t)))))
>>
>> ... but it dies for some reason.  So no shell prompt.
>
> I wouldn't expect that to work because bash isn't actually run in your
> tty.  To create an interactive environment within the container (or
> run any arbitrary program), we need a tool that calls setns() with
> open file descriptors for all of the container's namespaces and then
> exec() the desired command.  I threw together a tool to do this
> quickly, but for some reason joining the mount namespace fails with
> EINVAL.  I have no idea why.  Joining the IPC, UTS, PID, and network
> namespaces isn't a problem.  Enlightenment needed!

Oh, I see.  setns(2) specifies 6 reasons for EINVAL...

>> Until there’s a daemon to keep track of containers, “guix system
>> container” could return the PID of the container’s PID 1, to make it
>> easier to kill it later?
>
> I'm actually unsure how to acquire the PID of the container's init
> process since I clone and exec.  Any ideas?

Isn’t it the return value of ‘clone’?

>> It’s a shame that only CLONE_NEWUSER is available to non-root users.  I
>> wonder what the rationale was.  AIUI, Docker’s daemon performs clone(2)
>> on behalf of clients, right?
>
> Yeah, our daemon would do the same thing.  We could maybe even have a
> little Guile library that allows one to evaluate arbitrary Scheme code
> from within the container. :)

Definitely.

Another application I’ve always wanted is a least-authority shell, like
Plash [0].

(Speaking of which, I just found Shill [1], which seems similar to Plash
and even has a to-do item regarding package management [2] and is
written in Racket; unfortunately it runs on FreeBSD, for Capsicum.)

Thanks,
Ludo’.

[0] http://plash.beasts.org/contents.html
[1] http://shill.seas.harvard.edu/
[2] http://shill.seas.harvard.edu/projects.html
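The setns()-then-exec() tool David describes, plus Ludo's point that the container init's PID is what clone(2) returns to the launcher, as an added C example written for this thread. It is not the Guix tool from the discussion (Guix's own code is Scheme; C is used here because the behaviour of interest is the Linux syscalls themselves). It assumes a container already running on the host, its init PID known from clone(), and root privileges. The names ns_path, open_ns_fds and join_and_exec are this example's own. Three details a practitioner wants that the paragraph does not state: every /proc/<pid>/ns file is opened before any namespace is joined and the mount namespace is joined last, because joining it moves the caller's root and cwd into the container; setns(CLONE_NEWPID) only applies to children of the caller, so the command is exec'd from a fork; and the kernel answers a mount-namespace setns() with EINVAL when the caller shares its filesystem state (CLONE_FS) with another task, which is the case for any multithreaded process.

```c
/* ns-join.c: join an existing container's namespaces and run a command
 * there.  Added example, not Guix's own tool.
 * Build:  cc -Wall -o ns-join ns-join.c
 * Run (as root, on the host):  ./ns-join <init-pid> /bin/bash
 */
#define _GNU_SOURCE             /* setns(2) and CLONE_NEW* from <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case libc headers were read before _GNU_SOURCE took effect
 * (these are the Linux uapi values). */
#ifndef CLONE_NEWNS
#  define CLONE_NEWNS  0x00020000
#  define CLONE_NEWUTS 0x04000000
#  define CLONE_NEWIPC 0x08000000
#  define CLONE_NEWPID 0x20000000
#  define CLONE_NEWNET 0x40000000
#endif
int setns(int fd, int nstype);

/* Namespaces to join, in this order.  "mnt" is last on purpose: joining
 * it changes the caller's root and cwd, so the host's /proc/<pid>/ns
 * files must all be open before it happens (open_ns_fds does that). */
static const struct { const char *name; int flag; } ns_list[] = {
    { "ipc", CLONE_NEWIPC },
    { "uts", CLONE_NEWUTS },
    { "net", CLONE_NEWNET },
    { "pid", CLONE_NEWPID },
    { "mnt", CLONE_NEWNS  },
};
#define NS_COUNT (sizeof ns_list / sizeof ns_list[0])

/* Write "/proc/<pid>/ns/<name>" into buf; return its length or -1. */
int ns_path(char *buf, size_t len, pid_t pid, const char *name)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long) pid, name);
    return (n < 0 || (size_t) n >= len) ? -1 : n;
}

/* Open every namespace file of PID before joining any of them.
 * Returns 0, or -1 with errno set and no descriptor left open. */
int open_ns_fds(pid_t pid, int fds[])
{
    char path[64];
    for (size_t i = 0; i < NS_COUNT; i++) {
        if (ns_path(path, sizeof path, pid, ns_list[i].name) < 0) {
            errno = ENAMETOOLONG;
            fds[i] = -1;
        } else {
            fds[i] = open(path, O_RDONLY | O_CLOEXEC);
        }
        if (fds[i] < 0) {
            int saved = errno;
            while (i-- > 0)
                close(fds[i]);
            errno = saved;
            return -1;
        }
    }
    return 0;
}

/* Join all of PID's namespaces, run ARGV inside them, return its exit
 * status (or -1).  setns(CLONE_NEWPID) only affects *children* of the
 * caller, hence the fork before exec.  Caveat: the mount-namespace join
 * fails with EINVAL if this process shares CLONE_FS state with another
 * task, i.e. if it is multithreaded; keep the tool single-threaded. */
int join_and_exec(pid_t pid, char *const argv[])
{
    int fds[NS_COUNT];
    if (open_ns_fds(pid, fds) < 0) {
        perror("open /proc/<pid>/ns/*");
        return -1;
    }
    for (size_t i = 0; i < NS_COUNT; i++) {
        if (setns(fds[i], ns_list[i].flag) < 0) {
            fprintf(stderr, "setns(%s): %s\n", ns_list[i].name, strerror(errno));
            return -1;
        }
        close(fds[i]);
    }
    pid_t child = fork();
    if (child < 0) { perror("fork"); return -1; }
    if (child == 0) {
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <init-pid> <command> [args...]\n", argv[0]);
        return 2;
    }
    /* <init-pid> is the container's init as numbered in the *host* PID
     * namespace: exactly the value clone(2) returned to the launcher.
     * Inside the container that same process is PID 1, which is why the
     * launcher has to record the clone() result rather than ask the container. */
    return join_and_exec((pid_t) strtol(argv[1], NULL, 10), argv + 2);
}
```

A launcher that does clone(CLONE_NEWNS | CLONE_NEWPID | ...) followed by exec in the child therefore only needs to print or store the PID clone() handed back; that number is what both kill(2) on the host and this joiner take. The ordering and single-thread constraints above are kernel facts that apply to any setns()-based joiner, whatever language it is written in.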