retitle 50916 Experimental `guix container PID program args` not working as expected
reassign 50916 guix
submitter 50916 Bonface Munyoki K.
severity 50916 normal
thanks

From: Bonface Munyoki K.
To: bug-guix@gnu.org
Subject: Experimental `guix container PID program args` not working as expected
Date: Thu, 30 Sep 2021 17:23:35 +0300

Hi Guix!

I've tried running a redis server in a container and interacting with
it from outside the container, as such:

--8<---------------cut here---------------start------------->8---
guix environment --ad-hoc --container redis coreutils
--8<---------------cut here---------------end--------------->8---

Thereby, when I get the PID of the above running process, I expect
that:

--8<---------------cut here---------------start------------->8---
guix container PID redis-server --version
--8<---------------cut here---------------end--------------->8---

to be the redis version from the container, which is *6.2.4*.
However, the command gets the underlying redis-server from the host--
an old Debian distribution-- which is at *3.2.6*.

In a bid to troubleshoot this, I have tried running:

--8<---------------cut here---------------start------------->8---
guix container PID /bin/sh
--8<---------------cut here---------------end--------------->8---

which returns a shell from /outside/ the container.  Also, I have
tried:

--8<---------------cut here---------------start------------->8---
guix environment --ad-hoc --container --link-profile
--8<---------------cut here---------------end--------------->8---

outside the $HOME directory, and then later:

--8<---------------cut here---------------start------------->8---
guix container PID echo $GUIX_ENVIRONMENT
--8<---------------cut here---------------end--------------->8---

with the expectation that $GUIX_ENVIRONMENT will output some path
from the store.  However, I get nothing.  Finally, I tried:

--8<---------------cut here---------------start------------->8---
guix container exec PID ps aux
--8<---------------cut here---------------end--------------->8---

to gain perspective of whether I see the processes from the host's or
container's perspective.  That command, at least on my end, clearly
shows that I am seeing things from the host's perspective.

This demonstrates that *guix container* as described in
https://guix.gnu.org/manual/en/html_node/Invoking-guix-container.html
does not execute from the container; and as such is a bug.

--
Bonface M. K.

From: kiasoc5
To: me@bonfacemunyoki.com, 50916@debbugs.gnu.org
Subject: bug#50916: Experimental `guix container PID program args` not working as expected
Date: Sat, 6 Aug 2022 19:56:29 +0000

This bug still persists and effectively bypasses container sandboxing:

1. Start a container shell.

$ guix shell --container

2. Exec a shell inside the container. Here it is a foreign distro's
bash, and assume that there is only 1 container running.

$ guix container exec $(pgrep --full 'guix shell --container') /bin/bash

3. Observe that path is not empty.

$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/bin

This shell can access commands outside the container, such as kill
(part of util-linux).

4. Kill the container from the shell inside the container.

[env] $ kill -9 $(pgrep --full 'guix shell --container')
[env] $ echo $?
0

The shell still persists in the container, even though the container
itself is killed.

The problem is that in guix/scripts/container/exec.scm, execlp is used
to launch program with args. info guile says this about execlp:

    Similar to ‘execl’, however if FILENAME does not contain a slash
    then the file to execute will be located by searching the
    directories listed in the ‘PATH’ environment variable.

As seen above $PATH is set to a subset of the host system's PATH, not
the PATH inside the guix container.
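
The following is an added example, not code from Guix or from either message in this thread: a C program that exercises the execlp PATH search quoted above. The stub `redis-server` scripts, the temporary directories and the names `make_stub` and `version_seen` are constructed for illustration; the two version strings are the ones from the original report.

```c
#define _GNU_SOURCE              /* declares mkdtemp() and setenv() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

char host_dir[] = "/tmp/host-XXXXXX", ctr_dir[] = "/tmp/ctr-XXXXXX"; /* constructed PATH dirs */
char host_bin[64], ctr_bin[64];

/* Create DIR/redis-server, a stub script that only prints VERSION. */
int make_stub(char *dir, char *bin, const char *version) {
    if (!mkdtemp(dir)) return -1;
    snprintf(bin, 64, "%s/redis-server", dir);
    FILE *f = fopen(bin, "w");
    if (!f) return -1;
    fprintf(f, "#!/bin/sh\necho %s\n", version);
    fclose(f);
    return chmod(bin, 0755);
}

/* Child sets PATH to PATH_VALUE, then execlp(NAME); returns its first output line. */
const char *version_seen(const char *path_value, const char *name) {
    static char out[64];
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        setenv("PATH", path_value, 1);
        execlp(name, name, "--version", (char *)NULL);
        _exit(127);              /* NAME was not found on PATH */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof out - 1);
    close(fds[0]); waitpid(pid, NULL, 0);
    out[n > 0 ? n : 0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    return out;
}

int main(void) {
    if (make_stub(host_dir, host_bin, "3.2.6") != 0) return 1;
    if (make_stub(ctr_dir, ctr_bin, "6.2.4") != 0) return 1;
    printf("host PATH:      %s\n", version_seen(host_dir, "redis-server"));
    printf("container PATH: %s\n", version_seen(ctr_dir, "redis-server"));
    return 0;
}
```

A name that contains a slash skips the search entirely, so `version_seen(host_dir, ctr_bin)` runs the second stub whatever PATH holds.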