GNU bug report logs - #77578: [PATCH] tests: docker-system: Use only guix-daemon service.
To reply to this bug, email your comments to 77578 AT debbugs.gnu.org.
Report forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Sun, 06 Apr 2025 15:09:02 GMT)
Acknowledgement sent to Oleg Pykhalov <go.wigust <at> gmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 06 Apr 2025 15:09:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The test run-docker-system-test was hanging on:
(docker-cli "exec" container
"/run/current-system/profile/bin/herd"
"status")
This occurred because %test-docker-system specified more services than
gnu/system/examples/docker-image.tmpl, which may have caused conflicts or
unexpected behavior.
* gnu/tests/docker.scm (%test-docker-system): Simplify by using only the
guix-daemon service to prevent test hangs.
Change-Id: I2c3f7bc54fa6b5a802c8e16cba6ffae0cd09d4cc
---
gnu/tests/docker.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm
index 90c8d0f850..e528064c2b 100644
--- a/gnu/tests/docker.scm
+++ b/gnu/tests/docker.scm
@@ -26,6 +26,7 @@ (define-module (gnu tests docker)
#:use-module (gnu system image)
#:use-module (gnu system vm)
#:use-module (gnu services)
+ #:use-module (gnu services base)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services docker)
@@ -345,7 +346,9 @@ (define %test-docker-system
(inherit (simple-operating-system))
;; Use locales for a single libc to
;; reduce space requirements.
- (locale-libcs (list glibc)))
+ (locale-libcs (list glibc))
+ ;; Guix is all you need!
+ (services (list (service guix-service-type))))
#:type docker-image-type)))
run-docker-system-test)))))
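Review bot: the added `(services (list (service guix-service-type)))` field replaces the whole service list inherited from `(simple-operating-system)` instead of removing only the services that misbehave in the container, and the comment "Guix is all you need!" does not record why. Consider `modify-services` with one `delete` clause per problematic service, each with a comment naming the failure it avoids, so the test still exercises the rest of the default services.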
--
2.47.1
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Tue, 08 Apr 2025 15:32:01 GMT)
Message #8 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
> The test run-docker-system-test was hanging on:
>
> (docker-cli "exec" container
> "/run/current-system/profile/bin/herd"
> "status")
>
> This occurred because %test-docker-system specified more services than
> gnu/system/examples/docker-image.tmpl, which may have caused conflicts or
> unexpected behavior.
>
> * gnu/tests/docker.scm (%test-docker-system): Simplify by using only the
> guix-daemon service to prevent test hangs.
Hi! It’s not clear to me why ‘herd status’ was blocking in the first
place—it’s never supposed to happen. Do you have ideas?
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Wed, 16 Apr 2025 13:54:02 GMT)
Message #11 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Hi Ludovic,
Thank you for the review.
Ludovic Courtès <ludo <at> gnu.org> writes:
> Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
>
>> The test run-docker-system-test was hanging on:
>>
>> (docker-cli "exec" container
>> "/run/current-system/profile/bin/herd"
>> "status")
>>
>> This occurred because %test-docker-system specified more services than
>> gnu/system/examples/docker-image.tmpl, which may have caused conflicts or
>> unexpected behavior.
>>
>> * gnu/tests/docker.scm (%test-docker-system): Simplify by using only the
>> guix-daemon service to prevent test hangs.
>
> It’s not clear to me why ‘herd status’ was blocking in the first
> place—it’s never supposed to happen. Do you have ideas?
The docker create command creates a container with a limited set of
privileges by default. These default privileges are insufficient for
certain configuration tasks such as networking setup or hostname
configuration.
Guix inside the container attempts to configure networking itself,
whereas containerd and other container runtimes typically handle
networking internally or with the help of CNI (Container Network
Interface). I don’t think Guix should configure networking by default in
containers, as this is already managed by the runtime.
Adding the --privileged flag to docker create may allow the test to
pass; note that herd status will report a failure for the 'loopback'
service (though this is non-blocking and won't prevent the test from
passing).
Regards,
Oleg.
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Wed, 16 Apr 2025 16:25:12 GMT)
Message #14 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Hi Oleg,
Oleg Pykhalov <go.wigust <at> gmail.com> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
>>
>>> The test run-docker-system-test was hanging on:
>>>
>>> (docker-cli "exec" container
>>> "/run/current-system/profile/bin/herd"
>>> "status")
>>>
>>> This occurred because %test-docker-system specified more services than
>>> gnu/system/examples/docker-image.tmpl, which may have caused conflicts or
>>> unexpected behavior.
>>>
>>> * gnu/tests/docker.scm (%test-docker-system): Simplify by using only the
>>> guix-daemon service to prevent test hangs.
>>
>> It’s not clear to me why ‘herd status’ was blocking in the first
>> place—it’s never supposed to happen. Do you have ideas?
>
> The docker create command creates a container with a limited set of
> privileges by default. These default privileges are insufficient for
> certain configuration tasks such as networking setup or hostname
> configuration.
Oh I see. Then, what about changing the patch to (1) specifically
remove the one or two services that are problematic, and (2) have the
above in a comment?
Thanks for explaining,
Ludo’.
PS: Would be great to have support for CNI and all this!
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Fri, 18 Apr 2025 19:55:05 GMT)
Message #17 received at 77578 <at> debbugs.gnu.org (full text, mbox):
'run-docker-system-test' was hanging during execution of 'herd status' inside
a container. This occurred because '%test-docker-system' specified more
services than 'gnu/system/examples/docker-image.tmpl', which may have caused
conflicts or unexpected behavior.
* gnu/tests/docker.scm (%test-docker-system): Remove
static-networking-service-type, udev-service-type, urandom-seed-service-type,
shepherd-system-log-service-type. Add syslog-service-type.
Change-Id: I2c3f7bc54fa6b5a802c8e16cba6ffae0cd09d4cc
---
gnu/tests/docker.scm | 53 ++++++++++++++++++++++++++++++++++++++------
1 file changed, 46 insertions(+), 7 deletions(-)
diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm
index 90c8d0f850..3c3995c9b8 100644
--- a/gnu/tests/docker.scm
+++ b/gnu/tests/docker.scm
@@ -26,10 +26,13 @@ (define-module (gnu tests docker)
#:use-module (gnu system image)
#:use-module (gnu system vm)
#:use-module (gnu services)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services base)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services docker)
#:use-module (gnu services desktop)
+ #:use-module (gnu services shepherd)
#:use-module (gnu packages)
#:use-module ((gnu packages base) #:select (glibc))
#:use-module (gnu packages guile)
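Review bot: of the three modules added here, `(gnu services admin)` does not appear to be needed by the second hunk: the service types it names (`syslog-service-type`, `static-networking-service-type`, `udev-service-type`, `urandom-seed-service-type`) come from `(gnu services base)`, and `shepherd-system-log-service-type` comes from `(gnu services shepherd)`. Drop the import if nothing else in the file uses it.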
@@ -340,13 +343,49 @@ (define %test-docker-system
docker-image} inside Docker.")
(value (with-monad %store-monad
(>>= (lower-object
- (system-image (os->image
- (operating-system
- (inherit (simple-operating-system))
- ;; Use locales for a single libc to
- ;; reduce space requirements.
- (locale-libcs (list glibc)))
- #:type docker-image-type)))
+ (system-image
+ (os->image
+ (let ((os (simple-operating-system)))
+ (operating-system
+ (inherit os)
+ ;; Use locales for a single libc to
+ ;; reduce space requirements.
+ (locale-libcs (list glibc))
+ (services
+ (modify-services
+ (append
+ (operating-system-user-services os)
+ (list
+ (service syslog-service-type
+ (syslog-configuration
+ (extra-options
+ '("--rcfile=/etc/syslog.conf"
+ "--no-forward"
+ "--no-unixaf"
+ "--no-klog"))))))
+ ;; 'herd status' is unresponsive. Investigation
+ ;; needed to resolve before migrating from syslog
+ ;; logging.
+ (delete shepherd-system-log-service-type)
+
+ ;; Containers are created with limited privileges
+ ;; by default as a security measure. This
+ ;; restriction can prevent direct configuration of
+ ;; networking or hostname settings, which often
+ ;; require elevated permissions. Container runtimes
+ ;; typically manage these aspects using internal
+ ;; mechanisms and the CNI (Container Network
+ ;; Interface) standard, abstracting away much of
+ ;; the underlying network configuration.
+ (delete static-networking-service-type)
+
+ ;; Inside a container, the device tree is often
+ ;; limited and controlled by a container runtime.
+ (delete udev-service-type)
+ ;; Seeding urandom rely on devices that are not
+ ;; available inside the container.
+ (delete urandom-seed-service-type)))))
+ #:type docker-image-type)))
run-docker-system-test)))))
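Review bot: the comment above `(delete shepherd-system-log-service-type)` says only that 'herd status' is unresponsive and that investigation is needed, so the removal is a workaround with no recorded cause; pin the cause down or reference where it is tracked, and say why `syslog-service-type` with `--no-klog` is the replacement. Style: in the last comment "Seeding urandom rely on" should read "relies on", and the `udev-service-type` clause lacks the blank line that separates the other clauses.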
--
2.47.1
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Fri, 18 Apr 2025 19:55:08 GMT)
Message #20 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Addresses intermittent Docker test failures caused by timing issues where
container-related checks ran before the networking service was fully
initialized. A new "network is up" assertion has been added to explicitly
start and verify the 'networking' service using `marionette-eval`.
* gnu/tests/docker.scm (%test-docker-system): Add "network is up" test.
Change-Id: I0c761ae2ce2e7b398c8f35ea1faf50257193ccc5
---
gnu/tests/docker.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm
index 3c3995c9b8..540ac76877 100644
--- a/gnu/tests/docker.scm
+++ b/gnu/tests/docker.scm
@@ -252,6 +252,13 @@ (define marionette
(test-runner-current (system-test-runner #$output))
(test-begin "docker")
+ (test-assert "network is up"
+ (marionette-eval
+ '(begin
+ (use-modules (gnu services herd))
+ (start-service 'networking))
+ marionette))
+
(test-assert "containerd service running"
(marionette-eval
'(begin
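Review bot: the "network is up" assertion passes on the return value of `(start-service 'networking)` alone, so it shows that the service was started, not that an interface or route is usable, which is what the test name and the log message ("start and verify") claim. Either rename it (for example "networking service started") or add a check of the resulting network state inside the same `marionette-eval`.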
--
2.47.1
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Fri, 25 Apr 2025 17:15:02 GMT)
Message #23 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Hi,
Oleg Pykhalov <go.wigust <at> gmail.com> writes:
> 'run-docker-system-test' was hanging during execution of 'herd status' inside
> a container. This occurred because '%test-docker-system' specified more
> services than 'gnu/system/examples/docker-image.tmpl', which may have caused
> conflicts or unexpected behavior.
>
> * gnu/tests/docker.scm (%test-docker-system): Remove
> static-networking-service-type, udev-service-type, urandom-seed-service-type,
> shepherd-system-log-service-type. Add syslog-service-type.
>
> Change-Id: I2c3f7bc54fa6b5a802c8e16cba6ffae0cd09d4cc
> + (services
> + (modify-services
> + (append
> + (operating-system-user-services os)
> + (list
> + (service syslog-service-type
> + (syslog-configuration
> + (extra-options
> + '("--rcfile=/etc/syslog.conf"
> + "--no-forward"
> + "--no-unixaf"
> + "--no-klog"))))))
> + ;; 'herd status' is unresponsive. Investigation
> + ;; needed to resolve before migrating from syslog
> + ;; logging.
> + (delete shepherd-system-log-service-type)
I think that’s because by default ‘system-log-service’ tries to open
/proc/kmsg; it fails in the container, which causes ‘system-log’ to fail
to start, and then nothing starts.
The solution is to modify ‘shepherd-system-log-service-type’ to set
‘kernel-log-file’ to #f (similar to ‘--no-klog’ above).
> + ;; Containers are created with limited privileges
> + ;; by default as a security measure. This
> + ;; restriction can prevent direct configuration of
> + ;; networking or hostname settings, which often
> + ;; require elevated permissions. Container runtimes
> + ;; typically manage these aspects using internal
> + ;; mechanisms and the CNI (Container Network
> + ;; Interface) standard, abstracting away much of
> + ;; the underlying network configuration.
> + (delete static-networking-service-type)
> +
> + ;; Inside a container, the device tree is often
> + ;; limited and controlled by a container runtime.
> + (delete udev-service-type)
> + ;; Seeding urandom rely on devices that are not
> + ;; available inside the container.
> + (delete urandom-seed-service-type)))))
I realized that ‘containerized-operating-system’ already attempts to do
exactly that (it misses udev, urandom, and system-log handling though).
Should we use it here, adjusting it as needed?
Thank you, and apologies for the back-and-forth,
Ludo’.
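Added example, not part of the thread or of Guix: a shell check that decodes a CapEff mask (as shown in /proc/PID/status) and lists which capabilities are absent for the operations discussed above, namely network and hostname configuration (Oleg's explanation) and opening /proc/kmsg (the reply above). The function names are hypothetical and the two sample masks are constructed; the first is the mask commonly seen for Docker's default capability set.

```shell
#!/bin/sh
# Report which capabilities needed by the services discussed in this thread
# are absent from a CapEff mask taken from /proc/<pid>/status.

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12   # configuring interfaces and routes
CAP_SYS_ADMIN=21   # sethostname(2), mount(2)
CAP_SYSLOG=34      # opening /proc/kmsg

# has_cap HEXMASK BIT: exit status 0 when BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: print the space-separated names of absent capabilities.
missing_caps() {
    out=""
    for entry in NET_ADMIN:$CAP_NET_ADMIN SYS_ADMIN:$CAP_SYS_ADMIN SYSLOG:$CAP_SYSLOG; do
        name=${entry%%:*}
        bit=${entry##*:}
        has_cap "$1" "$bit" || out="$out${out:+ }$name"
    done
    printf '%s\n' "$out"
}

# current_capeff: print the effective capability mask of this process.
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample masks (assumptions, not taken from the thread).
DOCKER_DEFAULT=00000000a80425fb   # typical unprivileged "docker create"
PRIVILEGED=000001ffffffffff       # all 41 capabilities set

echo "default container missing:    $(missing_caps "$DOCKER_DEFAULT")"
echo "privileged container missing: $(missing_caps "$PRIVILEGED")"
if [ -r /proc/self/status ]; then
    echo "this process missing:         $(missing_caps "$(current_capeff)")"
fi
```

Run inside the container under test, the last line shows which of the three operations the init process there cannot perform without widening the container's privileges.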
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Tue, 06 May 2025 22:22:01 GMT)
Message #26 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Hi,
Ludovic Courtès <ludo <at> gnu.org> writes:
>> + (modify-services
>> + (append
>> + (operating-system-user-services os)
>> + (list
>> + (service syslog-service-type
>> + (syslog-configuration
>> + (extra-options
>> + '("--rcfile=/etc/syslog.conf"
>> + "--no-forward"
>> + "--no-unixaf"
>> + "--no-klog"))))))
>> + ;; 'herd status' is unresponsive. Investigation
>> + ;; needed to resolve before migrating from syslog
>> + ;; logging.
>> + (delete shepherd-system-log-service-type)
>
> I think that’s because by default ‘system-log-service’ tries to open
> /proc/kmsg; it fails in the container, which causes ‘system-log’ to fail
> to start, and then nothing starts.
>
> The solution is to modify ‘shepherd-system-log-service-type’ to set
> ‘kernel-log-file’ to #f (similar to ‘--no-klog’ above).
I also pushed a fix in the Shepherd (which will be in 1.0.5) where
‘system-log’ starts even if #:kernel-log-file is inaccessible:
https://git.savannah.gnu.org/cgit/shepherd.git/commit/?id=a54a503b01f9da4f6fb49d736dcf90da0fe51f1b
In the meantime, the solution I proposed above remains necessary.
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Mon, 02 Jun 2025 10:00:02 GMT)
Message #29 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Hi Oleg,
Ludovic Courtès <ludo <at> gnu.org> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>>> + (modify-services
>>> + (append
>>> + (operating-system-user-services os)
>>> + (list
>>> + (service syslog-service-type
>>> + (syslog-configuration
>>> + (extra-options
>>> + '("--rcfile=/etc/syslog.conf"
>>> + "--no-forward"
>>> + "--no-unixaf"
>>> + "--no-klog"))))))
>>> + ;; 'herd status' is unresponsive. Investigation
>>> + ;; needed to resolve before migrating from syslog
>>> + ;; logging.
>>> + (delete shepherd-system-log-service-type)
>>
>> I think that’s because by default ‘system-log-service’ tries to open
>> /proc/kmsg; it fails in the container, which causes ‘system-log’ to fail
>> to start, and then nothing starts.
>>
>> The solution is to modify ‘shepherd-system-log-service-type’ to set
>> ‘kernel-log-file’ to #f (similar to ‘--no-klog’ above).
>
> I also pushed a fix in the Shepherd (which will be in 1.0.5) where
> ‘system-log’ starts even if #:kernel-log-file is inaccessible:
>
> https://git.savannah.gnu.org/cgit/shepherd.git/commit/?id=a54a503b01f9da4f6fb49d736dcf90da0fe51f1b
Now that 1.0.5 is out, could we revisit this patch?
TIA,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Fri, 06 Jun 2025 20:17:02 GMT)
Message #32 received at 77578 <at> debbugs.gnu.org (full text, mbox):
These services aren't needed in containers since:
- udev requires device tree access controlled by the container runtime
- urandom-seed depends on udev service
* gnu/tests/docker.scm (%test-docker-system): Remove udev-service-type,
urandom-seed-service-type.
Change-Id: I2c3f7bc54fa6b5a802c8e16cba6ffae0cd09d4cc
Signed-off-by: Oleg Pykhalov <go.wigust <at> gmail.com>
---
gnu/tests/docker.scm | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm
index 90c8d0f850..84d604f8d3 100644
--- a/gnu/tests/docker.scm
+++ b/gnu/tests/docker.scm
@@ -26,10 +26,12 @@ (define-module (gnu tests docker)
#:use-module (gnu system image)
#:use-module (gnu system vm)
#:use-module (gnu services)
+ #:use-module (gnu services base)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services docker)
#:use-module (gnu services desktop)
+ #:use-module (gnu services shepherd)
#:use-module (gnu packages)
#:use-module ((gnu packages base) #:select (glibc))
#:use-module (gnu packages guile)
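Review bot: `(gnu services shepherd)` is imported here, but the second hunk of this version only deletes `udev-service-type` and `urandom-seed-service-type`, both from `(gnu services base)`; the import looks like a leftover from the previous revision's `shepherd-system-log-service-type` clause and can be dropped if nothing else uses it.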
@@ -340,13 +342,23 @@ (define %test-docker-system
docker-image} inside Docker.")
(value (with-monad %store-monad
(>>= (lower-object
- (system-image (os->image
- (operating-system
- (inherit (simple-operating-system))
- ;; Use locales for a single libc to
- ;; reduce space requirements.
- (locale-libcs (list glibc)))
- #:type docker-image-type)))
+ (system-image
+ (os->image
+ (let ((os (simple-operating-system)))
+ (operating-system
+ (inherit os)
+ ;; Use locales for a single libc to
+ ;; reduce space requirements.
+ (locale-libcs (list glibc))
+ (services
+ (modify-services (operating-system-user-services os)
+ ;; Inside a container, the device tree is often
+ ;; limited and controlled by a container runtime.
+ (delete udev-service-type)
+ ;; Seeding urandom rely on devices that are not
+ ;; available inside the container.
+ (delete urandom-seed-service-type)))))
+ #:type docker-image-type)))
run-docker-system-test)))))
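Review bot: the comments on the two `delete` clauses give a different reason from the log message: the log says urandom-seed "depends on udev service", while the comment says it relies on devices that are not available inside the container. State one reason in both places, and fix "Seeding urandom rely on" to "relies on".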
--
2.41.0
Information forwarded to guix-patches <at> gnu.org: bug#77578; Package guix-patches. (Fri, 06 Jun 2025 20:17:02 GMT)
Message #35 received at 77578 <at> debbugs.gnu.org (full text, mbox):
Addresses intermittent Docker test failures caused by timing issues where
container-related checks ran before the networking service was fully
initialized. A new "network is up" assertion has been added to explicitly
start and verify the 'networking' service using `marionette-eval`.
* gnu/tests/docker.scm (%test-docker-system): Add "network is up" test.
Change-Id: I0c761ae2ce2e7b398c8f35ea1faf50257193ccc5
Signed-off-by: Oleg Pykhalov <go.wigust <at> gmail.com>
---
gnu/tests/docker.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/tests/docker.scm b/gnu/tests/docker.scm
index 84d604f8d3..c8796e42bb 100644
--- a/gnu/tests/docker.scm
+++ b/gnu/tests/docker.scm
@@ -251,6 +251,13 @@ (define marionette
(test-runner-current (system-test-runner #$output))
(test-begin "docker")
+ (test-assert "network is up"
+ (marionette-eval
+ '(begin
+ (use-modules (gnu services herd))
+ (start-service 'networking))
+ marionette))
+
(test-assert "containerd service running"
(marionette-eval
'(begin
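Review bot: the log entry attributes this change to `%test-docker-system`, but the hunk sits at line 251 under the `(define marionette` context, inside the `(test-begin "docker")` group, while the `%test-docker-system` hunk of the previous patch is at line 342. Name the procedure that actually contains the new `test-assert` in the ChangeLog line.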
--
2.41.0
This bug report was last modified 72 days ago.