• 82cb5abccd918e03@lemmygrad.ml · ↑ 3 · 5 months ago

    Would be pretty useful, as far as I know there is no way to change /etc/{subuid,subgid} in the system configuration without manually editing.

    Another annoyance with podman on guix is making / a shared mount doesn’t work so changes in mounts aren’t propagated.

    • fishinthecalculator (OP) · ↑ 3 · 5 months ago

      Would be pretty useful, as far as I know there is no way to change /etc/{subuid,subgid} in the system configuration without manually editing.

      Well I had to make one :) it is being tracked on https://issues.guix.gnu.org/72337 . You can define subuid and subgid ranges like so:

      (use-modules (gnu system shadow)     ;for 'subids-service-type'
                   (gnu system accounts))  ;for 'subid-range'
      
      (operating-system
        (services
          (list
            (simple-service 'alice-bob-subids
                            subids-service-type
                            (subids-extension
                              (subgids
                               (list
                                (subid-range (name "alice"))))
                              (subuids
                               (list
                                (subid-range (name "alice"))
                                (subid-range (name "bob")
                                             (start 100700)))))))))
      
      

      which would yield

      # cat /etc/subgid
      root:100000:65536
      alice:165536:65536
      
      
      # cat /etc/subuid
      root:100000:700
      bob:100700:65536
      alice:166236:65536
      

      Another annoyance with podman on guix is making / a shared mount doesn’t work so changes in mounts aren’t propagated.

      I think I solved that by using a Shepherd service run on boot calling mount --make-shared / . I didn’t do extensive testing of mounts but I’m currently using this on my systems as it’s set up in my personal channel. By adding the following to my own system config

      (use-modules (small-guix system accounts)
                   (small-guix services containers))
      
      (service iptables-service-type)
      (service rootless-podman-service-type
                     (rootless-podman-configuration
                      (subgids
                       (list (subid-range (name "alice"))))
                      (subuids
                       (list (subid-range (name "alice"))))))
      

      I’m able to run the following rootless Podman hello world

      $ podman run -it --rm docker.io/alpine cat /etc/*release*
      NAME="Alpine Linux"
      ID=alpine
      VERSION_ID=3.20.2
      PRETTY_NAME="Alpine Linux v3.20"
      HOME_URL="https://alpinelinux.org/"
      BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
      

      and with guix shell podman-compose I’m able to run this Podman compose hello world:

      $ mkdir data
      $ echo hello world > data/index.html
      $ podman compose up -d
      
      ...
      
      exit code: 0
      $ curl localhost:8080
      hello world
      

      So some kind of mount appears to work. Thank you for your feedback and feel free to try the service from my own channel if you are interested in providing more or in trying rootless podman on the Guix System.
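Because two users whose subordinate ranges overlap end up owning each other's container files on the host, the generated files are worth checking. The checker below is an added example, not code from the post or from the Guix service; it assumes only the standard `NAME:START:COUNT` line format of /etc/subuid and /etc/subgid, and its first sample is copied from the /etc/subuid output above.

```python
import re
from typing import List, Tuple

# Constructed sample: the /etc/subuid content shown in the post above.
SAMPLE_SUBUID = """\
root:100000:700
bob:100700:65536
alice:166236:65536
"""

# Constructed sample with a hand-made collision: alice's range starts inside bob's.
SAMPLE_SUBUID_BAD = """\
root:100000:700
bob:100700:65536
alice:150000:65536
"""

Range = Tuple[str, int, int]  # (owner, first id, number of ids)


def parse_subid(text: str) -> List[Range]:
    """Parse subuid/subgid lines of the form NAME:START:COUNT, skipping blanks and comments."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([^:\s]+):(\d+):(\d+)", line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        name, start, count = m.group(1), int(m.group(2)), int(m.group(3))
        if count == 0:
            raise ValueError(f"line {lineno}: zero-length range for {name}")
        ranges.append((name, start, count))
    return ranges


def find_overlaps(ranges: List[Range]) -> List[Tuple[str, str]]:
    """Return every pair of owners whose ranges share at least one id (pairwise check)."""
    overlaps = []
    for i, (a_name, a_start, a_count) in enumerate(ranges):
        for b_name, b_start, b_count in ranges[i + 1:]:
            if a_start < b_start + b_count and b_start < a_start + a_count:
                overlaps.append((a_name, b_name))
    return overlaps


def next_free_start(ranges: List[Range]) -> int:
    """First id above all allocated ranges: where a new user's range can go without colliding."""
    return max(start + count for _, start, count in ranges)
```

Running `find_overlaps(parse_subid(SAMPLE_SUBUID))` on the post's file returns no pairs, while the second sample reports the bob/alice collision.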

    • Doom4535@lemmy.sdf.org · ↑ 1 · 3 months ago

      For my non-guix (and foreign) systems I’ve switched to Podman, but for Guix System I’ve fallen back to Docker as I haven’t gotten up the time and courage to deviate too far from the documented/mainline approach so that I can use Podman; hopefully they’ll get some updates to address it.

  • Doom4535@lemmy.sdf.org · ↑ 1 · 3 months ago

    Have you considered reaching out to folks on the IRC for feedback? These issues look to have been open for a while, so the automated build farm has likely forgotten them; I’d love to have a mainlined approach for Podman

    • fishinthecalculator (OP) · ↑ 2 · 3 months ago (edited)

      I feel kind of bad about this but I refuse to join Guix IRC. I use the mailing list out of frustration, but these communication channels are the proof that Guix is not only a nice, useful and open project but was born a project for fossbro babyboomers. It is a golden walled garden for themselves, I don’t feel ok in that space.

      EDIT: I’ve answered a little emotionally. Let me clarify, I believe most Guix maintainers act out of good will and they want to find some communication platform which is inclusive for everyone (since it is clear also to rocks that IRC is good only for someone born before 1990, so it is good for people aged >= 35). Some of the maintainers, and some of the most noisy members of the community, make it so bad for everyone else but themselves that, having so much explicit and soft power, the discussion about moving away from communication protocols older than CDs was closed stating “everything is perfect as it is, we reach exactly the right set of people, we do not care about increasing the userbase or making the community more inclusive”.

      • Doom4535@lemmy.sdf.org · ↑ 1 · 3 months ago

        I’m not too bothered by the IRC, it is a bit annoying not being able to get messages/responses while away (unless you rig up something to stay connected). I haven’t tried the mailing lists yet (other than the ones used as part of the Guix patching process, which Guix does provide a nice UI for with issues.guix.gnu.org), but it was a real pain connecting git send-email as a first time user for the send-email part. There is supposedly some new tool called Mumi, but I haven’t tried it yet.

        I don’t see what you mean about the IRC being a walled garden? It did take a bit more work to connect than registering for Reddit, but I’d say it is comparable to the effort of joining Lemmy (but without the nice persistence of Lemmy). Another reason they might have for not wanting to add more communication channels is maintainer fatigue, every communication channel they officially add has to be watched by someone; and if all their maintainers are comfortable with something else, they will have to take time out of their day (with them already likely being volunteers) to monitor the new channel.

        • fishinthecalculator (OP) · ↑ 2 · 2 months ago

          I feel like IRC is yet another obstacle to newcomers, in addition to email based git flow, debbugs, guile stack traces and zero editor (or very early WIP) integration except for Emacs. This is literally vendor lock-in. I’ve been contributing for years and now I almost have no trouble, but it was painful and I don’t think it is fair to expect everyone to go through all this while with Nix you just need to open a PR.

          What is the point of building a completely free system, that does not try to extract value from users, and actually tries to emancipate them by offering a trusted computing ecosystem, if no one gets to enjoy it because you made it so inaccessible that people are not able to use it? I’m exaggerating but I think you get the point. Now with efforts like the survey it looks like a fresh breath of air just entered the project, and the situation with contributions is a little better than a couple of years ago. I really hope we can pull an effort to make the bar for using and contributing to Guix a little lower than it currently is. I am convinced that if we make some effort more people could liberate their computing environment with Guix.

          • Doom4535@lemmy.sdf.org · ↑ 1 · 2 months ago

            The email git flow could definitely be better and having the patch added as a regular patch file shouldn’t break things (setting up git send-email was surprisingly cumbersome with email security settings and such). Hopefully they are able to improve (like the normal industry git repos) or at least add a compatibility layer that makes their existing setup work with a web interface for managing commits (I’d like to close/merge two broken issues I made and either I don’t have permission for email commands or I don’t know the proper syntax, so now I’m waiting for them to just expire).