[bug#52174,v2,1/6] gnu: add crun

* gnu/packages/containers.scm: new file
* gnu/local.mk: add containers.scm
---
 gnu/local.mk                |  1 +
 gnu/packages/containers.scm | 87 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 gnu/packages/containers.scm

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Timmy Douglas <mail@timmydouglas.com> skribis:
>
>> * gnu/packages/containers.scm: new file
>> * gnu/local.mk: add containers.scm
>
> [...]
>
>> +      (arguments
>> +       `(#:tests? #f
>
> Sorry for not noticing earlier: we try hard to run test suites, and only
> disable it as a last resort, with a comment explaining why.  Often, we
> disable specific tests that cannot run in the build environment (for
> instance because they assume network access) and run everything else.
>
> I had a quick go at running crun’s test suite, and there’s a number of
> failures, which is not reassuring.
>
> Could you investigate a bit with the goal of fixing any actual issues
> the test suite reveals and/or skipping individual tests that cannot be
> run?

are there some docs I could refer to on how Guix sandboxes the build?
I tried
https://guix.gnu.org/manual/en/html_node/Debugging-Build-Failures.html#Debugging-Build-Failures
but I think I need to go further than sourcing env vars.


I tried modifying `make check` phase to invoking `mount` to see if I
could poke around (which didn't exactly work in my quick attempt...)
because I'm not sure how to debug some of the issues. I suspect some are
due to the fs layout/mounts. Probably could figure it out with some more
time but thought it might be best to ask first.

With these changes I could get them to pass by manually `make check`ing
in the --keep-failed directory:

           (add-after 'unpack 'fix-tests
             (lambda _
               (substitute* (find-files "tests" "\\.(c|py)")
                 (("/bin/true") (which "true"))
                 (("/bin/false") (which "false"))
                 ; relies on sd_notify which requires systemd?
                 (("\"sd-notify\" : test_sd_notify,") "")
                 (("\"sd-notify-file\" : test_sd_notify_file,") "")))))))


from guix build:

============================================================================
Testsuite summary for crun UNKNOWN
============================================================================
# TOTAL: 73
# PASS:  9
# SKIP:  28
# XFAIL: 0
# FAIL:  36
# XPASS: 0
# ERROR: 0


from cd /tmp/guix-build-crun-1.3.drv-5/source && make check

============================================================================
Testsuite summary for crun UNKNOWN
============================================================================
# TOTAL: 73
# PASS:  40
# SKIP:  33
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0


> Nitpick: You can omit the trailing #t now (yay!).

great!

Hello,

Timmy Douglas <mail@timmydouglas.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Sorry for not noticing earlier: we try hard to run test suites, and only
>> disable it as a last resort, with a comment explaining why.  Often, we
>> disable specific tests that cannot run in the build environment (for
>> instance because they assume network access) and run everything else.
>>
>> I had a quick go at running crun’s test suite, and there’s a number of
>> failures, which is not reassuring.
>>
>> Could you investigate a bit with the goal of fixing any actual issues
>> the test suite reveals and/or skipping individual tests that cannot be
>> run?
>
> are there some docs I could refer to on how Guix sandboxes the build?
> I tried
> https://guix.gnu.org/manual/en/html_node/Debugging-Build-Failures.html#Debugging-Build-Failures
> but I think I need to go further than sourcing env vars.

Pretty much all the tricks are there.

There’s also info on what’s visible in the build environment here:

  https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html

> I tried modifying `make check` phase to invoking `mount` to see if I
> could poke around (which didn't exactly work in my quick attempt...)
> because I'm not sure how to debug some of the issues. I suspect some are
> due to the fs layout/mounts. Probably could figure it out with some more
> time but thought it might be best to ask first.
>
> With these changes I could get them to pass by manually `make check`ing
> in the --keep-failed directory:
>
>            (add-after 'unpack 'fix-tests
>              (lambda _
>                (substitute* (find-files "tests" "\\.(c|py)")
>                  (("/bin/true") (which "true"))
>                  (("/bin/false") (which "false"))
>                  ; relies on sd_notify which requires systemd?
>                  (("\"sd-notify\" : test_sd_notify,") "")
>                  (("\"sd-notify-file\" : test_sd_notify_file,") "")))))))
>
>
> from guix build:
>
> ============================================================================
> Testsuite summary for crun UNKNOWN
> ============================================================================
> # TOTAL: 73
> # PASS:  9
> # SKIP:  28
> # XFAIL: 0
> # FAIL:  36
> # XPASS: 0
> # ERROR: 0

There are 36 failures though; does ‘test-suite.log’ show more details?

Thanks,
Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

>> from guix build:
>>
>> ============================================================================
>> Testsuite summary for crun UNKNOWN
>> ============================================================================
>> # TOTAL: 73
>> # PASS:  9
>> # SKIP:  28
>> # XFAIL: 0
>> # FAIL:  36
>> # XPASS: 0
>> # ERROR: 0
>
> There are 36 failures though; does ‘test-suite.log’ show more details?

Maybe my original reply wasn't clear--they all pass when I cd into the
tmp (--keep-failed) directory and run them manually. They fail when the builder runs
them. I think I put the reasons in the v3 patch. For crun, it's because
it needs the /sys/fs/cgroup mount which doesn't seem to be there for the
builder. For the others, it's a similar situation--off the top of my
head, they were either missing that mount or a /dev device.

Hi,

Timmy Douglas <mail@timmydouglas.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>>> from guix build:
>>>
>>> ============================================================================
>>> Testsuite summary for crun UNKNOWN
>>> ============================================================================
>>> # TOTAL: 73
>>> # PASS:  9
>>> # SKIP:  28
>>> # XFAIL: 0
>>> # FAIL:  36
>>> # XPASS: 0
>>> # ERROR: 0
>>
>> There are 36 failures though; does ‘test-suite.log’ show more details?
>
> Maybe my original reply wasn't clear--they all pass when I cd into the
> tmp (--keep-failed) directory and run them manually. They fail when the builder runs
> them. I think I put the reasons in the v3 patch. For crun, it's because
> it needs the /sys/fs/cgroup mount which doesn't seem to be there for the
> builder. For the others, it's a similar situation--off the top of my
> head, they were either missing that mount or a /dev device.

Oh I see.  I pushed v3 as 637dec9d45db4df2a3e6aa565fa2c5cf6bb77768 with
minor tweaks (long lines and one or two synopses/descriptions tweaked.)

IWBN to see if we can still run those tests somehow, or at least the
subset of them that doesn’t rely on /sys/fs/cgroup.  I’d argue that the
test harness should automatically skip tests that cannot be run; perhaps
worth raising upstream?

Thanks!

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
>> Timmy Douglas <mail@timmydouglas.com> skribis:
>>
>> Maybe my original reply wasn't clear--they all pass when I cd into the
>> tmp (--keep-failed) directory and run them manually. They fail when the builder runs
>> them. I think I put the reasons in the v3 patch. For crun, it's because
>> it needs the /sys/fs/cgroup mount which doesn't seem to be there for the
>> builder. For the others, it's a similar situation--off the top of my
>> head, they were either missing that mount or a /dev device.
>
> Oh I see.  I pushed v3 as 637dec9d45db4df2a3e6aa565fa2c5cf6bb77768 with
> minor tweaks (long lines and one or two synopses/descriptions tweaked.)

thanks for the help Ludo!

> IWBN to see if we can still run those tests somehow, or at least the
> subset of them that doesn’t rely on /sys/fs/cgroup.  I’d argue that the
> test harness should automatically skip tests that cannot be run; perhaps
> worth raising upstream?

I'd like to get the tests to run also, but the builder sandbox appears
to be blocking some pretty major functionality that the tests would rely
on.

I think pretty much all of the container/crun ones would rely on the
cgroup mount because that's the kernel interface into the container
APIs... Is there some way that guix and the builder could eventually
expose those by default? I don't know how receptive upstream would be
towards an ask to run container tests with the container interface
disabled?

For the networking ones that fail, they try to use /dev/net/tun. Like
the cgroup one, I assume this is a kernel interface needed to perform
network operations. I guess the builders disable this as a part of the
network disabling stuff because the tests pass outside of the builder
sandbox.

The cni-plugins (cni=container network interface) use /var/run to mount
network namespaces. /var/run is present on my machine but I don't think
it exists inside the builder sandbox. The actual directory used can be
set with XDG_RUNTIME_DIR, but it appears the code still checks the
ownership of /var/run to see if it's running in a user namespace:
https://github.com/containernetworking/plugins/blob/2c46a726805bcf13e2f78580c57b21e9de107285/pkg/testutils/netns_linux.go

Hello,

Timmy Douglas <mail@timmydouglas.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> IWBN to see if we can still run those tests somehow, or at least the
>> subset of them that doesn’t rely on /sys/fs/cgroup.  I’d argue that the
>> test harness should automatically skip tests that cannot be run; perhaps
>> worth raising upstream?
>
> I'd like to get the tests to run also, but the builder sandbox appears
> to be blocking some pretty major functionality that the tests would rely
> on.
>
> I think pretty much all of the container/crun ones would rely on the
> cgroup mount because that's the kernel interface into the container
> APIs... Is there some way that guix and the builder could eventually
> expose those by default? I don't know how receptive upstream would be
> towards an ask to run container tests with the container interface
> disabled?

The daemon probably won’t expose those; we’re rather conservative into
what to expose and how to change it because changes could break
bit-reproducible builds in unexpected ways.

I understand many/most tests require cgroups, I’m just wondering if we
can run at least those that don’t require it.  Perhaps we’re talking
about a very limited number of tests, in which case it’s moot, I don’t
know.

> For the networking ones that fail, they try to use /dev/net/tun. Like
> the cgroup one, I assume this is a kernel interface needed to perform
> network operations. I guess the builders disable this as a part of the
> network disabling stuff because the tests pass outside of the builder
> sandbox.

Yeah.

> The cni-plugins (cni=container network interface) use /var/run to mount
> network namespaces. /var/run is present on my machine but I don't think
> it exists inside the builder sandbox. The actual directory used can be
> set with XDG_RUNTIME_DIR, but it appears the code still checks the
> ownership of /var/run to see if it's running in a user namespace:
> https://github.com/containernetworking/plugins/blob/2c46a726805bcf13e2f78580c57b21e9de107285/pkg/testutils/netns_linux.go

Hmm OK.  So yeah, maybe there’s nothing we can do here.

Thanks for your feedback,
Ludo’.