| 19 Mar 2025 |
 ElvishJerricco | and it's really weird because you wouldn't need mountfsd (and the authentication craziness it entails) if you did directory based containers | 10:10:22 |
 steveej | maybe the systemd folks are open to implementing the gap. i'd be surprised as there doesn't seem to be much demand for systemd-nspawn in general | 10:14:53 |
| ElvishJerricco | systemd-nspawn and systemd-vmspawn were designed first and foremost as tools to test an OS with, not so much a proper containerization / virtualization framework | 10:16:16 |
| ElvishJerricco | of course nspawn has evolved a lot since | 10:16:37 |
| ElvishJerricco | But yea I don't really understand why directory based nspawn isn't possible unprivileged. That really does seem like the easier thing to do unprivileged | 10:17:46 |
| ElvishJerricco | so I bet it just wasn't the priority of whoever implemented unprivileged operation so they didn't do it | 10:18:08 |
 magic_rb | Wouldnt it be better to just use runc for this? I do use nspawn but like, runc exists | 10:18:48 |
| ElvishJerricco | well, if you wanna rewrite the nixos containers system with runc then be my guest :) | 10:19:42 |
| magic_rb | :) might try tbh, when i finish my bachelor. I do kind of want a better system which would be declarative but not really. (Split the eval into parts but make sure everything updates in tandem) | 10:20:46 |
| steveej | i'm up for integrating a rust-based container runtime with nixos-containers, just in case i had to change something about it. | 10:21:14 |
| magic_rb | I dont think it would need any actual programming, if we were to bolt runc on the bottom | 10:21:49 |
| magic_rb | Just a healthy amount of nix and maybe some bash | 10:21:56 |
| magic_rb | Ill try to retarget my ucontainer thing i use to run NixNG containers on top of runc first tho | 10:22:30 |
| ElvishJerricco | do other container systems integrate as nicely with systemd as nspawn does? e.g. nspawn will use sd_notify to signal when the container is ready, so that you can order units after container@foo.service and have that mean the right thing | 10:24:37 |
| ElvishJerricco | or systemctl status container@foo.service shows you the unit hierarchy of the container | 10:24:51 |
 @lotte:chir.rs | In reply to @elvishjerricco:matrix.org
do other container systems integrate as nicely with systemd as nspawn does? e.g. nspawn will use sd_notify to signal when the container is ready, so that you can order units after container@foo.service and have that mean the right thing OH | 10:25:14 |
| @lotte:chir.rs | i was confused on that front | 10:25:29 |
| @lotte:chir.rs | i was wondering how to depend on container@postgres.service and actually have another service/container start when postgres is ready? | 10:25:57 |
| magic_rb | In reply to @elvishjerricco:matrix.org
do other container systems integrate as nicely with systemd as nspawn does? e.g. nspawn will use sd_notify to signal when the container is ready, so that you can order units after container@foo.service and have that mean the right thing Not really i guess, but its not impossible to get working. You can use SDNOTIFY the socket from within the container to signal ready when you reach multi-user.target manually | 10:26:13 |
| magic_rb | I had to script that for NixNG as its not running systemd so systemd wont do it itself | 10:26:30 |
| ElvishJerricco | I think it'll signal that it's started when default.target is reached | 10:26:38 |
| magic_rb | Also i think systemd on the inside doesnt care at all about the outside runtime. Itll signal ready if it sees the socket, so it might just work | 10:26:53 |
| magic_rb | I seem to recall that from reading the code | 10:27:06 |
| ElvishJerricco | neat | 10:27:14 |
| @lotte:chir.rs | which like i didn’t see much documentation on this so i thought this was simply unsupported | 10:27:25 |
| magic_rb | Ill try with runc, will add it to my infinite list of side projects | 10:27:36 |
| @lotte:chir.rs | even though, honestly, kinda important | 10:27:36 |
| ElvishJerricco | yea it wouldn't surprise me if systemd just knows how to do this stuff implicitly and nspawn isn't actually doing anything special | 10:27:43 |
| magic_rb | There might be quirks if we go for rootless, but nothing that couldnt be solved | 10:28:07 |
| steveej | what i really like about systemd-nspawn is the integration with machinectl and journalctl -M and journalctl -m | 10:36:35 |
