help-guix

Docker image format with services


From: Jack Hill
Subject: Docker image format with services
Date: Tue, 18 Apr 2023 15:49:23 -0400 (EDT)
User-agent: Alpine 2.21 (DEB 202 2017-01-01)

Hi Guix,

I have a need to build some Docker images (well, really OCI-compliant images) to run some service on computing systems that I don't manage. I thought I would use `guix system image` to build these images. In order to get a feel for it, I'm testing it out with the docker service running on my Guix System (commit 50dd91bc30634c75c0001cfd38bbcc2fbbeb894e).

So far, I've created an image from this file with `guix system image filename.scm`:

```
(use-modules (gnu)
             (gnu image)
             (gnu system image))
(use-service-modules databases ssh)
(use-package-modules databases linux)

(define container-os
  (operating-system
   (host-name "container")
   (timezone "America/New_York")
   (kernel linux-libre)
   (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (targets '("/dev/sdX"))))
   (file-systems '())
   (packages %base-packages)
   (users (cons* (user-account
                  (name "jackhill")
                  (comment "Jack Hill")
                  (group "users")
                  (supplementary-groups '("wheel" )))
                 %base-user-accounts))
   (services
    (cons* (service openssh-service-type
                    (openssh-configuration
                     (port-number 2222)
                     (password-authentication? #f)
                     (authorized-keys
                      `(("jackhill" ,(local-file "/home/jackhill/.ssh/id_ed25519.pub"))))))
           (service postgresql-service-type
                    (postgresql-configuration
                     (postgresql postgresql-14)
                     (config-file
                      (postgresql-config-file
                       (log-destination "stderr")
                       (hba-file
                        (plain-file "pg_hba.conf"
                                    "
local all all trust
host all all 172.17.0.1/32 trust"))
                       (extra-config
                        '(("listen_addresses" "*")
                          ("log_directory"    "/var/log/postgresql")))))))
           (service postgresql-role-service-type
                    (postgresql-role-configuration
                     (roles
                      (list (postgresql-role
                             (name "test")
                             (create-database? #t))))))
           %base-services))))

(define container-image
  (image
   (format 'docker)
   (operating-system container-os)
   (shared-network? #t)))

container-image
```

I then load that into docker: `docker load < /gnu/store/…tar.gz`, and run it with `docker run guix`.

So far, so good. However, ssh-daemon and postgres don't start. If I then get a shell in the running container with `docker exec -ti … /bin/sh`, I can see that `herd status` reports that those services are stopped. Trying to start either service fails:

```
sh-5.1# herd start ssh-daemon
herd: exception caught while executing 'start' on service 'loopback':
Throw to key `%exception' with args `("#<&netlink-response-error errno: 1>")'.
sh-5.1# herd start postgres
herd: exception caught while executing 'start' on service 'loopback':
Throw to key `%exception' with args `("#<&netlink-response-error errno: 1>")'.
```

What's going on here? Is this a disagreement between shepherd and docker about who's in charge of the networking? What's the right way to create a docker system image that can run services?

Or, alternatively, is system image the way to go here? I haven't yet explored running these services from a `guix pack` produced image, but I suppose that could work as well?

Thanks!
Jack

