
Re: [PATCH 14/15] scripts: environment: Add --container option.


From: Ludovic Courtès
Subject: Re: [PATCH 14/15] scripts: environment: Add --container option.
Date: Tue, 07 Jul 2015 16:35:45 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

David Thompson <address@hidden> writes:

> * guix/scripts/enviroment.scm (show-help): Show help for new option.
>   (%options): Add --container option.
>   (launch-environment, launch-environment/container): New procedures.
>   (guix-environment): Spawn new process in a container when requested.
> * doc/guix.texi (Invoking guix environment): Document it.

[...]

> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -4191,6 +4191,15 @@ NumPy:
>  guix environment --ad-hoc python2-numpy python-2.7 -E python
>  @end example
>  
> +Sometimes it is desirable to isolate the environment as much as
> +possible, for maximal purity and reproducibility.

+ “In particular, when using Guix on a host distro that is not GuixSD,
  it is desirable to prevent access to @file{/usr/bin} and other
  system-wide resources from the development environment.”

> +following command spawns a Guile REPL in a ``container'' where only the
> +store and the current working directory are mounted:

@cindex container

> address@hidden --container
> address@hidden -C
> +Run command within an isolated container.  The current working directory
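Review bot: the @item --container description at the end of this hunk ("Run command within an isolated container") says what is mounted into the container but not what "isolated" covers: a mount namespace only, or also PID, user and network namespaces. The test proposed below expects ‘id -u’ to print 0 and ‘$$’ to be 2 inside a container that is created without root privileges, so the manual should spell out which namespaces are unshared and what uid 0 inside the container corresponds to on the host, otherwise readers may take it for real root. Suggest one sentence after "Run command within an isolated container." listing the namespaces involved.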

@var{command}

Since this works without root privileges, what about adding a test in
tests/guix-environment.sh?

Basically something similar to one of the existing tests, but
additionally checking from within the container that ‘id -u’ returns 0,
that ‘$$’ is 2, and that files outside of $PWD are not in the container.

Which reminds me: In a separate commit, it Would Be Nice to document our
minimal kernel requirements for the container functionality.  Could you
look into that?

Thank you!

Ludo’.
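The test asked for above, written out as an added example in the style of a shell check; it is not code from the patch or from the Guix repository. It assumes that `-E` runs its argument through a shell (the quoted manual only shows `-E python`), that `--ad-hoc coreutils` makes `id` available inside the container, and it creates its own marker file to play the role of a "file outside $PWD".

```sh
#!/bin/sh
# Added example, not from the patch or from tests/guix-environment.sh: a
# sketch of the container test requested in the review.  Assumptions:
# `guix environment -E CMD` runs CMD through a shell, and `--ad-hoc
# coreutils` provides `id` inside the container.
set -e

# Build the shell snippet that runs *inside* the container.  It prints
# three fields: the uid, the shell's PID, and whether the marker file (a
# path outside $PWD on the host) is visible.  The marker path is baked in
# at build time because environment variables are not assumed to cross
# into the container.
make_probe () {
  printf '%s' "printf '%s %s %s\\n' \"\$(id -u)\" \"\$\$\" \"\$(if test -e '$1'; then echo present; else echo absent; fi)\""
}

# Pure check over the probe's three fields, mirroring the review: uid 0,
# PID 2, and the outside file absent.  Kept separate from the container
# launch so it can be exercised without one.
check_isolation () {
  [ "$1" = 0 ] && [ "$2" = 2 ] && [ "$3" = absent ]
}

# Driver: only meaningful where guix is installed; skipped otherwise.
run_container_test () {
  outside=$(mktemp)          # marker file outside the test's $PWD
  workdir=$(mktemp -d)
  cd "$workdir"
  set -- $(guix environment --container --ad-hoc coreutils -E "$(make_probe "$outside")")
  rm -f "$outside"
  check_isolation "$1" "$2" "$3"
}

if command -v guix >/dev/null 2>&1; then
  run_container_test && echo "container isolation checks passed"
fi
```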


