guix-devel

Re: [PATCH 14/15] scripts: environment: Add --container option.


From: Thompson, David
Subject: Re: [PATCH 14/15] scripts: environment: Add --container option.
Date: Sat, 5 Sep 2015 19:45:38 -0400

On Tue, Jul 7, 2015 at 10:35 AM, Ludovic Courtès <address@hidden> wrote:
> David Thompson <address@hidden> skribis:
>
>> * guix/scripts/environment.scm (show-help): Show help for new option.
>>   (%options): Add --container option.
>>   (launch-environment, launch-environment/container): New procedures.
>>   (guix-environment): Spawn new process in a container when requested.
>> * doc/guix.texi (Invoking guix environment): Document it.
>
> [...]
>
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -4191,6 +4191,15 @@ NumPy:
>>  guix environment --ad-hoc python2-numpy python-2.7 -E python
>>  @end example
>>
>> +Sometimes it is desirable to isolate the environment as much as
>> +possible, for maximal purity and reproducibility.
>
> + “In particular, when using Guix on a host distro that is not GuixSD,
>   it is desirable to prevent access to @file{/usr/bin} and other
>   system-wide resources from the development environment.”
>
>> +following command spawns a Guile REPL in a ``container'' where only the
>> +store and the current working directory are mounted:
>
> @cindex container
>
>> address@hidden --container
>> address@hidden -C
>> +Run command within an isolated container.  The current working directory
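Review bot: The `+Run command within an isolated container.` entry should spell out the boundary the option provides, since "isolated" on its own is easy to over-read: say that only the store and the current working directory are mounted (as the preceding paragraph does), that no root privileges on the host are needed, and that ‘id -u’ inside the container nevertheless reports 0, both points raised below in this thread; the minimal kernel requirements also asked for below belong here or in a cross-referenced node.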
>
> @var{command}
>
> Since this works without root privileges, what about adding a test in
> tests/guix-environment.sh?
>
> Basically something similar to one of the existing tests, but
> additionally checking from within the container that ‘id -u’ returns 0,
> that ‘$$’ is 2, and that files outside of $PWD are not in the container.

Still need to do this.

> Which reminds me: In a separate commit, it Would Be Nice to document our
> minimal kernel requirements for the container functionality.  Could you
> look into that?

Still need to do this, but...

I have a shiny new patch that adds --network, --share, and --expose
options.  Also, rather than bind-mounting the entire store, I figured
out how to bind-mount only the union of the closures of the inputs
like build daemon containers.  And finally, the original patch didn't
set up /bin/sh, which is of course terrible and broke tons of things, so
I've fixed that, too.

Now I can do things like build Guix from source inside a container, or
better replicate the build daemon's environment when debugging with
failed builds.  I hope that soon everyone will be able to enjoy this.
:)

- Dave

Attachment: 0001-scripts-environment-Add-container-option.patch
Description: Text Data
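The three container checks suggested above (‘id -u’ is 0 inside, ‘$$’ is 2, and files outside $PWD are not visible), written out as an added shell example in the spirit of tests/guix-environment.sh; it is not code from this thread or from the Guix repository. The runner prefix passed to the functions, the `--` separator, and the OUTSIDE_FILE path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Guix repository.  A runner prefix
# such as "guix environment --container --ad-hoc coreutils --" is assumed;
# the "--" separator is an assumption, not taken from the patch.

# A host file that lives outside $PWD and must not be visible in the container
# (assumed path; override via the environment).
OUTSIDE_FILE=${OUTSIDE_FILE:-/etc/hostname}

# POSIX sh probe executed inside the container.  It reports its uid, its own
# PID, and whether the path handed to it as $1 exists.
probe_script='
printf "uid=%s\n" "$(id -u)"
printf "pid=%s\n" "$$"
if [ -e "$1" ]; then echo "outside=present"; else echo "outside=absent"; fi
'

# run_probe RUNNER...: run the probe through RUNNER and print its output.
run_probe() {
    "$@" sh -c "$probe_script" probe "$OUTSIDE_FILE"
}

# verify_probe_output OUTPUT: return 0 only if all three properties hold:
# uid 0 inside, the shell is PID 2, and the outside file is absent.
# Whole-line matches (grep -x) avoid accepting e.g. "pid=23" for "pid=2".
verify_probe_output() {
    rc=0
    printf '%s\n' "$1" | grep -qx 'uid=0' \
        || { echo "FAIL: uid inside container is not 0" >&2; rc=1; }
    printf '%s\n' "$1" | grep -qx 'pid=2' \
        || { echo "FAIL: shell inside container is not PID 2" >&2; rc=1; }
    printf '%s\n' "$1" | grep -qx 'outside=absent' \
        || { echo "FAIL: $OUTSIDE_FILE is visible inside the container" >&2; rc=1; }
    return $rc
}

# check_container_isolation RUNNER...: run the probe and verify in one step.
check_container_isolation() {
    out=$(run_probe "$@") || { echo "FAIL: runner exited non-zero" >&2; return 1; }
    verify_probe_output "$out"
}
```

Running `check_container_isolation env` on the host (no container) is expected to fail, which is the point: the same probe that passes inside the container must not pass outside it.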

