guix-devel

Re: Generating wrappers for execution in non-root non-Guix contexts


From: Ricardo Wurmus
Subject: Re: Generating wrappers for execution in non-root non-Guix contexts
Date: Thu, 26 Apr 2018 15:39:21 +0200
User-agent: mu4e 1.0; emacs 25.3.1

Hi Ludo,

> The hack below allows ‘guix pack’ to produce wrappers that allow,
> through user namespaces, programs to automatically relocate themselves
> when you run them unprivileged on a machine that lacks Guix.

This is very cool and very useful!  It would make “guix pack” much more
useful than it already is.  Using a pack like that would require little
more than unpacking it and running the application — that’s much less
work than setting up Docker, Singularity or Guix itself, which may be
impossible in an environment where user privileges are severely
restricted.

> We could also have wrappers fall back to PRoot when unshare(2) fails.

Good idea.  Could we use ptrace directly and optimize it for the case of
“/gnu/store” paths?  I’m just guessing that PRoot may incur a higher
performance penalty because it’s so generic compared to a compile-time
deterministic use of ptrace – after all, we know all /gnu/store
locations in advance.

--
Ricardo




