From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: Generating wrappers for execution in non-root non-Guix contexts
Date: Thu, 26 Apr 2018 15:39:21 +0200
Message-ID: <87fu3it7cm.fsf@elephly.net>
References: <87zi1rwsv6.fsf@inria.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53535)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1fBhMO-0002ls-2D
	for guix-devel@gnu.org; Thu, 26 Apr 2018 09:55:01 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1fBhMJ-0000lk-7Y
	for guix-devel@gnu.org; Thu, 26 Apr 2018 09:54:56 -0400
Received: from sender-of-o51.zoho.com ([135.84.80.216]:21083)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <rekado@elephly.net>) id 1fBhMI-0000l1-T2
	for guix-devel@gnu.org; Thu, 26 Apr 2018 09:54:51 -0400
In-reply-to: <87zi1rwsv6.fsf@inria.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludovic.courtes@inria.fr>
Cc: guix-devel <guix-devel@gnu.org>


Hi Ludo,

> The hack below allows =E2=80=98guix pack=E2=80=99 to produce wrappers tha=
t allow,
> through user namespaces, programs to automatically relocate themselves
> when you run them unprivileged on a machine that lacks Guix.

This is very cool and very useful!  It would make =E2=80=9Cguix pack=E2=80=
=9D much more
useful than it already is.  Using a pack like that would require little
more than unpacking it and running the application =E2=80=94 that=E2=80=99s=
 much less
work than setting up Docker, Singularity or Guix itself, which may be
impossible in an environment where user privileges are severely
restricted.

> We could also have wrappers fall back to PRoot when unshare(2) fails.

Good idea.  Could we use ptrace directly and optimize it for the case of
=E2=80=9C/gnu/store=E2=80=9D paths?  I=E2=80=99m just guessing that PRoot m=
ay incur a higher
performance penalty because it=E2=80=99s so generic compared to a compile-t=
ime
deterministic use of ptrace =E2=80=93 after all, we know all /gnu/store
locations in advance.

--
Ricardo