unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Environment containers
@ 2015-10-26  1:27 Thompson, David
  2015-10-26 10:45 ` Daniel Pimentel
                   ` (4 more replies)
  0 siblings, 5 replies; 29+ messages in thread
From: Thompson, David @ 2015-10-26  1:27 UTC (permalink / raw)
  To: guix-devel

Hello Guix hackers,

I am pleased to announce that the patch for adding Linux container
support to 'guix environment' has just landed in master!

Why is this cool, you ask?  Well, it enables one to truly isolate
development environments from the rest of the system, much more so
than --pure does.  The --pure option only clears the environment
variables, but --container goes further and "unshares" kernel
resources (such as the user, mount, and pid namespaces) and creates a
chroot environment that has no file system access to what might be
considered "impurities."  The only file systems from the host that
make it into the container by default are the current working
directory and the store paths for all of the needed software.  This is
especially useful when running Guix on top of another host distro,
where sometimes things from the host sneak into your build environment
because a tool decided to inspect the contents of /usr or something.

You can use it like this:

    guix environment --container guix

The above command will create an isolated container with everything
you need to build Guix from source.

There's more fun to be had, too.  Sometimes it's nice to make ad-hoc
sandboxes just to play around in.  The below command will run a
sandboxed Guile REPL:

    guix environment --container --ad-hoc guile -- guile

By default, containers have no network access.  To share the host
network, use the --network flag.

This is just the beginning!  There's lots more to do.  It would be
nice to be able to create a network bridge so that the container can
have network access without sharing the host devices, a la Docker and
friends.  It would also be great to incorporate cgroups to arbitrarily
restrict container resources.

Coming soon is 'guix system container', which creates full-blown
GuixSD containers.

Since I mentioned Docker, I'd like to point some significant
advantages that Guix containers have over other implementations:

1) The container tools I'm working on are completely declarative.  No
imperative Dockerfiles!  This means that you don't have to worry about
order of operations, something that you have to think about constantly
when using Docker, especially when trying to maximize the use of the
image cache.

2) There are no disk images.  Disk images are opaque blobs that are
often not reproducible, whereas the items in the Guix store tell you
the full story of how the software came to be.  Thus, Guix containers
do not worry at all about the complications involved with layering
disk images in an overlayfs-style setup.  They are simply not needed.

3) Software and other files shared amongst many containers are
deduplicated system-wide.  This is a big deal from my perspective.
With Docker, container images *must* share as many base image layers
as possible to take advantage of deduplication, and there's
limitations to how smart overlay file systems can be to do
deduplication in memory (citation missing because I can't find the
article that explained the issues.)  Some people say that Docker is a
higher-level form of static linking, but instead of static linking the
executables, you "statically link" an entire, albeit more minimal,
operating system for each application that you run.  I'm inclined to
agree, and I'm happy to say that Guix doesn't have this problem.  A
store item present in N containers exists in exactly one place: in the
host store.  We take great advantage of bind mounts to share
everything without duplication.  Once again the fundamental building
block of every Guix tool, the immutable store, proves to be an
invaluable asset in overcoming the problems of our imperative
predecessors and contemporaries.

I hope this excites some of you.  Containers are all the rage right
now, and they have some seriously good properties if you can look past
the Docker hype.  I'd love to get some more hands to help make Guix
containers more featureful and robust in order to compete with the
mainstream tools.

Until next time, happy hacking!

- Dave

^ permalink raw reply	[flat|nested] 29+ messages in thread

end of thread, other threads:[~2015-11-23 15:08 UTC | newest]

Thread overview: 29+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-26  1:27 Environment containers Thompson, David
2015-10-26 10:45 ` Daniel Pimentel
2015-10-26 12:16   ` Alex Vong
2015-10-26 14:33 ` Ludovic Courtès
2015-10-26 14:37 ` Taylan Ulrich Bayırlı/Kammer
2015-10-26 14:38   ` Thompson, David
2015-10-27  5:11     ` Alex Vong
2015-10-27 10:58       ` Ludovic Courtès
2015-10-28 13:10         ` Alex Vong
2015-10-28 14:45           ` bug#21410: " Ludovic Courtès
2015-10-28 15:14             ` Alex Vong
2015-10-28 15:20               ` Thompson, David
2015-10-28 15:56                 ` Ludovic Courtès
2015-10-28 16:08                   ` Thompson, David
2015-10-28 16:20                     ` Alex Vong
2015-10-29 19:24                     ` Ludovic Courtès
2015-10-29 19:25                       ` Thompson, David
2015-11-20 14:51                         ` bug#21410: " Ludovic Courtès
2015-11-21 13:36                           ` Alex Vong
2015-11-21 15:57                             ` Ludovic Courtès
2015-11-21 17:47                               ` Mathieu Lirzin
2015-11-21 21:27                                 ` Ludovic Courtès
2015-11-23 15:08                                   ` Alex Vong
2015-10-29 10:25   ` Taylan Ulrich Bayırlı/Kammer
2015-10-26 16:23 ` Christopher Allan Webber
2015-10-26 17:50   ` Thompson, David
2015-10-28 15:32 ` Ricardo Wurmus
2015-10-28 19:09   ` Efraim Flashner
2015-10-29 12:36     ` Thompson, David

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).