From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id ALQ0HEl9rl59FwAA0tVLHw (envelope-from ) for ; Sun, 03 May 2020 08:14:01 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id cCrEBVR9rl4WfAAAbx9fmQ (envelope-from ) for ; Sun, 03 May 2020 08:14:12 +0000 Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:470:142::17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5BE0B94456C for ; Sun, 3 May 2020 08:14:08 +0000 (UTC) Received: from localhost ([::1]:52512 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jV9lI-0004qR-In for larch@yhetil.org; Sun, 03 May 2020 04:14:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52680) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jV9lC-0004pz-UJ for guix-patches@gnu.org; Sun, 03 May 2020 04:14:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:43055) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jV9lC-0008QB-L2 for guix-patches@gnu.org; Sun, 03 May 2020 04:14:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jV9lC-0004fH-EX for guix-patches@gnu.org; Sun, 03 May 2020 04:14:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#41041] [PATCH] doc: Add container example to run a web browser. Resent-From: Pierre Neidhardt Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 03 May 2020 08:14:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 41041 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41041@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.158849359817865 (code B ref -1); Sun, 03 May 2020 08:14:02 +0000 Received: (at submit) by debbugs.gnu.org; 3 May 2020 08:13:18 +0000 Received: from localhost ([127.0.0.1]:54601 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jV9kT-0004e5-Sr for submit@debbugs.gnu.org; Sun, 03 May 2020 04:13:18 -0400 Received: from lists.gnu.org ([209.51.188.17]:57774) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jV9kS-0004dy-Qr for submit@debbugs.gnu.org; Sun, 03 May 2020 04:13:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52564) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jV9kS-0004Cr-JN for guix-patches@gnu.org; Sun, 03 May 2020 04:13:16 -0400 Received: from relay2-d.mail.gandi.net ([217.70.183.194]:36323) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jV9kR-0008C5-5Y for guix-patches@gnu.org; Sun, 03 May 2020 04:13:16 -0400 X-Originating-IP: 78.199.129.170 Received: from localhost.localdomain (moi44-1-78-199-129-170.fbx.proxad.net [78.199.129.170]) (Authenticated sender: mail@ambrevar.xyz) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 9D0DF4000B for ; Sun, 3 May 2020 08:13:09 +0000 (UTC) From: Pierre Neidhardt Date: Sun, 3 May 2020 10:12:58 +0200 Message-Id: <20200503081258.21873-1-mail@ambrevar.xyz> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=217.70.183.194; envelope-from=mail@ambrevar.xyz; helo=relay2-d.mail.gandi.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/05/03 03:37:13 X-ACL-Warn: Detected OS = Linux 3.11 and newer [fuzzy] X-Spam_score_int: -25 X-Spam_score: -2.6 X-Spam_bar: -- X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-Spam-Score: -0.9 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -2.1 (--) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 X-Spam-Score: 5.49 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 2001:470:142::17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Scan-Result: default: False [5.49 / 13.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; GENERIC_REPUTATION(0.00)[-0.49353627275084]; HAS_XOIP(0.00)[]; MX_INVALID(1.00)[cached]; DWL_DNSWL_BLOCKED(0.00)[2001:470:142::17:from]; R_SPF_ALLOW(-0.20)[+ip6:2001:470:142::/48:c]; R_MISSING_CHARSET(2.50)[]; TO_DN_NONE(0.00)[]; BROKEN_CONTENT_TYPE(1.50)[]; IP_REPUTATION_HAM(0.00)[asn: 22989(0.15), country: US(-0.00), ip: 2001:470:142::17(-0.49)]; MAILLIST(-0.20)[mailman]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[78.199.129.170:received]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:22989, ipnet:2001:470:142::/48, country:US]; R_DKIM_NA(0.00)[]; TAGGED_FROM(0.00)[larch=yhetil.org]; ARC_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[mail@ambrevar.xyz,guix-patches-bounces@gnu.org]; FROM_HAS_DN(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[ambrevar.xyz]; HAS_LIST_UNSUB(-0.01)[]; RCPT_COUNT_ONE(0.00)[1]; DNSWL_BLOCKED(0.00)[2001:470:142::17:from]; MID_CONTAINS_FROM(1.00)[]; RCVD_COUNT_SEVEN(0.00)[10]; FORGED_SENDER_MAILLIST(0.00)[] X-TUID: LZIlRIiowRur * doc/guix.texi (Invoking `guix environment'): Add paragraph and example to run Eolie in a guix environment container. Add `container' cindex for the first container example, and the `certificates' cindex for the web browser example. --- doc/guix.texi | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index d5d8662937..3c31386036 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4786,6 +4786,7 @@ additionally includes Git and strace: guix environment --pure guix --ad-hoc git strace @end example +@cindex container Sometimes it is desirable to isolate the environment as much as possible, for maximal purity and reproducibility. In particular, when using Guix on a host distro that is not Guix System, it is desirable to @@ -4802,6 +4803,23 @@ guix environment --ad-hoc --container guile -- guile The @code{--container} option requires Linux-libre 3.19 or newer. @end quotation +@cindex certificates +Another typical use case for containers is to run security-sensitive +applications such as a web browser. To run Eolie, we must expose and +share some files and directories; we include @code{nss-certs} and expose +@file{/etc/sll/certs/} for HTTPS authentication; finally we use +@code{env} from the @code{coreutils} package to set the @code{DISPLAY} +environment variable since containerized graphical applications won't +display without it. + +@example +guix environment --container --network --expose=/etc/machine-id \ + --expose=/etc/ssl/certs/ \ + --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \ + --ad-hoc eolie coreutils nss-certs dbus -- \ + env DISPLAY=$DISPLAY eolie +@end example + The available options are summarized below. @table @code -- 2.25.1