Subject: [bug#30255] [PATCH 1/3] scripts: environment: Add --link-profile.
From: Mike Gerwitz
Date: Thu, 25 Jan 2018 22:29:15 -0500
To: 30255@debbugs.gnu.org

This change is motivated by attempts to run programs (like GNU IceCat) within containers. The 'fontconfig' program, for example, is configured explicitly to check ~/.guix-profile for additional fonts.

There were no existing container tests in 'tests/guix-environment.sh', but I added one anyway for this change.

* doc/guix.texi (Invoking guix environment): Add '--link-profile'.
* guix/scripts/environment.scm (show-help): Add '--link-profile'.
(%options): Add 'link-profile' as '#\P', assigned to 'link-profile?'.
(link-environment): New procedure.
(launch-environment/container): Use it when 'link-profile?'.
[link-profile?]: New parameter.
(guix-environment): Leave when '--link-prof' but not '--container'.
Add '#:link-profile?' argument to 'launch-environment/container'
application.
* tests/guix-environment.sh: New '--link-profile' test.
---
 doc/guix.texi                | 17 +++++++++++++++++
 guix/scripts/environment.scm | 43 +++++++++++++++++++++++++++++++++++++------
 tests/guix-environment.sh    | 12 ++++++++++++
 3 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 1ecdcd218..3b6ae1ab9 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi
@@ -46,6 +46,7 @@ Copyright @copyright{} 2017 Andy Wingo@* Copyright @copyright{} 2017 Arun Isaac@* Copyright @copyright{} 2017 nee@* Copyright @copyright{} 2018 Rutger Helling +Copyright @copyright{} 2018 Mike Gerwitz =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -7166,6 +7167,22 @@ For containers, share the network namespace with the= host system. Containers created without this flag only have access to the loopback device. =20 +@item --link-profile +@itemx -P +For containers, link the environment profile to +@file{~/.guix-profile} within the container. This is equivalent to +running the command @command{ln -s $GUIX_ENVIRONMENT ~/.guix-profile} +within the container. Linking will fail and abort the environment if +the directory already exists, which will certainly be the case if +@command{guix environment} was invoked in the user's home directory. + +Certain packages are configured to look in +@code{~/.guix-profile} for configuration files and data;@footnote{For +example, the @code{fontconfig} package inspects +@file{~/.guix-profile/share/fonts} for additional fonts.} +@code{--link-profile} allows these programs to behave as expected within +the environment. + @item --expose=3D@var{source}[=3D@var{target}] For containers, expose the file system @var{source} from the host system as the read-only file system @var{target} within the container. If diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index d2568e6a7..771574c15 100644 =2D-- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2014, 2015 David Thompson ;;; Copyright =C2=A9 2015, 2016, 2017 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2018 Mike Gerwitz ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -157,6 +158,9 @@ COMMAND or an interactive shell in that environment.\n"= )) -C, --container run command within an isolated container")) (display (G_ " -N, --network allow containers to access the network")) + (display (G_ " + -P, --link-profile link environment profile to ~/.guix-profile within + an isolated container")) (display (G_ " --share=3DSPEC for containers, share writable host file system according to SPEC")) @@ -236,6 +240,9 @@ COMMAND or an interactive shell in that environment.\n"= )) (option '(#\N "network") #f #f (lambda (opt name arg result) (alist-cons 'network? #t result))) + (option '(#\P "link-profile") #f #f + (lambda (opt name arg result) + (alist-cons 'link-profile? #t result))) (option '("share") #t #f (lambda (opt name arg result) (alist-cons 'file-system-mapping 
@@ -384,18 +391,20 @@ environment variables are cleared before setting the = new ones." ((_ . status) status))))) =20 (define* (launch-environment/container #:key command bash user-mappings =2D profile paths network?) + profile paths link-profile? network= ?) "Run COMMAND within a container that features the software in PROFILE. Environment variables are set according to PATHS, a list of native search paths. The global shell is BASH, a file name for a GNU Bash binary in the store. When NETWORK?, access to the host system network is permitted. USER-MAPPINGS, a list of file system mappings, contains the user-specified =2Dhost file systems to mount inside the container." +host file systems to mount inside the container. LINK-PROFILE? creates a +symbolic link from ~/.guix-profile to the environment profile." (mlet %store-monad ((reqs (inputs->requisites (list (direct-store-path bash) profile)))) (return =2D (let* ((cwd (getcwd)) =2D (passwd (getpwuid (getuid))) + (let* ((cwd (getcwd)) + (passwd (getpwuid (getuid))) + (home-dir (passwd:dir passwd)) ;; Bind-mount all requisite store items, user-specified mappin= gs, ;; /bin/sh, the current working directory, and possibly networ= king ;; configuration files within the container. @@ -440,8 +449,13 @@ host file systems to mount inside the container." =20 ;; Create a dummy home directory under the same name as on the ;; host. =2D (mkdir-p (passwd:dir passwd)) =2D (setenv "HOME" (passwd:dir passwd)) + (mkdir-p home-dir) + (setenv "HOME" home-dir) + + ;; If requested, link $GUIX_ENVIRONMENT to $HOME/.guix-profile; + ;; this allows programs expecting that path to continue workin= g as + ;; expected within a container. + (when link-profile? (link-environment profile home-dir)) =20 ;; Create a dummy /etc/passwd to satisfy applications that dem= and ;; to read it, such as 'git clone' over SSH, a valid use-case = when 
@@ -471,6 +485,18 @@ host file systems to mount inside the container." (delq 'net %namespaces) ; share host network %namespaces))))))) =20 +(define (link-environment profile home-dir) + "Create a symbolic link from HOME-DIR/.guix-profile to PROFILE." + (let ((profile-dir (string-append home-dir "/.guix-profile"))) + (catch 'system-error + (lambda () + (symlink profile profile-dir)) + (lambda args + (if (=3D EEXIST (system-error-errno args)) + (leave (G_ "cannot link profile: path '~a' already exists with= in container~%") + profile-dir) + (apply throw args)))))) + (define (environment-bash container? bootstrap? system) "Return a monadic value in the store monad for the version of GNU Bash needed in the environment for SYSTEM, if any. If CONTAINER? is #f, return= #f. @@ -544,6 +570,7 @@ message if any test fails." (let* ((opts (parse-args args)) (pure? (assoc-ref opts 'pure)) (container? (assoc-ref opts 'container?)) + (link-prof? (assoc-ref opts 'link-profile?)) (network? (assoc-ref opts 'network?)) (bootstrap? (assoc-ref opts 'bootstrap?)) (system (assoc-ref opts 'system)) @@ -577,6 +604,9 @@ message if any test fails." =20 (when container? (assert-container-features)) =20 + (when (and (not container?) link-prof?) + (leave (G_ "--link-prof cannot be used without --container~%"))) + (with-store store (set-build-options-from-command-line store opts) =20 @@ -626,6 +656,7 @@ message if any test fails." #:user-mappings mappings #:profile profile #:paths paths + #:link-profile? link-pro= f? #:network? network?))) (else (return diff --git a/tests/guix-environment.sh b/tests/guix-environment.sh index bf5ca17fa..e995636df 100644 =2D-- a/tests/guix-environment.sh +++ b/tests/guix-environment.sh 
@@ -62,6 +62,18 @@ fi guix environment --bootstrap --ad-hoc guile-bootstrap --pure \ -- "$SHELL" -c 'test -f "$GUIX_ENVIRONMENT/bin/guile"' =20 +# Make sure 'GUIX_ENVIRONMENT' is linked to '~/.guix-profile' when request= ed +# within a container +( + linktest=3D'(exit (string=3D? (getenv "GUIX_ENVIRONMENT") +(readlink (string-append (getenv "HOME") "/.guix-profile"))))' + + cd "$tmpdir" \ + && guix environment --bootstrap --container --link-profile \ + --ad-hoc guile-bootstrap --pure \ + -- guile -c "$linktest" +) + # Make sure '-r' works as expected. rm -f "$gcroot" expected=3D"`guix environment --bootstrap --ad-hoc guile-bootstrap \ =2D-=20 2.15.1
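Review bot: in the doc/guix.texi hunk adding '@item --link-profile', the footnote is spliced into the middle of a sentence: the source reads "for configuration files and data;@footnote{...} @code{--link-profile} allows these programs ...", so the rendered text joins two clauses with a semicolon across a footnote mark. End the first sentence with a period before the footnote and start the next with "The @code{--link-profile} option allows these programs to behave as expected within the environment." Also, ~/.guix-profile is normally a symbolic link rather than a directory, so "if the directory already exists" is more accurate as "if @file{~/.guix-profile} already exists".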
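Review bot: in the 'launch-environment/container' hunk, the new '(when link-profile? (link-environment profile home-dir))' runs right after '(mkdir-p home-dir)', and the comment just below 'home-dir' notes that the current working directory is bind-mounted into the container. That is exactly why the EEXIST abort described in the manual happens when 'guix environment' is started from $HOME: the host's ~/.guix-profile is visible at the link path. A one-line comment here stating that dependency would save the next reader a trip to the docs, and the docstring addition ("LINK-PROFILE? creates a symbolic link ...") could mention that the link target resolves inside the container only because PROFILE is among the bind-mounted requisites listed in 'reqs'.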
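Review bot: in the 'link-environment' hunk, the 'leave' message "cannot link profile: path '~a' already exists within container" tells the user what failed but not how to get past it. Since the common cause is running from the home directory (as the doc hunk itself says), suggest extending the message to point at the fix, for example "cannot link profile: '~a' already exists within container; run 'guix environment' from another directory or omit '--link-profile'". The EEXIST test and the '(apply throw args)' re-raise for other errors look right.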
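Review bot: the error message in the 'guix-environment' hunk names an option that does not exist: "--link-prof cannot be used without --container", whereas the option added in '%options' is '--link-profile'. Change it to "--link-profile cannot be used without --container~%", and for consistency with 'container?' and 'network?' rename the binding '(link-prof? (assoc-ref opts 'link-profile?))' to 'link-profile?' (also in the '#:link-profile? link-prof?' keyword argument hunk and in the commit message, which repeats '--link-prof').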
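Review bot: the new test in tests/guix-environment.sh only covers the success path. Add a negative check in the file's own style that '--link-profile' without '--container' is rejected, e.g. "if guix environment --bootstrap --link-profile --ad-hoc guile-bootstrap -- true; then false; fi". The 'cd "$tmpdir"' before the container invocation is load-bearing (it avoids the EEXIST abort that running from the home directory would trigger), so say so in the comment rather than leaving it implicit. Finally, as the commit message notes this file had no container tests before; since the container path requires the features checked by 'assert-container-features', this test will fail rather than skip on hosts without unprivileged user namespaces, so guard it so that it is skipped there.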