From: Mike Gerwitz
Subject: Re: Running IceCat in a container
Date: Tue, 16 Jan 2018 21:25:19 -0500
Message-ID: <87tvvlrzlc.fsf@gnu.org>
In-Reply-To: <877esh3gwd.fsf@gnu.org>
To: Ludovic Courtès
Cc: help-guix@gnu.org

On Tue, Jan 16, 2018 at 17:30:42 +0100, Ludovic Courtès wrote:
> “guix environment -C” makes $PWD shared; if you do (cd /tmp; guix
> environment -C …), then /tmp is shared but not $HOME.

I am doing that (I made a ~/.empty so as not to expose /tmp contents),
but that still creates the home dir (as documented):

  $ pwd && guix environment -C coreutils -- ls /home /tmp
  mikegerwitz

>> Is there a reasonable solution here? Should I create a separate user
>> entirely and then just share the entire home directory? I'm not sure
>> how that might impact X11 socket sharing, though. Can I maybe
>> pre-create an image, already having run fc-cache, and run that image as
>> a container (like one would with Docker?)? But that wouldn't solve my
>> user privacy issue.
>
> Perhaps you could define a package that simply runs “fc-cache” with the
> fonts it has as inputs, and then pass that to ‘guix environment’.

Oh, interesting; I wouldn't have thought of that. If there is a general
solution/script, I think this needs to be considered---automatically
including system fonts; any program that displays text needs a broad
range of UTF-8/multi-lingual font support. If I were to containerize my
shell, I'd have the same problem.

> But really, we should make a specific tool for this.
>
> Thoughts?

Yes, though I'd be curious how you'd approach it---each package requires
certain paths be shared, and those paths would further depend on user
privacy preferences, so need to be able to be overridden.

Perhaps it'd be useful for those paths to be part of a package
definition---the paths that a program creates/uses at runtime, and
perhaps additional metadata associated with them, such as whether the
path is necessary for its operation (will it break the program if it's
ephemeral or read-only?). Something extensible for the future.

Those directory metadata may have other uses that may make it worth
adding, but I haven't given it much thought. For example, if a user
wishes to purge a package from her system, she could opt to purge those
paths from her home directory. Or maybe Guix could create a backup of
user preferences such that a restoration would involve only a list of
packages and a tarball of those directories. Might be useful for
provisioning as well.

Just some thoughts. I'm too new to Guix to provide much.
-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
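The ~/.empty trick from the message above, written up as a small wrapper (an added example, not code from the thread or from Guix): because `guix environment -C` shares $PWD with the container, the wrapper refuses to start unless the directory it is about to share is empty and is not $HOME or one of its ancestors. The names `SCRATCH`, `is_empty_dir`, `safe_to_share` and `run_contained` are chosen here; the ancestor check generalises the point that sharing $PWD shares everything under it.

```shell
#!/bin/sh
# Added example: run `guix environment -C` from a dedicated empty directory,
# since -C bind-shares $PWD into the container. Defaults to ~/.empty as in
# the message above; SCRATCH overrides it (hypothetical variable name).
set -eu

# 0 only if $1 is an existing directory with no entries at all (dotfiles
# included), so sharing it as $PWD exposes nothing from the host.
is_empty_dir() {
  [ -d "$1" ] || return 1
  [ -z "$(find "$1" -mindepth 1 -maxdepth 1 -print | head -n 1)" ]
}

# Refuse anything that would leak host data when shared: a non-empty
# directory, or $HOME itself / an ancestor of it (sharing a parent shares
# the whole home directory beneath it).
safe_to_share() {
  case "$HOME/" in
    "$1"/*) return 1 ;;
  esac
  is_empty_dir "$1"
}

# Create the scratch directory, verify it, then hand off to guix with the
# caller's arguments (e.g. `run_contained coreutils -- ls /home /tmp`).
run_contained() {
  scratch="${SCRATCH:-$HOME/.empty}"
  mkdir -p "$scratch"
  safe_to_share "$scratch" || { echo "refusing to share $scratch" >&2; return 1; }
  cd "$scratch" && guix environment -C "$@"
}
```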