From: ludo@gnu.org (Ludovic Courtès)
To: Mike Gerwitz <mtg@gnu.org>
Cc: help-guix@gnu.org
Subject: Re: Running IceCat in a container
Date: Tue, 16 Jan 2018 17:30:42 +0100 [thread overview]
Message-ID: <877esh3gwd.fsf@gnu.org> (raw)
In-Reply-To: <87vag2wopo.fsf@gnu.org> (Mike Gerwitz's message of "Mon, 15 Jan 2018 20:56:51 -0500")
Hi Mike,
Mike Gerwitz <mtg@gnu.org> skribis:
> I'm running IceCat in a container, with the goal of isolating it form
> the rest of my system as much as possible without running a full
> VM. Here's what I have so far:
>
> #+BEGIN_SRC sh
> guix environment \
> --container \
> --network \
> -r "$gc_root" \
> --share=/tmp/.X11-unix/ \
> --expose=/etc/machine-id \
> --share=$HOME/.mozilla/ \
> --share=$HOME/.cache/mozilla/ \
> --share=$HOME/.Xauthority \
> --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
> --ad-hoc icecat coreutils
> -- \
> env DISPLAY="$DISPLAY" icecat "$@"
> #+END_SRC
I’ve been dreaming of having it baked in into the shell (like Plash did;
we could write a Bash or Guile-Bash extension) or something along these
lines…
> The most difficult problem I'm having is dealing with
> fonts. Specifically, I want to share the system fonts
> (/run/current-system/profile/share/fonts). The problem is, I can't just
> expose that directory, because it symlinks into the store, and those
> derivations don't exist within the container.
>
> - I do not want to expose all of /gnu.
> - I can provide the fonts as inputs to the environment, but I do not
> want to have to run fc-cache every time I start the container,
> because that is very slow. Exposing the cache directory doesn't
> help since the derivation used in the container ($GUIX_ENVIRONMENT)
> always appears to be different than the font derivation used on my
> system, and also by my user.
> - I don't want to expose my user's entire ~/.guix-profile/.
>
> I'm making things difficult for myself because I want as little
> shared/exposed with the container as possible.
>
> To complicate things further, for privacy, I don't want my user exposed
> to the container via the name of my home directory; Guix creates that
> automatically. I haven't yet looked at the code to see what exactly it
> does.
“guix environment -C” makes $PWD shared; if you do (cd /tmp; guix
environment -C …), then /tmp is shared but not $HOME.
> Is there a reasonable solution here? Should I create a separate user
> entirely and then just share the entire home directory? I'm not sure
> how that might impact X11 socket sharing, though. Can I maybe
> pre-create an image, already having run fc-cache, and run that image as
> a container (like one would with Docker?)? But that wouldn't solve my
> user privacy issue.
Perhaps you could define a package that simply runs “fc-cache” with the
fonts it has as inputs, and then pass that to ‘guix environment’.
But really, we should make a specific tool for this.
Thoughts?
Ludo’.
next prev parent reply other threads:[~2018-01-16 16:30 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-16 1:56 Running IceCat in a container Mike Gerwitz
2018-01-16 16:30 ` Ludovic Courtès [this message]
2018-01-17 2:25 ` Mike Gerwitz
2018-01-17 19:05 ` Mike Gerwitz
2018-01-17 23:20 ` Leo Famulari
2018-01-18 1:53 ` Mike Gerwitz
2018-01-25 14:34 ` Ludovic Courtès
2018-01-25 22:16 ` Ludovic Courtès
2018-01-26 3:52 ` Mike Gerwitz
2018-01-29 16:47 ` Ludovic Courtès
2018-01-30 2:19 ` Ricardo Wurmus
2018-01-30 17:21 ` Running code from packs in containers Ludovic Courtès
2018-03-19 17:42 ` Running IceCat in a container ng0
2018-01-29 16:48 ` Ludovic Courtès
2018-01-26 3:29 ` [bug#30254] [PATCH 0/3] guix environment --user, --link-profile, --no-cwd Mike Gerwitz
2018-01-26 3:29 ` [bug#30255] [PATCH 1/3] scripts: environment: Add --link-profile Mike Gerwitz
2018-03-02 10:20 ` bug#30255: " Ludovic Courtès
2018-01-26 3:29 ` [bug#30257] [PATCH 2/3] scripts: environment: Add --user Mike Gerwitz
2018-03-02 10:33 ` Ludovic Courtès
2018-01-26 3:29 ` [bug#30256] [PATCH 3/3] scripts: environment: Add --no-cwd Mike Gerwitz
2018-03-02 10:54 ` Ludovic Courtès
2018-03-02 18:00 ` Mike Gerwitz
2018-03-03 14:44 ` Ludovic Courtès
2018-03-04 18:03 ` Mike Gerwitz
2018-03-04 22:24 ` Ludovic Courtès
2018-03-05 18:03 ` Mike Gerwitz
2018-03-06 10:20 ` Ludovic Courtès
2018-03-06 18:07 ` Mike Gerwitz
2018-10-17 12:19 ` [bug#30254] " Ludovic Courtès
2018-11-08 1:56 ` Mike Gerwitz
2019-06-29 23:27 ` Carl Dong
2019-07-07 13:18 ` [bug#30254] " Ludovic Courtès
2019-07-07 14:24 ` Carl Dong
2019-07-08 9:41 ` Ludovic Courtès
2021-07-14 13:18 ` [bug#30256] bug#30254: [PATCH 0/3] guix environment --user, --link-profile, --no-cwd Maxim Cournoyer
2019-07-07 13:45 ` [bug#30256] [PATCH 3/3] scripts: environment: Add --no-cwd Mike Gerwitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877esh3gwd.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=help-guix@gnu.org \
--cc=mtg@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.