From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Running IceCat in a container
Date: Tue, 16 Jan 2018 17:30:42 +0100
Message-ID: <877esh3gwd.fsf@gnu.org>
In-Reply-To: <87vag2wopo.fsf@gnu.org> (Mike Gerwitz's message of "Mon, 15 Jan 2018 20:56:51 -0500")
To: Mike Gerwitz
Cc: help-guix@gnu.org

Hi Mike,

Mike Gerwitz skribis:

> I'm running IceCat in a container, with the goal of isolating it from
> the rest of my system as much as possible without running a full
> VM. Here's what I have so far:
>
> #+BEGIN_SRC sh
> guix environment \
>   --container \
>   --network \
>   -r "$gc_root" \
>   --share=/tmp/.X11-unix/ \
>   --expose=/etc/machine-id \
>   --share=$HOME/.mozilla/ \
>   --share=$HOME/.cache/mozilla/ \
>   --share=$HOME/.Xauthority \
>   --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
>   --ad-hoc icecat coreutils \
>   -- \
>   env DISPLAY="$DISPLAY" icecat "$@"
> #+END_SRC

I’ve been dreaming of having it baked into the shell (like Plash did;
we could write a Bash or Guile-Bash extension) or something along these
lines…

> The most difficult problem I'm having is dealing with
> fonts. Specifically, I want to share the system fonts
> (/run/current-system/profile/share/fonts). The problem is, I can't just
> expose that directory, because it symlinks into the store, and those
> derivations don't exist within the container.
>
> - I do not want to expose all of /gnu.
> - I can provide the fonts as inputs to the environment, but I do not
>   want to have to run fc-cache every time I start the container,
>   because that is very slow. Exposing the cache directory doesn't
>   help since the derivation used in the container ($GUIX_ENVIRONMENT)
>   always appears to be different than the font derivation used on my
>   system, and also by my user.
> - I don't want to expose my user's entire ~/.guix-profile/.
>
> I'm making things difficult for myself because I want as little
> shared/exposed with the container as possible.
>
> To complicate things further, for privacy, I don't want my user exposed
> to the container via the name of my home directory; Guix creates that
> automatically. I haven't yet looked at the code to see what exactly it
> does.

“guix environment -C” makes $PWD shared; if you do (cd /tmp; guix
environment -C …), then /tmp is shared but not $HOME.

> Is there a reasonable solution here? Should I create a separate user
> entirely and then just share the entire home directory? I'm not sure
> how that might impact X11 socket sharing, though. Can I maybe
> pre-create an image, already having run fc-cache, and run that image as
> a container (like one would with Docker?)? But that wouldn't solve my
> user privacy issue.

Perhaps you could define a package that simply runs “fc-cache” with the
fonts it has as inputs, and then pass that to ‘guix environment’.

But really, we should make a specific tool for this.

Thoughts?

Ludo’.
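The following wrapper is an added example, not code from this thread or from Guix itself. It takes Mike's script and Ludo's $PWD tip one step further for the fonts problem: instead of exposing all of /gnu, it resolves the symlinks under the system fonts directory to the individual store items they point into and exposes only those, read-only, together with the fonts directory itself so the symlinks keep their host paths. Because fontconfig keys its per-user cache on the font directory path, the cache built on the host remains valid inside the container, so fc-cache does not have to run again. The GUIX_STORE, FONTS_DIR and FAKE_HOME defaults, the use of a fake $HOME to keep the real home directory name out of the container, and the assumption that guix environment creates the mount points under that fake home are all assumptions made for this example.

```shell
#!/bin/sh
# icecat-container.sh: IceCat in `guix environment --container` with the
# host's fonts exposed read-only, without exposing all of /gnu and without
# mounting or naming $HOME inside the container.  Added example, not code
# from the thread; GUIX_STORE, FONTS_DIR and FAKE_HOME are assumptions.
set -eu

GUIX_STORE="${GUIX_STORE:-/gnu/store}"
FONTS_DIR="${FONTS_DIR:-/run/current-system/profile/share/fonts}"
FAKE_HOME="${FAKE_HOME:-/tmp/icecat-home}"   # $HOME as seen inside the container

# Print the store items (e.g. /gnu/store/<hash>-font-dejavu-2.37) that the
# symlinks under "$1" resolve into, one per line, sorted and deduplicated.
# Symlinks that point outside the store are ignored.
font_store_items() {
  find "$1" -type l -exec readlink -f '{}' \; 2>/dev/null |
    while IFS= read -r target; do
      case $target in
        "$GUIX_STORE"/*)
          rest=${target#"$GUIX_STORE"/}
          printf '%s/%s\n' "$GUIX_STORE" "${rest%%/*}"
          ;;
      esac
    done | sort -u
}

# Emit one --expose flag per line: the fonts directory itself, so that its
# symlinks keep their host paths, plus each store item they point into.
font_expose_args() {
  printf -- '--expose=%s\n' "$1"
  font_store_items "$1" | sed 's|^|--expose=|'
}

run_icecat() {
  # guix environment -C shares $PWD read-write; a fresh empty directory
  # makes that harmless and keeps $HOME out of the container.
  work=$(mktemp -d)
  cd "$work"
  # The fontconfig cache is keyed by font directory path, so the cache built
  # on the host stays valid inside the container as long as the paths match.
  # .Xauthority is only read by X clients, so it is exposed, not shared.
  # Assumption: guix environment creates the mount points under $FAKE_HOME.
  # shellcheck disable=SC2046
  guix environment --container --network \
    --share=/tmp/.X11-unix/ \
    --expose=/etc/machine-id \
    $(font_expose_args "$FONTS_DIR") \
    --expose="$HOME/.Xauthority=$FAKE_HOME/.Xauthority" \
    --share="$HOME/.cache/fontconfig/=$FAKE_HOME/.cache/fontconfig/" \
    --share="$HOME/.mozilla/=$FAKE_HOME/.mozilla/" \
    --share="$HOME/.cache/mozilla/=$FAKE_HOME/.cache/mozilla/" \
    --share="$HOME/Downloads/icecat-container/=$FAKE_HOME/Downloads/" \
    --ad-hoc icecat coreutils \
    -- env HOME="$FAKE_HOME" DISPLAY="$DISPLAY" icecat "$@"
}

# Run only when invoked as a script, not when sourced.
if [ "${0##*/}" = icecat-container.sh ]; then
  run_icecat "$@"
fi
```

Run `font_expose_args /run/current-system/profile/share/fonts` on its own first to see exactly which store items would be exposed; every one of them should be a font package. Upgrading the system changes those store paths and so invalidates the host cache, but fc-cache then only has to run once on the host, not at every container start.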