* Documenting current state of isolating icecat
@ 2019-06-26 16:58 Christopher Lemmer Webber
  2019-06-27  3:13 ` Mike Gerwitz
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher Lemmer Webber @ 2019-06-26 16:58 UTC (permalink / raw)
  To: help-guix, Mike Gerwitz

If you want to have the hairs on the back of your neck stand up and not
lie down for a while, why not read this:

  https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/

Previously there were some threads about isolating icecat and other
graphical applications:

  https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html

However, it's not obvious to me if we have an answer yet on what to do.
Whatever it is, I'd like to do it.

Could someone point me in the right direction?  Much appreciated.
Maybe we should even include it as an example in the documentation?
That could be a big win, and make it clearer to users how Guix comes
with tools that can help empower them.

 - Chris


* Re: Documenting current state of isolating icecat
  2019-06-26 16:58 Documenting current state of isolating icecat Christopher Lemmer Webber
@ 2019-06-27  3:13 ` Mike Gerwitz
  2019-06-27 10:18   ` Pierre Neidhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Mike Gerwitz @ 2019-06-27  3:13 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: help-guix


I'd love to be able to get a discussion going on this again.  I really
wish I had time to spend on this, since it's something I'm really
interested in helping with.  But I either need to do a lot more research
or need the help of people more familiar with Guix than me.

On Wed, Jun 26, 2019 at 12:58:39 -0400, Christopher Lemmer Webber wrote:
> If you want to have the hairs on the back of your neck stand up and not
> lie down for a while, why not read this:
>
>   https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
>
> Previously there were some threads about isolating icecat and other
> graphical applications:
>
>   https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
> However, it's not obvious to me if we have an answer yet on what to do.
> Whatever it is, I'd like to do it.
>
> Could someone point me in the right direction?  Much appreciated.
> Maybe we should even include it as an example in the documentation?
> That could be a big win, and make it clearer to users how Guix comes
> with tools that can help empower them.

First: I should mention that later on in that thread, I solved the font
issues and Ludo provided a script to containerize programs.  I
unfortunately still haven't had the time to give it a try, and I still
have some outstanding issues that I haven't had time to research:

1. XDG_DATA_DIRS=$HOME/.guix-local/share is required within the
   container.  Perhaps we should provide a wrapper for icecat to do this
   automatically, otherwise it's broken by default (broken font
   rendering).

2. I notice that if I run icecat outside of a container, save to a
   directory, and then run within a container that does not have such a
   directory, icecat segfaults.  I haven't even looked at a backtrace
   yet.

3. I haven't researched what may be needed for audio to work.  Videos
   work, but no audio.  TBH, this is currently a feature for me. ;)

4. Icecat is significantly less stable.  Tabs crash more frequently,
   especially when dealing with video, and the entire browser will
   occasionally crash.  But it's stable enough for use---I still run it
   within a container.

5. Attempting to print (just attempting to show the print dialog)
   immediately segfaults.  I don't even have printers configured, so this
   is at the very bottom of my list of priorities to investigate.

6. /etc/machine-id is required, and could be used to deanonymize users
   if ever it is leaked within the container.  I haven't researched
   potential mitigations.

Otherwise, it seems performant (again, videos play just fine without
audio) and works well overall.

Here is my current script:

#+BEGIN_SRC sh
#!/bin/bash

# The GC root for the environment profile.  The script relies on $gc_root
# being set by the caller; fail early with a message instead of passing an
# empty name to guix.
: "${gc_root:?set gc_root to the path of the GC root for the profile}"

# Start from an empty scratch directory so the host CWD is not mapped in.
mkdir -p /tmp/.icecat-tmp && cd /tmp/.icecat-tmp || exit

# .X11-unix and .Xauthority are required for X11 session sharing with the
# host.  /etc/machine-id is required for DBUS.  The rest is optional, but
# .mozilla is ideal for persisting sessions, and .cache for performance.
# A unique `Downloads' directory is mounted to keep its eyes away from
# anything that might have been downloaded outside this container, though
# note that it _will_ have access to downloads from previous sessions (if
# you don't want that, then just create a random dir each time).
guix environment \
     --container \
     --link-profile \
     --user=user \
     --network \
     -r "$gc_root" \
     --expose=/etc/machine-id \
     --expose=/tmp/.X11-unix/ \
     --expose="$HOME/.Xauthority" \
     --expose="$HOME/.config/icecat-hosts=/etc/hosts" \
     --share=/dev/snd \
     --share="$HOME/.mozilla/" \
     --share="$HOME/Downloads/icecat-container/=$HOME/Downloads/" \
     --ad-hoc mtg-icecat-containerized
     # Kept commented out so the command above drops into a shell instead
     # of starting icecat directly (see the note below the script):
     #-- \
     #icecat --display=:0.0 "$@" \
#  || zenity --error \
#            --title 'Error starting container' \
#            --text 'Icecat failed to start in a container'
#+END_SRC

The comments above are so that I enter a shell to manually set
XDG_DATA_DIRS---I haven't yet researched the best way to handle that;
I'm a packaging noob. :)  If someone wouldn't mind enlightening me...

The creation of the temporary directory prevents exposing the CWD.  That
can go away once I can actually get around to addressing Ludo's concerns
for my --no-cwd patch... (which was actually just brought up in #guix on
Freenode).

Here's my package definition for mtg-icecat-containerized:

#+BEGIN_SRC scheme
(define-module (mtg personal)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (gnu packages)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages fonts)
  #:use-module (gnu packages fontutils)
  #:use-module (gnu packages pulseaudio))


(define-public mtg-icecat-containerized
  (package
    (name "mtg-icecat-containerized")
    (version "1.0")
    (home-page "https://mikegerwitz.com/")
    (build-system trivial-build-system)
    (source #f)
    (native-inputs
     `(("fontconfig" ,fontconfig)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((share-dir (string-append %output "/share"))
                (cache-dir (string-append %output "/var/cache"))
                (bin-dir   (string-append %output "/bin"))
                (fc-dir    (string-append share-dir "/fontconfig/conf.avail"))
                (fc-mtg    (string-append fc-dir "/52-mtg-container.conf"))
                (fc-cache-dir (string-append cache-dir "/fontconfig"))
                (fonts-dir (string-append share-dir "/fonts")))
           ;; container script to invoke IceCat (still a stub: only the
           ;; shebang line is written, but the file is made executable)
           (mkdir-p bin-dir)
           (let ((script (string-append bin-dir "/icecat-container")))
             (call-with-output-file script
               (lambda (port)
                 (display "#!/bin/bash\n" port)))
             (chmod script #o755))

           ;; fontconfig configuration
           (mkdir-p fc-dir)
           (call-with-output-file fc-mtg
             (lambda (port)
               (format port (string-append "<?xml version=\"1.0\"?>
<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">
<fontconfig>
  <dir>" (string-append (assoc-ref %build-inputs "font-dejavu")
                        "/share/fonts") "</dir>"
  ;;<dir>" (string-append (assoc-ref %build-inputs "font-adobe-source-han-sans")
  ;;                      "/share/fonts") "</dir>
  "
  <cachedir>" fc-cache-dir "</cachedir>
</fontconfig>\n"))))

           (setenv "PATH"
                   (string-append (assoc-ref %build-inputs "fontconfig")
                                  "/bin"))
           (setenv "FONTCONFIG_FILE" fc-mtg)
           (setenv "XDG_DATA_HOME" share-dir)

           (mkdir-p cache-dir)
           (invoke "fc-cache" "-fv")))))
    (propagated-inputs
     `(("icecat" ,icecat)
       ("zenity" ,zenity)
       ("font-dejavu" ,font-dejavu)
       ;;("pulseaudio" ,pulseaudio)
       ;;("font-adobe-source-han-sans", font-adobe-source-han-sans)
       ))
    (synopsis "GNU IceCat packaged for running within a container")
    (description
     "GNU IceCat packaged with various fonts (including multi-lingual).
Suitable for use within a container.")
    (license license:gpl3+)))
#+END_SRC

It might be in a mangled state, though, because I can't remember where I
left off with it.  I think `font-adobe-source-han-sans' is only
commented out because there weren't substitutes and building it takes
forever and is massive.  `pulseaudio' was me starting to try to play
around with audio, but I made no progress and spent very little time.

Hopefully that's a good starting point for others, and again, please
check out Ludo's script that I haven't had a chance to.  My personal
ideal, which I think Ludo shares, is to be able to containerize any
program with sane defaults without having to write package definitions
like the one above, so he's headed in the right direction.

-- 
Mike Gerwitz


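As an added example, not the script from the message above nor anything from Guix itself, here is a small wrapper that keeps the same `guix environment --container` approach but narrows what the container sees and deals with two of the open points listed above: `XDG_DATA_DIRS` is set for the command run inside the container, and the host's `/etc/machine-id` is replaced by a random per-session id, so an id leaked from the container cannot be matched to the machine. The environment variables `ICECAT_SESSION_DIR`, `ICECAT_PACKAGE` and `ICECAT_DRY_RUN` and the functions `gen_machine_id`, `setup_session` and `container_args` are this example's own. It assumes that with `--link-profile` the profile is visible at `~/.guix-profile` inside the container and that DBus is satisfied by any 32-hex-digit machine-id; neither assumption comes from the thread.

```shell
#!/bin/sh
# Added example (not the script from the message): run IceCat under
# `guix environment --container` with a smaller host surface.  Two of the
# open points from the thread are handled here: XDG_DATA_DIRS is set for
# the command inside the container, and the host's /etc/machine-id is
# replaced by a random per-session id so a leaked id does not identify
# this machine.
# Assumptions not taken from the thread: with --link-profile the profile
# appears at ~/.guix-profile inside the container, and DBus accepts any
# 32-hex-digit machine-id.
set -eu

SESSION_DIR=${ICECAT_SESSION_DIR:-/tmp/.icecat-session}
ICECAT_PACKAGE=${ICECAT_PACKAGE:-icecat}   # or mtg-icecat-containerized

# 32 lowercase hex digits: the machine-id format DBus expects.
gen_machine_id() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Per-session state: an empty working directory (so the host CWD is not
# mapped into the container), a dedicated downloads directory, and a fresh
# machine-id that never exposes the host's.
setup_session() {
    session=$1
    mkdir -p "$session/downloads"
    printf '%s\n' "$(gen_machine_id)" > "$session/machine-id"
    chmod 644 "$session/machine-id"
}

# Print the guix environment options, one per line.  --expose mounts
# read-only and --share read-write; the writable host paths are limited to
# the profile directory and the session downloads directory.  --user=user
# is kept from the posted script so the real user name stays outside.
container_args() {
    session=$1
    cat <<EOF
--container
--link-profile
--user=user
--network
--expose=$session/machine-id=/etc/machine-id
--expose=/tmp/.X11-unix/
--expose=$HOME/.Xauthority
--share=$HOME/.mozilla/
--share=$session/downloads=$HOME/Downloads/
--ad-hoc
$ICECAT_PACKAGE
EOF
}

main() {
    setup_session "$SESSION_DIR"
    cd "$SESSION_DIR"
    # Turn the option lines into arguments; IFS is newline only so that
    # paths containing spaces survive, and -f stops glob expansion.
    set -f
    old_ifs=$IFS
    IFS='
'
    set -- $(container_args "$SESSION_DIR") -- \
        env XDG_DATA_DIRS="$HOME/.guix-profile/share" icecat "$@"
    IFS=$old_ifs
    set +f
    if [ "${ICECAT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' guix environment "$@"
    else
        exec guix environment "$@"
    fi
}

# Only start the container when guix is available (or for a dry run), so
# the functions above can also be sourced and checked on their own.
if [ "${ICECAT_DRY_RUN:-0}" = 1 ] || command -v guix >/dev/null 2>&1; then
    main "$@"
fi
```

`ICECAT_DRY_RUN=1 ./icecat-container.sh` prints the full `guix environment` command line, one argument per line, which is a quick way to review exactly which host paths are handed to the container before running it. Audio is deliberately left out (no `/dev/snd`), matching the thread's unresolved state on that point.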

* Re: Documenting current state of isolating icecat
  2019-06-27  3:13 ` Mike Gerwitz
@ 2019-06-27 10:18   ` Pierre Neidhardt
  0 siblings, 0 replies; 3+ messages in thread
From: Pierre Neidhardt @ 2019-06-27 10:18 UTC (permalink / raw)
  To: Mike Gerwitz, Christopher Lemmer Webber; +Cc: help-guix


Thanks for bringing this back up.

Regarding the audio, there was this discussion more recently:

https://lists.gnu.org/archive/html/guix-devel/2019-03/msg00340.html

Which led to the implementation of some changes around user IDs.

With that patch, I still wasn't able to get sound to work, as
explained in the thread.

Apparently it's possible to get sound to work with Docker.

Cheers!

-- 
Pierre Neidhardt
https://ambrevar.xyz/

