From: Mike Gerwitz <mtg@gnu.org>
To: help-guix@gnu.org
Subject: Running IceCat in a container
Date: Mon, 15 Jan 2018 20:56:51 -0500
Message-ID: <87vag2wopo.fsf@gnu.org>
Hello, everyone:
I'm running IceCat in a container, with the goal of isolating it from
the rest of my system as much as possible without running a full
VM. Here's what I have so far:
#+BEGIN_SRC sh
guix environment \
  --container \
  --network \
  -r "$gc_root" \
  --share=/tmp/.X11-unix/ \
  --expose=/etc/machine-id \
  --share=$HOME/.mozilla/ \
  --share=$HOME/.cache/mozilla/ \
  --share=$HOME/.Xauthority \
  --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
  --ad-hoc icecat coreutils \
  -- \
  env DISPLAY="$DISPLAY" icecat "$@"
#+END_SRC
The most difficult problem I'm having is dealing with
fonts. Specifically, I want to share the system fonts
(/run/current-system/profile/share/fonts). The problem is, I can't just
expose that directory, because it symlinks into the store, and those
derivations don't exist within the container.
- I do not want to expose all of /gnu.
- I can provide the fonts as inputs to the environment, but I do not
want to have to run fc-cache every time I start the container,
because that is very slow. Exposing the cache directory doesn't
help since the derivation used in the container ($GUIX_ENVIRONMENT)
always appears to be different than the font derivation used on my
system, and also by my user.
- I don't want to expose my user's entire ~/.guix-profile/.
I'm making things difficult for myself because I want as little
shared/exposed with the container as possible.
To complicate things further, for privacy, I don't want my user exposed
to the container via the name of my home directory; Guix creates that
automatically. I haven't yet looked at the code to see what exactly it
does.
Is there a reasonable solution here? Should I create a separate user
entirely and then just share the entire home directory? I'm not sure
how that might impact X11 socket sharing, though. Can I maybe
pre-create an image, already having run fc-cache, and run that image as
a container (like one would with Docker?)? But that wouldn't solve my
user privacy issue.
Thanks,
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
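An added example, not part of Mike's message and not Guix's own code: a small POSIX sh wrapper around the invocation above that refuses to start the container when any bind mount is one of the broad trees the message wants to keep out (/gnu, the whole home directory, ~/.guix-profile, all of /etc or /run) or does not exist on the host, so a typo in the mount list cannot silently widen what IceCat can see. The mount list mirrors the command in the message; the refusal list, the ICECAT_GC_ROOT variable and the ICECAT_CONTAINER_RUN guard are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate bind mounts before running IceCat in a
# `guix environment --container`. Mount list taken from the message;
# refusal rules and variable names below are assumptions.
set -eu

# Mounts exactly as in the message, one option per line.
MOUNTS="
--share=/tmp/.X11-unix/
--expose=/etc/machine-id
--share=$HOME/.mozilla/
--share=$HOME/.cache/mozilla/
--share=$HOME/.Xauthority
--share=$HOME/Downloads/icecat-container/=$HOME/Downloads/
"

# Strip trailing slashes (except for "/" itself) so "/gnu/" and "/gnu"
# are treated alike.
normalize_path() {
    p="$1"
    while [ "${p%/}" != "$p" ] && [ "$p" != "/" ]; do p="${p%/}"; done
    printf '%s\n' "$p"
}

# Host trees that must never be shared wholesale; sharing them would
# defeat the isolation the container is supposed to provide.
is_forbidden_mount() {
    case "$(normalize_path "$1")" in
        /|/gnu|/gnu/store|/etc|/run|"${HOME:-/root}"|"${HOME:-/root}/.guix-profile")
            return 0 ;;
    esac
    return 1
}

# $1 is the value of a --share/--expose option: "host" or "host=target".
# Only the host side is checked; the in-container target is free.
check_mount_spec() {
    host="${1%%=*}"
    if is_forbidden_mount "$host"; then
        printf 'refusing to share %s: too broad\n' "$host" >&2
        return 1
    fi
    if [ ! -e "$host" ]; then
        printf 'refusing to share %s: missing on host\n' "$host" >&2
        return 1
    fi
    return 0
}

# $1 is a newline-separated list of --share=/--expose= options.
validate_mounts() {
    old_ifs="$IFS"
    IFS='
'
    for opt in $1; do
        spec="${opt#--share=}"
        spec="${spec#--expose=}"
        check_mount_spec "$spec" || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    return 0
}

run_icecat_container() {
    validate_mounts "$MOUNTS" || exit 1
    gc_root="${ICECAT_GC_ROOT:-$HOME/.cache/icecat-container-root}"  # assumed
    IFS='
'
    exec guix environment \
        --container --network \
        -r "$gc_root" \
        $MOUNTS \
        --ad-hoc icecat coreutils \
        -- env DISPLAY="$DISPLAY" icecat "$@"
}

# Only launch when asked, so the file can also be sourced for its checks.
if [ "${ICECAT_CONTAINER_RUN:-0}" = 1 ]; then
    run_icecat_container "$@"
fi
```

Run it as `ICECAT_CONTAINER_RUN=1 sh icecat-container.sh` (any further arguments go to icecat). Word splitting on newlines means a $HOME containing a newline is not supported, which is an acceptable limit for a personal wrapper; spaces in paths are fine.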