Hello, everyone: I'm running IceCat in a container, with the goal of isolating it from the rest of my system as much as possible without running a full VM. Here's what I have so far:

#+BEGIN_SRC sh
guix environment \
  --container \
  --network \
  -r "$gc_root" \
  --share=/tmp/.X11-unix/ \
  --expose=/etc/machine-id \
  --share=$HOME/.mozilla/ \
  --share=$HOME/.cache/mozilla/ \
  --share=$HOME/.Xauthority \
  --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
  --ad-hoc icecat coreutils -- \
  env DISPLAY="$DISPLAY" icecat "$@"
#+END_SRC

The most difficult problem I'm having is dealing with fonts. Specifically, I want to share the system fonts (/run/current-system/profile/share/fonts). The problem is, I can't just expose that directory, because it symlinks into the store, and those derivations don't exist within the container.

- I do not want to expose all of /gnu.
- I can provide the fonts as inputs to the environment, but I do not want to have to run fc-cache every time I start the container, because that is very slow. Exposing the cache directory doesn't help, since the derivation used in the container ($GUIX_ENVIRONMENT) always appears to be different from the font derivation used on my system, and also by my user.
- I don't want to expose my user's entire ~/.guix-profile/.

I'm making things difficult for myself because I want as little shared/exposed with the container as possible.

To complicate things further, for privacy, I don't want my user exposed to the container via the name of my home directory; Guix creates that automatically. I haven't yet looked at the code to see what exactly it does.

Is there a reasonable solution here? Should I create a separate user entirely and then just share the entire home directory? I'm not sure how that might impact X11 socket sharing, though. Can I maybe pre-create an image, already having run fc-cache, and run that image as a container (like one would with Docker)? But that wouldn't solve my user privacy issue.
Thanks,

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
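The following wrapper is an added example, not code from the post above or from the Guix project. It takes the container invocation quoted in the message and tries two things a reviewer would want to see worked through: it passes `--user=NAME` so the container's /etc/passwd names a throwaway user with home /home/NAME instead of the host account, and it remaps every `--share` onto that home so the host home-directory name does not leak through the mount points either; and for fonts it exposes a dereferenced copy of the system font tree (`cp -L` follows the symlinks into /gnu/store) at the same path the host uses, together with a shared ~/.cache/fontconfig. Assumptions, flagged in the code as well: that `guix environment --container --user=NAME` behaves as the Guix manual describes, that fontconfig inside the container looks in /run/current-system/profile/share/fonts, and that fontconfig's cache is keyed on directory path and mtime (so the shared cache stays warm across runs) rather than on the store derivation. The font-copy path, the `icecat` user name and the file name `icecat-container.sh` are choices made for the example.

```sh
#!/bin/sh
# Added example (not code from the original post): a wrapper around the
# container command from the message above.
#
# Assumptions, not verified on the poster's system:
#  1. `guix environment --container --user=NAME` is available; it puts a
#     user NAME with home /home/NAME into the container's /etc/passwd,
#     so the real home directory name never appears inside.  Every
#     --share below therefore maps a host path to a path under /home/NAME.
#  2. A dereferenced copy of the system fonts (cp -L resolves the
#     symlinks into /gnu/store) exposed at the path the host uses is
#     enough for fontconfig inside the container, and a shared
#     ~/.cache/fontconfig stays valid because fontconfig keys its cache
#     on directory path and mtime, not on the store derivation.
set -eu

FONT_SRC=${FONT_SRC:-/run/current-system/profile/share/fonts}
FONT_COPY=${FONT_COPY:-$HOME/.cache/icecat-container/fonts}
CONTAINER_USER=${CONTAINER_USER:-icecat}
GUIX=${GUIX:-guix}

# Copy the font tree with symlinks resolved; redo it only when the host
# profile's fonts directory is newer than our copy.
sync_fonts() {
    if [ ! -d "$FONT_COPY" ] || [ "$FONT_SRC" -nt "$FONT_COPY" ]; then
        rm -rf "$FONT_COPY"
        mkdir -p "$(dirname "$FONT_COPY")"
        cp -rL "$FONT_SRC" "$FONT_COPY"   # -L: real files, not store links
        touch "$FONT_COPY"
    fi
}

# Stand-in for guix when it is not installed: print one argument per
# line so the invocation can be inspected without building a container.
dry_run_guix() { printf '%s\n' "$@"; }

# Build and run the container.  Host paths are mapped onto the container
# user's home, so the host username is not leaked by the mount points.
icecat_in_container() {
    chome=/home/$CONTAINER_USER
    sync_fonts
    mkdir -p "$HOME/.cache/fontconfig" "$HOME/Downloads/icecat-container"
    "$GUIX" environment --container --network \
        "--user=$CONTAINER_USER" \
        --share=/tmp/.X11-unix/ \
        --expose=/etc/machine-id \
        "--share=$HOME/.mozilla/=$chome/.mozilla/" \
        "--share=$HOME/.cache/mozilla/=$chome/.cache/mozilla/" \
        "--share=$HOME/.cache/fontconfig/=$chome/.cache/fontconfig/" \
        "--share=$HOME/.Xauthority=$chome/.Xauthority" \
        "--expose=$FONT_COPY=$FONT_SRC" \
        "--share=$HOME/Downloads/icecat-container/=$chome/Downloads/" \
        --ad-hoc icecat coreutils -- \
        env DISPLAY="$DISPLAY" icecat "$@"
}

# Run only when invoked as a script under this name; without guix on
# PATH the invocation is printed instead of executed.
case "${0##*/}" in
    icecat-container.sh)
        command -v "$GUIX" >/dev/null 2>&1 || GUIX=dry_run_guix
        icecat_in_container "$@" ;;
esac
```

Invoke it as `sh icecat-container.sh [URL...]`. On a machine without guix it prints the argument list, which is the quickest way to check that no `--share` target still contains the host home path. Whether the shared fontconfig cache is actually reused, rather than rebuilt, is something to confirm on the first run inside the container (for example with `fc-cache -v`), since that depends on assumption 2 holding.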