From: Mike Gerwitz
Subject: Running IceCat in a container
Date: Mon, 15 Jan 2018 20:56:51 -0500
Message-ID: <87vag2wopo.fsf@gnu.org>
To: help-guix@gnu.org

Hello, everyone:

I'm running IceCat in a container, with the goal of isolating it from the rest of my system as much as possible without running a full VM. Here's what I have so far:

#+BEGIN_SRC sh
# $gc_root is set by the caller: the file to register as the GC root of
# the environment (guix environment -r).
guix environment \
  --container \
  --network \
  -r "$gc_root" \
  --share=/tmp/.X11-unix/ \
  --expose=/etc/machine-id \
  --share="$HOME/.mozilla/" \
  --share="$HOME/.cache/mozilla/" \
  --share="$HOME/.Xauthority" \
  --share="$HOME/Downloads/icecat-container/=$HOME/Downloads/" \
  --ad-hoc icecat coreutils -- \
  env DISPLAY="$DISPLAY" icecat "$@"
#+END_SRC

The most difficult problem I'm having is dealing with fonts.
Specifically, I want to share the system fonts (/run/current-system/profile/share/fonts). The problem is, I can't just expose that directory, because it symlinks into the store, and those derivations don't exist within the container.

- I do not want to expose all of /gnu.
- I can provide the fonts as inputs to the environment, but I do not want to have to run fc-cache every time I start the container, because that is very slow. Exposing the cache directory doesn't help, since the derivation used in the container ($GUIX_ENVIRONMENT) always appears to be different than the font derivation used on my system, and also by my user.
- I don't want to expose my user's entire ~/.guix-profile/.

I'm making things difficult for myself because I want as little shared/exposed with the container as possible.

To complicate things further, for privacy, I don't want my user exposed to the container via the name of my home directory; Guix creates that automatically. I haven't yet looked at the code to see what exactly it does.

Is there a reasonable solution here? Should I create a separate user entirely and then just share the entire home directory? I'm not sure how that might impact X11 socket sharing, though. Can I maybe pre-create an image, already having run fc-cache, and run that image as a container (as one would with Docker)? But that wouldn't solve my user privacy issue.
Thanks,

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
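One way to attack the font-sharing problem raised in the post, as an added example that is neither the poster's code nor part of Guix: instead of exposing all of /gnu or the whole user profile, resolve the symlinks under the profile's share/fonts directory back to the individual store items they point at and emit one --expose flag per item. Because the items are bind-mounted at their host paths, the directory paths fontconfig hashes its cache entries by are the same inside and outside the container; whether the container's fonts.conf actually scans those directories is a separate matter that this example does not touch. It assumes GNU coreutils (readlink -f), a store prefix of /gnu/store unless another is passed, and a constructed fixture (make_fixture) standing in for the store and the profile so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. It computes --expose
# flags for only those store items that a font profile directory points
# at, so the container sees the fonts without /gnu being shared.
# Assumptions: GNU coreutils (readlink -f); store prefix /gnu/store unless
# given as the second argument.
set -eu

# Map a resolved path below the store to its top-level store item, e.g.
#   /gnu/store/<hash>-font-dejavu-2.37/share/fonts/truetype
#   -> /gnu/store/<hash>-font-dejavu-2.37
# Returns 1 (and prints nothing) for paths outside the store.
store_item() {
    path=$1 store=$2
    rest="${path#"$store"/}"
    [ "$rest" != "$path" ] || return 1
    printf '%s/%s\n' "$store" "${rest%%/*}"
}

# Emit one --expose=<store item> per distinct store item reachable from
# the symlinks (or plain files) in a profile's share/fonts directory.
# A whole-directory symlink (one package provides the directory) and a
# per-file symlink (several packages merged into it) both resolve.
font_expose_flags() {
    font_dir=$1 store=${2:-/gnu/store}
    find "$font_dir" \( -type l -o -type f \) |
    while IFS= read -r p; do
        target=$(readlink -f -- "$p") || continue
        store_item "$target" "$store" || true
    done | sort -u | sed 's/^/--expose=/'
}

# Constructed fixture standing in for /gnu/store and a profile's
# share/fonts: one directory-level symlink and one file-level symlink.
make_fixture() {
    store=$1 profile=$2
    mkdir -p "$store/a1-font-dejavu-2.37/share/fonts/truetype" \
             "$store/b2-font-gnu-freefont-20120503/share/fonts/opentype" \
             "$profile/share/fonts/opentype"
    : > "$store/a1-font-dejavu-2.37/share/fonts/truetype/DejaVuSans.ttf"
    : > "$store/b2-font-gnu-freefont-20120503/share/fonts/opentype/FreeSans.otf"
    ln -s "$store/a1-font-dejavu-2.37/share/fonts/truetype" \
          "$profile/share/fonts/truetype"
    ln -s "$store/b2-font-gnu-freefont-20120503/share/fonts/opentype/FreeSans.otf" \
          "$profile/share/fonts/opentype/FreeSans.otf"
}

# Demonstration against the fixture. On a real system you would pass
# /run/current-system/profile/share/fonts and splice the output into the
# command line from the post (store paths contain no spaces, so plain
# word splitting is safe), e.g.
#   guix environment --container --network \
#     $(font_expose_flags /run/current-system/profile/share/fonts) \
#     --ad-hoc icecat -- icecat
tmp=$(cd "$(mktemp -d)" && pwd -P)
make_fixture "$tmp/store" "$tmp/profile"
font_expose_flags "$tmp/profile/share/fonts" "$tmp/store"
rm -rf "$tmp"
```

Exposing the whole store item rather than only its share/fonts subdirectory is deliberate: it keeps the mount list short and the paths identical to the host's, and a font package's other outputs (fonts.scale, licence files) are harmless to make visible. This does not address the home-directory-name concern from the post; it only replaces the "expose all of /gnu" option with the minimal set of store items.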