From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH 14/15] scripts: environment: Add --container option.
Date: Tue, 07 Jul 2015 16:35:45 +0200
Message-ID: <87zj38f326.fsf@gnu.org>
References: <1436188604-2813-1-git-send-email-dthompson2@worcester.edu> <1436188604-2813-14-git-send-email-dthompson2@worcester.edu>
In-Reply-To: <1436188604-2813-14-git-send-email-dthompson2@worcester.edu> (David Thompson's message of "Mon, 6 Jul 2015 09:16:43 -0400")
To: David Thompson
Cc: guix-devel@gnu.org, David Thompson

David Thompson skribis:

> * guix/scripts/enviroment.scm (show-help): Show help for new option.
> (%options): Add --container option.
> (launch-environment, launch-environment/container): New procedures.
> (guix-environment): Spawn new process in a container when requested.
> * doc/guix.texi (Invoking guix environment): Document it.

[...]

> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -4191,6 +4191,15 @@ NumPy:
>  guix environment --ad-hoc python2-numpy python-2.7 -E python
>  @end example
>  
> +Sometimes it is desirable to isolate the environment as much as
> +possible, for maximal purity and reproducibility.

+ “In particular, when using Guix on a host distro that is not GuixSD, it
is desirable to prevent access to @file{/usr/bin} and other system-wide
resources from the development environment.”

> +following command spawns a Guile REPL in a ``container'' where only the
> +store and the current working directory are mounted:

@cindex container

> +@item --container
> +@itemx -C
> +Run command within an isolated container. The current working directory

@var{command}

Since this works without root privileges, what about adding a test in
tests/guix-environment.sh?  Basically something similar to one of the
existing tests, but additionally checking from within the container that
‘id -u’ returns 0, that ‘$$’ is 2, and that files outside of $PWD are
not in the container.

Which reminds me: In a separate commit, it Would Be Nice to document our
minimal kernel requirements for the container functionality.  Could you
look into that?

Thank you!

Ludo’.
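Review bot: the `@item --container` text in this hunk ("Run command within an isolated container.") should state the isolation boundary itself instead of leaving it to the paragraph above: name what is unshared from the host and what, if anything, stays visible, since the preceding text promises "maximal purity" while only mentioning that the store and the current working directory are mounted, and readers will otherwise assume more isolation than the option provides. In the same sentence, "Run command" should read "Run @var{command}", matching the Texinfo convention the manual uses for metasyntactic arguments.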
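The test asked for in the reply, as an added example for this thread rather than code from the patch or the Guix tree: it assumes what the reply states (inside the container the caller is uid 0, the spawned shell is pid 2, and nothing outside the store and $PWD is mounted) and that `-E` accepts a shell command string, as the manual hunk suggests.

```shell
#!/bin/sh
# Added example for this thread, not code from the patch or the Guix tree.
# Assumed behaviour (taken from the review): inside the container the
# caller is uid 0, the spawned shell is pid 2, and nothing outside the
# store and $PWD is mounted.  The -E "shell command" form is assumed from
# the manual hunk above.

# check_isolation UID PID PROBE_PATH: return 0 if every property holds.
# PROBE_PATH is a file that exists on the host outside $PWD and must not
# be visible.  The definition is kept in a string so the very same code
# can be shipped into the container and evaluated there.
CHECK_ISOLATION_DEF='
check_isolation() {
    uid=$1; pid=$2; probe=$3; status=0
    [ "$uid" -eq 0 ] 2>/dev/null \
        || { printf "uid is %s, expected 0\n" "$uid" >&2; status=1; }
    [ "$pid" -eq 2 ] 2>/dev/null \
        || { printf "pid is %s, expected 2\n" "$pid" >&2; status=1; }
    [ ! -e "$probe" ] \
        || { printf "%s is visible inside the container\n" "$probe" >&2; status=1; }
    return $status
}'
eval "$CHECK_ISOLATION_DEF"

# run_container_test [PROBE_PATH]: what tests/guix-environment.sh would
# do; evaluates the checks from inside the container (needs guix on the
# host; /etc/hostname is a constructed default for a host-only file).
run_container_test() {
    probe=${1:-/etc/hostname}
    guix environment --container --ad-hoc coreutils \
        -E "$CHECK_ISOLATION_DEF; check_isolation \"\$(id -u)\" \$\$ '$probe'"
}
```

`check_isolation` can be exercised on the host with constructed values, so the expectations are pinned down before the container driver is wired into the test suite.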