
Re: Update on GuixSD containers


From: Thompson, David
Subject: Re: Update on GuixSD containers
Date: Fri, 12 Jun 2015 23:41:19 -0400

On Fri, Jun 12, 2015 at 11:08 AM, Ludovic Courtès <address@hidden> wrote:
> "Thompson, David" <address@hidden> wrote:
>
>> On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <address@hidden> wrote:
>>
>>> Until there’s a daemon to keep track of containers, “guix system
>>> container” could return the PID of the container’s PID1, to make it
>>> easier to kill it later?
>>
>> I'm actually unsure how to acquire the PID of the container's init
>> process since I clone and exec.  Any ideas?
>
> Isn’t it the return value of ‘clone’?

Oh, you're right.  I forgot that the exec() *replaces* the process,
rather than spawning a new one.  The script now outputs the PID.

>>> It’s a shame that only CLONE_NEWUSER is available to non-root users.  I
>>> wonder what the rationale was.  AIUI, Docker’s daemon performs clone(2)
>>> on behalf of clients, right?
>>
>> Yeah, our daemon would do the same thing.  We could maybe even have a
>> little Guile library that allows one to evaluate arbitrary scheme code
>> from within the container. :)
>
> Definitely.  Another application I’ve always wanted is a least-authority
> shell, like Plash [0].
>
> (Speaking of which, I just found Shill [1], which seems similar to Plash
> and even has a to-do item regarding package management [2] and is
> written in Racket; unfortunately it runs on FreeBSD, for Capsicum.)

That's really cool.  Using a container + user-specified shared
directories we can achieve something like this, I think.

- Dave
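The mechanism the thread settles on (clone(2) returns the child's PID to the parent, and exec(2) keeps that PID while replacing the process image, so the return value of clone is the PID of the container's init), as an added example in C. This is not code from the thread or from Guix; the namespace flags, the stack size and the `/bin/sh` init command are assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child stack.  Without CLONE_VM the child gets its own copy of memory,
   so a static buffer is fine for sequential spawns. */
static char child_stack[1024 * 1024];

/* Child entry: exec(2) the container's init.  exec replaces the process
   image but keeps the PID, so the value clone(2) returned to the parent
   is the PID of the container's init. */
static int container_init(void *arg)
{
    char **argv = arg;
    execv(argv[0], argv);
    perror("execv");  /* only reached if exec failed */
    _exit(127);
}

/* clone(2) a child with the given namespace flags and exec argv in it.
   Returns the child's PID in the host PID namespace, or -1 with errno set
   (EPERM when the kernel forbids unprivileged user namespaces). */
pid_t spawn_init(char **argv, int ns_flags)
{
    /* The stack grows down, so pass the top of the buffer. */
    return clone(container_init, child_stack + sizeof child_stack,
                 ns_flags | SIGCHLD, argv);
}

/* Reap the init process; returns its exit status, or -1 on error/signal. */
int wait_init(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Inside a new PID namespace the shell sees itself as PID 1. */
    char *argv[] = { "/bin/sh", "-c", "echo \"inside: pid $$\"; exit 3", NULL };
    pid_t pid = spawn_init(argv, CLONE_NEWUSER | CLONE_NEWPID);
    if (pid < 0) { perror("clone"); return 1; }
    printf("host view: container init is PID %ld\n", (long)pid);
    printf("init exited with status %d\n", wait_init(pid));
    return 0;
}
```

Whether the CLONE_NEWUSER | CLONE_NEWPID run succeeds for an unprivileged user depends on the kernel allowing unprivileged user namespaces; where it does not, clone fails with EPERM, which is the restriction the thread discusses.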
