Re: [PATCH 14/15] scripts: environment: Add --container option.
From: Thompson, David
Subject: Re: [PATCH 14/15] scripts: environment: Add --container option.
Date: Sat, 5 Sep 2015 19:45:38 -0400
On Tue, Jul 7, 2015 at 10:35 AM, Ludovic Courtès <address@hidden> wrote:
> David Thompson <address@hidden> writes:
>
>> * guix/scripts/environment.scm (show-help): Show help for new option.
>> (%options): Add --container option.
>> (launch-environment, launch-environment/container): New procedures.
>> (guix-environment): Spawn new process in a container when requested.
>> * doc/guix.texi (Invoking guix environment): Document it.
>
> [...]
>
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -4191,6 +4191,15 @@ NumPy:
>> guix environment --ad-hoc python2-numpy python-2.7 -E python
>> @end example
>>
>> +Sometimes it is desirable to isolate the environment as much as
>> +possible, for maximal purity and reproducibility.
>
> + “In particular, when using Guix on a host distro that is not GuixSD,
> it is desirable to prevent access to @file{/usr/bin} and other
> system-wide resources from the development environment.”
>
>> +following command spawns a Guile REPL in a ``container'' where only the
>> +store and the current working directory are mounted:
>
> @cindex container
>
>> address@hidden --container
>> address@hidden -C
>> +Run command within an isolated container. The current working directory
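Review bot: the sentence at the top of this hunk says only the store and the current working directory are mounted in the container, which will no longer hold once, as described later in this message, only the union of the inputs' closures is bind-mounted and /bin/sh is provided; reword it in the next revision to state exactly what is visible (the closure of the inputs, $PWD, and /bin/sh), and in the option entry mark the command argument up as @var{command} so it renders as a placeholder rather than literal text.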
>
> @var{command}
>
> Since this works without root privileges, what about adding a test in
> tests/guix-environment.sh?
>
> Basically something similar to one of the existing tests, but
> additionally checking from within the container that ‘id -u’ returns 0,
> that ‘$$’ is 2, and that files outside of $PWD are not in the container.
Still need to do this.
> Which reminds me: In a separate commit, it Would Be Nice to document our
> minimal kernel requirements for the container functionality. Could you
> look into that?
Still need to do this, but...
I have a shiny new patch that adds --network, --share, and --expose
options. Also, rather than bind-mounting the entire store, I figured
out how to bind-mount only the union of the closures of the inputs
like build daemon containers. And finally, the original patch didn't
set up /bin/sh, which is of course terrible and broke tons of things, so
I've fixed that, too.
Now I can do things like build Guix from source inside a container, or
better replicate the build daemon's environment when debugging with
failed builds. I hope that soon everyone will be able to enjoy this.
:)
- Dave
Attachment: 0001-scripts-environment-Add-container-option.patch
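The test Ludovic asks for above, written here as an added example in the style of a tests/guix-environment.sh check (it is not the project's test and not part of this thread): a probe script is run inside the container and its report is checked for the three properties he lists (`id -u` is 0, `$$` is 2, a file outside $PWD is not visible). It assumes `guix` is on PATH and that `-E` takes the command as a single string, as in the `-E python` example quoted above.

```shell
set -e

# Write a probe script into $PWD (which IS mounted in the container) that
# reports what the containerized process can see.
# $1: path of a file outside $PWD that must be invisible inside the container.
write_probe() {
    cat > "$PWD/probe.sh" <<EOF
printf 'uid=%s\n' "\$(id -u)"
printf 'pid=%s\n' "\$\$"
if [ -e '$1' ]; then echo outside=visible; else echo outside=hidden; fi
EOF
}

# Validate a probe report read from stdin: uid must be 0, PID must be 2,
# and the outside file must be hidden.  Returns 0 when all three hold.
check_probe_report() {
    probe_uid=""; probe_pid=""; probe_outside=""
    while IFS='=' read -r key value; do
        case "$key" in
            uid) probe_uid=$value ;;
            pid) probe_pid=$value ;;
            outside) probe_outside=$value ;;
        esac
    done
    [ "$probe_uid" = 0 ] && [ "$probe_pid" = 2 ] && [ "$probe_outside" = hidden ]
}

# End-to-end check: create a file outside $PWD (in /tmp, which is not mounted),
# run the probe in a container that provides bash and coreutils, and validate
# the report.  Needs a real guix, so it is only run when invoked explicitly.
run_container_test() {
    outside_file=$(mktemp)
    trap 'rm -f "$outside_file" "$PWD/probe.sh"' EXIT
    write_probe "$outside_file"
    guix environment --container --ad-hoc bash coreutils -E 'bash probe.sh' \
        | check_probe_report
}
```

Call `run_container_test` from the test script's body; a non-zero exit means the container leaked the outside file, was not PID-isolated, or did not map the user to root.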