Re: [PATCH 14/15] scripts: environment: Add --container option.
From: Thompson, David
Subject: Re: [PATCH 14/15] scripts: environment: Add --container option.
Date: Thu, 9 Jul 2015 09:16:53 -0400
On Tue, Jul 7, 2015 at 10:35 AM, Ludovic Courtès <address@hidden> wrote:
> David Thompson <address@hidden> skribis:
>
>> * guix/scripts/enviroment.scm (show-help): Show help for new option.
>> (%options): Add --container option.
>> (launch-environment, launch-environment/container): New procedures.
>> (guix-environment): Spawn new process in a container when requested.
>> * doc/guix.texi (Invoking guix environment): Document it.
>
> [...]
>
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -4191,6 +4191,15 @@ NumPy:
>> guix environment --ad-hoc python2-numpy python-2.7 -E python
>> @end example
>>
>> +Sometimes it is desirable to isolate the environment as much as
>> +possible, for maximal purity and reproducibility.
>
> + “In particular, when using Guix on a host distro that is not GuixSD,
> it is desirable to prevent access to @file{/usr/bin} and other
> system-wide resources from the development environment.”
>
>> +following command spawns a Guile REPL in a ``container'' where only the
>> +store and the current working directory are mounted:
>
> @cindex container
>
>> address@hidden --container
>> address@hidden -C
>> +Run command within an isolated container. The current working directory
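Review bot: the option description starting at "+Run command within an isolated container. The current working directory" only says which paths are mounted; since the feature works without root privileges while ‘id -u’ is expected to return 0 inside (the test requested below), it should also state that the command runs as an ordinary user who appears as root only within the container's own user namespace, so that readers do not take @option{--container} as granting host privileges or as a hardened sandbox.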
>
> @var{command}
>
> Since this works without root privileges, what about adding a test in
> tests/guix-environment.sh?
>
> Basically something similar to one of the existing tests, but
> additionally checking from within the container that ‘id -u’ returns 0,
> that ‘$$’ is 2, and that files outside of $PWD are not in the container.
For some reason that I haven't figured out, the existing tests do not
pass on my machine when I run:
make check TESTS=tests/guix-environment.sh
I'm finding it difficult to debug our tests because the test runner
eats backtraces and other useful info.
> Which reminds me: In a separate commit, it Would Be Nice to document our
> minimal kernel requirements for the container functionality. Could you
> look into that?
AFAIK the recommended minimal kernel version that folks should be
using for this stuff is 3.13, and the kernel needs to be configured
with that DEVPTS_MULTIPLE_INSTANCES flag. Where would you put this
information?
Thanks,
- Dave