[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Running IceCat in a container

From: Mike Gerwitz
Subject: Running IceCat in a container
Date: Mon, 15 Jan 2018 20:56:51 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hello, everyone:

I'm running IceCat in a container, with the goal of isolating it form
the rest of my system as much as possible without running a full
VM.  Here's what I have so far:

guix environment \
     --container \
     --network \
     -r "$gc_root" \
     --share=/tmp/.X11-unix/ \
     --expose=/etc/machine-id \
     --share=$HOME/.mozilla/ \
     --share=$HOME/.cache/mozilla/ \
     --share=$HOME/.Xauthority \
     --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
     --ad-hoc icecat coreutils
     -- \
     env DISPLAY="$DISPLAY" icecat "$@"

The most difficult problem I'm having is dealing with
fonts.  Specifically, I want to share the system fonts
(/run/current-system/profile/share/fonts).  The problem is, I can't just
expose that directory, because it symlinks into the store, and those
derivations don't exist within the container.

  - I do not want to expose all of /gnu.
  - I can provide the fonts as inputs to the environment, but I do not
    want to have to run fc-cache every time I start the container,
    because that is very slow.  Exposing the cache directory doesn't
    help since the derivation used in the container ($GUIX_ENVIRONMENT)
    always appears to be different than the font derivation used on my
    system, and also by my user.
  - I don't want to expose my user's entire ~/.guix-profile/.

I'm making things difficult for myself because I want as little
shared/exposed with the container as possible.

To complicate things further, for privacy, I don't want my user exposed
to the container via the name of my home directory; Guix creates that
automatically.  I haven't yet looked at the code to see what exactly it

Is there a reasonable solution here?  Should I create a separate user
entirely and then just share the entire home directory?  I'm not sure
how that might impact X11 socket sharing, though.  Can I maybe
pre-create an image, already having run fc-cache, and run that image as
a container (like one would with Docker?)?  But that wouldn't solve my
user privacy issue.


Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]