[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Running IceCat in a container
From: |
Ludovic Courtès |
Subject: |
Re: Running IceCat in a container |
Date: |
Tue, 16 Jan 2018 17:30:42 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Hi Mike,
Mike Gerwitz <address@hidden> skribis:
> I'm running IceCat in a container, with the goal of isolating it form
> the rest of my system as much as possible without running a full
> VM. Here's what I have so far:
>
> #+BEGIN_SRC sh
> guix environment \
> --container \
> --network \
> -r "$gc_root" \
> --share=/tmp/.X11-unix/ \
> --expose=/etc/machine-id \
> --share=$HOME/.mozilla/ \
> --share=$HOME/.cache/mozilla/ \
> --share=$HOME/.Xauthority \
> --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
> --ad-hoc icecat coreutils
> -- \
> env DISPLAY="$DISPLAY" icecat "$@"
> #+END_SRC
I’ve been dreaming of having it baked in into the shell (like Plash did;
we could write a Bash or Guile-Bash extension) or something along these
lines…
> The most difficult problem I'm having is dealing with
> fonts. Specifically, I want to share the system fonts
> (/run/current-system/profile/share/fonts). The problem is, I can't just
> expose that directory, because it symlinks into the store, and those
> derivations don't exist within the container.
>
> - I do not want to expose all of /gnu.
> - I can provide the fonts as inputs to the environment, but I do not
> want to have to run fc-cache every time I start the container,
> because that is very slow. Exposing the cache directory doesn't
> help since the derivation used in the container ($GUIX_ENVIRONMENT)
> always appears to be different than the font derivation used on my
> system, and also by my user.
> - I don't want to expose my user's entire ~/.guix-profile/.
>
> I'm making things difficult for myself because I want as little
> shared/exposed with the container as possible.
>
> To complicate things further, for privacy, I don't want my user exposed
> to the container via the name of my home directory; Guix creates that
> automatically. I haven't yet looked at the code to see what exactly it
> does.
“guix environment -C” makes $PWD shared; if you do (cd /tmp; guix
environment -C …), then /tmp is shared but not $HOME.
> Is there a reasonable solution here? Should I create a separate user
> entirely and then just share the entire home directory? I'm not sure
> how that might impact X11 socket sharing, though. Can I maybe
> pre-create an image, already having run fc-cache, and run that image as
> a container (like one would with Docker?)? But that wouldn't solve my
> user privacy issue.
Perhaps you could define a package that simply runs “fc-cache” with the
fonts it has as inputs, and then pass that to ‘guix environment’.
But really, we should make a specific tool for this.
Thoughts?
Ludo’.
- Running IceCat in a container, Mike Gerwitz, 2018/01/15
- Re: Running IceCat in a container,
Ludovic Courtès <=
- Re: Running IceCat in a container, Ludovic Courtès, 2018/01/25
- Re: Running IceCat in a container, Ludovic Courtès, 2018/01/25
- Re: Running IceCat in a container, Mike Gerwitz, 2018/01/26
- Re: Running IceCat in a container, Ludovic Courtès, 2018/01/29
- Re: Running IceCat in a container, Ricardo Wurmus, 2018/01/29
- Running code from packs in containers, Ludovic Courtès, 2018/01/30