Re: guix pack isolation

From: Simon Tournier
Subject: Re: guix pack isolation
Date: Thu, 16 Feb 2023 10:44:00 +0100


On Wed, 15 Feb 2023 at 23:56, Kyle Andrews <> wrote:

>> I do not have Singularity at hand, let demo with Docker
>> which is very similar.
> Too bad! My system administrators are against running Docker on the
> cluster. The "relocatable" option didn't seem relevant to me since it
> wouldn't apply any file system isolation.

Well, I think it should not be an issue for Singularity to reuse a Docker
pack. ;-) Once the Docker pack is imported inside Docker – say e.g., docker
load < $(guix pack -f docker …) – then something like,

    singularity run docker://python-python-numpy-bash:latest python3

should do the job.  Anyway! :-)

>> $ docker run -ti python-python-numpy-bash:latest python3
> The arguments in this command at least gave me an idea. Maybe I am just
> ignorant about how singularity works? I didn't know what -ti could
> possibly mean without first looking them up. Maybe I just need to add
> some additional arguments to singularity exec?

Well, is this invocation

    singularity exec                                     \
       $(guix pack -f squashfs python python-numpy bash) \

working for you?

> Arguments in the manual which look particularly interesting to me are:
> --contain
> --containall
> --bind=/path/to/shared/file/system/location
> --no-home
> --workdir

This depends on what you would like to achieve. ;-)

> If you or anyone else have any tips on how to best mimic the
> behavior of the analogous `guix shell' command with a `singularity
> exec' call I would use if guix was available, I am all ears.


    guix shell -C -m manifest.scm -- something

is more or less similar to,

    singularity exec $(guix pack -f squashfs -m manifest.scm) something

But since Guix is not running on the cluster, you need to build the pack
on your machine running Guix – this will produce a self-contained
archive, say using the Squashfs format (Singularity).

Hope that helps,
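As an added illustration (not code from this thread or from the Guix project), here is a small wrapper that does what the exchange above describes: build the squashfs pack on the Guix machine, verify the copied file on the cluster, and run it with `singularity exec` using the isolation flags Kyle listed, so that it behaves roughly like `guix shell -C`. The script name `guix-shell-c.sh`, the `DRY_RUN` variable and the helper names are my own; `--contain`, `--no-home` and `--bind` come from the thread, while `--cleanenv` and `--pwd` are standard Singularity flags (assumed to be available on the cluster's version).

```shell
#!/bin/sh
# Added example, not code from the thread: mimic
# `guix shell -C -m manifest.scm -- CMD` on a cluster that has Singularity
# but no Guix. The pack is built on a machine running Guix (step 1), copied
# over, then executed with filesystem isolation comparable to `-C` (step 2).

# Step 1 (Guix machine): build the squashfs pack; prints its store path.
build_pack() {
    guix pack -f squashfs -m "$1"
}

# Before handing a copied pack to Singularity, check that it really is a
# squashfs image: a little-endian squashfs file starts with the magic "hsqs".
check_image() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = "hsqs" ]
}

# Step 2 (cluster): run CMD inside IMAGE. `guix shell -C` gives a fresh
# container sharing only the current directory, so: minimal /dev and empty
# /tmp and $HOME (--contain), no home bind (--no-home), no host environment
# leaking in (--cleanenv), and only $PWD bound and used as working dir.
# With DRY_RUN set, the command is printed instead of executed (assumption).
run_isolated() {
    image=$1; shift
    check_image "$image" || { echo "not a squashfs image: $image" >&2; return 1; }
    set -- --contain --no-home --cleanenv --bind "$PWD" --pwd "$PWD" "$image" "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'singularity exec'; printf ' %s' "$@"; echo
    else
        singularity exec "$@"
    fi
}

# Usage: ./guix-shell-c.sh IMAGE CMD [ARGS...]; with no arguments the script
# only defines the functions above (so it can also be sourced).
case "${1:-}" in
    "") ;;
    *) run_isolated "$@" ;;
esac
```

Run `DRY_RUN=1 ./guix-shell-c.sh /path/to/pack.squashfs python3` first to see the exact `singularity exec` line before submitting it to the scheduler.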

