On Fri, Jun 12, 2015 at 11:08 AM, Ludovic Courtès <l...@gnu.org> wrote:
> "Thompson, David" <dthomps...@worcester.edu> skribis:
>
>> On Tue, Jun 9, 2015 at 5:28 PM, Ludovic Courtès <l...@gnu.org> wrote:
>>
>>> Until there’s a daemon to keep track of containers, “guix system
>>> container” could return the PID of the container’s PID1, to make it
>>> easier to kill it later?
>>
>> I'm actually unsure how to acquire the PID of the container's init
>> process since I clone and exec. Any ideas?
>
> Isn’t it the return value of ‘clone’?

Oh, you're right. I forgot that the exec() *replaces* the process, rather
than spawning a new one. The script now outputs the PID.

>>> It’s a shame that only CLONE_NEWUSER is available to non-root users. I
>>> wonder what the rationale was. AIUI, Docker’s daemon performs clone(2)
>>> on behalf of clients, right?
>>
>> Yeah, our daemon would do the same thing. We could maybe even have a
>> little Guile library that allows one to evaluate arbitrary Scheme code
>> from within the container. :)
>
> Definitely. Another application I’ve always wanted is a least-authority
> shell, like Plash [0].
>
> (Speaking of which, I just found Shill [1], which seems similar to Plash
> and even has a to-do item regarding package management [2] and is
> written in Racket; unfortunately it runs on FreeBSD, for Capsicum.)

That's really cool. Using a container + user-specified shared directories
we can achieve something like this, I think.

- Dave
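The clone/exec point settled above, as an added C example that is not part of this thread or of Guix's own code: clone(2) hands the parent the child's PID, and because exec only replaces the process image, the exec'd program keeps that PID, so it is the one to record for a later kill or waitpid. The example assumes CLONE_NEWUSER is permitted and falls back to a plain clone when the kernel or a seccomp policy refuses it; the exec'd shell reports its own PID back through a pipe so the two values can be compared.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child entry point for clone(2): wire stdout to the pipe, then exec a shell
   that prints its own PID ($$).  exec replaces the image but keeps the PID. */
static int child_main(void *arg)
{
    int write_fd = *(int *)arg;
    if (dup2(write_fd, STDOUT_FILENO) < 0) _exit(127);
    execl("/bin/sh", "sh", "-c", "echo $$", (char *)NULL);
    _exit(127); /* only reached if exec failed */
}

/* Clone a child, preferring a fresh user namespace (the flag unprivileged users
   may pass), and return the PID clone() reported.  *seen receives the PID the
   exec'd shell printed for itself, or -1 if nothing came back. */
pid_t spawn_and_compare(pid_t *seen)
{
    const size_t stack_size = 64 * 1024;
    int pipefd[2];
    *seen = -1;
    if (pipe(pipefd) < 0) return -1;
    char *stack = malloc(stack_size);   /* stack grows down: pass its top */
    if (!stack) return -1;
    pid_t pid = clone(child_main, stack + stack_size, CLONE_NEWUSER | SIGCHLD, &pipefd[1]);
    if (pid < 0)   /* user namespaces refused (sysctl, seccomp, ...): plain clone */
        pid = clone(child_main, stack + stack_size, SIGCHLD, &pipefd[1]);
    close(pipefd[1]);
    if (pid > 0) {
        char buf[32] = { 0 };
        if (read(pipefd[0], buf, sizeof buf - 1) > 0) *seen = (pid_t)atol(buf);
        waitpid(pid, NULL, 0);  /* kill(pid, SIGTERM) would address this same PID */
    }
    close(pipefd[0]);
    free(stack);
    return pid;
}

/* 1 when the PID clone() returned is the PID the exec'd child reports for itself. */
int pids_agree(void)
{
    pid_t seen, pid = spawn_and_compare(&seen);
    return pid > 0 && pid == seen;
}
```

Without CLONE_NEWPID the child sees the same PID numbers as the parent, which is why the two values match here; a PID namespace would make the child's view of its own PID differ while the parent's value stays the one to signal.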