On Tue, Jul 7, 2015 at 10:35 AM, Ludovic Courtès <l...@gnu.org> wrote:
> David Thompson <dthomps...@worcester.edu> skribis:
>
>> * guix/scripts/enviroment.scm (show-help): Show help for new option.
>> (%options): Add --container option.
>> (launch-environment, launch-environment/container): New procedures.
>> (guix-environment): Spawn new process in a container when requested.
>> * doc/guix.texi (Invoking guix environment): Document it.
>
> [...]
>
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -4191,6 +4191,15 @@ NumPy:
>> guix environment --ad-hoc python2-numpy python-2.7 -E python
>> @end example
>>
>> +Sometimes it is desirable to isolate the environment as much as
>> +possible, for maximal purity and reproducibility.
>
> + “In particular, when using Guix on a host distro that is not GuixSD,
> it is desirable to prevent access to @file{/usr/bin} and other
> system-wide resources from the development environment.”
>
>> +following command spawns a Guile REPL in a ``container'' where only the
>> +store and the current working directory are mounted:
>
> @cindex container
>
>> +@item --container
>> +@itemx -C
>> +Run command within an isolated container. The current working directory
>
> @var{command}
>
> Since this works without root privileges, what about adding a test in
> tests/guix-environment.sh?
>
> Basically something similar to one of the existing tests, but
> additionally checking from within the container that ‘id -u’ returns 0,
> that ‘$$’ is 2, and that files outside of $PWD are not in the container.
For some reason that I haven't figured out, the existing tests do not
pass on my machine when I run:
make check TESTS=tests/guix-environment.sh
I'm finding it difficult to debug our tests because the test runner
eats backtraces and other useful info.
> Which reminds me: In a separate commit, it Would Be Nice to document our
> minimal kernel requirements for the container functionality. Could you
> look into that?
AFAIK the recommended minimal kernel version that folks should be
using for this stuff is 3.13, and the kernel needs to be configured
with that DEVPTS_MULTIPLE_INSTANCES flag. Where would you put this
information?
Thanks,
- Dave
