David Thompson <[email protected]> wrote:
> * guix/scripts/environment.scm (show-help): Show help for new option.
> (%options): Add --container option.
> (launch-environment, launch-environment/container): New procedures.
> (guix-environment): Spawn new process in a container when requested.
> * doc/guix.texi (Invoking guix environment): Document it.
[...]
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -4191,6 +4191,15 @@ NumPy:
> guix environment --ad-hoc python2-numpy python-2.7 -E python
> @end example
>
> +Sometimes it is desirable to isolate the environment as much as
> +possible, for maximal purity and reproducibility.
+ “In particular, when using Guix on a host distro that is not GuixSD,
it is desirable to prevent access to @file{/usr/bin} and other
system-wide resources from the development environment.”
> +following command spawns a Guile REPL in a ``container'' where only the
> +store and the current working directory are mounted:
@cindex container
> +@item --container
> +@itemx -C
> +Run command within an isolated container. The current working directory
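Review bot: The @item --container description says the command runs in an "isolated container" but, in the lines visible here, does not say what that isolation covers. The example paragraph states that only the store and the current working directory are mounted; the option text should also say whether the working directory is mounted read-write and whether anything other than the file system (the network, for instance) is shared with the host, so that "maximal purity and reproducibility" is not read as a security boundary the manual never defines.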
@var{command}
Since this works without root privileges, what about adding a test in
tests/guix-environment.sh?
Basically something similar to one of the existing tests, but
additionally checking from within the container that ‘id -u’ returns 0,
that ‘$$’ is 2, and that files outside of $PWD are not in the container.
Which reminds me: In a separate commit, it Would Be Nice to document our
minimal kernel requirements for the container functionality. Could you
look into that?
Thank you!
Ludo’.