Hello Guix! In hostile environments (read: machines that lack Guix and where you’re not root, such as HPC clusters), it can be hard to manage software with Guix.
We can use ‘guix pack’ to build a bundle on one machine and ship it to the target machine. But then, on the target machine, we need to be able to “map” the pack’s root directory to the root directory of the processes we run. When user namespaces are enabled, this can be achieved with ‘unshare’ and ‘chroot’ as shown at <https://www.gnu.org/software/guix/news/creating-bundles-with-guix-pack.html>. However user namespaces are often disabled by distros for lack of confidence in their security properties¹. One way to work around the problem is to use PRoot, a ptrace(2)-based tool to virtualize the file system². With the ‘proot-static’ package I just pushed, one can run, say, hwloc, on such a hostile machine by sending locally-created packs as well as ‘proot’: scp $(guix build proot-static)/bin/proot hostile: scp $(guix pack hwloc -S /bin=bin) hostile:hwloc.tgz and then on the hostile machine: mkdir ~/.local cd ~/.local tar xf ~/hwloc.tgz cd ./proot -b .local:/ /bin/lstopo where “proot -b .local:/” essentially “bind-mounts” ~/.local to /. Pretty cool no? :-) PRoot adds overhead since it has to intercept every syscall. However, for a mostly computational process, it should not be much of a problem. Ludo’. ¹ See for instance <http://rhelblog.redhat.com/2015/07/07/whats-next-for-containers-user-namespaces/> and the recent AF_PACKET vulnerability <https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html>. ² https://github.com/proot-me/PRoot
