Hi Mike,

Mike Gerwitz <[email protected]> wrote:

> I'm running IceCat in a container, with the goal of isolating it from
> the rest of my system as much as possible without running a full
> VM. Here's what I have so far:
>
> #+BEGIN_SRC sh
> guix environment \
>   --container \
>   --network \
>   -r "$gc_root" \
>   --share=/tmp/.X11-unix/ \
>   --expose=/etc/machine-id \
>   --share=$HOME/.mozilla/ \
>   --share=$HOME/.cache/mozilla/ \
>   --share=$HOME/.Xauthority \
>   --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
>   --ad-hoc icecat coreutils \
>   -- \
>   env DISPLAY="$DISPLAY" icecat "$@"
> #+END_SRC

I’ve been dreaming of having it baked into the shell (like Plash did; we
could write a Bash or Guile-Bash extension) or something along these
lines…

> The most difficult problem I'm having is dealing with
> fonts. Specifically, I want to share the system fonts
> (/run/current-system/profile/share/fonts). The problem is, I can't just
> expose that directory, because it symlinks into the store, and those
> derivations don't exist within the container.
>
> - I do not want to expose all of /gnu.
> - I can provide the fonts as inputs to the environment, but I do not
>   want to have to run fc-cache every time I start the container,
>   because that is very slow. Exposing the cache directory doesn't
>   help since the derivation used in the container ($GUIX_ENVIRONMENT)
>   always appears to be different than the font derivation used on my
>   system, and also by my user.
> - I don't want to expose my user's entire ~/.guix-profile/.
>
> I'm making things difficult for myself because I want as little
> shared/exposed with the container as possible.
>
> To complicate things further, for privacy, I don't want my user exposed
> to the container via the name of my home directory; Guix creates that
> automatically. I haven't yet looked at the code to see what exactly it
> does.

“guix environment -C” makes $PWD shared; if you do (cd /tmp; guix
environment -C …), then /tmp is shared but not $HOME.

> Is there a reasonable solution here? Should I create a separate user
> entirely and then just share the entire home directory? I'm not sure
> how that might impact X11 socket sharing, though. Can I maybe
> pre-create an image, already having run fc-cache, and run that image as
> a container (like one would with Docker?)? But that wouldn't solve my
> user privacy issue.

Perhaps you could define a package that simply runs “fc-cache” with the
fonts it has as inputs, and then pass that to ‘guix environment’.

But really, we should make a specific tool for this.

Thoughts?

Ludo’.
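Added example, not from either message in this thread: a POSIX sh wrapper around the invocation quoted above that audits every --share/--expose mapping before starting the container (refusing to mount $HOME itself, ~/.guix-profile or /gnu as a whole) and runs from /tmp, per the reply, so that the implicitly shared $PWD is not $HOME. The forbidden-path list is an assumed policy and $gc_root is assumed to be set by the caller, as in the original script.

```shell
# Host paths that must never be mounted into the container as a whole
# (assumed policy; extend to taste).
forbidden_source() {
  case "$1" in
    /|/gnu|/gnu/store|"$HOME"|"$HOME"/.guix-profile) return 0 ;;
  esac
  return 1
}

# Return 0 if one --share=/--expose= mapping is acceptable, 1 if its host-side
# SOURCE (of SOURCE or SOURCE=TARGET) is on the forbidden list.
audit_mapping() {
  mapping=${1#--share=}
  mapping=${mapping#--expose=}
  src=${mapping%%=*}      # host side only; the TARGET path is not checked
  src=${src%/}            # normalise a trailing slash: "$HOME/" == "$HOME"
  src=${src:-/}           # "/" stripped to "" must still read as "/"
  if forbidden_source "$src"; then
    return 1
  fi
  return 0
}

# Walk a whole argument list; fail on the first forbidden mapping and name it.
audit_args() {
  for arg in "$@"; do
    case "$arg" in
      --share=*|--expose=*)
        audit_mapping "$arg" || { echo "refusing to mount: $arg" >&2; return 1; } ;;
    esac
  done
  return 0
}

# Wrapper: same mappings as the quoted script, audited first, then started
# from /tmp so that $PWD (shared by default) is /tmp rather than $HOME.
run_icecat() {
  set -- --container --network -r "$gc_root" \
    --share=/tmp/.X11-unix/ \
    --expose=/etc/machine-id \
    --share="$HOME/.mozilla/" \
    --share="$HOME/.cache/mozilla/" \
    --share="$HOME/.Xauthority" \
    --share="$HOME/Downloads/icecat-container/=$HOME/Downloads/" \
    --ad-hoc icecat coreutils
  audit_args "$@" || return 1
  (cd /tmp && guix environment "$@" -- env DISPLAY="$DISPLAY" icecat)
}
```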
