Running IceCat in a container
From: Mike Gerwitz
Subject: Running IceCat in a container
Date: Mon, 15 Jan 2018 20:56:51 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Hello, everyone:
I'm running IceCat in a container, with the goal of isolating it from
the rest of my system as much as possible without running a full
VM. Here's what I have so far:
#+BEGIN_SRC sh
guix environment \
    --container \
    --network \
    -r "$gc_root" \
    --share=/tmp/.X11-unix/ \
    --expose=/etc/machine-id \
    --share=$HOME/.mozilla/ \
    --share=$HOME/.cache/mozilla/ \
    --share=$HOME/.Xauthority \
    --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
    --ad-hoc icecat coreutils \
    -- \
    env DISPLAY="$DISPLAY" icecat "$@"
#+END_SRC
The most difficult problem I'm having is dealing with
fonts. Specifically, I want to share the system fonts
(/run/current-system/profile/share/fonts). The problem is, I can't just
expose that directory, because it symlinks into the store, and those
derivations don't exist within the container.
- I do not want to expose all of /gnu.
- I can provide the fonts as inputs to the environment, but I do not
want to have to run fc-cache every time I start the container,
because that is very slow. Exposing the cache directory doesn't
help since the derivation used in the container ($GUIX_ENVIRONMENT)
always appears to be different than the font derivation used on my
system, and also by my user.
- I don't want to expose my user's entire ~/.guix-profile/.
I'm making things difficult for myself because I want as little
shared/exposed with the container as possible.
To complicate things further, for privacy, I don't want my user exposed
to the container via the name of my home directory; Guix creates that
automatically. I haven't yet looked at the code to see what exactly it
does.
Is there a reasonable solution here? Should I create a separate user
entirely and then just share the entire home directory? I'm not sure
how that might impact X11 socket sharing, though. Can I maybe
pre-create an image, already having run fc-cache, and run that image as
a container (like one would with Docker)? But that wouldn't solve my
user privacy issue.
Thanks,
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com