An interesting thread on isolating the browser in a container on GuixSD lists.gnu.org/archive/html/hel

Thanks @mikegerwitz for starting this one!

@cwebber @mikegerwitz one of those things I've wanted to do for quite some time but never got around to. thanks for looking into it, Mike!

@cwebber @dthompson It wouldn't have been much of a problem were it not for fonts/fontconfig.

I took a pause on it yesterday, but I'll post what I come up with to the list in the next few days. It's been hours of research/struggling since I wasn't all that familiar with X11 fonts or fontconfig, nor am I all that familiar with the details of Guix. My solution is going to be a combination of a packaged font cache and a script to invoke `guix container`; ugly and rigid!

Hopefully Ludo or someone will be able to provide guidance on a better way, or come up with a general solution, including the option to either run in a container or a VM depending on isolation concerns. I'm not expecting Qubes-style isolation here, though. :)

(Typing this in IceCat running in the container right now.)

@cwebber @dthompson Actually, my solution might involve some minor `guix/scripts/environment.scm` hacking, too. I'm asking for trouble.

@mikegerwitz @cwebber well I wrote most of that file so you'll be alright :)

@dthompson @cwebber Oh, nice. It's pretty easy to understand/hack. I have some changes, but I'm going to get a couple more together before I send patches. I feel like some of these things I want to do may be better suited to a higher-level abstraction, so I'm trying to just get some sort of implementation out there to demonstrate how it works and at least start some good discussion on where to go from there.

@dthompson Are you going to attend LP2018, or maybe stop by like last year?

@mikegerwitz yes, I'll be at libreplanet. I'll be giving a talk about Guix, too. :)

@cwebber @dthompson

https://lists.gnu.org/archive/html/guix-patches/2018-01/msg00601.html

I also posted my current package and script for containerized IceCat, but as of posting this notice, it hasn't yet been archived. The message is a child of the thread that Chris originally posted.

@mikegerwitz @cwebber I think some of these new command line options are too specialized, but I need some time to understand all the proposed changes so I can give reasonable feedback.

@dthompson I felt the same; I just didn't have anywhere else to put it. If Ludo's script is a good base for moving forward with, then it may be better to begin integrating the behavior into something like that; `guix environment` doesn't seem like it was intended as a general-purpose container tool.

@mikegerwitz there's a 'guix container' tool that I made but never fully fleshed out. perhaps it could go there.
