Ludovic Courtès
2018-04-25 09:14:05 UTC
Hello Guix!
The hack below allows ‘guix pack’ to produce wrappers that allow,
through user namespaces, programs to automatically relocate themselves
when you run them unprivileged on a machine that lacks Guix. In the
example below, I run ‘sed’ from a pack on a machine that lacks Guix:
--8<---------------cut here---------------start------------->8---
***@fencepost:~/tmp$ tar xf ../pack.tgz
***@fencepost:~/tmp$ echo hello > foo
***@fencepost:~/tmp$ gnu/store/ffdzkyi23n8xh3n6vfqpa1lzg3xx9jpj-sed-4.4/bin/sed -i foo -es/hello/bye/g
***@fencepost:~/tmp$ cat foo
bye
***@fencepost:~/tmp$ ls /gnu/store
ls: cannot access '/gnu/store': No such file or directory
--8<---------------cut here---------------end--------------->8---
Pretty cool no?
What I imagine is that we could make this an option of ‘guix pack’, such
that ‘guix pack -w’ would produce such binaries.
This relies on the same approach as ‘call-with-container’… except it’s
written in C and statically-linked to avoid bootstrapping issues. Doing
that in Scheme would be a bit involved because a shebang like
#!/gnu/store/…-guile/bin/guile wouldn’t work; the wrappers have to be
statically-linked executables.
There are (minor) issues to be solved: symlinks created by ‘guix pack
-S’ should be relative instead of absolute, and same for symlinks in the
profile. This would allow users to directly type ./bin/sed instead of
having to find out which directory is the right one as in the example
above.
We could also have wrappers fall back to PRoot when unshare(2) fails.
What do people think?
Cheers,
Ludo’.
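To make the mechanism the post describes concrete, here is an added illustration (written for this page, not the wrapper code from the Guix repository) of what such a statically-linkable relocating wrapper does in C: unshare a user and mount namespace, map the caller's own uid/gid into it, build a fresh root in which the host's top-level directories are bind-mounted alongside the pack's extracted gnu/ tree, chroot into it, and exec the program by its canonical /gnu/store path. The function names (format_id_map, pack_root_from_path, relocate_and_exec), the use of /tmp for the temporary root, the single-entry uid/gid maps and the command-line convention of passing the program's path inside the extracted pack are all assumptions of this example; the place where relocate_and_exec returns -1 because unshare(2) was refused is where the PRoot fallback mentioned in the post would go.

```c
/* Added example: a minimal user-namespace "relocation" wrapper.
   Assumed layout: the pack was extracted somewhere, e.g. /home/me/tmp,
   so the binary lives at /home/me/tmp/gnu/store/<hash>-sed-4.4/bin/sed.
   Build with: cc -static -o relocate relocate.c */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#define STORE_PREFIX "/gnu/store/"

/* Render the one-line "ID ID 1" map written to /proc/self/uid_map or
   gid_map: the caller keeps its own identity inside the new user
   namespace, which is the only mapping an unprivileged process may write.
   Returns the number of bytes written, or -1 if BUF is too small. */
int format_id_map(char *buf, size_t size, unsigned id)
{
  int n = snprintf(buf, size, "%u %u 1\n", id, id);
  return (n < 0 || (size_t) n >= size) ? -1 : n;
}

/* Locate the extracted pack: for /home/me/tmp/gnu/store/xyz/bin/sed the
   pack root is /home/me/tmp.  Returns 0 and fills OUT, or -1 if PATH
   contains no /gnu/store/ component or OUT is too small. */
int pack_root_from_path(const char *path, char *out, size_t size)
{
  const char *p = strstr(path, STORE_PREFIX);
  if (p == NULL) return -1;
  size_t len = (size_t) (p - path);
  if (len + 2 > size) return -1;
  if (len == 0) { strcpy(out, "/"); return 0; }  /* store already at / */
  memcpy(out, path, len);
  out[len] = '\0';
  return 0;
}

static int write_file(const char *file, const char *content)
{
  int fd = open(file, O_WRONLY);
  if (fd < 0) return -1;
  ssize_t len = (ssize_t) strlen(content);
  int ok = write(fd, content, len) == len;
  close(fd);
  return ok ? 0 : -1;
}

/* Recreate the host's top-level entries under NEWROOT: recursive bind
   mounts for directories, copied symlinks (e.g. /bin -> usr/bin).  /gnu
   is skipped because the pack supplies it. */
static int mirror_host_root(const char *newroot)
{
  DIR *dir = opendir("/");
  if (dir == NULL) return -1;
  int rc = 0;
  struct dirent *ent;
  while (rc == 0 && (ent = readdir(dir)) != NULL) {
    if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")
        || !strcmp(ent->d_name, "gnu")) continue;
    char src[PATH_MAX], dst[PATH_MAX], target[PATH_MAX];
    struct stat st;
    snprintf(src, sizeof src, "/%s", ent->d_name);
    snprintf(dst, sizeof dst, "%s/%s", newroot, ent->d_name);
    if (lstat(src, &st) < 0) continue;
    if (S_ISLNK(st.st_mode)) {
      ssize_t n = readlink(src, target, sizeof target - 1);
      if (n < 0) continue;
      target[n] = '\0';
      if (symlink(target, dst) < 0) rc = -1;
    } else if (S_ISDIR(st.st_mode)) {
      if (mkdir(dst, 0755) < 0
          || mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) rc = -1;
    } /* regular files directly under / are rare and are skipped here */
  }
  closedir(dir);
  return rc;
}

/* Enter a user+mount namespace, assemble a root where /gnu/store is the
   pack's store, chroot there and exec PROGRAM by its /gnu/store path.
   Returns -1 with errno set when a step fails; if unshare(2) is the step
   that fails, this is where a wrapper would fall back to PRoot. */
int relocate_and_exec(const char *program, char *const argv[])
{
  char pack_root[PATH_MAX], cwd[PATH_MAX], map[64];
  char gnu_src[PATH_MAX], gnu_dst[PATH_MAX];
  const char *in_store = strstr(program, STORE_PREFIX);
  if (in_store == NULL || getcwd(cwd, sizeof cwd) == NULL
      || pack_root_from_path(program, pack_root, sizeof pack_root) < 0)
    return -1;
  unsigned uid = getuid(), gid = getgid();

  if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
  /* Since Linux 3.19, gid_map can only be written after denying setgroups. */
  if (write_file("/proc/self/setgroups", "deny") < 0 && errno != ENOENT) return -1;
  format_id_map(map, sizeof map, uid);
  if (write_file("/proc/self/uid_map", map) < 0) return -1;
  format_id_map(map, sizeof map, gid);
  if (write_file("/proc/self/gid_map", map) < 0) return -1;

  char newroot[] = "/tmp/relocate-XXXXXX";
  if (mkdtemp(newroot) == NULL || mirror_host_root(newroot) < 0) return -1;
  snprintf(gnu_src, sizeof gnu_src, "%s/gnu", pack_root);
  snprintf(gnu_dst, sizeof gnu_dst, "%s/gnu", newroot);
  if (mkdir(gnu_dst, 0755) < 0
      || mount(gnu_src, gnu_dst, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
  if (chroot(newroot) < 0 || chdir(cwd) < 0) return -1;
  execv(in_store, argv);  /* only returns on failure */
  return -1;
}

int main(int argc, char *argv[])
{
  char abs[PATH_MAX];
  if (argc < 2) {
    fprintf(stderr, "usage: %s PACK/gnu/store/.../bin/PROG [ARGS...]\n", argv[0]);
    return 64;
  }
  if (realpath(argv[1], abs) == NULL) { perror("realpath"); return 1; }
  relocate_and_exec(abs, argv + 1);
  perror("relocate");  /* e.g. unshare(2) refused: PRoot fallback would go here */
  return 1;
}
```

Run as `./relocate ~/tmp/gnu/store/<hash>-sed-4.4/bin/sed -i foo -es/hello/bye/g` on a host without /gnu/store; inside the namespace sed sees its store path, while `ls /gnu/store` in the parent shell still fails exactly as in the session above. The mounts never propagate back because a mount namespace created together with a user namespace turns the host's shared mounts into slaves, so a misbehaving pack cannot alter the real filesystem tree; the obvious caveat is that kernels or distributions that disable unprivileged user namespaces make unshare(2) fail with EPERM, which is precisely why the post suggests a PRoot fallback.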