[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

14/15: scripts: environment: Add --container option.

From: David Thompson
Subject: 14/15: scripts: environment: Add --container option.
Date: Sun, 05 Jul 2015 19:31:46 +0000

davexunit pushed a commit to branch wip-container
in repository guix.

commit 84a2397e547b602d3201a9facca23b2231e58e31
Author: David Thompson <address@hidden>
Date:   Fri Jun 19 08:57:44 2015 -0400

    scripts: environment: Add --container option.
    * guix/scripts/enviroment.scm (show-help): Show help for new option.
      (%options): Add --container option.
      (launch-environment, launch-environment/container): New procedures.
      (guix-environment): Spawn new process in a container when requested.
    * doc/guix.texi (Invoking guix environment): Document it.
 doc/guix.texi                |   16 ++++++++++++++
 guix/scripts/environment.scm |   48 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index d24f97e..57fc446 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4191,6 +4191,15 @@ NumPy:
 guix environment --ad-hoc python2-numpy python-2.7 -E python
 @end example
+Sometimes it is desirable to isolate the environment as much as
+possible, for maximal purity and reproducibility.  For example, the
+following command spawns a Guile REPL in a ``container'' where only the
+store and the current working directory are mounted:
+guix environment --ad-hoc --container guile --exec=guile
address@hidden example
 The available options are summarized below.
 @table @code
@@ -4256,6 +4265,13 @@ environment.
 @item address@hidden
 @itemx -s @var{system}
 Attempt to build for @var{system}---e.g., @code{i686-linux}.
address@hidden --container
address@hidden -C
+Run command within an isolated container.  The current working directory
+outside the container is mapped to @file{/env} inside the container.
+Additionally, the spawned process runs as the current user outside the
+container, but has root privileges in the context of the container.
 @end table
 It also supports all of the common build options that @command{guix
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index ecdbc7a..41d1554 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -28,6 +28,9 @@
   #:use-module (guix monads)
   #:use-module ((guix gexp) #:select (lower-inputs))
   #:use-module (guix scripts build)
+  #:use-module (gnu build linux-container)
+  #:use-module (gnu system linux-container)
+  #:use-module (gnu system file-systems)
   #:use-module (gnu packages)
   #:use-module (ice-9 format)
   #:use-module (ice-9 match)
@@ -122,6 +125,8 @@ shell command in that environment.\n"))
       --search-paths     display needed environment variable definitions"))
   (display (_ "
   -s, --system=SYSTEM    attempt to build for SYSTEM--e.g., \"i686-linux\""))
+  (display (_ "
+  -C, --container        run command within an isolated container"))
@@ -174,6 +179,9 @@ shell command in that environment.\n"))
                  (lambda (opt name arg result)
                    (alist-cons 'system arg
                                (alist-delete 'system result eq?))))
+         (option '(#\C "container") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'container? #t result)))
 (define (pick-all alist key)
@@ -229,6 +237,38 @@ OUTPUT) tuples, using the build options in OPTS."
                (built-derivations derivations)
                (return derivations))))))))
+(define (launch-environment command inputs paths pure?)
+  "Run COMMAND in a new environment containing INPUTS, using the native search
+paths defined by the list PATHS.  When PURE?, pre-existing environment
+variables are cleared before setting the new ones."
+  (create-environment inputs paths pure?)
+  (system command))
+(define (launch-environment/container command inputs paths)
+  "Run COMMAND within a Linux container that includes INPUTS and the
+environment variables defined by PATHS, a list of native search paths."
+  ;; Bind-mount the store and the current working directory within the
+  ;; container.
+  (let* ((mappings
+          (list (file-system-mapping
+                 (source (%store-prefix))
+                 (target (%store-prefix))
+                 (writable? #f))
+                (file-system-mapping
+                 (source (getcwd))
+                 (target "/env")
+                 (writable? #t))))
+         (file-systems
+          (append %container-file-systems
+                  (map mapping->file-system mappings)))
+         (status
+          (call-with-container (map file-system->spec file-systems)
+            (lambda ()
+              (chdir "/env")
+              ;; A container's environment is already purified.
+              (launch-environment command inputs paths #f)))))
+    (status:exit-val status)))
 ;; Entry point.
 (define (guix-environment . args)
   (define (handle-argument arg result)
@@ -238,6 +278,7 @@ OUTPUT) tuples, using the build options in OPTS."
     (let* ((opts     (parse-command-line args %options (list %default-options)
                                          #:argument-handler handle-argument))
            (pure?    (assoc-ref opts 'pure))
+           (container? (assoc-ref opts 'container?))
            (ad-hoc?  (assoc-ref opts 'ad-hoc?))
            (command  (assoc-ref opts 'exec))
            (packages (pick-all (options/resolve-packages opts) 'package))
@@ -279,6 +320,9 @@ OUTPUT) tuples, using the build options in OPTS."
                     ((assoc-ref opts 'search-paths)
                      (show-search-paths inputs paths pure?)
                      (return #t))
+                    (container?
+                     (return
+                      (launch-environment/container command inputs paths)))
-                     (create-environment inputs paths pure?)
-                     (return (exit (status:exit-val (system 
+                     (return
+                      (launch-environment command inputs paths pure?)))))))))))

reply via email to

[Prev in Thread] Current Thread [Next in Thread]