guix-devel

Re: Login to a guix container


From: Pjotr Prins
Subject: Re: Login to a guix container
Date: Mon, 25 Jan 2021 09:30:37 +0100
User-agent: NeoMutt/20170113 (1.7.2)

On Mon, Jan 25, 2021 at 08:29:32AM +0100, Ricardo Wurmus wrote:
> In your requirements for an audit, how does a “Guix container” differ
> from a “Linux container”?  Guix uses the kernel features like cloning
> namespaces and unsharing the filesystem directly.  It merely mounts
> individual store locations into the filesystem namespace.
> 
> “Malpractice” is a very big word for using user namespaces instead of
> chroot without a “serious audit”.

I agree. The alternative is using an sftp chroot, if it is for file
transfers only, or a full chroot. A container should be safer as long
as we consider the Linux kernel itself safe. The reason I posed the
question was just that I was thinking the solution may be a bit over
the top.

Maybe more over the top would be to run Linux or even GNU Hurd in
qemu/kvm. The more I read about the GNU Hurd the more I like it (I
read this stuff for relaxation rather than work ;). Maybe we'll
experiment with that a little too. We can easily dedicate 1GB of RAM
for such VMs.

Anyway, this is off-topic on guix-dev, so I apologise. I must say that 'guix
environment -C' is one of the greatest Guix inventions and I am just
starting to think of more applications beyond hosting web servers and
development environments. It is lovely :). Thanks everyone!

Pj.
