[PATCH] doc: Add container example to run a web browser.

Status: Done
Participants: Caleb Ristvedt, Ludovic Courtès, Pierre Neidhardt
Owner: unassigned
Submitted by: Pierre Neidhardt
Severity: normal

Pierre Neidhardt wrote on 3 May 2020 10:12
(address . guix-patches@gnu.org)
20200503081258.21873-1-mail@ambrevar.xyz
* doc/guix.texi (Invoking `guix environment'): Add paragraph and example to
run Eolie in a guix environment container. Add `container' cindex for the
first container example, and the `certificates' cindex for the web browser
example.
---
doc/guix.texi | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index d5d8662937..3c31386036 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4786,6 +4786,7 @@ additionally includes Git and strace:
guix environment --pure guix --ad-hoc git strace
@end example
+@cindex container
Sometimes it is desirable to isolate the environment as much as
possible, for maximal purity and reproducibility. In particular, when
using Guix on a host distro that is not Guix System, it is desirable to
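Review bot: The index entry added above "Sometimes it is desirable to isolate the environment" is the bare word `@cindex container`, which gives a reader of the index no hint that it leads to `guix environment`. Consider a more specific entry, for example one that names the isolated environment, so it stays distinguishable if other sections of the manual also index containers.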
@@ -4802,6 +4803,23 @@ guix environment --ad-hoc --container guile -- guile
The @code{--container} option requires Linux-libre 3.19 or newer.
@end quotation
+@cindex certificates
+Another typical use case for containers is to run security-sensitive
+applications such as a web browser. To run Eolie, we must expose and
+share some files and directories; we include @code{nss-certs} and expose
+@file{/etc/sll/certs/} for HTTPS authentication; finally we use
+@code{env} from the @code{coreutils} package to set the @code{DISPLAY}
+environment variable since containerized graphical applications won't
+display without it.
+
+@example
+guix environment --container --network --expose=/etc/machine-id \
+ --expose=/etc/ssl/certs/ \
+ --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
+ --ad-hoc eolie coreutils nss-certs dbus -- \
+ env DISPLAY=$DISPLAY eolie
+@end example
+
The available options are summarized below.
@table @code
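Review bot: The added paragraph names `@file{/etc/sll/certs/}`, which is misspelled and disagrees with the `--expose=/etc/ssl/certs/` line in the example that follows; it should read `/etc/ssl/certs/`. The paragraph also says files and directories must be exposed and shared but explains only the certificate path. Since the example is presented as a way to run security-sensitive applications, a sentence on why `/etc/machine-id` and `dbus` are needed, and on what `--network` and the read-write `--share` of `$HOME/.local/share/eolie/` give up in isolation, would help readers who adapt it. The `$HOME` and `$DISPLAY` expansions in the example are unquoted; quoting them would keep the command correct for paths containing spaces.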
--
2.25.1
Ludovic Courtès wrote on 7 May 2020 09:42
(name . Pierre Neidhardt)(address . mail@ambrevar.xyz)(address . 41041@debbugs.gnu.org)
87zhakdwd0.fsf@gnu.org
Hi,

Pierre Neidhardt <mail@ambrevar.xyz> skribis:

> * doc/guix.texi (Invoking `guix environment'): Add paragraph and example to
> run Eolie in a guix environment container. Add `container' cindex for the
> first container example, and the `certificates' cindex for the web browser
> example.

Good idea!

> +@example
> +guix environment --container --network --expose=/etc/machine-id \
> + --expose=/etc/ssl/certs/ \
> + --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
> + --ad-hoc eolie coreutils nss-certs dbus -- \
> + env DISPLAY=$DISPLAY eolie

Instead of ‘env’, you can preserve the ‘DISPLAY’ variable with:

guix environment -E ^DISPLAY$ …

which in turn allows you to remove ‘coreutils’, maybe.

Otherwise LGTM!

Thanks,
Ludo’.
Pierre Neidhardt wrote on 7 May 2020 09:47
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41041@debbugs.gnu.org)
87tv0stcd2.fsf@ambrevar.xyz
Ludovic Courtès <ludo@gnu.org> writes:

> Instead of ‘env’, you can preserve the ‘DISPLAY’ variable with:
>
> guix environment -E ^DISPLAY$ …
>
> which in turn allows you to remove ‘coreutils’, maybe.

Good tip, thanks! It's strange that I've seen this "coreutils + env"
trick so many times around. I guess we really lacked examples like this
one :)

--
Pierre Neidhardt

Caleb Ristvedt wrote on 7 May 2020 10:02
(name . Pierre Neidhardt)(address . mail@ambrevar.xyz)(address . 41041@debbugs.gnu.org)
87d07gqijw.fsf@cune.org
Pierre Neidhardt <mail@ambrevar.xyz> writes:

> +share some files and directories; we include @code{nss-certs} and expose
> +@file{/etc/sll/certs/} for HTTPS authentication; finally we use

Typo: sll --> ssl

- reepca

Pierre Neidhardt wrote on 7 May 2020 10:05
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41041@debbugs.gnu.org)
87o8r0tbkf.fsf@ambrevar.xyz
Merged with 60131df02b521235a311031f9410f530ded60f33.

--
Pierre Neidhardt

Pierre Neidhardt wrote on 7 May 2020 10:05
control message for bug #41041
(address . control@debbugs.gnu.org)
87mu6ktbji.fsf@ambrevar.xyz
close 41041
quit
Pierre Neidhardt wrote on 7 May 2020 10:38
Re: [bug#41041] [PATCH] doc: Add container example to run a web browser.
(name . Caleb Ristvedt)(address . caleb.ristvedt@cune.org)(address . 41041@debbugs.gnu.org)
87k11ota1g.fsf@ambrevar.xyz
Good catch! I've just fixed it.

--
Pierre Neidhardt
