(address . guix-patches@gnu.org)
b1cd89a05da14efb91d83174bf7d486ab06d3334.1516937216.git.mtg@gnu.org
This change is motivated by attempts to run programs (like GNU IceCat) within
containers. The 'fontconfig' program, for example, is configured explicitly
to check ~/.guix-profile for additional fonts.
There were no existing container tests in 'tests/guix-environment.sh', but I
added one anyway for this change.
* doc/guix.texi (Invoking guix environment): Add '--link-profile'.
* guix/scripts/environment.scm (show-help): Add '--link-profile'.
(%options): Add 'link-profile' as '#\P', assigned to 'link-profile?'.
(lnk-environment): New procedure.
(launch-environment/container): Use it when 'link-profile?'.
[link-profile?]: New parameter.
(guix-environment): Leave when '--link-prof' but not '--container'. Add
'#:link-profile?' argument to 'launch-environment/container' application.
* tests/guix-environment.sh: New '--link-profile' test.
---
doc/guix.texi | 17 +++++++++++++++++
guix/scripts/environment.scm | 43 +++++++++++++++++++++++++++++++++++++------
tests/guix-environment.sh | 12 ++++++++++++
3 files changed, 66 insertions(+), 6 deletions(-)
Toggle diff (178 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1ecdcd218..3b6ae1ab9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -46,6 +46,7 @@ Copyright @copyright{} 2017 Andy Wingo@*
Copyright @copyright{} 2017 Arun Isaac@*
Copyright @copyright{} 2017 nee@*
Copyright @copyright{} 2018 Rutger Helling
+Copyright @copyright{} 2018 Mike Gerwitz
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -7166,6 +7167,22 @@ For containers, share the network namespace with the host system.
Containers created without this flag only have access to the loopback
device.
+@item --link-profile
+@itemx -P
+For containers, link the environment profile to
+@file{~/.guix-profile} within the container. This is equivalent to
+running the command @command{ln -s $GUIX_ENVIRONMENT ~/.guix-profile}
+within the container. Linking will fail and abort the environment if
+the directory already exists, which will certainly be the case if
+@command{guix environment} was invoked in the user's home directory.
+
+Certain packages are configured to look in
+@code{~/.guix-profile} for configuration files and data;@footnote{For
+example, the @code{fontconfig} package inspects
+@file{~/.guix-profile/share/fonts} for additional fonts.}
+@code{--link-profile} allows these programs to behave as expected within
+the environment.
+
@item --expose=@var{source}[=@var{target}]
For containers, expose the file system @var{source} from the host system
as the read-only file system @var{target} within the container. If
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index d2568e6a7..771574c15 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014, 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018 Mike Gerwitz <mtg@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -157,6 +158,9 @@ COMMAND or an interactive shell in that environment.\n"))
-C, --container run command within an isolated container"))
(display (G_ "
-N, --network allow containers to access the network"))
+ (display (G_ "
+ -P, --link-profile link environment profile to ~/.guix-profile within
+ an isolated container"))
(display (G_ "
--share=SPEC for containers, share writable host file system
according to SPEC"))
@@ -236,6 +240,9 @@ COMMAND or an interactive shell in that environment.\n"))
(option '(#\N "network") #f #f
(lambda (opt name arg result)
(alist-cons 'network? #t result)))
+ (option '(#\P "link-profile") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'link-profile? #t result)))
(option '("share") #t #f
(lambda (opt name arg result)
(alist-cons 'file-system-mapping
@@ -384,18 +391,20 @@ environment variables are cleared before setting the new ones."
((_ . status) status)))))
(define* (launch-environment/container #:key command bash user-mappings
- profile paths network?)
+ profile paths link-profile? network?)
"Run COMMAND within a container that features the software in PROFILE.
Environment variables are set according to PATHS, a list of native search
paths. The global shell is BASH, a file name for a GNU Bash binary in the
store. When NETWORK?, access to the host system network is permitted.
USER-MAPPINGS, a list of file system mappings, contains the user-specified
-host file systems to mount inside the container."
+host file systems to mount inside the container. LINK-PROFILE? creates a
+symbolic link from ~/.guix-profile to the environment profile."
(mlet %store-monad ((reqs (inputs->requisites
(list (direct-store-path bash) profile))))
(return
- (let* ((cwd (getcwd))
- (passwd (getpwuid (getuid)))
+ (let* ((cwd (getcwd))
+ (passwd (getpwuid (getuid)))
+ (home-dir (passwd:dir passwd))
;; Bind-mount all requisite store items, user-specified mappings,
;; /bin/sh, the current working directory, and possibly networking
;; configuration files within the container.
@@ -440,8 +449,13 @@ host file systems to mount inside the container."
;; Create a dummy home directory under the same name as on the
;; host.
- (mkdir-p (passwd:dir passwd))
- (setenv "HOME" (passwd:dir passwd))
+ (mkdir-p home-dir)
+ (setenv "HOME" home-dir)
+
+ ;; If requested, link $GUIX_ENVIRONMENT to $HOME/.guix-profile;
+ ;; this allows programs expecting that path to continue working as
+ ;; expected within a container.
+ (when link-profile? (link-environment profile home-dir))
;; Create a dummy /etc/passwd to satisfy applications that demand
;; to read it, such as 'git clone' over SSH, a valid use-case when
@@ -471,6 +485,18 @@ host file systems to mount inside the container."
(delq 'net %namespaces) ; share host network
%namespaces)))))))
+(define (link-environment profile home-dir)
+ "Create a symbolic link from HOME-DIR/.guix-profile to PROFILE."
+ (let ((profile-dir (string-append home-dir "/.guix-profile")))
+ (catch 'system-error
+ (lambda ()
+ (symlink profile profile-dir))
+ (lambda args
+ (if (= EEXIST (system-error-errno args))
+ (leave (G_ "cannot link profile: path '~a' already exists within container~%")
+ profile-dir)
+ (apply throw args))))))
+
(define (environment-bash container? bootstrap? system)
"Return a monadic value in the store monad for the version of GNU Bash
needed in the environment for SYSTEM, if any. If CONTAINER? is #f, return #f.
@@ -544,6 +570,7 @@ message if any test fails."
(let* ((opts (parse-args args))
(pure? (assoc-ref opts 'pure))
(container? (assoc-ref opts 'container?))
+ (link-prof? (assoc-ref opts 'link-profile?))
(network? (assoc-ref opts 'network?))
(bootstrap? (assoc-ref opts 'bootstrap?))
(system (assoc-ref opts 'system))
@@ -577,6 +604,9 @@ message if any test fails."
(when container? (assert-container-features))
+ (when (and (not container?) link-prof?)
+ (leave (G_ "--link-prof cannot be used without --container~%")))
+
(with-store store
(set-build-options-from-command-line store opts)
@@ -626,6 +656,7 @@ message if any test fails."
#:user-mappings mappings
#:profile profile
#:paths paths
+ #:link-profile? link-prof?
#:network? network?)))
(else
(return
diff --git a/tests/guix-environment.sh b/tests/guix-environment.sh
index bf5ca17fa..e995636df 100644
--- a/tests/guix-environment.sh
+++ b/tests/guix-environment.sh
@@ -62,6 +62,18 @@ fi
guix environment --bootstrap --ad-hoc guile-bootstrap --pure \
-- "$SHELL" -c 'test -f "$GUIX_ENVIRONMENT/bin/guile"'
+# Make sure 'GUIX_ENVIRONMENT' is linked to '~/.guix-profile' when requested
+# within a container
+(
+ linktest='(exit (string=? (getenv "GUIX_ENVIRONMENT")
+(readlink (string-append (getenv "HOME") "/.guix-profile"))))'
+
+ cd "$tmpdir" \
+ && guix environment --bootstrap --container --link-profile \
+ --ad-hoc guile-bootstrap --pure \
+ -- guile -c "$linktest"
+)
+
# Make sure '-r' works as expected.
rm -f "$gcroot"
expected="`guix environment --bootstrap --ad-hoc guile-bootstrap \
--
2.15.1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJaaqCLAAoJEIyRe39dxRuiOdAP/jqTM1ukWG+O9Z55wULIbGsA
qOKF5jYnF43nCDsnzhG8IQ8xDJ1v2rqgKH2JUN62nn1iDXo64m9oN/qY1LFsWP7D
LnG31VB9umg6GJZQRQ0AOWLZggcRoIt2WNwzjxSFsyJZ2NXLf/wxCw2AgimL5ZMy
RBb3QNQ1V1O7EsGuxtCzKO3vsiOvHW5XTEJ8x8sfaRKaNxnshgJ/51ACfodjxw4L
s0OlrQr/ZpWN/6XJmuVQ4gWw/vz6nJww89Pt8JOe44yltgRyC/16s5P2O+72iNDU
sTqEQwURJSx2BB5yHZ7X3P58ZGqH2cJYHa7FKyb+L6L1NO0Qub0BUx7qkpBd0uNV
/5zHi/F5EqSYJRiaEd5Gl3gSD5AGF7869KJwee1V2MUmDjsjgQkv8hUXzV02EZxi
EoDZSfCms3PVAjfteclXtpL6kdMUez6ySjd0SJKu/AXKyQy/6NpZ8m6nP3PSb9yQ
hiS1BMNucR4WYtDIGKeGYAqK4Hy8Gfe/Tv+PUzcV+qRBUWaqGk/Mvd+idg6spHF2
qUDRCteBu57VSpR//a/tRe3S3usklVNuvCC3eg8s0SdjHZtzkWY68NmW2Eu95xgI
iAQjzuUXQrQzivTz/WFOoGclhIBmJpveFSisGRiVOOq6mfaZMznjV5rcwzRIAohP
YBts3gN4TWs5F+ywA//Q
=UvhA
-----END PGP SIGNATURE-----