[bug#34638,0/4] Isolated inferiors.

Message ID 875zt9go87.fsf@cbaines.net

Message

Christopher Baines Feb. 24, 2019, 4:12 p.m. UTC
These patches form a prototype for Guix inferiors that are
isolated. Access to the inferior Guix is done through running a REPL as
a separate process. These patches provide a way of launching that REPL
in an isolated environment through Linux namespaces, providing some
isolation from the wider system.

These patches should work, at least enough to get the derivations for
packages within the inferior Guix, as well as doing 'guix pull' within
the inferior Guix.

They're not ready to be merged just yet though. I think some of the
approaches are a little odd (e.g. using (ice-9 popen) internals) and
I've got no idea if the isolation is actually working properly.


Christopher Baines (4):
  utils: Add #:base-directory to call-with-temporary-directory.
  linux-container: Add 'start-child-in-container'.
  inferior: Add a shared-directory field to <inferior>
  inferior: Add 'open-inferior/container'.

 gnu/build/linux-container.scm | 82 +++++++++++++++++++++++++++++++
 guix/inferior.scm             | 90 ++++++++++++++++++++++++++++++-----
 guix/utils.scm                |  4 +-
 3 files changed, 163 insertions(+), 13 deletions(-)
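Added example, not code from the patch series or from Guix itself: a C check for the concern raised above that the isolation may not actually be working. It forks a child, has the child call unshare(2) with user and mount namespace flags, and then, while the child is still alive, compares the child's /proc/<pid>/ns/* link targets against the parent's. The set of namespace types checked and the pipe handshake are this example's own choices; it does not use Guix's linux-container.scm.

```c
/* Added example (not from the Guix patch series): verify that a child
 * process really landed in new Linux namespaces by comparing the targets
 * of /proc/<pid>/ns/<type> symlinks, e.g. "mnt:[4026531840]".  Two
 * processes whose links have the same target share that namespace. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static const char *const NS_TYPES[] = { "user", "mnt", "pid", "net", "ipc", "uts" };
#define NS_COUNT (sizeof NS_TYPES / sizeof NS_TYPES[0])

/* Copy the namespace identity of <pid> for one namespace type into buf.
 * Returns 0 on success, -1 if the link cannot be read. */
static int ns_identity(pid_t pid, const char *type, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Number of namespace types (out of NS_TYPES) in which processes a and b
 * differ; -1 if any identity could not be read. */
int differing_namespaces(pid_t a, pid_t b)
{
    int diff = 0;
    for (size_t i = 0; i < NS_COUNT; i++) {
        char ia[64], ib[64];
        if (ns_identity(a, NS_TYPES[i], ia, sizeof ia) < 0 ||
            ns_identity(b, NS_TYPES[i], ib, sizeof ib) < 0)
            return -1;
        if (strcmp(ia, ib) != 0)
            diff++;
    }
    return diff;
}

/* Fork a child that calls unshare(flags), then count from the parent how
 * many of the child's namespaces differ from ours while it is still alive.
 * Returns that count; -1 if unshare() was refused in the child (for
 * example unprivileged user namespaces disabled by sysctl or a seccomp
 * policy); -2 if the /proc links could not be read or fork/pipe failed. */
int check_isolated_child(int flags)
{
    int to_child[2], to_parent[2];
    if (pipe(to_child) < 0 || pipe(to_parent) < 0)
        return -2;

    pid_t child = fork();
    if (child < 0)
        return -2;

    if (child == 0) {
        close(to_child[1]);          /* must not hold our own write end */
        close(to_parent[0]);
        char status = unshare(flags) == 0 ? 'o' : 'e';
        if (write(to_parent[1], &status, 1) != 1)
            _exit(1);
        close(to_parent[1]);
        /* Stay alive until the parent closes its end of the pipe. */
        char dummy;
        while (read(to_child[0], &dummy, 1) > 0)
            ;
        _exit(0);
    }

    close(to_child[0]);
    close(to_parent[1]);             /* so read() below sees EOF if child dies */

    char status = 'e';
    int result;
    if (read(to_parent[0], &status, 1) != 1 || status != 'o') {
        result = -1;
    } else {
        result = differing_namespaces(child, getpid());
        if (result < 0)
            result = -2;
    }

    close(to_parent[0]);
    close(to_child[1]);              /* lets the child exit */
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    printf("self vs self: %d differing namespaces\n",
           differing_namespaces(getpid(), getpid()));
    int r = check_isolated_child(CLONE_NEWUSER | CLONE_NEWNS);
    if (r == -1)
        puts("unshare(CLONE_NEWUSER|CLONE_NEWNS) refused: no isolation here");
    else
        printf("child after unshare: %d differing namespaces (expect 2)\n", r);
    return 0;
}
```

The same comparison can be run from outside against the pid of the inferior REPL: if /proc/<pid>/ns/mnt of the REPL process matches that of the shell that launched it, the REPL shares the host's mount table and the intended isolation is not in effect. A -1 result means the kernel refused the unshare, which is the case a caller would want surfaced rather than silently falling back to an unisolated REPL.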

Comments

Ludovic Courtès March 14, 2019, 7:35 p.m. UTC | #1
Hello!

Christopher Baines <mail@cbaines.net> wrote:

> These patches form a prototype for Guix inferiors that are
> isolated. Access to the inferior Guix is done through running a REPL as
> a separate process. These patches provide a way of launching that REPL
> in an isolated environment through Linux namespaces, providing some
> isolation from the wider system.
>
> These patches should work, at least enough to get the derivations for
> packages within the inferior Guix, as well as doing 'guix pull' within
> the inferior Guix.

This is really cool.

When we do this kind of thing (like also the “Compute Guix derivation”
trampoline used by ‘guix pull’), it reminds me of what the Nix people
call “recursive Nix”—the ability for a derivation’s build process to
compute other derivations.  If we had that, then basically what you’re
doing might just as well be a derivation.

BTW, thinking about it, for the Guix Data Service, would
‘gexp->derivation-in-inferior’ be of any use?  This is used, for
example, to compute the package cache when running ‘guix pull’.  I
think it’s good enough if all you want is to extract basic file
meta-data, but it’s no good if you also want to extract package
derivations and the likes.

Or we could have a new store back-end that computes derivations in
memory and eventually spits a Nar…

I’m just thinking out loud!

Thanks,
Ludo’.