Using GNU Guix Containers with FHS Support
FOSDEM 2023
1. Intro
Me, briefly
I teach, photograph, code and write; formerly a physicist
Lisp LoverTM, mainly using Common Lisp in the past
Using and contributing to Guix for ~1.5 years; now with commit access ☻
I'm not a container expert, but hey I've suffered through some containers
FHS?
The Filesystem Hierarchy Standard
The goodies in the "usual" places: /lib, /bin, etc.
But this is a rather big assumption we often don't realize
2. GNU Guix
A distribution of the GNU operating system following the Free System Distribution Guidelines
Built on Guile Scheme, including the service manager Shepherd (PID 1)
Lots of cool features: transactional, roll-backs, declarative system configuration, transformations, …
To provide these features, does not follow FHS
3. Guix Shell
Handy one-off environments: doesn't pollute your profile, quick testing
Cached after first use for speed
Some personal examples:
Use python with python packages to run a script:
guix shell python python-canvasapi -- python3 my-script.py "an argument"
ExifTool to wipe metadata from an image:
guix shell perl-image-exiftool -- exiftool -all= --icc_profile:all some-image.jpg
Take a screenshot of a selected area:
guix shell scrot -- scrot --select
4. Guix Containers
Add the --container or -C option to run in a (surprise!) container for isolation/reproducibility
This uses namespaces, same basic idea as other containers
Uses: completely specify the environment (but not a VM), isolate from the host
5. FHS Containers
A new option extending containers: --emulate-fhs or -F
Sets up an FHS container plus a "vanilla" glibc
- This glibc will read from the global cache (/etc/ld.so.cache)
Uses: developing or running something in a more "typical" yet minimal environment, using language-specific tooling, binaries, testing
6. Examples
Tor Browser
For privacy (fingerprinting) purposes, running the official Tor Browser binary is a good idea.
Plus it adds some extra isolation and lets you easily control the environment, too!
cd tor-browser ; \
guix shell --container --network --emulate-fhs \
  --preserve='^DISPLAY$' \
  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
  alsa-lib bash coreutils dbus-glib file gcc:lib \
  grep gtk+ libcxx pciutils sed \
  -- ./start-tor-browser.desktop -v ; cd ../
Rust
Rust moves quickly and some projects might want or need the latest toolchain.
We can easily use rustup in an FHS container:
guix shell --network --container --emulate-fhs \
  bash coreutils curl grep nss-certs gcc:lib gcc-toolchain \
  pkg-config glib cairo atk pango@1.48.10 gdk-pixbuf gtk+ git \
  --share=$HOME/temphome=$HOME --no-cwd
Then, inside the container, the usual rustup installer:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
And then use the usual instructions for a project, e.g. cargo build
AppImages (VSCodium)
In Guix we don't have electron-based applications currently (the problem of JS packaging from source), so how about running an AppImage of free software?
guix shell --container --network --emulate-fhs \
  --development ungoogled-chromium gcc:lib \
  --preserve='^DISPLAY$' \
  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
  --preserve='^DBUS_' --expose=/var/run/dbus \
  --expose=/sys/dev --expose=/sys/devices --expose=/dev/dri \
  -- ./VSCodium-1.74.0.22342.glibc2.17-x86_64.AppImage --appimage-extract-and-run
Note the need for more host exposure, to communicate with host desktop and use hardware.
7. Tips/Discovery
How do you find what you need in the container?
strace
ldd
- even READMEs
Often you'll need to expose more of the host (display and hardware access especially)
Punching out to the host: Flatpak's xdg-utils
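As an added example (not from the talk, function and variable names are my own), two small shell helpers for the discovery step: one parses ldd output for libraries the container still lacks, the other checks that the FHS landmarks --emulate-fhs is meant to provide are actually there.

```shell
#!/bin/sh
# Added example, not from the talk: answers "what does the container still
# lack?", the question the ldd tip is about. Names are my own.

# Read ldd output on stdin and print each library ldd could not resolve.
# Unresolved entries look like:  "<tab>libfoo.so.1 => not found"
missing_libs_from() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on a binary (assumed present in the container, e.g. via
# gcc-toolchain) and report what is missing; returns 1 if anything is.
missing_libs() {
    missing=$(ldd "$1" 2>/dev/null | missing_libs_from)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Check that a root directory has the FHS landmarks --emulate-fhs should
# provide: /bin, /lib and the global /etc/ld.so.cache the "vanilla" glibc
# reads. Prints each missing landmark; returns 1 if any is missing.
fhs_landmarks() {
    root=${1:-/}
    rc=0
    for path in bin lib etc/ld.so.cache; do
        if [ ! -e "$root/$path" ]; then
            printf 'missing: /%s\n' "$path"
            rc=1
        fi
    done
    return $rc
}

# Constructed ldd output, as a Tor Browser binary might show in a container
# started without gtk+ and dbus-glib.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd11111000)
	libgtk-3.so.0 => not found
	libdbus-glib-1.so.2 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234567000)'

# Usage inside the container:  missing_libs ./firefox && fhs_landmarks /
```

Each "not found" line maps to a package to add to the guix shell invocation (or a path to --expose); a failing fhs_landmarks check means the binary is running without -F or the glibc cache is not mounted.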
8. What's Next?
- utilities to use as script more easily
- bridging the gap of hard to package ecosystems and working outside Guix
- ???
9. The End
Another great tool in the guix shell toolbox
Always learning and having fun with Guix
Not a tool I need much but very useful when needed
Questions and discussion time!