Using GNU Guix Containers with FHS Support
I teach, photograph, code and write; formerly a physicist
Lisp Lover™, mainly using Common Lisp in the past
Using and contributing to Guix for ~1.5 years; now with commit access ☻
I'm not a container expert, but hey I've suffered through some containers
1. The Filesystem Hierarchy Standard
The goodies in the "usual" places:
But this is a rather big assumption that we often don't realize we're making
2. GNU Guix
A distribution of the GNU operating system following the Free System Distribution Guidelines
Built on Guile Scheme, including the service manager Shepherd (PID 1)
Lots of cool features: transactional, roll-backs, declarative system configuration, transformations, …
To provide these features, it does not follow the FHS
3. Guix Shell
Handy one-off environments: doesn't pollute your profile, quick testing
Cached after first use for speed
Some personal examples:
Use Python with Python packages to run a script:
guix shell python python-canvasapi -- python3 my-script.py "an argument"
ExifTool to wipe metadata from an image:
guix shell perl-image-exiftool -- exiftool -all= --icc_profile:all some-image.jpg
Take a screenshot of a selected area:
guix shell scrot -- scrot --select
4. Guix Containers
-C option to run in a (surprise!) container for isolation/reproducibility
This uses namespaces, same basic idea as other containers
Uses: completely specify the environment (but not a VM), isolate from the host
5. FHS Containers
A new option, --emulate-fhs, extending containers:
Sets up an FHS container plus a "vanilla" glibc
- This glibc will read from the global cache (
Uses: developing or running something in a more "typical" yet minimal environment, using language-specific tooling, binaries, testing
For privacy (fingerprinting) purposes, running the official Tor Browser binary is a good idea.
And we can add some extra isolation and easily control the environment, too!
cd tor-browser ; \
guix shell --container --network --emulate-fhs \
  --preserve='^DISPLAY$' \
  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
  alsa-lib bash coreutils dbus-glib file gcc:lib \
  grep gtk+ libcxx pciutils sed \
  -- ./start-tor-browser.desktop -v ; cd ../
Rust moves quickly and some projects might want or need the latest toolchain.
We can easily use rustup in an FHS container:
guix shell --network --container --emulate-fhs \
  bash coreutils curl grep nss-certs gcc:lib gcc-toolchain \
  pkg-config glib cairo atk email@example.com gdk-pixbuf gtk+ git \
  --share=$HOME/temphome=$HOME --no-cwd
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
And then use the usual instructions for a project, e.g.
In Guix we don't have Electron-based applications currently (the problem of packaging JS from source), so how about running an AppImage of free software?
guix shell --container --network --emulate-fhs \
  --development ungoogled-chromium gcc:lib \
  --preserve='^DISPLAY$' \
  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
  --preserve='^DBUS_' --expose=/var/run/dbus \
  --expose=/sys/dev --expose=/sys/devices --expose=/dev/dri \
  -- ./VSCodium-18.104.22.16842.glibc2.17-x86_64.AppImage --appimage-extract-and-run
Note the need for more host exposure here, to communicate with the host desktop and use the hardware.
How do you find what you need in the container?
- even READMEs
Often you'll need to expose more of the host (display and hardware access especially)
Punching out to the host: Flatpak's
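As an added example (not code from the talk or from the Guix project), here is a small POSIX sh helper that assembles the container options from an explicit list of host capabilities, so each hole punched to the host (network, display, D-Bus, GPU) is opted into by name, and a scratch directory can be shared as $HOME the way the rustup invocation above does. The capability names, the function names and the defaults are this example's own assumptions; the guix options themselves are the ones the Tor Browser, rustup and AppImage commands use.

```shell
#!/bin/sh
# Added example for this talk (not code from the Guix project): assemble a
# `guix shell --container --emulate-fhs` command line from an explicit list of
# host capabilities, so every hole punched to the host is opted into by name.
# The capability names (net, display, dbus, gpu), the function names and the
# defaults are this example's own choices (assumptions); the guix options are
# the ones the talk's Tor Browser, rustup and AppImage invocations use.

# fhs_shell_args CAPS [SCRATCH_HOME]
#   CAPS         comma-separated subset of: net display dbus gpu ('' = no host access)
#   SCRATCH_HOME optional directory shared into the container as $HOME
#                (the rustup trick: tools write there instead of the real home)
# Prints the options on one line; returns 1 on an unknown capability.
fhs_shell_args() {
  caps=$1
  scratch=${2:-}
  args="--container --emulate-fhs"
  if [ -n "$scratch" ]; then
    # --no-cwd matters when the current directory is the real home
    args="$args --share=$scratch=$HOME --no-cwd"
  fi
  old_ifs=$IFS
  IFS=,
  for cap in $caps; do
    case $cap in
      '') ;;                                   # tolerate "net,,gpu"
      net)     args="$args --network" ;;
      display) args="$args --preserve=^DISPLAY\$ --preserve=^XAUTHORITY\$"
               if [ -n "${XAUTHORITY:-}" ]; then
                 args="$args --expose=$XAUTHORITY"   # the X cookie file only
               fi ;;
      dbus)    args="$args --preserve=^DBUS_ --expose=/var/run/dbus" ;;
      gpu)     args="$args --expose=/sys/dev --expose=/sys/devices --expose=/dev/dri" ;;
      *)       IFS=$old_ifs
               echo "fhs_shell_args: unknown capability '$cap'" >&2
               return 1 ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$args"
}

# run_fhs_shell CAPS SCRATCH_HOME PACKAGE... [-- COMMAND...]
# Creates SCRATCH_HOME if needed and runs guix with the assembled options.
# The options are word-split on purpose, so paths containing spaces are
# not supported by this helper.
run_fhs_shell() {
  caps=$1
  scratch=$2
  shift 2
  [ -z "$scratch" ] || mkdir -p "$scratch" || return 1
  opts=$(fhs_shell_args "$caps" "$scratch") || return 1
  if ! command -v guix >/dev/null 2>&1; then
    echo "guix not found; would run: guix shell $opts $*" >&2
    return 127
  fi
  # shellcheck disable=SC2086
  guix shell $opts "$@"
}

# Usage: an interactive FHS shell with network but no display, D-Bus or GPU
# access, and a throw-away home (package list borrowed from the rustup example):
#   run_fhs_shell net "$HOME/temphome" bash coreutils curl grep nss-certs gcc:lib gcc-toolchain
```

Starting from an empty capability list and adding entries as the program complains is the same process as the talk's examples, just with the exposures written down in one place; run the function with no capabilities first and only add `display`, `dbus` or `gpu` when the program actually needs them.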
8. What's Next?
- utilities to use it as a script more easily
- bridging the gap for hard-to-package ecosystems and working outside Guix
9. The End
Another great tool in the guix shell toolbox
Always learning and having fun with Guix
Not a tool I need much but very useful when needed
Questions and discussion time!