Using GNU Guix Containers with FHS Support

FOSDEM 2023

1. Intro

Me, briefly

I teach, photograph, code and write; formerly a physicist

Lisp Lover™, mainly using Common Lisp in the past

Using and contributing to Guix for ~1.5 years; now with commit access ☻

I'm not a container expert, but hey I've suffered through some containers

FHS?

The Filesystem Hierarchy Standard

The goodies in the "usual" places: /lib, /bin etc.

But this is a rather big assumption we often don't realize we are making

2. GNU Guix

A distribution of the GNU operating system following the Free System Distribution Guidelines

Built on Guile Scheme, including the service manager Shepherd (PID 1)

Lots of cool features: transactional, roll-backs, declarative system configuration, transformations, …

To provide these features, it does not follow the FHS

3. Guix Shell

Handy one-off environments: doesn't pollute your profile, quick testing

Cached after first use for speed

Some personal examples:

Use Python with Python packages to run a script:

guix shell python python-canvasapi -- python3 my-script.py "an argument"

ExifTool to wipe metadata from an image:

guix shell perl-image-exiftool -- exiftool -all= --icc_profile:all some-image.jpg

Take a screenshot of a selected area:

guix shell scrot -- scrot --select

4. Guix Containers

Add the --container or -C option to run in a (surprise!) container for isolation/reproducibility

This uses namespaces, same basic idea as other containers

Uses: completely specify the environment (but not a VM), isolate from the host

5. FHS Containers

A new option extending containers: --emulate-fhs or -F

Sets up an FHS container plus a "vanilla" glibc

  • This glibc will read from the global cache (/etc/ld.so.cache)

Uses: developing or running something in a more "typical" yet minimal environment, using language-specific tooling, binaries, testing

6. Examples

Tor Browser

For privacy (fingerprinting) purposes, running the official Tor Browser binary is a good idea.

And we get some extra isolation and easy control of the environment, too!

cd tor-browser ; \
guix shell --container --network --emulate-fhs \
    --preserve='^DISPLAY$' \
    --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
    alsa-lib bash coreutils dbus-glib file gcc:lib \
    grep gtk+ libcxx pciutils sed \
    -- ./start-tor-browser.desktop -v ;
cd ../

Rust

Rust moves quickly and some projects might want or need the latest toolchain.

We can easily use rustup in an FHS container:

guix shell --network --container --emulate-fhs \
    bash coreutils curl grep nss-certs gcc:lib gcc-toolchain \
    pkg-config glib cairo atk pango@1.48.10 gdk-pixbuf gtk+ git \
    --share=$HOME/temphome=$HOME --no-cwd

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

And then use the usual instructions for a project, e.g. cargo build

AppImages (VSCodium)

In Guix we don't have Electron-based applications currently (the problem of packaging JS from source), so how about running an AppImage of free software?

guix shell --container --network --emulate-fhs \
    --development ungoogled-chromium gcc:lib \
    --preserve='^DISPLAY$' \
    --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
    --preserve='^DBUS_' --expose=/var/run/dbus \
    --expose=/sys/dev --expose=/sys/devices --expose=/dev/dri \
    -- ./VSCodium-1.74.0.22342.glibc2.17-x86_64.AppImage --appimage-extract-and-run

Note the need for more host exposure, to communicate with the host desktop and use hardware.

7. Tips/Discovery

How do you find what you need in the container?

  • strace
  • ldd
  • even READMEs

Often you'll need to expose more of the host (display and hardware access especially)
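The discovery loop above (run it, see what fails, add a package or an --expose) mostly comes down to reading ldd and strace output. As an added example, not code from the talk or from Guix itself, here are two POSIX shell filters that pull out the actionable lines; the sample ldd and strace text is constructed for the demo, and the library and path names in it are illustrative.

```sh
#!/bin/sh
# Added example (not code from the talk): two small filters for the
# "what is my program missing inside the container?" question. Feed them
# real output from inside the container, e.g.
#   guix shell -C -F <pkgs...> -- ldd ./prog | missing_libs
#   guix shell -C -F <pkgs...> -- strace -f -e trace=openat,stat,access ./prog 2>&1 | missing_paths
# or the constructed samples below.

# Shared objects ldd could not resolve, deduplicated.
# ldd reports an unresolved dependency as "<name> => not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Paths the program tried and that did not exist, taken from strace output.
# Only the first quoted string of a line is used, which for open/stat/access
# is the path; an ENOENT result marks a file that needs packaging or exposing.
missing_paths() {
    grep -E ' = -1 ENOENT ' | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample ldd output (not captured from a real run), as a GTK
# program might print inside a too-minimal FHS container.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd2a1fe000)
    libgtk-3.so.0 => not found
    libdbus-glib-1.so.2 => not found
    libc.so.6 => /lib/libc.so.6 (0x00007f1c2a000000)
    libgtk-3.so.0 => not found
EOF
}

# Constructed sample strace output (not captured from a real run).
sample_strace() {
    cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libgtk-3.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/dev/dri/card0", R_OK|W_OK) = -1 ENOENT (No such file or directory)
stat("/sys/devices", {st_mode=S_IFDIR|0755, ...}) = 0
openat(AT_FDCWD, "/usr/lib/libgtk-3.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
}

# Run as `sh this-script.sh --demo` to see both reports on the sample data.
if [ "${1:-}" = "--demo" ]; then
    echo "unresolved libraries:"; sample_ldd | missing_libs
    echo "missing paths:";       sample_strace | missing_paths
fi
```

A library name found this way maps to a Guix package via guix search, while a path under /dev or /sys that the program really needs is a candidate for an --expose as in the VSCodium example. Add exposures one at a time and only for paths that show up here: each one widens what the container can reach on the host.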

Punching out to the host: Flatpak's xdg-utils

8. What's Next?

  • utilities to make this easier to use from scripts
  • bridging the gap of hard to package ecosystems and working outside Guix
  • ???

9. The End

Another great tool in the guix shell toolbox

Always learning and having fun with Guix

Not a tool I need much but very useful when needed

Questions and discussion time!

10. Thanks!

Special thanks to Ludovic Courtès for helping to tweak and polish the FHS container patches and previous work done at Nonguix

Made and presented in Emacs with org-present with some tweaks from David Wilson

See also my blog post on the GNU Guix Blog

Date: February 4, 2023

Author: John Kehayias

Created: 2023-01-29 Sun 20:23