Paste number 157515: ann
Pasted by: davexunit
When: 6 years, 9 months ago
The upcoming release of GNU Guix will feature an implementation of
Linux containers named, following Scheme conventions,
call-with-container.  Containers are a lightweight virtualization
technique used to isolate processes sharing the same host machine.  A
container has its own separate global kernel resources such as mount
points, networking interfaces, users, hostname, and processes.

Containers are a hot topic, and there are many implementations out
there, but Guix containers are built differently.  The most notable
difference is that disk images and layered file systems are not used.
Instead, the necessary software packages are inserted into containers
via simple bind mounts.  A pleasant consequence of this structure is
that software is deduplicated system-wide.  A package used in any
number of containers is only on disk in a single place.  Also, unlike
some other implementations, some containers may be created by
unprivileged users, allowing any Guix user to create isolated
sandboxes for their applications to play in.

The first tool to use call-with-container is 'guix environment', the
generic virtual development environment creation tool.  A --container
flag has been introduced that will, as the name suggests, spawn the
environment inside of a container.  The container only has file system
access to the directory from which 'guix environment' was invoked and
the read-only store directories of the dependencies.  Additional
directories and files may be shared from the host using the --expose
and --share flags.  For example, a "containerized" development
environment that is capable of building Guix from source may be
created like so:

    guix environment --container guix

Likewise, the 'guix system' tool has been extended with a 'container'
action for creating scripts that launch full-blown GuixSD containers:

    guix system container my-system.scm

However, GuixSD containers may only be created by the root user at
this time.

In order to use call-with-container, a kernel with support for user
namespaces is required.  User namespaces were introduced in Linux 3.8,
but several distributions disable them by default.
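Before relying on 'guix environment --container' on a distribution that may have switched user namespaces off, it is worth checking the kernel knobs first. The script below is an added example, not part of the original paste or of Guix; it reads the standard user.max_user_namespaces knob (Linux 4.9 and later) and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone switch, and the directory argument is a hypothetical parameter so the check can be pointed at a constructed tree instead of the live /proc.

```shell
#!/bin/sh
# Report whether unprivileged user namespaces look usable by reading the
# kernel knobs under the given root (default /proc).  Exit status:
# 0 = appear enabled, 1 = clearly disabled, 2 = cannot tell from sysctls.
userns_status() {
    root="${1:-/proc}"
    max_file="$root/sys/user/max_user_namespaces"
    debian_file="$root/sys/kernel/unprivileged_userns_clone"

    # Linux >= 4.9 exposes a per-user limit; a value of 0 forbids
    # creating any user namespace at all.
    if [ -r "$max_file" ]; then
        max=$(cat "$max_file")
        if [ "$max" -eq 0 ] 2>/dev/null; then
            echo "disabled: user.max_user_namespaces is 0"
            return 1
        fi
    fi

    # Debian and Ubuntu kernels carry an extra switch that older
    # releases default to 0; 1 permits unprivileged CLONE_NEWUSER.
    if [ -r "$debian_file" ]; then
        if [ "$(cat "$debian_file")" = "0" ]; then
            echo "disabled: kernel.unprivileged_userns_clone is 0"
            return 1
        fi
    fi

    if [ -r "$max_file" ] || [ -r "$debian_file" ]; then
        echo "enabled: user namespaces appear usable"
        return 0
    fi
    echo "unknown: no user-namespace knobs found under $root"
    return 2
}

# Live confirmation: actually try to enter a fresh user namespace.
# Needs util-linux's unshare; this is what call-with-container relies on.
userns_live_check() {
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo "unshare -U succeeded: unprivileged user namespaces work"
        return 0
    fi
    echo "unshare -U failed or unavailable"
    return 1
}

if [ "${1:-}" = "--run" ]; then
    userns_status
    userns_live_check
fi
```

Run it as 'sh userns-check.sh --run' on the host; a "disabled" result explains a failing --container run before looking anywhere else.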

There is still much work to be done in order to make
call-with-container a robust container platform.  For example, control
groups could be used to arbitrarily limit the resources a container
can consume, and virtual network interfaces could be used to give
containers access to the net without sharing the host system's network
interfaces.  If you would like to help improve call-with-container, or
any other part of the Guix codebase, please join the fun!
