Paste number 157515: ann
When: 6 years, 9 months ago
http://paste.lisp.org/+3DJF
The upcoming release of GNU Guix will feature an implementation of Linux containers named, following Scheme conventions, call-with-container. Containers are a lightweight virtualization technique used to isolate processes sharing the same host machine. A container has its own separate global kernel resources such as mount points, networking interfaces, users, hostname, and processes.

Containers are a hot topic, and there are many implementations out there, but Guix containers are built differently. The most notable difference is that disk images and layered file systems are not used. Instead, the necessary software packages are inserted into containers via simple bind mounts. A pleasant consequence of this structure is that software is deduplicated system-wide: a package used in any number of containers is only on disk in a single place. Also, unlike some other implementations, some containers may be created by unprivileged users, allowing any Guix user to create isolated sandboxes for their applications to play in.

The first tool to use call-with-container is 'guix environment', the generic virtual development environment creation tool. A --container flag has been introduced that will, as the name suggests, spawn the environment inside of a container. The container only has file system access to the directory from which 'guix environment' was invoked and the read-only store directories of the dependencies. Additional directories and files may be shared from the host using the --expose and --share flags. For example, a "containerized" development environment that is capable of building Guix from source may be created like so:

  guix environment --container guix

Likewise, the 'guix system' tool has been extended with a 'container' action for creating scripts that launch full-blown GuixSD containers:

  guix system container my-system.scm

However, GuixSD containers may only be created by the root user at this time.
In order to use call-with-container, a kernel with support for user namespaces is required. User namespaces were introduced in Linux 3.8, but several distributions disable them by default. There is still much work to be done in order to make call-with-container a robust container platform. For example, control groups could be used to arbitrarily limit the resources a container can consume, and virtual network interfaces could be used to give containers access to the net without sharing the host system's network interfaces. If you would like to help improve call-with-container, or any other part of the Guix codebase, please join the fun! http://www.gnu.org/software/guix/contribute/
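An added example, not part of the paste or of Guix itself: a POSIX shell script that checks the prerequisite just described (Linux 3.8 or later with user namespaces not disabled for unprivileged users) before anyone reaches for guix environment --container. The sysctl paths, the unshare -U probe and the --expose/--share paths in the final message are assumptions about a typical host, not something the paste states.

```shell
#!/bin/sh
# Prerequisite check for call-with-container: the kernel must be >= 3.8 and
# user namespaces must not be disabled for unprivileged users.

# version_ge A B: return 0 when dotted version A is >= B (missing parts = 0).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
  done
  return 0
}

# userns_check: return 0 when unprivileged user namespaces look usable,
# otherwise print the reason and return 1.
userns_check() {
  # Strip a "-91-generic" style suffix so only numeric components remain.
  rel=$(uname -r | sed 's/[^0-9.].*//')
  version_ge "$rel" 3.8 || { echo "kernel $rel is older than 3.8"; return 1; }
  # Debian-family kernels (assumed path): 0 here blocks non-root unshare(2).
  f=/proc/sys/kernel/unprivileged_userns_clone
  if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
    echo "kernel.unprivileged_userns_clone=0: disabled by the distribution"; return 1
  fi
  # Linux >= 4.9 (assumed path): a per-user limit of 0 also forbids creation.
  f=/proc/sys/user/max_user_namespaces
  if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
    echo "user.max_user_namespaces=0: creation disabled"; return 1
  fi
  # Definitive probe (util-linux unshare): actually try to create one. This
  # also catches seccomp or LSM policies the sysctls above do not reveal.
  if command -v unshare >/dev/null 2>&1 && ! unshare -U true 2>/dev/null; then
    echo "unshare -U failed: user namespaces blocked"; return 1
  fi
  echo "user namespaces available (kernel $rel)"
}

# Suggest the container invocation only when the check passes. --expose gives
# the container a read-only view of a host path, --share a writable one.
if userns_check; then
  echo "try: guix environment --container --expose=\$HOME/.gitconfig" \
       "--share=\$PWD/build-cache guix"
else
  echo "call-with-container will not work on this host"
fi
```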