Container provisioning with Guix
The upcoming release of GNU Guix will feature an implementation of Linux containers named, following Scheme conventions, call-with-container. Containers are a lightweight virtualization technique used to isolate processes sharing the same host machine. A container has its own separate global kernel resources such as mount points, networking interfaces, users, hostname, and processes.
Containers are a hot topic, and there are many implementations available, but Guix containers are built differently. Compared to other container implementations such as Docker, the most notable difference is that disk images and layered file systems are not used. Instead, the necessary software packages are inserted into containers via simple bind mounts. A pleasant consequence of this structure is that software is deduplicated system-wide. A package used in any number of containers is only on disk in a single place. Additionally, some containers may be created by unprivileged users, allowing any Guix user to create isolated sandboxes for their applications to play in.
One of the programs that uses call-with-container is 'guix environment', the generic virtual development environment creation tool. A --container flag has been introduced that will, as the name suggests, spawn the environment inside of a container. The container only has file system access to the directory from which 'guix environment' was invoked and the read-only store directories of the dependencies. Additional directories and files may be shared from the host using the --expose and --share flags. For example, a "containerized" development environment that is capable of building Guix from source may be created like so:
guix environment --container guix
Likewise, the 'guix system' tool has been extended with a 'container' action for creating scripts that launch full-blown GuixSD containers:
guix system container my-system.scm
Please note, however, that GuixSD containers may only be created by the root user at this time.
In order to use call-with-container, a kernel with support for user namespaces is required. User namespaces were introduced in Linux 3.8, but several distributions disable them by default.
There is still much work to be done in order to make call-with-container a robust container platform. For example, control groups could be used to arbitrarily limit the resources a container can consume, and virtual network interfaces could be used to give containers access to the net without sharing the host system's network interfaces. If you would like to help improve call-with-container, or any other part of the Guix codebase, please join the fun!
About GNU Guix
GNU Guix is a functional package manager for the GNU system. The Guix System Distribution or GuixSD is an advanced distribution of the GNU system that relies on GNU Guix and respects the user's freedom.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. Guix uses low-level mechanisms from the Nix package manager, except that packages are defined as native Guile modules, using extensions to the Scheme language. GuixSD offers a declarative approach to operating system configuration management, and is highly customizable and hackable.
GuixSD can be used on an i686 or x86_64 machine. It is also possible to use Guix on top of an already installed GNU/Linux system, including on mips64el and armv7.