The Filesystem Hierarchy Standard Comes to Guix Containers
GNU Guix is different from most other GNU/Linux distributions and perhaps nowhere is that
more obvious than the organization of the filesystem: Guix does not conform to the
Filesystem Hierarchy Standard (FHS). In
practical terms, this means there is no global /lib
containing libraries, /bin
containing binaries,¹ and so on. This is very much at the core of how Guix works and some
of the convenient features, like per-user installation of programs (different versions,
for instance) and a declarative system configuration where the system is determined from a
configuration file.
However, this also leads to a difference in how many pieces of software expect their world
to look like, relying on finding a library in /lib
or an external tool in /bin
. When
these are hard coded and not overcome with appropriate build options, we patch code to
refer to absolute paths in the store, like
/gnu/store/hrgqa7m498wfavq4awai3xz86ifkjxdr-grep-3.6/bin/grep
, to keep everything
consistently contained within the store.
It all works great and is thanks to the hard work of everyone that has contributed to Guix. But what if we need a more FHS-like environment for developing, testing, or running a piece of software?
To that end, we've recently
added (available in Guix 1.4.0)
a new option for guix shell
(previously called guix environment
):
--emulate-fhs
(or -F
). This option is used in conjunction with the
--container
(or -C
)
option which creates an isolated, you guessed it, container. The new --emulate-fhs
option will set up an environment in the container that follows FHS expectations, so that
libraries are visible in /lib
in the container, as an example.
Here is a very simple example:
$ guix shell --container --emulate-fhs coreutils -- ls /bin | head
[
b2sum
base32
base64
basename
basenc
cat
catchsegv
chcon
chgrp
and
$ guix shell --container --emulate-fhs coreutils -- ls /lib | head
Mcrt1.o
Scrt1.o
audit
crt1.o
crti.o
crtn.o
gconv
gcrt1.o
ld-2.33.so
ld-linux-x86-64.so.2
Contrast that with /bin
on a Guix system:
$ ls /bin -l
total 4
lrwxrwxrwx 1 root root 61 Dec 12 09:57 sh -> \
/gnu/store/d99ykvj3axzzidygsmdmzxah4lvxd6hw-bash-5.1.8/bin/sh*
and /lib
$ ls /lib
ls: cannot access '/lib': No such file or directory
Or, if you like to see it more in motion, here's a gif (courtesy of Ludovic Courtès):
Additionally, for the more technically-minded, the glibc
used in this
container
will read from a global cache in /etc/ld.so.cache
contrary to the behavior in
Guix
otherwise. This can help ensure that libraries are found when querying the ld cache or
using the output of ldconfig -p
, for example.
There are several uses that spring to mind for such a container in Guix. For developers, or those aspiring to hack on a project, this is a helpful tool when needing to emulate a different (non-Guix) environment. For example, one could use this to more easily follow build instructions meant for a general distribution, say when a Guix package is not (yet) available or easy to write immediately.
Another usage is to be able to use tools that don't really fit into Guix's model, like ones that use pre-built binaries. There are many reasons why this is not ideal and Guix strives to replace or supplement such tools, but practically speaking they can be hard to avoid entirely. The FHS container helps bridge this gap, providing an isolated and reproducible environment as needed.
Users not interested in development will also find the FHS container useful. For example, there may be software that is free and conforms to the Free System Distribution Guidelines (FSDG) Guix follows, yet is not feasible to be packaged by our standards. JavaScript and particularly Electron applications are not yet packaged for Guix due to the difficulties of a properly source-based and bootstrapable approach in this ecosystem.
As a more interesting example for this last point, let's dive right into a big one: the
popular VSCodium editor. This is a freely
licensed build of Microsoft's
VS Code editor. This is based on Electron and pre-built AppImages
are available. Downloading and making the
AppImage executable (with a chmod +x
), we can run it in a container with
guix shell --container --network --emulate-fhs \
--development ungoogled-chromium gcc:lib \
--preserve='^DISPLAY$' --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
--preserve='^DBUS_' --expose=/var/run/dbus \
--expose=/sys/dev --expose=/sys/devices --expose=/dev/dri \
-- ./VSCodium-1.74.0.22342.glibc2.17-x86_64.AppImage --appimage-extract-and-run
The second line is a handy cheat to get lots of libraries often needed for graphical
applications (development inputs of the package ungoogled-chromium
) though it can be
overkill if the AppImage does actually bundle everything (they don't!). The next line is
for display on the host's X server, the one after for DBus communication, and lastly
exposing some of the host hardware for rendering. This last part may be different on
different hardware. That should do it, at least to see basic functionality of VSCodium.
Note that we can't run an AppImage without the --appimage-extract-and-run
option as it
will want to use FUSE to
mount the image which is not possible from the container.²
The FHS container is also useful to be able to run the exact same binary as anyone else, as you might want to for privacy reasons with the Tor Browser. While there is a long-standing set of patches to build the Tor Browser from source, with a container we can run the official build directly. After downloading, checking the signature, and unpacking, we can launch the Tor Browser from the root of the unpacked directory with:
guix shell --container --network --emulate-fhs \
--preserve='^DISPLAY$' --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
alsa-lib bash coreutils dbus-glib file gcc:lib \
grep gtk+ libcxx pciutils sed \
-- ./start-tor-browser.desktop -v
Here we've used a more minimal set of package inputs, rather than the ungoogled-chromium
trick above. Usually this is found through some trial and error, looking at log output,
maybe tracing, and sometimes from documentation. Though documentation of needed packages
often has some assumptions on what is already available on typical systems. (Thanks to Jim
Newsome for pointing out this example on the guix-devel mailing
list.)
Another example is to get the latest nightly builds of Rust, via rustup
.
$ mkdir ~/temphome
$ guix shell --network --container --emulate-fhs \
bash coreutils curl grep nss-certs gcc:lib gcc-toolchain \
pkg-config glib cairo atk pango@1.48.10 gdk-pixbuf gtk+ git \
--share=$HOME/temphome=$HOME
~/temphome [env]$ curl --proto '=https' --tlsv1.2 -sSf <https://sh.rustup.rs> | sh
First we created a ~/temphome
directory to use as $HOME
in the container and then
included a bunch of libraries in the container for the next example.
This will proceed without problem and we'll see
info: downloading installer
Welcome to Rust!
This will download and install the official compiler for the Rust
programming language, and its package manager, Cargo.
...
Rust is installed now. Great!
To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).
To configure your current shell, run:
source "$HOME/.cargo/env"
After updating the shells environment as instructed, we can see it all worked
~/temphome [env]$ rustc --version
rustc 1.65.0 (897e37553 2022-11-02)
as Guix's current Rust is at 1.61.0 and we didn't even include Rust in the container, of course.
Finally, we can build a Rust project of desktop widgets, ElKowars wacky widgets
(eww), following their
directions. Ultimately this uses just the standard cargo build --release
and builds after downloading all the needed libraries.
~/temphome/eww [env]$ git clone https://github.com/elkowar/eww
...
~/temphome/eww [env]$ cd eww
~/temphome/eww [env]$ cargo build --release
info: syncing channel updates for 'nightly-2022-08-27-x86_64-unknown-linux-gnu'
info: latest update on 2022-08-27, rust version 1.65.0-nightly (c07a8b4e0 2022-08-26)
...
Finished release [optimized] target(s) in 2m 06s
With this being a fresh container, you will need to make some directories that normally
exist, like ~/.config
and ~/.cache
in this case. For basic display support, it is
enough to add --preserve='^DISPLAY$' --preserve='^XAUTHORITY$' --expose=$XAUTHORITY
to
the container launch options and run the first example widget in the
documentation.
As we can see, with containers more generally we have to provide the right inputs and options as the environment is completely specified at creation. Once you want to run something that needs hardware from the host or to access host files, the container becomes increasingly porous for more functionality. This is certainly a trade-off, but one which we have agency with a container we wouldn't get otherwise.
The FHS option provides another option to make a container in Guix to produce other environments, even those with a vastly different philosophy of the root filesystem! This is one more tool in the Guix toolbox for controlled and reproducible environments that also let's us do some things we couldn't (easily) do otherwise.
Notes
¹ Other than a symlink for sh
from the bash
package, for compatibility reasons.
² Actually, one can use flatpak-spawn
from
flatpak-xdg-utils
to launch something
on the host and get the AppImage to mount itself. However, it is not visible from the same
container. Or, we can use a normal mounting
process
outside of the container to inspect the contents, but AppImages will have an offset. We
can use the FHS container option to get this offset and then mount in one line with mount VSCodium-1.74.0.22342.glibc2.17-x86_64.AppImage <mountpoint> -o offset=$(guix shell --container --emulate-fhs zlib -- ./VSCodium-1.74.0.22342.glibc2.17-x86_64.AppImage --appimage-offset)
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the Hurd or the Linux kernel, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, AArch64, and POWER9 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Pokud není uvedeno jinak, příspěvky na blogu na těchto stránkách jsou chráněny autorskými právy příslušných autorů a zveřejněny za podmínek licence CC-BY-SA 4.0 a podmínek licence GNU Free Documentation License (verze 1.3 nebo novější, bez invariantních částí, bez textů na přední straně obálky a bez textů na zadní straně obálky).