[Nix-dev] Isolated programs
Ludovic Courtès
ludo at gnu.org
Fri Apr 15 23:50:56 CEST 2011
Hello,
Kamil Klimkiewicz <miglanz at gmail.com> writes:
> - each service runs in its own Linux Container (lxc) - it means each
> service is isolated from the others; this is the really fun part;
> isolation is really nice - thanks to exportReferenceGraph I can easily
> create environments that contain only the parts necessary to run each
> service; the nix store is mounted in ro mode, so it's not possible to
> change anything there, even as root; data directories are mounted with
> the noexec setting, so even if you somehow get access to, let's say, gcc
> and create some nasty executable you can't use it; thanks to lxc there
> are plenty of possibilities for limiting services - resources (CPU,
> memory, etc); but w/o disnix/nix it would be a real PITA to create
> nicely isolated environments;
Do you have code to share on this?
I think a ‘nix-exec’ tool that would do this would be nice: you give it
a program name and arguments, and it launches said program in a chroot
with a read-only bind mount of the subset of the Nix store that it needs
(a bit like Plash).
Thanks,
Ludo’.
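A sketch of the ‘nix-exec’ idea from this message, added here as an example and not code from the thread or from Nix itself: a POSIX shell script that computes a store path's runtime closure with nix-store -qR, bind-mounts each path read-only under a chroot, and gives the program a noexec data directory as in Kamil's containers. It assumes a host with Nix installed and root privileges for the mount and chroot steps; the chroot directory /srv/jail is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal 'nix-exec' that runs a
# program in a chroot seeing only the read-only closure of its store path.
# Assumes nix-store(1)/nix-build(1) on the host and root for the mount step.

# Read store paths on stdin (one per line) and print the shell commands that
# bind-mount each of them read-only under the chroot root given as $1.
# Paths outside /nix/store are rejected so a stray entry cannot widen the view.
emit_ro_binds() {
  root=$1
  while IFS= read -r path; do
    case $path in
      /nix/store/*) ;;
      *) printf 'refusing non-store path: %s\n' "$path" >&2; return 1 ;;
    esac
    printf 'mkdir -p %s%s\n' "$root" "$path"
    # Bind first, then remount read-only: a plain "mount -o bind,ro" was
    # silently read-write on older kernels; the remount is what enforces ro.
    printf 'mount --bind %s %s%s\n' "$path" "$root" "$path"
    printf 'mount -o remount,ro,bind %s%s\n' "$root" "$path"
  done
}

# Writable scratch space for the service, mounted noexec/nosuid/nodev so a
# binary dropped there (the "somehow get gcc" case above) cannot be executed.
emit_data_mount() {
  printf 'mkdir -p %s/data\n' "$1"
  printf 'mount -t tmpfs -o noexec,nosuid,nodev,size=%s tmpfs %s/data\n' "$2" "$1"
}

# nix_exec STORE-PATH CHROOT-DIR PROGRAM [ARGS...]
# nix-store -qR prints the runtime closure (the same graph exportReferenceGraph
# hands to NixOS modules); only those paths become visible inside the chroot.
# Run nix_exec itself under 'unshare -m' to keep the mounts off the host table.
# usage: p=$(nix-build '<nixpkgs>' -A hello --no-out-link)
#        nix_exec "$p" /srv/jail "$p/bin/hello"
nix_exec() {
  pkg=$1; root=$2; shift 2
  closure=$(nix-store -qR "$pkg") || return 1
  printf '%s\n' "$closure" | emit_ro_binds "$root" | sh -e || return 1
  emit_data_mount "$root" 64m | sh -e || return 1
  exec chroot "$root" "$@"
}
```

The two emit_ functions only print the mount commands, so the plan can be reviewed before anything is mounted; nix_exec is the step that actually executes them.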