[Nix-dev] Isolated programs

Kamil Klimkiewicz miglanz at gmail.com
Sat Apr 16 00:12:35 CEST 2011


Hi Ludovic,

> Do you have code to share on this?

Once I'm done with the whole setup and clean everything up I'll share
it. It's currently a huge mess - I was learning the nix expression language
and the whole ecosystem along the way.

> I think a ‘nix-exec’ tool that would do this would be nice: you give it
> a program name and arguments, and it launches said program in a chroot
> with a read-only bind mount of the subset of the Nix store that it needs
> (a bit like Plash).

Sure, that's certainly interesting. I'm aware of Plash, I used it in one
project. Lxc (Linux Containers) is a much better technology IMO. First
of all it's built into the Linux kernel (a reasonably modern one - >= 2.6.29).
It also allows for more fine-grained control of other resources (Plash
only isolates the file system). With lxc you get a separate file system
(it's not chroot, it's implemented with the pivot_root syscall + fs
namespace, and then, as you say, bind mounts are involved), networking
(each of my services gets a separate internal IP address, I use iptables
to perform forwarding and NATing among these services and the outside world),
a process ID namespace, etc. You may also limit such resources as CPU
and memory. You may also simply drop unnecessary capabilities (for
example sys_admin). You basically get a separate operating system, except
you use the host kernel. There are still some parts that aren't easily
isolated (I believe you only get one syslog, but I'm not sure). Lxc is
quite a new technology and is actively developed.

As a side note - I stopped using Plash because it's tightly coupled to
glibc and it simply broke every time I updated glibc.

For such a nix-exec tool (or nix-lxc?) you would still need to provide
some data directories (/var/log, /var/run, etc.), network configuration
(optionally), etc. But, other than that, I think it would be reasonably
easy to write thanks to the whole machinery provided by nix.

I think the whole thing could simply get a configuration in the form of a
simple nix expression, and then do the rest.

I think such a tool could become part of the mini deployment framework I
wrote about earlier today. I'll keep you updated on my progress
(unfortunately I first have to finish the project I'm actually
deploying...).

-- 
Best regards,
Kamil
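As an added example (not code from Kamil's setup or from any Nix project), a minimal C sketch of the nix-exec idea discussed in this thread: fresh mount, network and UTS namespaces, the listed store paths bind-mounted read-only into a prepared root, pivot_root instead of chroot, and CAP_SYS_ADMIN dropped before the exec. The function names, the /nix/store path check and the convention of a pre-built root tree with empty nix/store/<name> mount points are my assumptions; it needs root on a Linux kernel with namespace support.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/sched.h>
#include <linux/capability.h>

/* Only /nix/store/<component>... with no empty, "." or ".." components may be
 * mapped in, so a caller cannot pull anything outside the store into the box. */
int is_store_path(const char *p) {
    const char *pre = "/nix/store/";
    size_t n = strlen(pre);
    if (strncmp(p, pre, n) != 0 || p[n] == '\0') return 0;
    for (const char *c = p + n; *c;) {
        const char *e = strchr(c, '/');
        size_t len = e ? (size_t)(e - c) : strlen(c);
        if (len == 0 || (len == 1 && c[0] == '.') ||
            (len == 2 && c[0] == '.' && c[1] == '.')) return 0;
        c = e ? e + 1 : c + len;
    }
    return 1;
}

/* Bind src read-only at root/src (the mount point must already exist). MS_RDONLY
 * is ignored on the first bind, so a MS_REMOUNT|MS_BIND pass has to enforce it. */
int bind_store_ro(const char *root, const char *src) {
    char dst[4096];
    if (!is_store_path(src)) return -1;
    snprintf(dst, sizeof dst, "%s%s", root, src);
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) return -1;
    return mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID, NULL);
}

/* Needs root. New mount/net/UTS namespaces, the store paths mapped read-only
 * into root, pivot_root into it, then CAP_SYS_ADMIN dropped before the exec. */
int enter_sandbox(const char *root, const char **paths, int npaths) {
    if (syscall(SYS_unshare, CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWUTS) < 0) return -1;
    /* Private propagation: nothing we mount here leaks back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -1;
    for (int i = 0; i < npaths; i++)
        if (bind_store_ro(root, paths[i]) < 0) return -1;
    /* pivot_root(".", ".") idiom from pivot_root(2); the old root is detached after. */
    if (mount(root, root, NULL, MS_BIND | MS_REC, NULL) < 0 || chdir(root) < 0 ||
        syscall(SYS_pivot_root, ".", ".") < 0 || umount2(".", MNT_DETACH) < 0 ||
        chdir("/") < 0) return -1;
    if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); /* no setuid gain on exec */
}
```

A wrapper would call enter_sandbox(root, paths, n) with the program's runtime closure as paths and then execvp() the program; the data directories and network setup Kamil mentions (/var/log, /var/run, an address and forwarding rules) still have to be prepared in root beforehand.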
