Hello, Kamil Klimkiewicz <[email protected]> writes:
> - each service runs in its own Linux Container (lxc) - it means each
> service is isolated from the others; this is the really fun part;
> isolation is really nice - thanks to exportReferenceGraph I can easily
> create environments that contain only the parts necessary to run each
> service; the nix store is mounted in ro mode, so it's not possible to
> change anything there, even as root; data directories are mounted with
> the noexec setting, so even if you somehow get access to, let's say, gcc
> and create some nasty executable you can't use it; thanks to lxc there
> are plenty of possibilities for limiting services - resources (CPU,
> memory, etc.); but w/o disnix/nix it would be a real PITA to create
> nicely isolated environments;

Do you have code to share on this?

I think a ‘nix-exec’ tool that would do this would be nice: you give it
a program name and arguments, and it launches said program in a chroot
with a read-only bind mount of the subset of the Nix store that it needs
(a bit like Plash).

Thanks,
Ludo’.

_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
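The following is an added sketch of the ‘nix-exec’ wrapper proposed above, written for this page and not code from Ludo, Kamil or the Nix project. It combines the two ideas in the thread: the runtime closure of the program's store path (what exportReferenceGraph exposes to a build, obtained here with nix-store -qR) is bind-mounted read-only into a fresh root, an optional data directory is bind-mounted writable but noexec/nosuid/nodev, and the program is started with chroot. It assumes a Linux host with nix-store(1), mount(8), unshare(1) and root privileges; the environment variable NIX_EXEC_DATA and the function names are invented for the example, and the store paths used to illustrate the mount plan are constructed.

```shell
#!/bin/sh
# nix-exec sketch: run a Nix-built program inside a chroot that contains only
# the read-only closure of its store path. Added example, not project code.
# Assumes: Linux, nix-store(1), mount(8), chroot(8), root privileges.
set -eu

# Closure of a store path, one path per line. Kept as a tiny function so it
# can be replaced by a constructed list when nix-store is not available.
closure_of() {
    nix-store -qR "$1"
}

# /nix/store/<hash>-<name>/bin/prog -> /nix/store/<hash>-<name>
# Refuses anything outside the store so no host path can be pulled in.
store_path_of() {
    case $1 in
        /nix/store/*/*) printf '%s\n' "$1" | cut -d/ -f1-4 ;;
        *) echo "nix-exec: not a Nix store path: $1" >&2; return 1 ;;
    esac
}

# Read store paths on stdin and print the mount commands that bind each of
# them read-only under $1 (the new root). The plan is text, so it can be
# inspected or tested before it is executed. A plain bind mount is never
# read-only by itself; the remount step is what enforces 'ro'.
mount_plan() {
    root=$1
    while IFS= read -r p; do
        case $p in
            /nix/store/*) ;;
            *) echo "nix-exec: refusing non-store path in closure: $p" >&2; return 1 ;;
        esac
        printf 'mkdir -p %s%s\n' "$root" "$p"
        printf 'mount --bind %s %s%s\n' "$p" "$root" "$p"
        printf 'mount -o remount,bind,ro %s%s\n' "$root" "$p"
    done
}

# Writable state for the service, mounted with noexec so a binary dropped
# there (the gcc scenario in the thread) cannot be executed.
mount_data() {
    root=$1; data=$2
    mkdir -p "$root/data"
    mount --bind "$data" "$root/data"
    mount -o remount,bind,noexec,nosuid,nodev "$root/data"
}

main() {
    prog=$1; shift
    pkg=$(store_path_of "$prog")
    root=$(mktemp -d)
    # Execute the plan; 'sh -e' aborts on the first failed mount.
    closure_of "$pkg" | mount_plan "$root" | sh -e
    if [ -n "${NIX_EXEC_DATA:-}" ]; then
        mount_data "$root" "$NIX_EXEC_DATA"
    fi
    exec chroot "$root" "$prog" "$@"
}

# Only act when given a program; sourcing the file defines the functions.
[ $# -eq 0 ] || main "$@"
```

Run it as `unshare -m ./nix-exec /nix/store/…-hello/bin/hello` so the bind mounts live in a private mount namespace and disappear with the process. A chroot is not a security boundary on its own (root inside it can still escape, and nothing here drops privileges or limits resources), which is exactly the gap the LXC setup described in the quoted message fills; the sketch only shows the closure-to-read-only-root mapping that both messages rely on.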
