When a guix-builder container runs without the store attached, it should still be able to use
ssl certificates. This was not possible prior to this change without adjusting the
SSL_CERT_FILE and SSL_CERT_DIR environment variables to be prefixed with '/guix-builder'.
Preferably and as implemented in this commit, we can keep standard values of these
environment variables and provide a link from /etc/ssl -> /guix-builder/etc/ssl where the
certificate files reference /guix-builder/gnu/store instead of /gnu/store.
This allows correct functioning in either case of the store being mounted or not. Its
important to note that if a users mounts their guix hosts certificates, they must also mount
its store as the certificate files in /etc/ssl/certs will be links to files in the store.
Unbeknownst to me, the docker image produced by previous versions of guix-builder actually
had a hidden dependency on the hosts /gnu/store. I have not been able to fully characterize
it, but the following proves it to be true.
This fails with an error 139, segfault:
docker run -it guix-builder:latest
However it succeeds when provided the hosts guix store:
docker run -it -v /gnu/store:/gnu/store:ro guix-builder:latest
By using GUIX_EXECUTION_ENGINE=proot (which is implied by the '-RR' option to 'guix pack'),
we avoid the segfaults and hidden dependency on the hosts /gnu/store. Sadly using proot will
have performance impacts, but I'm not sure yet to what extent this will impact my usecase.
Collin J. Doering