[bug#77288,v2,8/8] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
Message ID: fdf68baf11107aee8fa657f62a4d53caccbe5926.1744899444.git.ludo@gnu.org
State: New
Series: Rootless guix-daemon on Guix System
Commit Message
Ludovic Courtès
April 17, 2025, 2:21 p.m. UTC
DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
---
 etc/news.scm | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
Comments
Thank you Ludo for writing “Migrating to the Unprivileged Daemon”.  I have not tested on a foreign distro yet, though.

I try on Guix System the (privileged? #f) and get an error

florian@florianhp ~/src/guix$ sudo guix system reconfigure /etc/config.scm --allow-downgrades
guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

It may have been that there were messages before like

The following derivation will be built:
  /gnu/store/w2bx5x6ms3drrcpyysc2jj5lzyjnxyf0-grub.cfg.drv

I temporarily added guixbuild with groupadd, but

substitute: looking for substitutes on 'https://substitutes.nonguix.org'... 100.0%
substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/s2xpbc0qy7nkwfca3cjy15ccbinz3lis-provenance.drv
  /gnu/store/sl57i03xygqc87q4853n6g3mmys066lm-system.drv
  /gnu/store/awwrr72s7z43nvrfp74wgqihr5qsa272-grub.cfg.drv

guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

So the old daemon is still running and needs to build derivations, but its build group is already gone?  I roll back for now.

Anyway.  Could you add this German translation?

(entry (commit "XXX")
       (title
        (en "Guix System can run @command{guix-daemon} without root
privileges")
        (de "Guix System kann @command{guix-daemon} ohne root-Berechtigungen
ausführen"))
       (body
        (en "On Guix System, @code{guix-service-type} can now be configured
to run the build daemon, @command{guix-daemon}, without root privileges.  In
that configuration, the daemon runs with the authority of the
@code{guix-daemon} user, which we think can reduce the impact of some classes
of vulnerabilities that could affect it.

For now, this is opt-in: you have to change @code{guix-configuration} to set
the @code{privileged?} field to @code{#f}.  When you do this, all the files in
@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
the @code{guix-daemon} user (instead of @code{root}); this can take a while,
especially if the store is big.  To learn more about it, run:

@example
info guix --index-search=guix-service-type
@end example

Running @command{guix-daemon} without root privileges will likely become the
default in the future.

Users of Guix on other distributions can find information on how to migrate in
the manual:

@example
info guix --index-search=migration
@end example")
        (de "Auf Guix System kann @code{guix-service-type} jetzt so
konfiguriert werden, dass der Erstellungs-Daemon @command{guix-daemon} ohne
root-Berechtigungen ausgeführt wird.  In dieser Konfiguration läuft der Daemon
mit den Berechtigungen des Benutzers @code{guix-daemon}, wovon wir glauben,
dass es die Auswirkungen mancher Schwachstellen-Kategorien verringert, die ihn
betreffen könnten.

Fürs Erste bleibt es Ihnen überlassen: Sie müssen @code{guix-configuration}
anpassen und dort das Feld @code{privileged?} auf @code{#f} setzen.  Wenn Sie
das tun, wird der Besitzer aller Dateien in @file{/gnu/store},
@file{/var/guix}, usw. auf den Benutzer @code{guix-daemon} geändert (anstelle
von @code{root}); das kann eine Weile dauern, besonders wenn der Store groß
ist.  Um mehr zu erfahren, führen Sie aus:

@example
info guix --index-search=guix-service-type
@end example

Schließlich wird das Ausführen von @command{guix-daemon} ohne
root-Berechtigungen wahrscheinlich die Vorgabe.

Wer Guix auf anderen Distributionen benutzt, kann sich mit dem Handbuch
informieren, wie man umsteigt:

@example
info guix --index-search=migration
@end example")))

Regards,
Florian
Hello Florian,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> writes:

> I try on Guix System the (privileged? #f) and get an error
>
> florian@florianhp ~/src/guix$ sudo guix system reconfigure /etc/config.scm --allow-downgrades
> guix system: error: the group `guixbuild' specified in `build-users-group' does not exist
>
> It may have been that there were messages before like
>
> The following derivation will be built:
>   /gnu/store/w2bx5x6ms3drrcpyysc2jj5lzyjnxyf0-grub.cfg.drv
>
> I temporarily added guixbuild with groupadd, but
>
> substitute: looking for substitutes on 'https://substitutes.nonguix.org'... 100.0%
> substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
> substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
> The following derivations will be built:
>   /gnu/store/s2xpbc0qy7nkwfca3cjy15ccbinz3lis-provenance.drv
>   /gnu/store/sl57i03xygqc87q4853n6g3mmys066lm-system.drv
>   /gnu/store/awwrr72s7z43nvrfp74wgqihr5qsa272-grub.cfg.drv
>
> guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

That’s actually a message from guix-daemon (from ‘build.cc’).

Oh, I see where this is coming from: when running ‘guix system reconfigure’, the activation snippet creating accounts and groups immediately runs, thereby deleting ‘guixbuild’ and all the build users.  But at that point, we’re still running the privileged daemon.  So when attempting a derivation after that, like ‘provenance.drv’ above, it errors out because the build group and accounts are gone.

Problem is that this happens before the new generation has been added to ‘grub.cfg’.  So if you reboot, you’ll reboot into the previous generation.

The safest way to work around that is to keep those accounts/groups unconditionally.  It’s less pleasant to the eye, but it doesn’t hurt.

I guess I’ll have to send v3!

> Anyway.  Could you add this German translation?

Will do.

Thanks for testing & for updating the translation!

Ludo’.
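As an added example (not code from this patch or from the thread), here is a complete /etc/config.scm that opts in to the unprivileged daemon through the `privileged?` field of `guix-configuration`, as the news entry describes. The host name, bootloader target and root file-system label are constructed placeholders; the rest uses only the service and field names named on this page.

```scheme
;; Added example: minimal Guix System declaration that runs guix-daemon
;; as the unprivileged guix-daemon user (privileged? #f).
(use-modules (gnu))
(use-service-modules base)   ; provides guix-service-type / guix-configuration

(operating-system
  (host-name "example")                     ; constructed placeholder
  (timezone "Etc/UTC")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))    ; placeholder boot device

  (file-systems (cons (file-system
                        (device (file-system-label "my-root")) ; placeholder label
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (services
   (modify-services %base-services
     ;; Keep every other guix-configuration field as it was; only flip
     ;; privileged? so the daemon no longer runs as root.  On first
     ;; reconfigure this re-owns /gnu/store and /var/guix to guix-daemon,
     ;; which can take a while on a large store.
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 (privileged? #f))))))
```

Per the discussion above, with this revision of the series the reconfigure step can fail while the still-running privileged daemon tries to build derivations after its build group has been removed; Ludo's planned v3 keeps those accounts and groups unconditionally.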
diff --git a/etc/news.scm b/etc/news.scm index 4b3da44540..c1f2315e33 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -37,6 +37,37 @@ (channel-news (version 0) + (entry (commit "XXX") + (title + (en "Guix System can run @command{guix-daemon} without root +privileges")) + (body + (en "On Guix System, @code{guix-service-type} can now be configured +to run the build daemon, @command{guix-daemon}, without root privileges. In +that configuration, the daemon runs with the authority of the +@code{guix-daemon} user, which we think can reduce the impact of some classes +of vulnerabilities that could affect it. + +For now, this is opt-in: you have to change @code{guix-configuration} to set +the @code{privileged?} field to @code{#f}. When you do this, all the files in +@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to +the @code{guix-daemon} user (instead of @code{root}); this can take a while, +especially if the store is big. To learn more about it, run: + +@example +info guix --index-search=guix-service-type +@end example + +Running @command{guix-daemon} without root privileges will likely become the +default in the future. + +Users of Guix on other distributions can find information on how to migrate in +the manual: + +@example +info guix --index-search=migration +@end example"))) + (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286") (title (en "Incompatible upgrade of the Syncthing service"))
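Review bot: the new entry opens with `(commit "XXX")`, a placeholder that has to be replaced with the hash of the commit that actually lands this change before it is pushed, since channel news entries are keyed on that commit (the commit message itself flags this as a temporary DRAFT). In the same hunk, `title` and `body` carry only `en` strings; the `de` translation Florian supplied in this thread should be added alongside them in the same entry rather than in a follow-up, so the entry is complete when the placeholder is resolved.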