[bug#77288,v2,8/8] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.

Message ID fdf68baf11107aee8fa657f62a4d53caccbe5926.1744899444.git.ludo@gnu.org
State New
Series Rootless guix-daemon on Guix System

Commit Message

Ludovic Courtès April 17, 2025, 2:21 p.m. UTC
  DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
---
 etc/news.scm | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
  

Comments

pelzflorian (Florian Pelz) April 18, 2025, 1:32 p.m. UTC | #1
Thank you Ludo for writing “Migrating to the Unprivileged Daemon”.
I have not tested on a foreign distro yet, though.

I try on Guix System the (privileged? #f) and get an error

florian@florianhp ~/src/guix$ sudo guix system reconfigure /etc/config.scm --allow-downgrades
guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

It may have been that there were messages before like


The following derivation will be built:
  /gnu/store/w2bx5x6ms3drrcpyysc2jj5lzyjnxyf0-grub.cfg.drv

I temporarily added guixbuild with groupadd, but

substitute: looking for substitutes on 'https://substitutes.nonguix.org'... 100.0%
substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/s2xpbc0qy7nkwfca3cjy15ccbinz3lis-provenance.drv
  /gnu/store/sl57i03xygqc87q4853n6g3mmys066lm-system.drv
  /gnu/store/awwrr72s7z43nvrfp74wgqihr5qsa272-grub.cfg.drv

guix system: error: the group `guixbuild' specified in `build-users-group' does not exist


So the old daemon is still running and needs to build derivations, but its 
build-group is already gone?  I roll back for now.

Anyway.  Could you add this German translation?

(entry (commit "XXX")
        (title
         (en "Guix System can run @command{guix-daemon} without root
privileges")
         (de "Guix System kann @command{guix-daemon} ohne root-Berechtigungen
ausführen"))
        (body
         (en "On Guix System, @code{guix-service-type} can now be configured
to run the build daemon, @command{guix-daemon}, without root privileges.  In
that configuration, the daemon runs with the authority of the
@code{guix-daemon} user, which we think can reduce the impact of some classes
of vulnerabilities that could affect it.

For now, this is opt-in: you have to change @code{guix-configuration} to set
the @code{privileged?} field to @code{#f}.  When you do this, all the files in
@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
the @code{guix-daemon} user (instead of @code{root}); this can take a while,
especially if the store is big.  To learn more about it, run:

@example
info guix --index-search=guix-service-type
@end example

Running @command{guix-daemon} without root privileges will likely become the
default in the future.

Users of Guix on other distributions can find information on how to migrate in
the manual:

@example
info guix --index-search=migration
@end example")
         (de "Auf Guix System kann @code{guix-service-type} jetzt so
konfiguriert werden, dass der Erstellungs-Daemon @command{guix-daemon} ohne
root-Berechtigungen ausgeführt wird.  In dieser Konfiguration läuft der Daemon
mit den Berechtigungen des Benutzers @code{guix-daemon}, wovon wir glauben,
dass es die Auswirkungen mancher Schwachstellen-Kategorien verringert, die ihn
betreffen könnten.

Fürs Erste bleibt es Ihnen überlassen: Sie müssen @code{guix-configuration}
anpassen und dort das Feld @code{privileged?} auf @code{#f} setzen.  Wenn Sie
das tun, wird der Besitzer aller Dateien in @file{/gnu/store},
@file{/var/guix}, usw. auf den Benutzer @code{guix-daemon} geändert (anstelle
von @code{root}); das kann eine Weile dauern, besonders wenn der Store groß
ist.  Um mehr zu erfahren, führen Sie aus:

@example
info guix --index-search=guix-service-type
@end example

Schließlich wird das Ausführen von @command{guix-daemon} ohne
root-Berechtigungen wahrscheinlich die Vorgabe.

Wer Guix auf anderen Distributionen benutzt, kann sich mit dem Handbuch
informieren, wie man umsteigt:

@example
info guix --index-search=migration
@end example")))

Regards,
Florian
  
Ludovic Courtès April 18, 2025, 5:04 p.m. UTC | #2
Hello Florian,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> writes:

> I try on Guix System the (privileged? #f) and get an error
>
> florian@florianhp ~/src/guix$ sudo guix system reconfigure /etc/config.scm --allow-downgrades
> guix system: error: the group `guixbuild' specified in `build-users-group' does not exist
>
> It may have been that there were messages before like
>
>
> The following derivation will be built:
>   /gnu/store/w2bx5x6ms3drrcpyysc2jj5lzyjnxyf0-grub.cfg.drv
>
> I temporarily added guixbuild with groupadd, but
>
> substitute: looking for substitutes on 'https://substitutes.nonguix.org'... 100.0%
> substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
> substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
> The following derivations will be built:
>   /gnu/store/s2xpbc0qy7nkwfca3cjy15ccbinz3lis-provenance.drv
>   /gnu/store/sl57i03xygqc87q4853n6g3mmys066lm-system.drv
>   /gnu/store/awwrr72s7z43nvrfp74wgqihr5qsa272-grub.cfg.drv
>
> guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

That’s actually a message from guix-daemon (from ‘build.cc’).

Oh, I see where this is coming from: when running ‘guix system
reconfigure’, the activation snippet creating accounts and groups
immediately runs, thereby deleting ‘guixbuild’ and all the build users.

But at that point, we’re still running the privileged daemon.  So when
attempting a derivation after that, like ‘provenance.drv’ above, it
errors out because the build group and accounts are gone.

Problem is that this happens before the new generation has been added to
‘grub.cfg’.  So if you reboot, you’ll reboot into the previous
generation.

The safest way to work around that is to keep those accounts/groups
unconditionally.  It’s less pleasant to the eye, but it doesn’t hurt.
I guess I’ll have to send v3!

> Anyway.  Could you add this German translation?

Will do.

Thanks for testing & for updating the translation!

Ludo’.
  
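As an added illustration of the opt-in that the news entry and the exchange above describe (this is a constructed example, not code from the patch or from the Guix project), the following sketches what setting the field looks like in an operating-system declaration. The `privileged?` field of `guix-configuration` is the one this series introduces; the host name, bootloader target and root file-system label are placeholder values and the remaining services are inherited from `%base-services`.

```scheme
;; Constructed example: an operating-system declaration that opts in to the
;; unprivileged build daemon.  Placeholder values are marked as such.
(use-modules (gnu)
             (gnu services base))

(operating-system
  (host-name "example")                     ; placeholder
  (timezone "Etc/UTC")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))    ; placeholder target
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))  ; placeholder
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (services
   (modify-services %base-services
     ;; Keep every other field of the default guix-configuration and only
     ;; flip the daemon to run as the 'guix-daemon' user instead of root.
     ;; On the first reconfigure this chowns /gnu/store and /var/guix to
     ;; that user, which can take a while on a large store.
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 (privileged? #f))))))
```

After `guix system reconfigure` with such a configuration, the property worth checking is that the running daemon is no longer root: `ps -o user= -C guix-daemon` (procps) should report `guix-daemon`. As Florian's report shows, the switch-over itself can still fail if the old privileged daemon has to build a derivation after the build group has been removed, which Ludovic says a v3 of the series will address by keeping those accounts and groups unconditionally.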

Patch

diff --git a/etc/news.scm b/etc/news.scm
index 4b3da44540..c1f2315e33 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -37,6 +37,37 @@ 
 (channel-news
  (version 0)
 
+ (entry (commit "XXX")
+        (title
+         (en "Guix System can run @command{guix-daemon} without root
+privileges"))
+        (body
+         (en "On Guix System, @code{guix-service-type} can now be configured
+to run the build daemon, @command{guix-daemon}, without root privileges.  In
+that configuration, the daemon runs with the authority of the
+@code{guix-daemon} user, which we think can reduce the impact of some classes
+of vulnerabilities that could affect it.
+
+For now, this is opt-in: you have to change @code{guix-configuration} to set
+the @code{privileged?} field to @code{#f}.  When you do this, all the files in
+@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
+the @code{guix-daemon} user (instead of @code{root}); this can take a while,
+especially if the store is big.  To learn more about it, run:
+
+@example
+info guix --index-search=guix-service-type
+@end example
+
+Running @command{guix-daemon} without root privileges will likely become the
+default in the future.
+
+Users of Guix on other distributions can find information on how to migrate in
+the manual:
+
+@example
+info guix --index-search=migration
+@end example")))
+
  (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286")
         (title
          (en "Incompatible upgrade of the Syncthing service"))
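Review bot: the `(commit "XXX")` placeholder on the first added line must be replaced with the real commit id before this lands, since channel news entries are keyed on that hash and the draft status in the subject line suggests this is still pending. The entry also carries only `en` title and body strings; the German `de` title and body that Florian posted in comment #1 should be added alongside them, as the author already agreed to do, so the news is complete when the placeholder is filled in.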