From: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:47:57 +0100
Subject: [bug#75810] [PATCH v5 00/14] Rootless guix-daemon
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein

Hello Guix!

Changes since v4:

  • Remove qualifiers such as “new” from the documentation and clarify that unprivileged guix-daemon is the option chosen by default in some cases (Simon, Maxim).

  • Change ‘deleteTmpDir’ to deal with the case where CAP_SYS_CHOWN is available but ‘--disable-chroot’ is used (Reepca).

  • Add ‘unshare’ call in the build process before ‘execve’ to create new user and mount namespaces, thereby locking together all the previous mounts; check by calling ‘umount’ and ensuring that it returns EINVAL that mounts are indeed locked (Reepca).

  • In ‘guix-install.sh’, keep /var/guix/profiles/per-user/root root-owned (previously it was chowned to ‘guix-daemon’).

  • In ‘guix-install.sh’, start ‘gnu-store.mount’ explicitly since it is no longer a dependency of ‘guix-daemon.service’.

  • In ‘guix-daemon.service.in’, set ‘GUIX_DATABASE_DIRECTORY=/var/guix’ for forward compatibility (I’m thinking of eventually changing the default database location when not running as root).
With these changes, the ‘debian-install’ and ‘guix-daemon’ system tests both pass. I think we’ve never been this close to completion. :-)

Thoughts?

Thanks a lot for your feedback, comrades.

Ludo’.

Ludovic Courtès (14):
  daemon: Use ‘close_range’ where available.
  daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
  daemon: Bind-mount all the inputs, not just directories.
  daemon: Remount inputs as read-only.
  daemon: Remount root directory as read-only.
  daemon: Allow running as non-root with unprivileged user namespaces.
  daemon: Create /var/guix/profiles/per-user unconditionally.
  daemon: Drop Linux ambient capabilities before executing builder.
  daemon: Move comments where they belong.
  tests: Add missing derivation inputs.
  tests: Run in a chroot and unprivileged user namespaces.
  etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
  guix-install.sh: Support the unprivileged daemon where possible.
  DRAFT gnu: guix: Update to 00562be.

 build-aux/test-env.in               |  16 +-
 config-daemon.ac                    |   5 +-
 doc/guix.texi                       | 102 +++++++++--
 etc/gnu-store.mount.in              |   3 +-
 etc/guix-daemon.service.in          |  22 ++-
 etc/guix-install.sh                 | 109 +++++++++--
 gnu/packages/package-management.scm |   6 +-
 guix/substitutes.scm                |   2 +-
 nix/libstore/build.cc               | 247 ++++++++++++++++++++------
 nix/libstore/local-store.cc         |  26 ++-
 nix/libutil/util.cc                 |  23 ++-
 tests/derivations.scm               |  24 ++-
 tests/packages.scm                  |  13 +-
 tests/processes.scm                 |   9 +-
 tests/store.scm                     | 250 ++++++++++++++++++++++++----
 15 files changed, 675 insertions(+), 182 deletions(-)

base-commit: 519fc51b6ecfe9ac9f2fa2f4ae052ab1984eed22
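The mount-locking check from the ‘unshare’ item in the change list, as a stand-alone C program added here (it is not code from the patch series): it enters unprivileged user and mount namespaces, makes a bind mount that can still be unmounted, then calls ‘unshare’ again and verifies that ‘umount’ of the inherited mount now fails with EINVAL. The /tmp scratch directory, the fork-based probe and the result codes are this example's own assumptions; the probe reports "unavailable" wherever the kernel or a seccomp policy refuses unprivileged namespaces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

enum { LOCK_LOCKED = 0, LOCK_NOT_LOCKED = 1, LOCK_UNAVAILABLE = 2 }; /* this example's own codes */

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text)); close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs in a forked child so the namespace changes never affect the caller. */
static void probe(const char *dir, uid_t uid, gid_t gid)
{
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) _exit(LOCK_UNAVAILABLE);
    /* Map ourselves to root: creating the nested user namespace below requires a mapped uid/gid. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/setgroups", "deny") < 0 || write_file("/proc/self/uid_map", map) < 0) _exit(LOCK_UNAVAILABLE);
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) < 0) _exit(LOCK_UNAVAILABLE);
    /* A bind mount created in this namespace is not locked: unmounting it works. */
    if (mount(dir, dir, NULL, MS_BIND, NULL) < 0 || umount(dir) < 0) _exit(LOCK_UNAVAILABLE);
    if (mount(dir, dir, NULL, MS_BIND, NULL) < 0) _exit(LOCK_UNAVAILABLE);
    /* Entering nested user+mount namespaces marks every inherited mount MNT_LOCKED. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) _exit(LOCK_UNAVAILABLE);
    if (umount(dir) == 0) _exit(LOCK_NOT_LOCKED);
    _exit(errno == EINVAL ? LOCK_LOCKED : LOCK_UNAVAILABLE);   /* EINVAL is the "locked" signal */
}

int check_mounts_locked(void)
{
    char dir[] = "/tmp/mntlock.XXXXXX";   /* constructed scratch mount point */
    int status, result = LOCK_UNAVAILABLE;
    if (!mkdtemp(dir)) return result;
    pid_t pid = fork();
    if (pid == 0) probe(dir, getuid(), getgid());
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) result = WEXITSTATUS(status);
    rmdir(dir);
    return result;
}
```

A result of LOCK_NOT_LOCKED would mean the daemon's assumption does not hold on that kernel; LOCK_UNAVAILABLE means the check could not run and says nothing about locking.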