[bug#75810,v7,00/16] Rootless guix-daemon

Message ID	cover.1742503590.git.ludo@gnu.org
Headers	Subject: [bug#75810] [PATCH v7 00/16] Rootless guix-daemon References: <cover.1737738362.git.ludo@gnu.org> In-Reply-To: <cover.1737738362.git.ludo@gnu.org> Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 20 Mar 2025 20:57:05 +0000 Resent-Message-ID: <handler.75810.B75810.174250420225016@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>, Reepca Russelstein <reepca@russelstein.xyz> From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Date: Thu, 20 Mar 2025 21:54:33 +0100 Message-ID: <cover.1742503590.git.ludo@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Rootless guix-daemon \| [bug#75810,v7,00/16] Rootless guix-daemon [bug#75810,v7,01/16] daemon: Use ‘close_range’ where available. [bug#75810,v7,02/16] daemon: Close the read end of the logging pipe. [bug#75810,v7,03/16] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists. [bug#75810,v7,04/16] daemon: Bind-mount all the inputs, not just directories. [bug#75810,v7,05/16] daemon: Remount inputs as read-only. [bug#75810,v7,06/16] daemon: Remount root directory as read-only. [bug#75810,v7,07/16] daemon: Allow running as non-root with unprivileged user namespaces. [bug#75810,v7,08/16] daemon: Create /var/guix/profiles/per-user unconditionally. [bug#75810,v7,09/16] daemon: Drop Linux ambient capabilities before executing builder. [bug#75810,v7,10/16] daemon: Move comments where they belong. [bug#75810,v7,11/16] linux-container: ‘unprivileged-user-namespace-supported?’ returns #f on non-Li… [bug#75810,v7,12/16] tests: Add missing derivation inputs. [bug#75810,v7,13/16] tests: Run in a chroot and unprivileged user namespaces. [bug#75810,v7,14/16] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user. [bug#75810,v7,15/16] guix-install.sh: Support the unprivileged daemon where possible. [bug#75810,v7,16/16] DRAFT gnu: guix: Update to f447941.

Message ID

cover.1742503590.git.ludo@gnu.org

Headers

Subject: [bug#75810] [PATCH v7 00/16] Rootless guix-daemon
References: <cover.1737738362.git.ludo@gnu.org>
In-Reply-To: <cover.1737738362.git.ludo@gnu.org>
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Thu, 20 Mar 2025 20:57:05 +0000
Resent-Message-ID: <handler.75810.B75810.174250420225016@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: 75810@debbugs.gnu.org
Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>,
 Reepca Russelstein <reepca@russelstein.xyz>
From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Date: Thu, 20 Mar 2025 21:54:33 +0100
Message-ID: <cover.1742503590.git.ludo@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org

Series

Rootless guix-daemon |

Message

Ludovic Courtès March 20, 2025, 8:54 p.m. UTC

  Hello,

Changes compared to v6 (all suggested by Reepca):

  • Canonicalize the builder’s file name before ‘execve’
    and add the “builder is outside the store” test in
    ‘tests/derivations.scm’ (though the test would already
    succeed before due to the ELF interpreter being unavailable
    in the chroot).

  • Explicitly close both ends of the ‘readiness’ pipe.

  • Use ‘mkdir -p’ to create /var/log/guix in ‘guix-install.sh’.

Thoughts?

Ludo’.

Ludovic Courtès (16):
  daemon: Use ‘close_range’ where available.
  daemon: Close the read end of the logging pipe.
  daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
  daemon: Bind-mount all the inputs, not just directories.
  daemon: Remount inputs as read-only.
  daemon: Remount root directory as read-only.
  daemon: Allow running as non-root with unprivileged user namespaces.
  daemon: Create /var/guix/profiles/per-user unconditionally.
  daemon: Drop Linux ambient capabilities before executing builder.
  daemon: Move comments where they belong.
  linux-container: ‘unprivileged-user-namespace-supported?’ returns #f
    on non-Linux.
  tests: Add missing derivation inputs.
  tests: Run in a chroot and unprivileged user namespaces.
  etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
  guix-install.sh: Support the unprivileged daemon where possible.
  DRAFT gnu: guix: Update to f447941.

 build-aux/test-env.in               |  18 +-
 config-daemon.ac                    |   5 +-
 doc/guix.texi                       | 102 ++++++++---
 etc/gnu-store.mount.in              |   3 +-
 etc/guix-daemon.service.in          |  22 ++-
 etc/guix-install.sh                 | 124 ++++++++++---
 gnu/build/linux-container.scm       |   4 +-
 gnu/packages/package-management.scm |   6 +-
 guix/substitutes.scm                |   2 +-
 nix/libstore/build.cc               | 271 ++++++++++++++++++++++------
 nix/libstore/local-store.cc         |  26 ++-
 nix/libutil/util.cc                 |  26 ++-
 tests/derivations.scm               |  34 +++-
 tests/packages.scm                  |  13 +-
 tests/processes.scm                 |   9 +-
 tests/store.scm                     | 247 +++++++++++++++++++++----
 16 files changed, 726 insertions(+), 186 deletions(-)


base-commit: cbd2db98954739db1cdda208e1667c5d50976bf1