Message ID | cover.1742739608.git.ludo@gnu.org
---|---
Subject | [bug#75810] [PATCH v8 00/16] Rootless guix-daemon
From | Ludovic Courtès <ludo@gnu.org>
Date | Sun, 23 Mar 2025 15:24:53 +0100
In-Reply-To | cover.1737738362.git.ludo@gnu.org
Series | Rootless guix-daemon
Message
Ludovic Courtès
March 23, 2025, 2:24 p.m. UTC
Hello,

Changes since v7, both in the patch entitled “daemon: Allow running as non-root […]”:

• Check “isInStore(drv.builder)” before calling ‘execve’, as suggested by Reepca.
• Add comment in “builder is outside the store” test in ‘tests/derivations.scm’.

I believe these were the last outstanding issues. I’ll merge it in the coming days if there are no objections.

Thanks,
Ludo’.

Ludovic Courtès (16):
  daemon: Use ‘close_range’ where available.
  daemon: Close the read end of the logging pipe.
  daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
  daemon: Bind-mount all the inputs, not just directories.
  daemon: Remount inputs as read-only.
  daemon: Remount root directory as read-only.
  daemon: Allow running as non-root with unprivileged user namespaces.
  daemon: Create /var/guix/profiles/per-user unconditionally.
  daemon: Drop Linux ambient capabilities before executing builder.
  daemon: Move comments where they belong.
  linux-container: ‘unprivileged-user-namespace-supported?’ returns #f on non-Linux.
  tests: Add missing derivation inputs.
  tests: Run in a chroot and unprivileged user namespaces.
  etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
  guix-install.sh: Support the unprivileged daemon where possible.
  DRAFT gnu: guix: Update to c9c7f87.

 build-aux/test-env.in               |  18 +-
 config-daemon.ac                    |   5 +-
 doc/guix.texi                       | 102 ++++++++--
 etc/gnu-store.mount.in              |   3 +-
 etc/guix-daemon.service.in          |  22 ++-
 etc/guix-install.sh                 | 124 ++++++++++--
 gnu/build/linux-container.scm       |   4 +-
 gnu/packages/package-management.scm |   6 +-
 guix/substitutes.scm                |   2 +-
 nix/libstore/build.cc               | 274 ++++++++++++++++++++++------
 nix/libstore/local-store.cc         |  26 ++-
 nix/libutil/util.cc                 |  26 ++-
 tests/derivations.scm               |  38 +++-
 tests/packages.scm                  |  13 +-
 tests/processes.scm                 |   9 +-
 tests/store.scm                     | 247 +++++++++++++++++++++----
 16 files changed, 733 insertions(+), 186 deletions(-)

base-commit: efac1498c15198afc4f9a2bc700408bde1b3b3ed
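The first change listed in the cover letter, checking that a derivation's builder lives in the store before the daemon hands it to ‘execve’, comes down to a path-containment test, and the easy mistakes are a bare string-prefix comparison (which accepts /gnu/store-evil/…) and trusting un-normalised paths (which accepts /gnu/store/../../bin/sh). The following is an added example of such a test, written for this page and not the daemon's own isInStore implementation; it assumes the store is at /gnu/store and works lexically, so it does not resolve symbolic links, which a real check would have to do (for instance with realpath(3)) before comparing.

```cpp
// Added example (not guix-daemon code): a store-path containment check of the
// kind an exec gate needs before running a derivation's builder.  Assumes the
// store directory is /gnu/store; `storeDir` is a parameter of this example.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Lexically normalise an absolute path: drop empty and "." components and
// collapse "..".  Symbolic links are NOT resolved here; a real daemon should
// canonicalise the path (e.g. realpath(3)) before applying this check.
static std::string normalizePath(const std::string &path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string comp;
    while (std::getline(ss, comp, '/')) {
        if (comp.empty() || comp == ".") continue;
        if (comp == "..") {
            if (!parts.empty()) parts.pop_back();
            continue;
        }
        parts.push_back(comp);
    }
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// True iff `path` is absolute and names something strictly inside `storeDir`.
// The comparison is on whole path components, so "/gnu/store-evil/x" and
// "/gnu/store" itself are rejected, as is anything that escapes via "..".
bool isInStore(const std::string &path, const std::string &storeDir = "/gnu/store") {
    if (path.empty() || path[0] != '/') return false;   // relative paths never qualify
    const std::string p = normalizePath(path);
    const std::string s = normalizePath(storeDir);
    if (s == "/") return false;                          // a root "store" would contain everything
    return p.size() > s.size() + 1                       // at least one component after the store dir
        && p.compare(0, s.size(), s) == 0                // same leading components ...
        && p[s.size()] == '/';                           // ... ending exactly on a boundary
}

// The gate itself: what an exec path would consult before calling execve().
bool builderAllowed(const std::string &builder) {
    return isInStore(builder);
}

int main() {
    // Constructed sample builder paths, not taken from any real derivation.
    const char *samples[] = {
        "/gnu/store/0000000000000000000000000000000-bash/bin/bash",
        "/gnu/store-evil/bin/sh",
        "/gnu/store/../../bin/sh",
        "gnu/store/relative",
    };
    for (const char *b : samples)
        std::cout << b << " -> " << (builderAllowed(b) ? "in store" : "REJECT") << '\n';
    return 0;
}
```

The `p.size() > s.size() + 1` guard is what turns a prefix match into a component match: without it, `/gnu/store/` normalises to `/gnu/store` and would compare equal to the store directory rather than being rejected.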