[bug#41259] etc: Add a systemd unit to bind-mount @storedir@ read-only.

* etc/gnu-store.mount.in: New file.
* nix/local.mk (nodist_systemdservice_DATA): Add it.
(etc/%.mount): New rule.
* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
* doc/guix.texi (Binary Installation): Document it.
---

For <https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.

 doc/guix.texi          |  5 +++--
 etc/gnu-store.mount.in | 14 ++++++++++++++
 etc/guix-install.sh    | 12 +++++++++---
 nix/local.mk           | 12 +++++++++++-
 4 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 etc/gnu-store.mount.in

Le 14 mai 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org> a écrit :
>* etc/gnu-store.mount.in: New file.
>* nix/local.mk (nodist_systemdservice_DATA): Add it.
>(etc/%.mount): New rule.
>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
>* doc/guix.texi (Binary Installation): Document it.
>---
>
>For
><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.
>
> doc/guix.texi          |  5 +++--
> etc/gnu-store.mount.in | 14 ++++++++++++++
> etc/guix-install.sh    | 12 +++++++++---
> nix/local.mk           | 12 +++++++++++-
> 4 files changed, 37 insertions(+), 6 deletions(-)
> create mode 100644 etc/gnu-store.mount.in
>
>diff --git a/doc/guix.texi b/doc/guix.texi
>index d6fbd85fde..5d80a7e405 100644
>--- a/doc/guix.texi
>+++ b/doc/guix.texi
>@@ -659,9 +659,10 @@ with these commands:
> @c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
> 
> @example
>-# cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>\
>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
>+     ~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>\
>      /etc/systemd/system/
>-# systemctl enable --now guix-daemon
>+# systemctl enable --now gnu-store.mount guix-daemon
> @end example
> 
> If your host distro uses the Upstart init system:
>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
>new file mode 100644
>index 0000000000..c94f2db72b
>--- /dev/null
>+++ b/etc/gnu-store.mount.in
>@@ -0,0 +1,14 @@
>+[Unit]
>+Description=Read-only @storedir@ for GNU Guix
>+DefaultDependencies=no
>+ConditionPathExists=@storedir@
>+Before=guix-daemon.service
>+
>+[Install]
>+WantedBy=guix-daemon.service
>+
>+[Mount]
>+What=@storedir@
>+Where=@storedir@
>+Type=none
>+Options=bind,ro
>diff --git a/etc/guix-install.sh b/etc/guix-install.sh
>index 4909d3f162..d252c132fb 100755
>--- a/etc/guix-install.sh
>+++ b/etc/guix-install.sh
>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()
>                 _msg "${PAS}enabled Guix daemon via upstart"
>             ;;
>         systemd)
>-            { cp
>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>\
>+            { # systemd .mount units must be named after the target
>directory.
>+              # Here we assume a hard-coded name of /gnu/store.
>+              cp
>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount"
>\
>+                 /etc/systemd/system/;
>+              chmod 664 /etc/systemd/system/gnu-store.mount;
>+
>+              cp
>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>\
>                  /etc/systemd/system/;
>               chmod 664 /etc/systemd/system/guix-daemon.service;
> 
>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()
> 	      fi;
> 
>               systemctl daemon-reload &&
>-                  systemctl start guix-daemon &&
>-                  systemctl enable guix-daemon; } &&
>+                  systemctl start  gnu-store.mount guix-daemon &&
>+                  systemctl enable gnu-store.mount guix-daemon; } &&
>                 _msg "${PAS}enabled Guix daemon via systemd"
>             ;;
>         sysv-init)
>diff --git a/nix/local.mk b/nix/local.mk
>index a64bdd2137..435fdd389a 100644
>--- a/nix/local.mk
>+++ b/nix/local.mk
>@@ -155,7 +155,17 @@ noinst_HEADERS =						\
> 
> # The '.service' files for systemd.
> systemdservicedir = $(libdir)/systemd/system
>-nodist_systemdservice_DATA = etc/guix-daemon.service
>etc/guix-publish.service
>+nodist_systemdservice_DATA =			\
>+  etc/gnu-store.mount				\
>+  etc/guix-daemon.service			\
>+  etc/guix-publish.service
>+
>+etc/%.mount: etc/%.mount.in	\
>+			 $(top_builddir)/config.status
>+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
>+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
>+	       "$<" > "$@.tmp";		\
>+	mv "$@.tmp" "$@"
> 
> etc/guix-%.service: etc/guix-%.service.in	\
> 			 $(top_builddir)/config.status

I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?

I'll try that on a VM of a foreign distro soonish and report. Thanks!

Julien Lepiller <julien@lepiller.eu> writes:

>>+etc/%.mount: etc/%.mount.in	\
>>+			 $(top_builddir)/config.status
>>+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
>>+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
>>+	       "$<" > "$@.tmp";		\
>>+	mv "$@.tmp" "$@"
>> 
>> etc/guix-%.service: etc/guix-%.service.in	\
>> 			 $(top_builddir)/config.status
>
> I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?

Because --storedir can in theory be something like '$prefix/store',
which would not get properly expanded by configure.  See "Installation
Directory Variables" in the GNU Autoconf manual:

  https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html

(in particular scroll down to the notice about AC_CONFIG_FILES)

Julien,

Julien Lepiller 写道：
>> etc/guix-%.service: etc/guix-%.service.in	\
>> 			 $(top_builddir)/config.status
>
> I see that's how it's done with the existing service, but why 
> sed the .in file when we could let configure.ac take care of it?

¯\_(ツ)_/¯!

TBH I wondered the same thing but am not in deep-dive mode ATM.

> I'll try that on a VM of a foreign distro soonish and 
> report. Thanks!

Thank you!  I'm still in the middle of reinstalling Guix on my 
main laptop, which should give me back my magical KVM powers.

Kind regards,

T G-R

Tobias Geerinckx-Rice via Guix-patches via 写道：
>                systemctl daemon-reload &&
> -                  systemctl start guix-daemon &&
> -                  systemctl enable guix-daemon; } &&
> +                  systemctl start  gnu-store.mount guix-daemon 
> &&
> +                  systemctl enable gnu-store.mount guix-daemon; 
> } &&

Speaking of things I wondered: I'm no systemd wizard but I think 
‘enable --now’ would be equivalent and less repetitive.

Kind regards,

T G-R

Marius Bakke 写道：
>> I see that's how it's done with the existing service, but why 
>> sed the .in file when we could let configure.ac take care of 
>> it?
>
> Because --storedir can in theory be something like 
> '$prefix/store',
> which would not get properly expanded by configure.

Makes sense.  Thanks Marius,

T G-R

Le 14 mai 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu> a écrit :
>Le 14 mai 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via
>Guix-patches via <guix-patches@gnu.org> a écrit :
>>* etc/gnu-store.mount.in: New file.
>>* nix/local.mk (nodist_systemdservice_DATA): Add it.
>>(etc/%.mount): New rule.
>>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
>>* doc/guix.texi (Binary Installation): Document it.
>>---
>>
>>For
>><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.
>>
>> doc/guix.texi          |  5 +++--
>> etc/gnu-store.mount.in | 14 ++++++++++++++
>> etc/guix-install.sh    | 12 +++++++++---
>> nix/local.mk           | 12 +++++++++++-
>> 4 files changed, 37 insertions(+), 6 deletions(-)
>> create mode 100644 etc/gnu-store.mount.in
>>
>>diff --git a/doc/guix.texi b/doc/guix.texi
>>index d6fbd85fde..5d80a7e405 100644
>>--- a/doc/guix.texi
>>+++ b/doc/guix.texi
>>@@ -659,9 +659,10 @@ with these commands:
>> @c
>https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
>> 
>> @example
>>-# cp
>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>\
>>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
>>+    
>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>\
>>      /etc/systemd/system/
>>-# systemctl enable --now guix-daemon
>>+# systemctl enable --now gnu-store.mount guix-daemon
>> @end example
>> 
>> If your host distro uses the Upstart init system:
>>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
>>new file mode 100644
>>index 0000000000..c94f2db72b
>>--- /dev/null
>>+++ b/etc/gnu-store.mount.in
>>@@ -0,0 +1,14 @@
>>+[Unit]
>>+Description=Read-only @storedir@ for GNU Guix
>>+DefaultDependencies=no
>>+ConditionPathExists=@storedir@
>>+Before=guix-daemon.service
>>+
>>+[Install]
>>+WantedBy=guix-daemon.service
>>+
>>+[Mount]
>>+What=@storedir@
>>+Where=@storedir@
>>+Type=none
>>+Options=bind,ro
>>diff --git a/etc/guix-install.sh b/etc/guix-install.sh
>>index 4909d3f162..d252c132fb 100755
>>--- a/etc/guix-install.sh
>>+++ b/etc/guix-install.sh
>>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()
>>                 _msg "${PAS}enabled Guix daemon via upstart"
>>             ;;
>>         systemd)
>>-            { cp
>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>\
>>+            { # systemd .mount units must be named after the target
>>directory.
>>+              # Here we assume a hard-coded name of /gnu/store.
>>+              cp
>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount"
>>\
>>+                 /etc/systemd/system/;
>>+              chmod 664 /etc/systemd/system/gnu-store.mount;
>>+
>>+              cp
>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>\
>>                  /etc/systemd/system/;
>>               chmod 664 /etc/systemd/system/guix-daemon.service;
>> 
>>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()
>> 	      fi;
>> 
>>               systemctl daemon-reload &&
>>-                  systemctl start guix-daemon &&
>>-                  systemctl enable guix-daemon; } &&
>>+                  systemctl start  gnu-store.mount guix-daemon &&
>>+                  systemctl enable gnu-store.mount guix-daemon; } &&
>>                 _msg "${PAS}enabled Guix daemon via systemd"
>>             ;;
>>         sysv-init)
>>diff --git a/nix/local.mk b/nix/local.mk
>>index a64bdd2137..435fdd389a 100644
>>--- a/nix/local.mk
>>+++ b/nix/local.mk
>>@@ -155,7 +155,17 @@ noinst_HEADERS =						\
>> 
>> # The '.service' files for systemd.
>> systemdservicedir = $(libdir)/systemd/system
>>-nodist_systemdservice_DATA = etc/guix-daemon.service
>>etc/guix-publish.service
>>+nodist_systemdservice_DATA =			\
>>+  etc/gnu-store.mount				\
>>+  etc/guix-daemon.service			\
>>+  etc/guix-publish.service
>>+
>>+etc/%.mount: etc/%.mount.in	\
>>+			 $(top_builddir)/config.status
>>+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
>>+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
>>+	       "$<" > "$@.tmp";		\
>>+	mv "$@.tmp" "$@"
>> 
>> etc/guix-%.service: etc/guix-%.service.in	\
>> 			 $(top_builddir)/config.status
>
>I see that's how it's done with the existing service, but why sed the
>.in file when we could let configure.ac take care of it?
>
>I'll try that on a VM of a foreign distro soonish and report. Thanks!

I tested it on a debian VM and it worked well. I tested the installer script and it fails at installing the .mount unit, because it does not exist in the tarball.

After installing the unit manually, I could start the .mount service and found that I was not able to remove store store items with rm. I checked that Guix is able to install new store items.

Le 14 mai 2020 12:35:12 GMT-04:00, Julien Lepiller <julien@lepiller.eu> a écrit :
>Le 14 mai 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu>
>a écrit :
>>Le 14 mai 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via
>>Guix-patches via <guix-patches@gnu.org> a écrit :
>>>* etc/gnu-store.mount.in: New file.
>>>* nix/local.mk (nodist_systemdservice_DATA): Add it.
>>>(etc/%.mount): New rule.
>>>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
>>>* doc/guix.texi (Binary Installation): Document it.
>>>---
>>>
>>>For
>>><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.
>>>
>>> doc/guix.texi          |  5 +++--
>>> etc/gnu-store.mount.in | 14 ++++++++++++++
>>> etc/guix-install.sh    | 12 +++++++++---
>>> nix/local.mk           | 12 +++++++++++-
>>> 4 files changed, 37 insertions(+), 6 deletions(-)
>>> create mode 100644 etc/gnu-store.mount.in
>>>
>>>diff --git a/doc/guix.texi b/doc/guix.texi
>>>index d6fbd85fde..5d80a7e405 100644
>>>--- a/doc/guix.texi
>>>+++ b/doc/guix.texi
>>>@@ -659,9 +659,10 @@ with these commands:
>>> @c
>>https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
>>> 
>>> @example
>>>-# cp
>>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>>\
>>>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
>>>+    
>>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>>\
>>>      /etc/systemd/system/
>>>-# systemctl enable --now guix-daemon
>>>+# systemctl enable --now gnu-store.mount guix-daemon
>>> @end example
>>> 
>>> If your host distro uses the Upstart init system:
>>>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
>>>new file mode 100644
>>>index 0000000000..c94f2db72b
>>>--- /dev/null
>>>+++ b/etc/gnu-store.mount.in
>>>@@ -0,0 +1,14 @@
>>>+[Unit]
>>>+Description=Read-only @storedir@ for GNU Guix
>>>+DefaultDependencies=no
>>>+ConditionPathExists=@storedir@
>>>+Before=guix-daemon.service
>>>+
>>>+[Install]
>>>+WantedBy=guix-daemon.service
>>>+
>>>+[Mount]
>>>+What=@storedir@
>>>+Where=@storedir@
>>>+Type=none
>>>+Options=bind,ro
>>>diff --git a/etc/guix-install.sh b/etc/guix-install.sh
>>>index 4909d3f162..d252c132fb 100755
>>>--- a/etc/guix-install.sh
>>>+++ b/etc/guix-install.sh
>>>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()
>>>                 _msg "${PAS}enabled Guix daemon via upstart"
>>>             ;;
>>>         systemd)
>>>-            { cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>>\
>>>+            { # systemd .mount units must be named after the target
>>>directory.
>>>+              # Here we assume a hard-coded name of /gnu/store.
>>>+              cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount"
>>>\
>>>+                 /etc/systemd/system/;
>>>+              chmod 664 /etc/systemd/system/gnu-store.mount;
>>>+
>>>+              cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>>\
>>>                  /etc/systemd/system/;
>>>               chmod 664 /etc/systemd/system/guix-daemon.service;
>>> 
>>>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()
>>> 	      fi;
>>> 
>>>               systemctl daemon-reload &&
>>>-                  systemctl start guix-daemon &&
>>>-                  systemctl enable guix-daemon; } &&
>>>+                  systemctl start  gnu-store.mount guix-daemon &&
>>>+                  systemctl enable gnu-store.mount guix-daemon; } &&
>>>                 _msg "${PAS}enabled Guix daemon via systemd"
>>>             ;;
>>>         sysv-init)
>>>diff --git a/nix/local.mk b/nix/local.mk
>>>index a64bdd2137..435fdd389a 100644
>>>--- a/nix/local.mk
>>>+++ b/nix/local.mk
>>>@@ -155,7 +155,17 @@ noinst_HEADERS =						\
>>> 
>>> # The '.service' files for systemd.
>>> systemdservicedir = $(libdir)/systemd/system
>>>-nodist_systemdservice_DATA = etc/guix-daemon.service
>>>etc/guix-publish.service
>>>+nodist_systemdservice_DATA =			\
>>>+  etc/gnu-store.mount				\
>>>+  etc/guix-daemon.service			\
>>>+  etc/guix-publish.service
>>>+
>>>+etc/%.mount: etc/%.mount.in	\
>>>+			 $(top_builddir)/config.status
>>>+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
>>>+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
>>>+	       "$<" > "$@.tmp";		\
>>>+	mv "$@.tmp" "$@"
>>> 
>>> etc/guix-%.service: etc/guix-%.service.in	\
>>> 			 $(top_builddir)/config.status
>>
>>I see that's how it's done with the existing service, but why sed the
>>.in file when we could let configure.ac take care of it?
>>
>>I'll try that on a VM of a foreign distro soonish and report. Thanks!
>
>I tested it on a debian VM and it worked well. I tested the installer
>script and it fails at installing the .mount unit, because it does not
>exist in the tarball.
>
>After installing the unit manually, I could start the .mount service
>and found that I was not able to remove store store items with rm. I
>checked that Guix is able to install new store items.

For non systemd distros, adding the following line to /etc/fstab works:

@storedir@ @storedir@ none defaults,bind,ro 0 0

Then running "mount -a" remounts the store read-only.

I'm not sure how to integrate this properly in the installer script.

Hello Tobias,

As this will conflict with the work I'm preparing (runit, openrc,
non-interactive-mode, busybox compatibility, local binary tarball
& misc cleanups)

I'll give it a spin on a bunch of different OS versions (fedora
rawhide, debian 9 & 10, devuan, alpine & void/i686) later today.

Hello Tobias,

shouldn't your patch also add: /etc/gnu-store.mount
to .gitignore ?

I'm doing the tests now, stay tuned for the results.

Vincent,

Vincent Legoll 写道：
> shouldn't your patch also add: /etc/gnu-store.mount
> to .gitignore ?

Probably, it's not a file I ever think of.  Done.

How does this conflict with your work?

Thanks,

T G-R

Hello,

On 15/05/2020 18:52, Tobias Geerinckx-Rice wrote:
> How does this conflict with your work?

I'll get a merge conflict in etc/guix-install.sh and
maybe also in nix/local.mk but that's OK, it will be
simple enough to handle.

Hello Tobias,

yesterday's today is in fact today's today...

On 15/05/2020 18:55, Vincent Legoll wrote:
> I'll get a merge conflict in etc/guix-install.sh and
> maybe also in nix/local.mk but that's OK, it will be
> simple enough to handle.

I was too pessimistic, I'm not getting any merge conflict.

Your patch seems to be working nicely, I tested on a range
of VMs:

x86_64: alpine devuan fedora debian_stretch debian_buster
i686: void

guix is still working properly (search, show, build, gc,
package -i, -r, -l, -d)

And `rm -rf /gnu/store/*hello*' was correctly prevented
on the systemds (debian*, fedora) and the other ones let
the delete run.

LGTM

I'll try to come with something for the other init systems
and add that to my series...

Vincent,

Vincent Legoll 写道：
> yesterday's today is in fact today's today...

I've tried to stop that but to no avail.

> I was too pessimistic, I'm not getting any merge conflict.

Happy to hear it.  Git can be remarkably clever with 3-way merges 
sometimes (and disappointingly dense at others).

> Your patch seems to be working nicely, I tested on a range
> of VMs:
>
> x86_64: alpine devuan fedora debian_stretch debian_buster
> i686: void

Thank you for being so thorough.  You've given me the confidence 
to push this to master as 
1a1faa78b0498fbb71f1533beb4b65817c1d3f2a.  Guess I'll leave this 
bug open since it only solves it for systemd.

> I'll try to come with something for the other init systems
> and add that to my series...

I hope we can avoid touching users' fstab but don't know enough 
about these other systems to say.

Thanks!

T G-R

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Vincent,
>
> Vincent Legoll 写道：
>> yesterday's today is in fact today's today...
>
> I've tried to stop that but to no avail.
>
>> I was too pessimistic, I'm not getting any merge conflict.
>
> Happy to hear it.  Git can be remarkably clever with 3-way merges
> sometimes (and disappointingly dense at others).
>
>> Your patch seems to be working nicely, I tested on a range
>> of VMs:
>>
>> x86_64: alpine devuan fedora debian_stretch debian_buster
>> i686: void
>
> Thank you for being so thorough.  You've given me the confidence to
> push this to master as 1a1faa78b0498fbb71f1533beb4b65817c1d3f2a.
> Guess I'll leave this bug open since it only solves it for systemd.

That's a patch, not a bug, though :-).

I'll close it now to spare someone else the time it took me to read
through and see whether bits had gone uncommitted :-).

Thank you,

Maxim