Message ID | 20211212183614.19730-1-brice@waegenei.re |
---|---|
State | New |
Headers | show |
Series | Ensure correct ownership of directory trees in services.Hello Guix, | expand |
Hi!
Great patch series!
This has been discussed a few times: I wonder if we should simply chown
service home directories systematically?
Brice Waegeneire <brice@waegenei.re> skribis:
> * guix/build/syscalls.scm (lchown): New procedure.
Would be nice to add even trivial tests to tests/syscalls.scm.
Unfortunately, this doesn’t work for service activation because when
booting, activation snippets are run from the initrd’s Guile, which is
statically linked and lacks dlopen.
This leads to failures like:
--8<---------------cut here---------------start------------->8---
$ make check-system TESTS="postgresql" -j4
[...]
populating /etc from /gnu/store/bchxln4wkfmdbsxww9jaxafsyvlpdbmg-etc...
Please wait while gathering entropy to generate the key pair;
this may take time...
warning: failed to chown "/var/lib/postgresql/data": Function not implemented
warning: failed to chown "/var/run/postgresql": Function not implemented
warning: failed to chown "/var/log/postgresql": Function not implemented
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
[...]
fixing permissions on existing directory /var/lib/postgresql/data ... initdb: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted
--8<---------------cut here---------------end--------------->8---
(The ENOSYS error above comes from the ‘lchown’ wrapper.)
For this strategy to work, you need to add ‘lchown’ in
‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
build syscalls).
(I’m surprised we didn’t already have recursive chown.)
With this in place, we should be all set!
Thanks,
Ludo’.
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 63bd017d1d..1c432507c3 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2021 Chris Marusich <cmmarusich@gmail.com> ;;; Copyright © 2021 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re> ;;; ;;; This file is part of GNU Guix. ;;; @@ -118,6 +119,7 @@ (define-module (guix build syscalls) scandir* getxattr setxattr + lchown fcntl-flock lock-file @@ -1275,6 +1277,20 @@ (define* (scandir* name #:optional (lambda () (closedir* directory))))) +(define lchown + (let ((proc (syscall->procedure int "lchown" (list '* int int)))) + (lambda (file owner group) + "As 'chown', change the ownership and group of the file referred to by +FILE to the integer values OWNER and GROUP but doesn't dereference symbolic +links. Unlike 'chown' this doesn't support port or integer file descriptor +via 'fchown'." + (let-values (((ret err) + (proc (string->pointer file) owner group))) + (unless (zero? ret) + (throw 'system-error "lchown" "~S: ~A" + (list file (strerror err)) + (list err))))))) + ;;; ;;; Advisory file locking.