From patchwork Fri Apr 18 19:46:47 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41787
Subject: [bug#77288] [PATCH v3 2/8] doc: Document migration to the unprivileged daemon.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Maxim Cournoyer
Date: Fri, 18 Apr 2025 21:46:47 +0200
X-Mailer: git-send-email 2.49.0

* doc/guix.texi (Build Environment Setup): Add “Migrating to the
Unprivileged Daemon” section.
(Upgrading Guix): Link to it.

Change-Id: I2bac3f4419d85b7c718c6c4a3908387b4f6ee582
---
 doc/guix.texi | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 070528667f..377cb65326 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1026,13 +1026,75 @@ Build Environment Setup In this configuration, @file{/gnu/store} is owned by the @code{guix-daemon} user. +@anchor{unprivileged-daemon-migration} +@unnumberedsubsubsec Migrating to the Unprivileged Daemon + +@cindex unprivileged daemon, migration +@cindex rootless daemon, migration +To switch an existing installation to the unprivileged execution mode, a +number of steps must be taken: creating a new dedicated +@code{guix-daemon} user account, changing ownership of the relevant +files to @code{guix-daemon}, and ensuring that the @command{guix-daemon} +program runs as @code{guix-daemon}. + +@quotation Warning +Follow the instructions below only after making sure you have a recent +version of @command{guix-daemon} with support for unprivileged +execution. +@end quotation + +File ownership can be changed, after stopping the daemon, by running the +following commands as root (the @command{chown} can take a while if +there are many files in @file{/gnu/store}): + +@example +groupadd --system guix-daemon +useradd -g guix-daemon -G guix-daemon,kvm \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon + +chown -R guix-daemon:guix-daemon \ + /gnu \ + /var/guix/@{daemon-socket,db,discover@} \ + /var/guix/@{gcroots,offload,substitute,temproots@} \ + /var/log/guix \ + /etc/guix +@end example + +If your system uses the systemd service manager, running the daemon as +@code{guix-daemon} will be a matter of copying the relevant +configuration files---make sure to review any changes you might have +made in your own @file{.service} files before overwriting them: + +@example +cp /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/*.service \ + /etc/systemd/system +systemctl daemon-reload +systemctl start guix-daemon +@end example + +@quotation Warning +The commands above assume that @command{guix pull} was run for the root +user. 
You can check whether this is the case by running this command: + +@example +grep User=guix-daemon \ + /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/guix-daemon.service +@end example + +If that command does not show the @code{User=guix-daemon} line, then run +@command{guix pull} as the root user. +@end quotation + @unnumberedsubsubsec The Isolated Build Environment @cindex chroot @cindex build environment isolation @cindex isolated build environment @cindex hermetic build environment -In both cases, the daemon starts build processes without privileges in +In both cases, privileged and unprivileged, +the daemon starts build processes without privileges in an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. On GNU/Linux, by default, the build environment contains nothing but: @@ -2035,6 +2097,10 @@ Upgrading Guix On Guix System, upgrading the daemon is achieved by reconfiguring the system (@pxref{Invoking guix system, @code{guix system reconfigure}}). +To migrate an existing installation to the @emph{unprivileged daemon} +where @command{guix-daemon} does not run as root, +@pxref{unprivileged-daemon-migration}. + @c TODO What else? @c *********************************************************************
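Review bot: In the first hunk (the new "Migrating to the Unprivileged Daemon" subsection), the prose says ownership is changed "after stopping the daemon", but the @example that follows starts straight at groupadd, so a reader copying the block verbatim will run the recursive chown against a live daemon, and any build or substitute download still in progress can create files under /gnu/store or /var/guix that the chown races with or misses. Consider making the stop step explicit in the example, for instance `systemctl stop guix-daemon` (or the equivalent for the service manager in use) before `groupadd --system guix-daemon`, and likewise noting that `systemctl start guix-daemon` at the end assumes the earlier stop. Two smaller points in the same block: `useradd -g guix-daemon -G guix-daemon,kvm` fails outright on hosts that have no `kvm` group (useradd refuses unknown supplementary groups), so the text should say to create that group first or drop it where there is no /dev/kvm; and `-s $(which nologin)` expands to an empty argument when `which` is absent or nologin is not on root's PATH, so spelling the shell path explicitly, or checking the expansion first, would be more robust for a privilege-separation account whose whole point is that it cannot log in.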