From patchwork Thu Apr 17 14:21:36 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41738
Subject: [bug#77288] [PATCH v2 1/8] self: Install systemd ‘.service’ files.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:36 +0200
Message-ID: <20e400054c70809a7a920b0c2167f5b07ca3ee1b.1744899444.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

This is consistent with the ‘guix’ package and will prove helpful when people want to replace /etc/systemd/system/guix*.service with newer versions thereof.

* guix/self.scm (parameterized-file): New procedure, based on…
(selinux-policy): … this.  Use ‘parameterized-file’.
(systemd-file): New procedure.
(miscellaneous-files): Add systemd files.

Change-Id: Ia489a955347cf648a86000cc1265769d66c3f0e8
---
 guix/self.scm | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)
diff --git a/guix/self.scm b/guix/self.scm index 28239d53f5..2a99765359 100644 --- a/guix/self.scm +++ b/guix/self.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2017-2023 Ludovic Courtès +;;; Copyright © 2017-2023, 2025 Ludovic Courtès ;;; Copyright © 2020 Martin Becze ;;; Copyright © 2023 Janneke Nieuwenhuizen ;;; Copyright © 2024 gemmaro 
@@ -666,24 +666,40 @@ (define* (guix-command modules ;; Use a 'guile' variant that doesn't complain about locales. #:guile (quiet-guile guile))) -(define (selinux-policy source daemon) - "Return the SELinux policy file taken from SOURCE and adjusted to refer to -DAEMON and to the current configuration variables." +(define (parameterized-file source daemon file name) + "Return FILE taken from SOURCE (typically a '.in' file) and adjusted to +refer to DAEMON and to the current configuration variables." (define build (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) - (copy-file #+(file-append* source "/etc/guix-daemon.cil.in") - "guix-daemon.cil") - (substitute* "guix-daemon.cil" + (fluid-set! %default-port-encoding "UTF-8") + (copy-file #+(file-append* source file) #$name) + (substitute* #$name (("@guix_sysconfdir@") #$%sysconfdir) (("@guix_localstatedir@") #$%localstatedir) + (("@localstatedir@") #$%localstatedir) (("@storedir@") #$%storedir) - (("@prefix@") #$daemon)) - (copy-file "guix-daemon.cil" #$output)))) + (("@prefix@") #$daemon) + (("@GUIX_SUBSTITUTE_URLS@") + #$(string-join %default-substitute-urls))) + (copy-file #$name #$output)))) - (computed-file "guix-daemon.cil" build)) + (computed-file name build)) + +(define (selinux-policy source daemon) + "Return the SELinux policy file taken from SOURCE and adjusted to refer to +DAEMON and to the current configuration variables." + (parameterized-file source daemon + "etc/guix-daemon.cil.in" + "guix-daemon.cil")) + +(define (systemd-file source daemon file) + "Return the given systemd file from SOURCE parameterized for DAEMON." + (parameterized-file source daemon + (string-append "etc/" file ".in") + file)) (define (miscellaneous-files source daemon) "Return data files taken from SOURCE." 
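Review bot: the path convention changes silently in this hunk: the removed `selinux-policy` passed "/etc/guix-daemon.cil.in" (leading slash) to `file-append*`, the new callers pass "etc/guix-daemon.cil.in" and `(string-append "etc/" file ".in")` (no leading slash), while the untouched `miscellaneous-files` entries such as "/etc/completion/fish/guix.fish" keep the slash. Please confirm that `file-append*` accepts both forms, or settle on one, so the SELinux policy file is still located after this refactoring. Also, `(fluid-set! %default-port-encoding "UTF-8")` is a new side effect inside the build; a one-line comment saying why it is needed would help the next reader.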
@@ -698,6 +714,12 @@ (define (miscellaneous-files source daemon) ,(file-append* source "/etc/completion/fish/guix.fish")) ("share/selinux/guix-daemon.cil" ,(selinux-policy source daemon)) + ,@(map (lambda (file) + `(,(string-append "lib/systemd/system/" file) + ,(systemd-file source daemon file))) + '("guix-gc.service" + "guix-publish.service" + "guix-daemon.service")) ("share/guix/berlin.guix.gnu.org.pub" ,(file-append* source "/etc/substitutes/berlin.guix.gnu.org.pub"))
Subject: [bug#77288] [PATCH v2 2/8] doc: Document migration to the unprivileged daemon.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Maxim Cournoyer
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:37 +0200
X-Mailer: git-send-email 2.49.0

* doc/guix.texi (Build Environment Setup): Add “Migrating to the Unprivileged Daemon” section.
(Upgrading Guix): Link to it.

Change-Id: I2bac3f4419d85b7c718c6c4a3908387b4f6ee582
---
 doc/guix.texi | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 070528667f..377cb65326 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -1026,13 +1026,75 @@ Build Environment Setup In this configuration, @file{/gnu/store} is owned by the @code{guix-daemon} user. +@anchor{unprivileged-daemon-migration} +@unnumberedsubsubsec Migrating to the Unprivileged Daemon + +@cindex unprivileged daemon, migration +@cindex rootless daemon, migration +To switch an existing installation to the unprivileged execution mode, a +number of steps must be taken: creating a new dedicated +@code{guix-daemon} user account, changing ownership of the relevant +files to @code{guix-daemon}, and ensuring that the @command{guix-daemon} +program runs as @code{guix-daemon}. + +@quotation Warning +Follow the instructions below only after making sure you have a recent +version of @command{guix-daemon} with support for unprivileged +execution. +@end quotation + +File ownership can be changed, after stopping the daemon, by running the +following commands as root (the @command{chown} can take a while if +there are many files in @file{/gnu/store}): + +@example +groupadd --system guix-daemon +useradd -g guix-daemon -G guix-daemon,kvm \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon + +chown -R guix-daemon:guix-daemon \ + /gnu \ + /var/guix/@{daemon-socket,db,discover@} \ + /var/guix/@{gcroots,offload,substitute,temproots@} \ + /var/log/guix \ + /etc/guix +@end example + +If your system uses the systemd service manager, running the daemon as +@code{guix-daemon} will be a matter of copying the relevant +configuration files---make sure to review any changes you might have +made in your own @file{.service} files before overwriting them: + +@example +cp /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/*.service \ + /etc/systemd/system +systemctl daemon-reload +systemctl start guix-daemon +@end example + +@quotation Warning +The commands above assume that @command{guix pull} was run for the root +user. 
You can check whether this is the case by running this command: + +@example +grep User=guix-daemon \ + /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/guix-daemon.service +@end example + +If that command does not show the @code{User=guix-daemon} line, then run +@command{guix pull} as the root user. +@end quotation + @unnumberedsubsubsec The Isolated Build Environment @cindex chroot @cindex build environment isolation @cindex isolated build environment @cindex hermetic build environment -In both cases, the daemon starts build processes without privileges in +In both cases, privileged and unprivileged, +the daemon starts build processes without privileges in an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. On GNU/Linux, by default, the build environment contains nothing but: 
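Review bot: the @example block introduced by "File ownership can be changed, after stopping the daemon" never shows the stop step, yet it is the one step that protects the store from being re-owned underneath a running daemon; add `systemctl stop guix-daemon` (or the equivalent for the reader's service manager) as the first command, mirroring the `systemctl start guix-daemon` at the end. Second, `useradd -G guix-daemon,kvm` fails outright on hosts that have no `kvm` group, so either say that the group must exist or present `kvm` as optional. Last, the closing check greps only guix-daemon.service; a sentence noting that the other copied units (guix-gc.service, guix-publish.service) come from the same root profile and need no separate check would close the loop for readers.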
@@ -2035,6 +2097,10 @@ Upgrading Guix On Guix System, upgrading the daemon is achieved by reconfiguring the system (@pxref{Invoking guix system, @code{guix system reconfigure}}). +To migrate an existing installation to the @emph{unprivileged daemon} +where @command{guix-daemon} does not run as root, +@pxref{unprivileged-daemon-migration}. + @c TODO What else? @c *********************************************************************
Subject: [bug#77288] [PATCH v2 3/8] syscalls: Add ‘unshare’.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:38 +0200
Message-ID: <3686350af60a8eb68e7e6453cb258a0f7b747bbf.1744899444.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

* guix/build/syscalls.scm (unshare): New procedure.

Change-Id: I344273b8bdeaa9366334e6e20ee7efc37eb6c8f7
---
 guix/build/syscalls.scm | 18 ++++++++++++++++++
 tests/syscalls.scm | 9 +++++++++
 2 files changed, 27 insertions(+)

diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 42232fc7f1..cf09cae3a4 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -145,6 +145,7 @@ (define-module (guix build syscalls) CLONE_NEWPID CLONE_NEWNET clone + unshare setns kexec-load-file
@@ -1213,6 +1214,23 @@ (define clone (list err)) ret))))) +(define unshare + (let ((proc (syscall->procedure int "unshare" (list int)))) + (lambda (flags) + "Disassociate the current process from parts of its execution context +according to FLAGS, which must be a logical or of CLONE_NEW* constants. + +Note that CLONE_NEWUSER requires that the calling process be single-threaded, +which is possible if and only if libgc is running a single marker thread; this +can be achieved by setting the GC_MARKERS environment variable to 1. If the +calling process is multi-threaded, this throws to 'system-error' with EINVAL." + (let-values (((ret err) + (without-automatic-finalization (proc flags)))) + (unless (zero? ret) + (throw 'system-error "unshare" "~a: ~A" + (list flags (strerror err)) + (list err))))))) + (define setns ;; Some systems may be using an old (pre-2.14) version of glibc where there ;; is no 'setns' function available. diff --git a/tests/syscalls.scm b/tests/syscalls.scm index d2848879d7..879c3e4f25 100644 --- a/tests/syscalls.scm +++ b/tests/syscalls.scm 
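Review bot: the docstring of `unshare` documents only the EINVAL case for a multi-threaded caller, but the more common failure is EPERM: unshare(2) refuses CLONE_NEWNS (and the other non-user namespaces) without CAP_SYS_ADMIN, and refuses CLONE_NEWUSER on systems that disallow unprivileged user namespaces. The new test in tests/syscalls.scm depends on exactly that EPERM, so add a sentence to the docstring listing it, so callers know to handle both errnos. The error path itself mirrors `clone` above (`without-automatic-finalization`, `throw 'system-error` with `strerror`), which is the right pattern.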
@@ -149,6 +149,15 @@ (define perform-container-tests? ((_ . status) (= 42 (status:exit-val status)))))))) +(test-equal "unshare" + EPERM + ;; Unless running as root, (unshare CLONE_NEWNS) returns EPERM. + (catch 'system-error + (lambda () + (unshare CLONE_NEWNS)) + (lambda args + (system-error-errno args)))) + (unless perform-container-tests? (test-skip 1)) (test-assert "setns"
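Review bot: the test states its assumption in its own comment, "Unless running as root", but nothing enforces it: when the suite runs as root (a container-based CI job, for instance), `(unshare CLONE_NEWNS)` succeeds, the handler never runs, `test-equal` compares EPERM against the unspecified value returned by the `unless` in `unshare` and fails, and the test process is left in a fresh mount namespace for the remainder of the suite. Guard it with `(test-skip 1)` when `(zero? (getuid))`, following the `perform-container-tests?` pattern right below. Separately, the ChangeLog entry in the commit message lists only guix/build/syscalls.scm; add a line for tests/syscalls.scm ("unshare"): New test.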
Subject: [bug#77288] [PATCH v2 4/8] services: account: Create /var/guix/profiles/per-user/$USER.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:39 +0200
Message-ID: <0924e8378e0e526aacd04e498e31365b213c0ab0.1744899444.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

* gnu/system/shadow.scm (account-shepherd-service): Create /var/guix/profiles/per-user/$USER in ‘user-homes’ service.

Change-Id: I22e66e8a34d63686df9bae64c68df65c8889e72a
---
 gnu/system/shadow.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm index b68a818871..d0f1b6b2b1 100644 --- a/gnu/system/shadow.scm +++ b/gnu/system/shadow.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013-2020, 2022, 2023 Ludovic Courtès +;;; Copyright © 2013-2020, 2022-2023, 2025 Ludovic Courtès ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020, 2023 Efraim Flashner
@@ -460,6 +460,12 @@ (define (account-shepherd-service accounts+groups) (define accounts (filter user-account? accounts+groups)) + (define regular-account-names + (filter-map (lambda (account) + (and (not (user-account-system? account)) + (user-account-name account))) + accounts)) + ;; Create home directories only once 'file-systems' is up. This makes sure ;; they are created in the right place if /home lives on a separate ;; partition. 
@@ -480,6 +486,17 @@ (define (account-shepherd-service accounts+groups) (activate-user-home (map sexp->user-account (list #$@(map user-account->gexp accounts)))) + + ;; Create the user's profile directory upfront: + ;; guix-daemon lacks permissions to create it when it is + ;; running as an unprivileged user. + (for-each (lambda (account) + (let ((profile (in-vicinity + "/var/guix/profiles/per-user" + account)) + (owner (getpwnam account))) + (mkdir-p/perms profile owner #o755))) + '#$regular-account-names) #t))) ;success (documentation "Create user home directories."))))
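Review bot: `(getpwnam account)` throws when the name is missing from the passwd database, and because this loop sits inside the `user-homes` start action, one failed lookup aborts the action before the `#t` success value even though `activate-user-home` has already done its work; wrap the per-account body in a `catch` or `guard` that reports the name and continues. Two things the comment should also say: `regular-account-names` (defined in the previous hunk) deliberately skips system accounts, so a system user that runs `guix pull` gets no profile directory from this path; and since the action runs on every boot, what `mkdir-p/perms` does when the directory already exists with a different owner, for example one created earlier by a root-running daemon, because that is precisely the migration case this series targets.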
Subject: [bug#77288] [PATCH v2 5/8] tests: guix-daemon: Send system log output to /dev/console.
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 17 Apr 2025 14:23:07 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.174489974718769 (code B ref 77288); Thu, 17 Apr 2025 14:23:07 +0000 Received: (at 77288) by debbugs.gnu.org; 17 Apr 2025 14:22:27 +0000 Received: from localhost ([127.0.0.1]:47998 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u5Q8I-0004sX-7x for submit@debbugs.gnu.org; Thu, 17 Apr 2025 10:22:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43212) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1u5Q81-0004pR-12 for 77288@debbugs.gnu.org; Thu, 17 Apr 2025 10:22:13 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5Q7v-0001Tr-4o; Thu, 17 Apr 2025 10:22:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=xCCzckKP82CnyuCIo9fuJVhLYLiOCYeDm9GnRHKF0VY=; b=OGetIkN8zklfZuSZNtIn SA0gPtuU0Nv/IVdtNnG16anIOK0CyeEuo82zc7phju0m+Ox4dYVduz5gtMVrSpOFFk/MCC7dVD8YF EJM0d0ifAWPMzlsKwC6LjQmqdLTpoz+ww16GcqDJs7ubDS7eMHIWMvMd1/Y2b5+HGVB4EtzDhwDo9 TdFd81bFeN5l9XnNv/Dv1YYiJ16YPmXu6UxpKvCpZhkYcFDPMX62qsaSXfcgU/YgbAopgD+mMvgbE tMDkY3d49NG3DExKoLp1c7u28w42sv/a4kAEQI8djHWwIVMSsqgvgZtum95iYWJNZ9JgNaFHx0uwb EYgdpDrHhynnsQ==; 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Thu, 17 Apr 2025 16:21:40 +0200 Message-ID: <1273ef478c23602857023b49cbae0595870abff0.1744899444.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/tests/base.scm (%daemon-os): New variable. (%test-guix-daemon): Use it. Change-Id: Iea31808cc59e94971ea4cbc12d565c94348bf7a4 --- gnu/tests/base.scm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index a7f8a5bf7c..0f7fb543a7 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -994,6 +994,10 @@ (define %test-activation ;;; Build daemon. ;;; +(define %daemon-os + (operating-system-with-console-syslog + (simple-operating-system))) + (define (manifest-entry-without-grafts entry) "Return ENTRY with grafts disabled on its contents." (manifest-entry 
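Review bot: `%daemon-os` is introduced without a comment and the commit message only says "New variable"; a short comment above it saying why the daemon tests need `operating-system-with-console-syslog` (so that daemon log lines show up on the console when a test fails, as the subject line implies) would help, and would also make it clear that `%simple-os` is intentionally kept for the other tests.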
@@ -1168,7 +1172,7 @@ (define %test-guix-daemon (let ((os (marionette-operating-system (operating-system (inherit (operating-system-with-gc-roots - %simple-os + %daemon-os (list (profile (name "hello-build-dependencies") (content %hello-dependencies-manifest))))) From patchwork Thu Apr 17 14:21:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41737 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 1750627BC4B; Thu, 17 Apr 2025 15:24:13 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id D255927BC49 for ; Thu, 17 Apr 2025 15:24:12 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u5Q9O-0000ho-Uc; Thu, 17 Apr 2025 10:23:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5Q8y-0000VO-Rk for guix-patches@gnu.org; Thu, 17 Apr 2025 10:23:11 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1u5Q8w-0001eg-Mp for guix-patches@gnu.org; Thu, 17 Apr 2025 10:23:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; 
Subject: [bug#77288] [PATCH v2 6/8] tests: guix-daemon: Wait for the ‘guix-daemon’ service to be up.
To: 77288@debbugs.gnu.org
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:41 +0200
Message-ID: <943d356b935b876fce7177093f0ea78391149482.1744899444.git.ludo@gnu.org>

* gnu/tests/base.scm (run-guix-daemon-test): Add “guix-daemon service is up” test.

Change-Id: I4d44a1248599fec45c854c285d4da201c30eb00c
---
 gnu/tests/base.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index 0f7fb543a7..83e047f7e6 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -1157,6 +1157,13 @@ (define (run-guix-daemon-test os) (test-runner-current (system-test-runner #$output)) (test-begin "guix-daemon") + (test-assert "guix-service is running" + ;; Wait for 'guix-daemon' to be up. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'guix-daemon)) + marionette)) + #$(guix-daemon-test-cases #~marionette) (test-end)))) From patchwork Thu Apr 17 14:21:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41739 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 4342F27BC4F; Thu, 17 Apr 2025 15:24:31 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 762CC27BC49 for ; Thu, 17 Apr 2025 15:24:28 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u5Q9T-0000n4-VQ; Thu, 17 Apr 2025 10:23:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5Q8z-0000VT-OY for guix-patches@gnu.org; Thu, 17 Apr 2025 10:23:11 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1u5Q8z-0001fW-E1; Thu, 17 Apr 2025 10:23:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
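Review bot: the test name `"guix-service is running"` does not match the comment or the service actually started (`guix-daemon`); rename it to `"guix-daemon service is running"`, which is also what the commit message calls it. The assertion itself relies on `start-service` returning a true value once the service is up, which is fine, but a failure here will read as "guix-service" in the test log and send people looking for a service that does not exist.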
Subject: [bug#77288] [PATCH v2 7/8] services: guix: Allow ‘guix-daemon’ to run without root privileges.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Maxim Cournoyer
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:42 +0200
Message-ID: <950845dc7aa91c412d890d0fa6d905c82e5e3bf4.1744899444.git.ludo@gnu.org>

* gnu/services/base.scm (run-with-writable-store)
(guix-ownership-change-program): New procedures.
()[privileged?]: New field.
(guix-shepherd-service): Rename to…
(guix-shepherd-services): … this.  Add the ‘guix-ownership’ service.
Change ‘guix-daemon’ service to depend on it; when unprivileged, prefix
‘daemon-command’ by ‘run-with-writable-store’ and omit
‘--build-users-group’; adjust socket activation endpoints.
(guix-accounts): When unprivileged, create the “guix-daemon” user and group.
(guix-service-type)[extensions]: Adjust to name change.
* gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter.
(%test-guix-daemon): Adjust accordingly.
(%test-guix-daemon-unprivileged): New test.
* doc/guix.texi (Base Services): Document ‘privileged?’.
(Migrating to the Unprivileged Daemon): Explain that this is automatic on
Guix System.

Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163
---
 doc/guix.texi         |  38 +++++++++
 gnu/services/base.scm | 187 ++++++++++++++++++++++++++++++++++++++----
 gnu/tests/base.scm    |  47 +++++++++--
 3 files changed, 252 insertions(+), 20 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 377cb65326..8243bd0547 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1037,6 +1037,14 @@ Build Environment Setup files to @code{guix-daemon}, and ensuring that the @command{guix-daemon} program runs as @code{guix-daemon}. +On Guix System, these steps are carried out automatically when you set +the @code{privileged?} field of the @code{guix-configuration} record to +@code{#f} and reconfigure (@pxref{guix-configuration-type, +@code{guix-configuration}}). + +However, on a foreign distribution, the process is manual. The +following paragraphs describe what you need to do. + @quotation Warning Follow the instructions below only after making sure you have a recent version of @command{guix-daemon} with support for unprivileged 
@@ -20105,6 +20113,36 @@ Base Services The Guix package to use. @xref{Customizing the System-Wide Guix} to learn how to provide a package with a pre-configured set of channels. +@cindex unprivileged @command{guix-daemon} +@cindex rootless @command{guix-daemon} +@item @code{privileged?} (default: @code{#t}) +Whether to run @command{guix-daemon} as root. + +When true, @command{guix-daemon} runs with root privileges and build +processes run under unprivileged user accounts as specified by +@code{build-group} and @code{build-accounts} (see below); when false, +@command{guix-daemon} run as the @code{guix-daemon} user, which is +unprivileged, and so do build processes. The unprivileged or +``rootless'' mode can reduce the impact of some classes of +vulnerabilities that could affect the daemon. + +The default is currently @code{#t} (@command{guix-daemon} runs with root +privileges) but may eventually be changed to @code{#f}. + +@quotation Warning +When changing this option, @file{/gnu/store}, @file{/var/guix}, and +@file{/etc/guix} have their ownership automatically changed by the +@code{guix-ownership} service to either the @code{guix-daemon} user or +the @code{root} user (@pxref{unprivileged-daemon-migration}). + +This can take a while, especially if @file{/gnu/store} is big; it cannot +be interrupted and @command{guix-daemon} cannot be used until it has +completed. +@end quotation + +@xref{Build Environment Setup}, for more information on the two ways to +run @command{guix-daemon}. + @item @code{build-group} (default: @code{"guixbuild"}) Name of the group for build user accounts. diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 490376d446..c48874b0d9 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
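Review bot: grammar in the new `privileged?` entry: "@command{guix-daemon} run as the @code{guix-daemon} user" should read "runs as". Also, the warning says the ownership change "cannot be interrupted"; it would reassure users to say what happens if the machine does go down half way (whether the `guix-ownership` service picks the job up again at the next boot), because as written it reads like a reboot could leave the system unusable.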
@@ -1918,6 +1918,100 @@ (define (guix-machines-files-installation machines) #$machines)) machines-file)))) +(define (run-with-writable-store) + "Return a wrapper that runs the given command under the specified UID and +GID in a context where the store is writable, even if it was bind-mounted +read-only via %IMMUTABLE-STORE (this wrapper must run as root)." + (program-file "run-with-writable-store" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls) + (ice-9 match)) + + (define (ensure-writable-store store) + ;; Create a new mount namespace and remount STORE with + ;; write permissions if it's read-only. + (unshare CLONE_NEWNS) + (let ((fs (statfs store))) + (unless (zero? (logand (file-system-mount-flags fs) + ST_RDONLY)) + (mount store store "none" + (logior MS_BIND MS_REMOUNT))))) + + (match (command-line) + ((_ user group command args ...) + (ensure-writable-store #$(%store-prefix)) + (let ((uid (or (string->number user) + (passwd:uid (getpwnam user)))) + (gid (or (string->number group) + (group:gid (getgrnam group))))) + (setgroups #()) + (setgid gid) + (setuid uid) + (apply execl command command args)))))))) + +(define (guix-ownership-change-program) + "Return a program that changes ownership of the store and other data files +of Guix to the given UID and GID." + (program-file "validate-guix-ownership" + (with-imported-modules (source-module-closure + '((guix build utils))) + #~(begin + (use-modules (guix build utils) + (ice-9 ftw) + (ice-9 match)) + + (define (lchown file uid gid) + (let ((parent (open (dirname file) O_DIRECTORY))) + (chown-at parent (basename file) uid gid + AT_SYMLINK_NOFOLLOW) + (close-port parent))) + + (define (change-ownership directory uid gid) + ;; chown -R UID:GID DIRECTORY + (file-system-fold (const #t) ;enter? + (lambda (file stat result) ;leaf + (if (eq? 
'symlink (stat:type stat)) + (lchown file uid gid) + (chown file uid gid))) + (const #t) ;down + (lambda (directory stat result) ;up + (chown directory uid gid)) + (const #t) ;skip + (lambda (file stat errno result) + (format (current-error-port) "i/o error: ~a: ~a~%" + file (strerror errno)) + #f) + #t ;seed + directory + lstat)) + + (define (claim-data-ownership uid gid) + (format #t "Changing file ownership for /gnu/store \ +and data directories to ~a:~a...~%" + uid gid) + (change-ownership #$(%store-prefix) uid gid) + (let ((excluded '("." ".." "profiles" "userpool"))) + (for-each (lambda (directory) + (change-ownership (in-vicinity "/var/guix" directory) + uid gid)) + (scandir "/var/guix" + (lambda (file) + (not (member file + excluded)))))) + (chown "/var/guix" uid gid) + (change-ownership "/etc/guix" uid gid) + (mkdir-p "/var/log/guix") + (change-ownership "/var/log/guix" uid gid)) + + (match (command-line) + ((_ (= string->number (? integer? uid)) + (= string->number (? integer? gid))) + (setlocale LC_ALL "C.UTF-8") ;for file name decoding + (setvbuf (current-output-port) 'line) + (claim-data-ownership uid gid))))))) + (define-record-type* guix-configuration make-guix-configuration guix-configuration? @@ -1959,6 +2053,8 @@ (define-record-type* (default #f)) (tmpdir guix-tmpdir ;string | #f (default #f)) + (privileged? guix-configuration-privileged? + (default #t)) (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings @@ -2021,7 +2117,7 @@ (define shepherd-discover-action (environ environment) #t))))) -(define (guix-shepherd-service config) +(define (guix-shepherd-services config) "Return a for the Guix daemon service with CONFIG." (define locales (let-system (system target) 
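Review bot: two points in `run-with-writable-store` and `guix-ownership-change-program`. First, `ensure-writable-store` does `(unshare CLONE_NEWNS)` and then remounts `store` read-write, but nothing marks the new namespace's mount tree private first; if the store's mount is in a shared peer group, the `MS_REMOUNT` propagates back to the initial namespace and the read-only bind mount set up by `%immutable-store` is silently undone for every process on the machine. Something like `(mount "none" "/" "none" (logior MS_REC MS_PRIVATE))` right after the `unshare` (or an explicit check of the propagation type) would close that. Second, the `file-system-fold` error handler in `change-ownership` only prints the error and returns `#f`; the program still exits 0, so the `guix-ownership` service's `(zero? (system* …))` reports success and `guix-daemon` starts on top of partly chowned data. Thread an error flag through `result` and `(exit 1)` from `claim-data-ownership` when any chown failed.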
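Review bot: the docstring of the renamed `guix-shepherd-services` still describes a single object ("Return a … for the Guix daemon service with CONFIG."); now that the procedure returns a list containing the `guix-ownership` service as well, update the docstring to say it returns the Shepherd services for the daemon and its ownership check.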
@@ -2030,16 +2126,57 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) (match-record config - (guix build-group build-accounts chroot? authorize-key? authorized-keys + (guix privileged? + build-group build-accounts chroot? authorize-key? authorized-keys use-substitutes? substitute-urls max-silent-time timeout log-compression discover? extra-options log-file http-proxy tmpdir chroot-directories environment socket-directory-permissions socket-directory-group socket-directory-user) (list (shepherd-service + (provision '(guix-ownership)) + (requirement '(user-processes user-homes)) + (one-shot? #t) + (start #~(lambda () + (let* ((store #$(%store-prefix)) + (stat (lstat store)) + (privileged? #$(guix-configuration-privileged? + config)) + (change-ownership #$(guix-ownership-change-program)) + (with-writable-store #$(run-with-writable-store))) + ;; Check whether we're switching from privileged to + ;; unprivileged guix-daemon, or vice versa, and adjust + ;; file ownership accordingly. Spawn a child process + ;; if and only if something needs to be changed. + ;; + ;; Note: This service remains in 'starting' state for + ;; as long as CHANGE-OWNERSHIP is running. That way, + ;; 'guix-daemon' starts only once we're done. + (cond ((and (not privileged?) + (or (zero? (stat:uid stat)) + (zero? (stat:gid stat)))) + (let ((user (getpwnam "guix-daemon"))) + (format #t "Changing to unprivileged guix-daemon.~%") + (zero? + (system* with-writable-store "0" "0" + change-ownership + (number->string (passwd:uid user)) + (number->string (passwd:gid user)))))) + ((and privileged? + (and (not (zero? (stat:uid stat))) + (not (zero? (stat:gid stat))))) + (format #t "Changing to privileged guix-daemon.~%") + (zero? 
(system* with-writable-store "0" "0" + change-ownership "0" "0"))) + (else #t))))) + (documentation "Ensure that the store and other data files used by +guix-daemon have the right ownership.")) + + (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) (requirement `(user-processes + guix-ownership ,@(if discover? '(avahi-daemon) '()))) (actions (list shepherd-set-http-proxy-action shepherd-discover-action)) @@ -2063,8 +2200,15 @@ (define (guix-shepherd-service config) (or (getenv "discover") #$discover?)) (define daemon-command - (cons* #$(file-append guix "/bin/guix-daemon") - "--build-users-group" #$build-group + (cons* #$@(if privileged? + #~() + #~(#$(run-with-writable-store) + "guix-daemon" "guix-daemon")) + + #$(file-append guix "/bin/guix-daemon") + #$@(if privileged? + #~("--build-users-group" #$build-group) + #~()) "--max-silent-time" #$(number->string max-silent-time) "--timeout" #$(number->string timeout) @@ -2145,9 +2289,11 @@ (define (guix-shepherd-service config) "/var/guix/daemon-socket/socket") #:name "socket" #:socket-owner - (or #$socket-directory-user 0) + (or #$socket-directory-user + #$(if privileged? 0 "guix-daemon")) #:socket-group - (or #$socket-directory-group 0) + (or #$socket-directory-group + #$(if privileged? 0 "guix-daemon")) #:socket-directory-permissions #$socket-directory-permissions))) ((make-systemd-constructor daemon-command 
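Review bot: in the `guix-ownership` `start` procedure the decision is keyed only on `(lstat store)`, i.e. on the owner of `/gnu/store` itself, and only compared against uid/gid 0. Two consequences: (1) `claim-data-ownership` chowns `/var/guix`, `/etc/guix` and `/var/log/guix` after the store, and `change-ownership` chowns a directory in its `up` handler, so the store root is the last store entry to change; if the machine goes down between the store pass and the `/var/guix` pass, the next boot sees a non-root store root, takes the `(else #t)` branch, and those directories stay root-owned with nothing to trigger a retry. (2) A store owned by some other non-root uid (for instance a stale `guix-daemon` uid after the account was re-created) also passes the `privileged?` = `#f` check untouched. Suggest comparing the owner against `(passwd:uid (getpwnam "guix-daemon"))`, checking each of the data roots rather than the store alone, and doing the store pass last so its root doubles as the completion marker.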
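Review bot: `#:socket-owner` and `#:socket-group` previously always received a numeric id (`0`); the new fallback is the string `"guix-daemon"`. Please check that `make-systemd-constructor` resolves user and group names for these keywords, otherwise resolve them here with `passwd:uid` and `group:gid` the way `run-with-writable-store` does, or the socket will be created with the wrong owner and the daemon, now unprivileged, will fail to accept connections.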
@@ -2162,15 +2308,26 @@ (define (guix-shepherd-service config) (define (guix-accounts config) "Return the user accounts and user groups for CONFIG." - (cons (user-group - (name (guix-configuration-build-group config)) - (system? #t) + (if (guix-configuration-privileged? config) + (cons (user-group + (name (guix-configuration-build-group config)) + (system? #t) - ;; Use a fixed GID so that we can create the store with the right - ;; owner. - (id 30000)) - (guix-build-accounts (guix-configuration-build-accounts config) - #:group (guix-configuration-build-group config)))) + ;; Use a fixed GID so that we can create the store with the right + ;; owner. + (id 30000)) + (guix-build-accounts (guix-configuration-build-accounts config) + #:group (guix-configuration-build-group + config))) + (list (user-group (name "guix-daemon") (system? #t)) + (user-account + (name "guix-daemon") + (group "guix-daemon") + (system? #t) + (supplementary-groups '("kvm")) + (comment "Guix Daemon User") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))))) (define (guix-activation config) "Return the activation gexp for CONFIG." @@ -2228,7 +2385,7 @@ (define guix-service-type (service-type (name 'guix) (extensions - (list (service-extension shepherd-root-service-type guix-shepherd-service) + (list (service-extension shepherd-root-service-type guix-shepherd-services) (service-extension account-service-type guix-accounts) (service-extension activation-service-type guix-activation) (service-extension profile-service-type diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 83e047f7e6..12d4e70ee5 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016-2020, 2022, 2024 Ludovic Courtès +;;; Copyright © 2016-2020, 2022, 2024-2025 Ludovic Courtès ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2022 Maxim Cournoyer ;;; Copyright © 2022 Marius Bakke 
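Review bot: in the unprivileged branch of `guix-accounts`, the `guix-daemon` account has no fixed uid, unlike the privileged branch's `guixbuild` group with `(id 30000)` and its comment about creating the store with the right owner. Ownership of the entire store is now tied to that uid, so either give the account a fixed id as well or document that it must never change. The `(supplementary-groups '("kvm"))` membership (presumably so that builds can open `/dev/kvm`) is also a capability the daemon user carries that the `privileged?` documentation does not mention; a comment here and a sentence in the manual would make the trade-off visible.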
@@ -63,7 +63,8 @@ (define-module (gnu tests base) %hello-dependencies-manifest guix-daemon-test-cases - %test-guix-daemon)) + %test-guix-daemon + %test-guix-daemon-unprivileged)) (define %simple-os (simple-operating-system)) @@ -1121,7 +1122,7 @@ (define (guix-daemon-test-cases marionette) (system-error-errno args))) #$marionette)))) -(define (run-guix-daemon-test os) +(define (run-guix-daemon-test os name) (define test-image (image (operating-system os) (format 'compressed-qcow2) @@ -1161,6 +1162,12 @@ (define (run-guix-daemon-test os) ;; Wait for 'guix-daemon' to be up. (marionette-eval '(begin (use-modules (gnu services herd)) + (start-service 'guix-daemon) + + ;; XXX: Do it a second time to work around + ;; and its + ;; effect on the 'guix-ownership' service. + ;; TODO: Remove when Shepherd 1.0.4 is out. (start-service 'guix-daemon)) marionette)) @@ -1168,7 +1175,7 @@ (define (run-guix-daemon-test os) (test-end)))) - (gexp->derivation "guix-daemon-test" test)) + (gexp->derivation name test)) (define %test-guix-daemon (system-test 
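Review bot: the `XXX` comment in `run-guix-daemon-test` refers to a Shepherd bug but the reference is missing from the sentence as written ("work around and its effect on the 'guix-ownership' service"); please add the bug URL or number so the second `start-service` call can be traced and removed when the TODO's Shepherd 1.0.4 condition is met. A one-line note on what the bug does to `guix-ownership` (why the first call returns before the daemon is usable) would also help whoever removes it.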
@@ -1190,4 +1197,34 @@ (define %test-guix-daemon %base-user-accounts))) #:imported-modules '((gnu services herd) (guix combinators))))) - (run-guix-daemon-test os))))) + (run-guix-daemon-test os "guix-daemon-test"))))) + +(define %test-guix-daemon-unprivileged + (system-test + (name "guix-daemon-unprivileged") + (description + "Test 'guix-daemon' behavior on a multi-user system, where 'guix-daemon' +runs unprivileged.") + (value + (let ((os (marionette-operating-system + (let ((base (operating-system-with-gc-roots + %daemon-os + (list (profile + (name "hello-build-dependencies") + (content %hello-dependencies-manifest)))))) + (operating-system + (inherit base) + (kernel-arguments '("console=ttyS0")) + (users (cons (user-account + (name "user") + (group "users")) + %base-user-accounts)) + (services + (modify-services (operating-system-user-services base) + (guix-service-type + config => (guix-configuration + (inherit config) + (privileged? #f))))))) + #:imported-modules '((gnu services herd) + (guix combinators))))) + (run-guix-daemon-test os "guix-daemon-unprivileged-test"))))) From patchwork Thu Apr 17 14:21:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41734 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id E957527BC4B; Thu, 17 Apr 2025 15:23:54 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 9F08A27BC49 for ; 
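Review bot: `%test-guix-daemon-unprivileged` only flips `privileged?` to `#f` and reuses the shared `guix-daemon-test-cases`, so nothing asserts that the daemon actually runs unprivileged or that `guix-ownership` did its job. Add at least one case checking that the `guix-daemon` process's uid and the owners of `/gnu/store` and `/var/guix/daemon-socket/socket` are the `guix-daemon` user rather than 0; otherwise a regression that quietly leaves the daemon running as root would still pass this test.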
Subject: [bug#77288] [PATCH v2 8/8] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Florian Pelz, Julien Lepiller
From: Ludovic Courtès
Date: Thu, 17 Apr 2025 16:21:43 +0200

DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
---
 etc/news.scm | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index 4b3da44540..c1f2315e33 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -37,6 +37,37 @@ (channel-news (version 0) + (entry (commit "XXX") + (title + (en "Guix System can run @command{guix-daemon} without root +privileges")) + (body + (en "On Guix System, @code{guix-service-type} can now be configured +to run the build daemon, @command{guix-daemon}, without root privileges. In +that configuration, the daemon runs with the authority of the +@code{guix-daemon} user, which we think can reduce the impact of some classes +of vulnerabilities that could affect it. + +For now, this is opt-in: you have to change @code{guix-configuration} to set +the @code{privileged?} field to @code{#f}. When you do this, all the files in +@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to +the @code{guix-daemon} user (instead of @code{root}); this can take a while, +especially if the store is big. To learn more about it, run: + +@example +info guix --index-search=guix-service-type +@end example + +Running @command{guix-daemon} without root privileges will likely become the +default in the future. + +Users of Guix on other distributions can find information on how to migrate in +the manual: + +@example +info guix --index-search=migration +@end example"))) + (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286") (title (en "Incompatible upgrade of the Syncthing service"))
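Review bot: the new entry's `(entry (commit "XXX")` placeholder has to be replaced with the real commit id before this lands (consistent with the DRAFT marker in the commit message), and the body's "@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed" leaves users guessing which directories are re-owned; list them explicitly, and since the entry itself warns the change "can take a while, especially if the store is big", say whether an interrupted reconfiguration can safely be re-run to finish the ownership change. The benefit is also stated vaguely ("which we think can reduce the impact of some classes of vulnerabilities"); consider saying concretely that a compromised daemon would no longer hold root, which is what running as the @code{guix-daemon} user buys. Finally, only an `en` body is provided here; note in the commit message that translations are expected to follow, or add them before the draft is finalized.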
