From patchwork Fri Apr 18 19:46:46 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41786
Subject: [bug#77288] [PATCH v3 1/8] self: Install systemd ‘.service’ files.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice
Date: Fri, 18 Apr 2025 21:46:46 +0200
X-Mailer: git-send-email 2.49.0

This is consistent with the ‘guix’ package and will prove helpful when
people want to replace /etc/systemd/system/guix*.service with newer
versions thereof.

* guix/self.scm (parameterized-file): New procedure, based on…
(selinux-policy): … this.  Use ‘parameterized-file’.
(systemd-file): New procedure.
(miscellaneous-files): Add systemd files.

Change-Id: Ia489a955347cf648a86000cc1265769d66c3f0e8
---
 guix/self.scm | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/guix/self.scm b/guix/self.scm
index 28239d53f5..2a99765359 100644
--- a/guix/self.scm
+++ b/guix/self.scm
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2017-2023 Ludovic Courtès +;;; Copyright © 2017-2023, 2025 Ludovic Courtès ;;; Copyright © 2020 Martin Becze ;;; Copyright © 2023 Janneke Nieuwenhuizen ;;; Copyright © 2024 gemmaro 
@@ -666,24 +666,40 @@ (define* (guix-command modules ;; Use a 'guile' variant that doesn't complain about locales. #:guile (quiet-guile guile))) -(define (selinux-policy source daemon) - "Return the SELinux policy file taken from SOURCE and adjusted to refer to -DAEMON and to the current configuration variables." +(define (parameterized-file source daemon file name) + "Return FILE taken from SOURCE (typically a '.in' file) and adjusted to +refer to DAEMON and to the current configuration variables." (define build (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) - (copy-file #+(file-append* source "/etc/guix-daemon.cil.in") - "guix-daemon.cil") - (substitute* "guix-daemon.cil" + (fluid-set! %default-port-encoding "UTF-8") + (copy-file #+(file-append* source file) #$name) + (substitute* #$name (("@guix_sysconfdir@") #$%sysconfdir) (("@guix_localstatedir@") #$%localstatedir) + (("@localstatedir@") #$%localstatedir) (("@storedir@") #$%storedir) - (("@prefix@") #$daemon)) - (copy-file "guix-daemon.cil" #$output)))) + (("@prefix@") #$daemon) + (("@GUIX_SUBSTITUTE_URLS@") + #$(string-join %default-substitute-urls))) + (copy-file #$name #$output)))) - (computed-file "guix-daemon.cil" build)) + (computed-file name build)) + +(define (selinux-policy source daemon) + "Return the SELinux policy file taken from SOURCE and adjusted to refer to +DAEMON and to the current configuration variables." + (parameterized-file source daemon + "etc/guix-daemon.cil.in" + "guix-daemon.cil")) + +(define (systemd-file source daemon file) + "Return the given systemd file from SOURCE parameterized for DAEMON." + (parameterized-file source daemon + (string-append "etc/" file ".in") + file)) (define (miscellaneous-files source daemon) "Return data files taken from SOURCE." 
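Review bot: the `substitute*` call in `parameterized-file` silently leaves any `@...@` placeholder that is not in its list untouched, so a `.service.in` template that later gains a new variable would be installed with a literal `@foo@` in it and only misbehave once systemd parses the unit; consider adding a check at the end of the build gexp, after the `substitute*` and before `(copy-file #$name #$output)`, that no `@[A-Za-z_]+@` token remains in #$name and failing the derivation otherwise. Note also that `(("@GUIX_SUBSTITUTE_URLS@") #$(string-join %default-substitute-urls))` freezes the default substitute URLs into the installed unit at `guix pull` time; that is the intended behaviour, but a one-line comment would help since the same helper now serves both the SELinux policy and the systemd units.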
@@ -698,6 +714,12 @@ (define (miscellaneous-files source daemon) ,(file-append* source "/etc/completion/fish/guix.fish")) ("share/selinux/guix-daemon.cil" ,(selinux-policy source daemon)) + ,@(map (lambda (file) + `(,(string-append "lib/systemd/system/" file) + ,(systemd-file source daemon file))) + '("guix-gc.service" + "guix-publish.service" + "guix-daemon.service")) ("share/guix/berlin.guix.gnu.org.pub" ,(file-append* source "/etc/substitutes/berlin.guix.gnu.org.pub"))
From patchwork Fri Apr 18 19:46:47 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41787
Subject: [bug#77288] [PATCH v3 2/8] doc: Document migration to the unprivileged daemon.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Maxim Cournoyer
Date: Fri, 18 Apr 2025 21:46:47 +0200
X-Mailer: git-send-email 2.49.0

* doc/guix.texi (Build Environment Setup): Add “Migrating to the
Unprivileged Daemon” section.
(Upgrading Guix): Link to it.

Change-Id: I2bac3f4419d85b7c718c6c4a3908387b4f6ee582
---
 doc/guix.texi | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 070528667f..377cb65326 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1026,13 +1026,75 @@ Build Environment Setup In this configuration, @file{/gnu/store} is owned by the @code{guix-daemon} user. +@anchor{unprivileged-daemon-migration} +@unnumberedsubsubsec Migrating to the Unprivileged Daemon + +@cindex unprivileged daemon, migration +@cindex rootless daemon, migration +To switch an existing installation to the unprivileged execution mode, a +number of steps must be taken: creating a new dedicated +@code{guix-daemon} user account, changing ownership of the relevant +files to @code{guix-daemon}, and ensuring that the @command{guix-daemon} +program runs as @code{guix-daemon}. + +@quotation Warning +Follow the instructions below only after making sure you have a recent +version of @command{guix-daemon} with support for unprivileged +execution. +@end quotation + +File ownership can be changed, after stopping the daemon, by running the +following commands as root (the @command{chown} can take a while if +there are many files in @file{/gnu/store}): + +@example +groupadd --system guix-daemon +useradd -g guix-daemon -G guix-daemon,kvm \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon + +chown -R guix-daemon:guix-daemon \ + /gnu \ + /var/guix/@{daemon-socket,db,discover@} \ + /var/guix/@{gcroots,offload,substitute,temproots@} \ + /var/log/guix \ + /etc/guix +@end example + +If your system uses the systemd service manager, running the daemon as +@code{guix-daemon} will be a matter of copying the relevant +configuration files---make sure to review any changes you might have +made in your own @file{.service} files before overwriting them: + +@example +cp /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/*.service \ + /etc/systemd/system +systemctl daemon-reload +systemctl start guix-daemon +@end example + +@quotation Warning +The commands above assume that @command{guix pull} was run for the root +user. 
You can check whether this is the case by running this command: + +@example +grep User=guix-daemon \ + /var/guix/profiles/per-user/root/current-guix/lib/systemd/system/guix-daemon.service +@end example + +If that command does not show the @code{User=guix-daemon} line, then run +@command{guix pull} as the root user. +@end quotation + @unnumberedsubsubsec The Isolated Build Environment @cindex chroot @cindex build environment isolation @cindex isolated build environment @cindex hermetic build environment -In both cases, the daemon starts build processes without privileges in +In both cases, privileged and unprivileged, +the daemon starts build processes without privileges in an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. On GNU/Linux, by default, the build environment contains nothing but: 
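Review bot: in the first `@example`, `-s $(which nologin)` expands to nothing when `which` is not installed or `nologin` is not on root's `PATH` (it commonly lives in `/usr/sbin` or `/sbin`), and an empty unquoted expansion makes `-s` consume the following `-c` as the shell name; spelling the path out, or using `$(command -v nologin)` with an explicit fallback, avoids a silently wrong account. The prose says ownership is changed "after stopping the daemon", but the example never shows that step while the second example does show `systemctl start guix-daemon`; adding `systemctl stop guix-daemon` before the `chown -R` would make the procedure self-contained and keep readers from running a recursive chown of /gnu/store under a live daemon.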
@@ -2035,6 +2097,10 @@ Upgrading Guix On Guix System, upgrading the daemon is achieved by reconfiguring the system (@pxref{Invoking guix system, @code{guix system reconfigure}}). +To migrate an existing installation to the @emph{unprivileged daemon} +where @command{guix-daemon} does not run as root, +@pxref{unprivileged-daemon-migration}. + @c TODO What else? @c *********************************************************************
From patchwork Fri Apr 18 19:46:48 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41783
Subject: [bug#77288] [PATCH v3 3/8] syscalls: Add ‘unshare’.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 18 Apr 2025 21:46:48 +0200
Message-ID: <35ccba134d61d8b0d98383d3978fe7984c4d63c5.1745005408.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

* guix/build/syscalls.scm (unshare): New procedure.

Change-Id: I344273b8bdeaa9366334e6e20ee7efc37eb6c8f7
---
 guix/build/syscalls.scm | 18 ++++++++++++++++++
 tests/syscalls.scm      |  9 +++++++++
 2 files changed, 27 insertions(+)

diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 42232fc7f1..cf09cae3a4 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -145,6 +145,7 @@ (define-module (guix build syscalls) CLONE_NEWPID CLONE_NEWNET clone + unshare setns kexec-load-file
@@ -1213,6 +1214,23 @@ (define clone (list err)) ret))))) +(define unshare + (let ((proc (syscall->procedure int "unshare" (list int)))) + (lambda (flags) + "Disassociate the current process from parts of its execution context +according to FLAGS, which must be a logical or of CLONE_NEW* constants. + +Note that CLONE_NEWUSER requires that the calling process be single-threaded, +which is possible if and only if libgc is running a single marker thread; this +can be achieved by setting the GC_MARKERS environment variable to 1. If the +calling process is multi-threaded, this throws to 'system-error' with EINVAL." + (let-values (((ret err) + (without-automatic-finalization (proc flags)))) + (unless (zero? ret) + (throw 'system-error "unshare" "~a: ~A" + (list flags (strerror err)) + (list err))))))) + (define setns ;; Some systems may be using an old (pre-2.14) version of glibc where there ;; is no 'setns' function available. diff --git a/tests/syscalls.scm b/tests/syscalls.scm index d2848879d7..879c3e4f25 100644 --- a/tests/syscalls.scm +++ b/tests/syscalls.scm 
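Review bot: the docstring documents only the EINVAL case for CLONE_NEWUSER, yet the failure a caller is most likely to hit is EPERM (no CAP_SYS_ADMIN in the caller's user namespace, which is exactly what the new test in tests/syscalls.scm relies on); since the `(unless (zero? ret) ...)` branch folds every failure into a single 'system-error carrying the raw errno, listing EPERM next to EINVAL in the docstring would tell callers to dispatch on `system-error-errno` for both. The `"~a: ~A"` message prints FLAGS as a bare decimal integer; printing it in hex, or mapping it back to the CLONE_NEW* names, would make the error message self-explanatory in logs.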
@@ -149,6 +149,15 @@ (define perform-container-tests? ((_ . status) (= 42 (status:exit-val status)))))))) +(test-equal "unshare" + EPERM + ;; Unless running as root, (unshare CLONE_NEWNS) returns EPERM. + (catch 'system-error + (lambda () + (unshare CLONE_NEWNS)) + (lambda args + (system-error-errno args)))) + (unless perform-container-tests? (test-skip 1)) (test-assert "setns"
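Review bot: the comment itself says the EPERM result holds only "unless running as root", but the test is not guarded by `perform-container-tests?` or a uid check the way the "setns" test just below is; when the suite runs as root, or inside a user namespace where the process holds CAP_SYS_ADMIN, `(unshare CLONE_NEWNS)` succeeds, no 'system-error is raised, `test-equal` fails, and the test process is left in a fresh mount namespace for every test that follows. Consider skipping it when `(zero? (getuid))` or when `perform-container-tests?` is true, or asserting the positive case (a successful unshare) under those conditions instead.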
From patchwork Fri Apr 18 19:46:49 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41789
Subject: [bug#77288] [PATCH v3 4/8] services: account: Create /var/guix/profiles/per-user/$USER.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 18 Apr 2025 21:46:49 +0200
X-Mailer: git-send-email 2.49.0

* gnu/system/shadow.scm (account-shepherd-service): Create
/var/guix/profiles/per-user/$USER in ‘user-homes’ service.

Change-Id: I22e66e8a34d63686df9bae64c68df65c8889e72a
---
 gnu/system/shadow.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm
index b68a818871..d0f1b6b2b1 100644
--- a/gnu/system/shadow.scm
+++ b/gnu/system/shadow.scm
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013-2020, 2022, 2023 Ludovic Courtès +;;; Copyright © 2013-2020, 2022-2023, 2025 Ludovic Courtès ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020, 2023 Efraim Flashner
@@ -460,6 +460,12 @@ (define (account-shepherd-service accounts+groups) (define accounts (filter user-account? accounts+groups)) + (define regular-account-names + (filter-map (lambda (account) + (and (not (user-account-system? account)) + (user-account-name account))) + accounts)) + ;; Create home directories only once 'file-systems' is up. This makes sure ;; they are created in the right place if /home lives on a separate ;; partition. 
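Review bot: `regular-account-names` drops every account for which `user-account-system?` is true, so a system account that nonetheless runs `guix` (a CI or build-farm user, for instance) gets no /var/guix/profiles/per-user/NAME here, and per the comment in the following hunk the unprivileged daemon cannot create it on demand either, so `guix pull` or `guix package` for that account will fail with a permissions error that is hard to trace back to this filter. Either document the limitation next to this definition or drop the `user-account-system?` test and create the directory for every account, since an empty 0755 directory owned by a system user costs nothing.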
@@ -480,6 +486,17 @@ (define (account-shepherd-service accounts+groups) (activate-user-home (map sexp->user-account (list #$@(map user-account->gexp accounts)))) + + ;; Create the user's profile directory upfront: + ;; guix-daemon lacks permissions to create it when it is + ;; running as an unprivileged user. + (for-each (lambda (account) + (let ((profile (in-vicinity + "/var/guix/profiles/per-user" + account)) + (owner (getpwnam account))) + (mkdir-p/perms profile owner #o755))) + '#$regular-account-names) #t))) ;success (documentation "Create user home directories."))))
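Review bot: `(getpwnam account)` raises when the name has no passwd entry, and because the lookup sits inside the `for-each` with no handler, a single name that is absent from the account database when 'user-homes' runs aborts the whole loop, leaves every later user without a profile directory, and makes the service return an error instead of the `#t` on the next line. Wrapping the lookup and `mkdir-p/perms` call in a `catch` that logs and continues, or taking the uid/gid from the account record that `activate-user-home` was just given rather than re-resolving the name, would make one bad entry non-fatal; a short comment stating why `mkdir-p/perms` with the resolved OWNER is used rather than plain `mkdir-p` plus `chown` would also help future readers keep that property.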
From patchwork Fri Apr 18 19:46:50 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41788
Subject: [bug#77288] [PATCH v3 5/8] tests: guix-daemon: Send system log output to /dev/console.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 18 Apr 2025 21:46:50 +0200
X-Mailer: git-send-email 2.49.0

* gnu/tests/base.scm (%daemon-os): New variable.
(%test-guix-daemon): Use it.

Change-Id: Iea31808cc59e94971ea4cbc12d565c94348bf7a4
---
 gnu/tests/base.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index a7f8a5bf7c..0f7fb543a7 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -994,6 +994,10 @@ (define %test-activation ;;; Build daemon. ;;; +(define %daemon-os + (operating-system-with-console-syslog + (simple-operating-system))) + (define (manifest-entry-without-grafts entry) "Return ENTRY with grafts disabled on its contents." (manifest-entry
@@ -1168,7 +1172,7 @@ (define %test-guix-daemon (let ((os (marionette-operating-system (operating-system (inherit (operating-system-with-gc-roots - %simple-os + %daemon-os (list (profile (name "hello-build-dependencies") (content %hello-dependencies-manifest))))) From patchwork Fri Apr 18 19:46:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41784 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 029F127BC4A; Fri, 18 Apr 2025 20:48:51 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id BEF5927BC4A for ; Fri, 18 Apr 2025 20:48:51 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u5rhE-0005WA-QK; Fri, 18 Apr 2025 15:48:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5rh5-0005Tp-Re for guix-patches@gnu.org; Fri, 18 Apr 2025 15:48:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1u5rh2-0000bT-Ji for guix-patches@gnu.org; Fri, 18 Apr 2025 15:48:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; 
bh=gKI5dMXI0sDlCCCNGZpFka8Qpc+H6GgunfDTs5URY5s=; b=ADZCczW23R8itLxizzeoJJ93KB8eWy8PrUKxiMUKuutqkx2SrCDj/Do4tT+a/Pidf3j7gtXkEJo1/rNY2QYG9CH/brd+uF3Ox1Lcx0tGt1BJG4auGYYofyWkXuFbTvmnMhxyVb4uWr6Nmn6FcU/2PcG2oOcYiA69Yc/4o/psoTATzKhzQhz2D8O85mB97RD/t5vSRbytS+vTANcqqtKt2rZEeRoOxDCNr3YQxQ3KmPKq4tlejH1X/2MuIrEiNMNnuuCfUWBlE2UnfOiJwrfQTRNf5FNLaap7XHPdBa5XLyPlZByVrLsHaddyuOTZhu/S2s1oq+RGOHuli9PWdkUtmw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1u5rh2-0008Mq-2y for guix-patches@gnu.org; Fri, 18 Apr 2025 15:48:08 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH v3 6/8] tests: guix-daemon: Wait for the =?utf-8?b?4oCYZ3VpeC1kYWVtb27igJk=?= service to be up. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 18 Apr 2025 19:48:07 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.174500567431979 (code B ref 77288); Fri, 18 Apr 2025 19:48:07 +0000 Received: (at 77288) by debbugs.gnu.org; 18 Apr 2025 19:47:54 +0000 Received: from localhost ([127.0.0.1]:52956 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u5rgn-0008Jc-Mj for submit@debbugs.gnu.org; Fri, 18 Apr 2025 15:47:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46978) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1u5rgD-0008Ce-Gk for 77288@debbugs.gnu.org; Fri, 18 Apr 2025 15:47:21 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5rg8-0000Vq-0p; Fri, 18 Apr 2025 15:47:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=gKI5dMXI0sDlCCCNGZpFka8Qpc+H6GgunfDTs5URY5s=; b=ECgGffhubijqIW7jXMgh etoYB6bwZ9g9iZOLNxcSsTPgRyde8ZW5aVsYEu+HnlxONagQblfBGVoVv/piK2/pqXl7uLl9BdfH2 Iksh1novIkjODauan+WqEsX2TTmxDcVdKGkIbLPWF5d9+ZEBeWmaPbL9aI4l5BrbjPNNhQSB9Vmtq yDaNNRy7biSjDtlg8Ab4ZP22dzuUCagh5bexDvBFTXRcMqdnR5I1FQPMu4udpHIFF7FKIg7zJDrOm yGOuztM3IDNrgye5X1c42MIphfxJ4FD5ZTBa7rQPPxxR0ORcnI+1rVb7r4d9KlYMrRoch9p33ZC0A FBxsAk1VUm4TyA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 18 Apr 2025 21:46:51 +0200 Message-ID: <17014000023c59ff457c3f88ccbede408290c495.1745005408.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/tests/base.scm (run-guix-daemon-test): Add “guix-daemon service is up” test. Change-Id: I4d44a1248599fec45c854c285d4da201c30eb00c --- gnu/tests/base.scm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 0f7fb543a7..83e047f7e6 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm 
@@ -1157,6 +1157,13 @@ (define (run-guix-daemon-test os) (test-runner-current (system-test-runner #$output)) (test-begin "guix-daemon") + (test-assert "guix-service is running" + ;; Wait for 'guix-daemon' to be up. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'guix-daemon)) + marionette)) + #$(guix-daemon-test-cases #~marionette) (test-end)))) From patchwork Fri Apr 18 19:46:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41790 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6881727BC4B; Fri, 18 Apr 2025 20:49:15 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 45A8C27BC49 for ; Fri, 18 Apr 2025 20:49:14 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u5ri4-00065T-KA; Fri, 18 Apr 2025 15:49:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u5rhy-000609-CU for guix-patches@gnu.org; Fri, 18 Apr 2025 15:49:06 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1u5rhx-0000jm-To; Fri, 18 Apr 2025 15:49:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
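Review bot: the new test's name, "guix-service is running", matches neither the service it starts (`guix-daemon`) nor the commit message ("guix-daemon service is up"); rename it so the test log reads consistently. More substantively, `start-service` returns the service's running value as soon as Shepherd considers it started, and for a service that is already running it returns immediately, so the assertion only establishes that Shepherd has a live `guix-daemon` service, not that the daemon is accepting connections. If the intent of "Wait for 'guix-daemon' to be up" is readiness, follow the `start-service` call with a connection attempt to the daemon socket (`/var/guix/daemon-socket/socket`, per the service definition) and make that the asserted value.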
d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=TeaYHy12+V9mlNecR4m93RlQppVhAs0eNAhkDZbalDQ=; b=hg0R8AwfARSzxhP9hstIZL+dJyPYQmzij2P5Vvx+9xMqu7SZiadVktB8X7Eh3yuyUee3fzNpQp809+LKeOu++obQsRmLe87hajDUO/52YaYSEvZEtUZS1g23K9w6DCF9FYshlZelKoXtgmNUsYkNrMAa55vqs9VDTqJL3LnVRp2pKuseBmKIq6xIHSVXl6aQ2ljoBgU1xOzgbTDk71Zkg3QNLm/awwHdGQwC9Gt98vPbLTSxuW8uqqxxGHlPDKGOG7dtW3dnQ0QiJw1G9upbZS8LpeRIiCCwKvGaGq/05V1ZTZrcZpkf6otzvu+BA+EP9/ioRmsX7HGeaE8K+GuSMg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1u5rhx-0008WD-H7; Fri, 18 Apr 2025 15:49:05 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH v3 7/8] services: guix: Allow =?utf-8?b?4oCYZ3Vp?= =?utf-8?b?eC1kYWVtb27igJk=?= to run without root privileges. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: ludo@gnu.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org Resent-Date: Fri, 18 Apr 2025 19:49:05 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Ludovic =?utf-8?q?Court?= =?utf-8?q?=C3=A8s?= , Maxim Cournoyer X-Debbugs-Original-Xcc: Ludovic =?utf-8?q?Court=C3=A8s?= , Maxim Cournoyer Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.174500569732287 (code B ref 77288); Fri, 18 Apr 2025 19:49:05 +0000 Received: (at 77288) by debbugs.gnu.org; 18 Apr 2025 19:48:17 +0000 Received: from localhost ([127.0.0.1]:52974 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u5rh2-0008N4-Gz for submit@debbugs.gnu.org; Fri, 18 Apr 2025 15:48:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46990) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1u5rgF-0008D9-Jk for 77288@debbugs.gnu.org; Fri, 18 Apr 2025 15:47:26 -0400 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 18 Apr 2025 21:46:52 +0200 Message-ID: <03a37d2a52c3cc6ce42a4e0699ca085cfaeac178.1745005408.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/base.scm (run-with-writable-store) (guix-ownership-change-program): New procedures. ()[privileged?]: New field. (guix-shepherd-service): Rename to… (guix-shepherd-services): … this. Add the ‘guix-ownership’ service. Change ‘guix-daemon’ service to depend on it; when unprivileged, prefix ‘daemon-command’ by ‘run-with-writable-store’ and omit ‘--build-users-group’; adjust socket activation endpoints. (guix-accounts): When unprivileged, create the “guix-daemon” user and group in addition to the others. (guix-service-type)[extensions]: Adjust to name change. * gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter. (%test-guix-daemon): Adjust accordingly. (%test-guix-daemon-unprivileged): New test. * doc/guix.texi (Base Services): Document ‘privileged?’. (Migrating to the Unprivileged Daemon): Explain that this is automatic on Guix System. Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163 --- doc/guix.texi | 38 +++++++++ gnu/services/base.scm | 192 ++++++++++++++++++++++++++++++++++++++---- gnu/tests/base.scm | 47 +++++++++-- 3 files changed, 257 insertions(+), 20 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 377cb65326..8243bd0547 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -1037,6 +1037,14 @@ Build Environment Setup files to @code{guix-daemon}, and ensuring that the @command{guix-daemon} program runs as @code{guix-daemon}. +On Guix System, these steps are carried out automatically when you set +the @code{privileged?} field of the @code{guix-configuration} record to +@code{#f} and reconfigure (@pxref{guix-configuration-type, +@code{guix-configuration}}). + +However, on a foreign distribution, the process is manual. The +following paragraphs describe what you need to do. + @quotation Warning Follow the instructions below only after making sure you have a recent version of @command{guix-daemon} with support for unprivileged 
@@ -20105,6 +20113,36 @@ Base Services The Guix package to use. @xref{Customizing the System-Wide Guix} to learn how to provide a package with a pre-configured set of channels. +@cindex unprivileged @command{guix-daemon} +@cindex rootless @command{guix-daemon} +@item @code{privileged?} (default: @code{#t}) +Whether to run @command{guix-daemon} as root. + +When true, @command{guix-daemon} runs with root privileges and build +processes run under unprivileged user accounts as specified by +@code{build-group} and @code{build-accounts} (see below); when false, +@command{guix-daemon} run as the @code{guix-daemon} user, which is +unprivileged, and so do build processes. The unprivileged or +``rootless'' mode can reduce the impact of some classes of +vulnerabilities that could affect the daemon. + +The default is currently @code{#t} (@command{guix-daemon} runs with root +privileges) but may eventually be changed to @code{#f}. + +@quotation Warning +When changing this option, @file{/gnu/store}, @file{/var/guix}, and +@file{/etc/guix} have their ownership automatically changed by the +@code{guix-ownership} service to either the @code{guix-daemon} user or +the @code{root} user (@pxref{unprivileged-daemon-migration}). + +This can take a while, especially if @file{/gnu/store} is big; it cannot +be interrupted and @command{guix-daemon} cannot be used until it has +completed. +@end quotation + +@xref{Build Environment Setup}, for more information on the two ways to +run @command{guix-daemon}. + @item @code{build-group} (default: @code{"guixbuild"}) Name of the group for build user accounts. diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 490376d446..df44e88b2e 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1918,6 +1918,100 @@ (define (guix-machines-files-installation machines) #$machines)) machines-file)))) +(define (run-with-writable-store) + "Return a wrapper that runs the given command under the specified UID and +GID in a context where the store is writable, even if it was bind-mounted +read-only via %IMMUTABLE-STORE (this wrapper must run as root)." + (program-file "run-with-writable-store" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls) + (ice-9 match)) + + (define (ensure-writable-store store) + ;; Create a new mount namespace and remount STORE with + ;; write permissions if it's read-only. + (unshare CLONE_NEWNS) + (let ((fs (statfs store))) + (unless (zero? (logand (file-system-mount-flags fs) + ST_RDONLY)) + (mount store store "none" + (logior MS_BIND MS_REMOUNT))))) + + (match (command-line) + ((_ user group command args ...) + (ensure-writable-store #$(%store-prefix)) + (let ((uid (or (string->number user) + (passwd:uid (getpwnam user)))) + (gid (or (string->number group) + (group:gid (getgrnam group))))) + (setgroups #()) + (setgid gid) + (setuid uid) + (apply execl command command args)))))))) + +(define (guix-ownership-change-program) + "Return a program that changes ownership of the store and other data files +of Guix to the given UID and GID." + (program-file "validate-guix-ownership" + (with-imported-modules (source-module-closure + '((guix build utils))) + #~(begin + (use-modules (guix build utils) + (ice-9 ftw) + (ice-9 match)) + + (define (lchown file uid gid) + (let ((parent (open (dirname file) O_DIRECTORY))) + (chown-at parent (basename file) uid gid + AT_SYMLINK_NOFOLLOW) + (close-port parent))) + + (define (change-ownership directory uid gid) + ;; chown -R UID:GID DIRECTORY + (file-system-fold (const #t) ;enter? + (lambda (file stat result) ;leaf + (if (eq? 
'symlink (stat:type stat)) + (lchown file uid gid) + (chown file uid gid))) + (const #t) ;down + (lambda (directory stat result) ;up + (chown directory uid gid)) + (const #t) ;skip + (lambda (file stat errno result) + (format (current-error-port) "i/o error: ~a: ~a~%" + file (strerror errno)) + #f) + #t ;seed + directory + lstat)) + + (define (claim-data-ownership uid gid) + (format #t "Changing file ownership for /gnu/store \ +and data directories to ~a:~a...~%" + uid gid) + (change-ownership #$(%store-prefix) uid gid) + (let ((excluded '("." ".." "profiles" "userpool"))) + (for-each (lambda (directory) + (change-ownership (in-vicinity "/var/guix" directory) + uid gid)) + (scandir "/var/guix" + (lambda (file) + (not (member file + excluded)))))) + (chown "/var/guix" uid gid) + (change-ownership "/etc/guix" uid gid) + (mkdir-p "/var/log/guix") + (change-ownership "/var/log/guix" uid gid)) + + (match (command-line) + ((_ (= string->number (? integer? uid)) + (= string->number (? integer? gid))) + (setlocale LC_ALL "C.UTF-8") ;for file name decoding + (setvbuf (current-output-port) 'line) + (claim-data-ownership uid gid))))))) + (define-record-type* guix-configuration make-guix-configuration guix-configuration? @@ -1959,6 +2053,8 @@ (define-record-type* (default #f)) (tmpdir guix-tmpdir ;string | #f (default #f)) + (privileged? guix-configuration-privileged? + (default #t)) (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings @@ -2021,7 +2117,7 @@ (define shepherd-discover-action (environ environment) #t))))) -(define (guix-shepherd-service config) +(define (guix-shepherd-services config) "Return a for the Guix daemon service with CONFIG." (define locales (let-system (system target) 
@@ -2030,16 +2126,57 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) (match-record config - (guix build-group build-accounts chroot? authorize-key? authorized-keys + (guix privileged? + build-group build-accounts chroot? authorize-key? authorized-keys use-substitutes? substitute-urls max-silent-time timeout log-compression discover? extra-options log-file http-proxy tmpdir chroot-directories environment socket-directory-permissions socket-directory-group socket-directory-user) (list (shepherd-service + (provision '(guix-ownership)) + (requirement '(user-processes user-homes)) + (one-shot? #t) + (start #~(lambda () + (let* ((store #$(%store-prefix)) + (stat (lstat store)) + (privileged? #$(guix-configuration-privileged? + config)) + (change-ownership #$(guix-ownership-change-program)) + (with-writable-store #$(run-with-writable-store))) + ;; Check whether we're switching from privileged to + ;; unprivileged guix-daemon, or vice versa, and adjust + ;; file ownership accordingly. Spawn a child process + ;; if and only if something needs to be changed. + ;; + ;; Note: This service remains in 'starting' state for + ;; as long as CHANGE-OWNERSHIP is running. That way, + ;; 'guix-daemon' starts only once we're done. + (cond ((and (not privileged?) + (or (zero? (stat:uid stat)) + (zero? (stat:gid stat)))) + (let ((user (getpwnam "guix-daemon"))) + (format #t "Changing to unprivileged guix-daemon.~%") + (zero? + (system* with-writable-store "0" "0" + change-ownership + (number->string (passwd:uid user)) + (number->string (passwd:gid user)))))) + ((and privileged? + (and (not (zero? (stat:uid stat))) + (not (zero? (stat:gid stat))))) + (format #t "Changing to privileged guix-daemon.~%") + (zero? 
(system* with-writable-store "0" "0" + change-ownership "0" "0"))) + (else #t))))) + (documentation "Ensure that the store and other data files used by +guix-daemon have the right ownership.")) + + (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) (requirement `(user-processes + guix-ownership ,@(if discover? '(avahi-daemon) '()))) (actions (list shepherd-set-http-proxy-action shepherd-discover-action)) @@ -2063,8 +2200,15 @@ (define (guix-shepherd-service config) (or (getenv "discover") #$discover?)) (define daemon-command - (cons* #$(file-append guix "/bin/guix-daemon") - "--build-users-group" #$build-group + (cons* #$@(if privileged? + #~() + #~(#$(run-with-writable-store) + "guix-daemon" "guix-daemon")) + + #$(file-append guix "/bin/guix-daemon") + #$@(if privileged? + #~("--build-users-group" #$build-group) + #~()) "--max-silent-time" #$(number->string max-silent-time) "--timeout" #$(number->string timeout) @@ -2145,9 +2289,11 @@ (define (guix-shepherd-service config) "/var/guix/daemon-socket/socket") #:name "socket" #:socket-owner - (or #$socket-directory-user 0) + (or #$socket-directory-user + #$(if privileged? 0 "guix-daemon")) #:socket-group - (or #$socket-directory-group 0) + (or #$socket-directory-group + #$(if privileged? 0 "guix-daemon")) #:socket-directory-permissions #$socket-directory-permissions))) ((make-systemd-constructor daemon-command 
@@ -2162,15 +2308,31 @@ (define (guix-shepherd-service config) (define (guix-accounts config) "Return the user accounts and user groups for CONFIG." - (cons (user-group - (name (guix-configuration-build-group config)) - (system? #t) + `(,@(if (guix-configuration-privileged? config) + '() + (list (user-group (name "guix-daemon") (system? #t)) + (user-account + (name "guix-daemon") + (group "guix-daemon") + (system? #t) + (supplementary-groups '("kvm")) + (comment "Guix Daemon User") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) - ;; Use a fixed GID so that we can create the store with the right - ;; owner. - (id 30000)) - (guix-build-accounts (guix-configuration-build-accounts config) - #:group (guix-configuration-build-group config)))) + ;; When reconfiguring from privileged to unprivileged, the running daemon + ;; (privileged) relies on the availability of the build accounts and build + ;; group until 'guix system reconfigure' has completed. The simplest way + ;; to meet this requirement is to create these accounts unconditionally so + ;; they are not removed in the middle of the 'reconfigure' process. + ,(user-group + (name (guix-configuration-build-group config)) + (system? #t) + + ;; Use a fixed GID so that we can create the store with the right owner. + (id 30000)) + ,@(guix-build-accounts (guix-configuration-build-accounts config) + #:group (guix-configuration-build-group config)))) (define (guix-activation config) "Return the activation gexp for CONFIG." @@ -2228,7 +2390,7 @@ (define guix-service-type (service-type (name 'guix) (extensions - (list (service-extension shepherd-root-service-type guix-shepherd-service) + (list (service-extension shepherd-root-service-type guix-shepherd-services) (service-extension account-service-type guix-accounts) (service-extension activation-service-type guix-activation) (service-extension profile-service-type 
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 83e047f7e6..12d4e70ee5 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016-2020, 2022, 2024 Ludovic Courtès +;;; Copyright © 2016-2020, 2022, 2024-2025 Ludovic Courtès ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2022 Maxim Cournoyer ;;; Copyright © 2022 Marius Bakke @@ -63,7 +63,8 @@ (define-module (gnu tests base) %hello-dependencies-manifest guix-daemon-test-cases - %test-guix-daemon)) + %test-guix-daemon + %test-guix-daemon-unprivileged)) (define %simple-os (simple-operating-system)) @@ -1121,7 +1122,7 @@ (define (guix-daemon-test-cases marionette) (system-error-errno args))) #$marionette)))) -(define (run-guix-daemon-test os) +(define (run-guix-daemon-test os name) (define test-image (image (operating-system os) (format 'compressed-qcow2) @@ -1161,6 +1162,12 @@ (define (run-guix-daemon-test os) ;; Wait for 'guix-daemon' to be up. (marionette-eval '(begin (use-modules (gnu services herd)) + (start-service 'guix-daemon) + + ;; XXX: Do it a second time to work around + ;; and its + ;; effect on the 'guix-ownership' service. + ;; TODO: Remove when Shepherd 1.0.4 is out. (start-service 'guix-daemon)) marionette)) @@ -1168,7 +1175,7 @@ (define (run-guix-daemon-test os) (test-end)))) - (gexp->derivation "guix-daemon-test" test)) + (gexp->derivation name test)) (define %test-guix-daemon (system-test 
@@ -1190,4 +1197,34 @@ (define %test-guix-daemon %base-user-accounts))) #:imported-modules '((gnu services herd) (guix combinators))))) - (run-guix-daemon-test os))))) + (run-guix-daemon-test os "guix-daemon-test"))))) + +(define %test-guix-daemon-unprivileged + (system-test + (name "guix-daemon-unprivileged") + (description + "Test 'guix-daemon' behavior on a multi-user system, where 'guix-daemon' +runs unprivileged.") + (value + (let ((os (marionette-operating-system + (let ((base (operating-system-with-gc-roots + %daemon-os + (list (profile + (name "hello-build-dependencies") + (content %hello-dependencies-manifest)))))) + (operating-system + (inherit base) + (kernel-arguments '("console=ttyS0")) + (users (cons (user-account + (name "user") + (group "users")) + %base-user-accounts)) + (services + (modify-services (operating-system-user-services base) + (guix-service-type + config => (guix-configuration + (inherit config) + (privileged? #f))))))) + #:imported-modules '((gnu services herd) + (guix combinators))))) + (run-guix-daemon-test os "guix-daemon-unprivileged-test"))))) From patchwork Fri Apr 18 19:46:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 41785 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 85D2D27BC4B; Fri, 18 Apr 2025 20:48:54 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id E8A6227BC49 for ; 
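Review bot: in the doc hunk at `@@ -20105`, "@command{guix-daemon} run as the @code{guix-daemon} user" should read "runs". The warning's statement that @file{/var/guix} has its ownership changed is also broader than what the code does: `claim-data-ownership` skips `/var/guix/profiles` and `/var/guix/userpool` (see the `excluded` list in `guix-ownership-change-program`), so wording such as "@file{/var/guix} (except per-user profiles and the user pool)" would match the implementation and reassure readers that their per-user profile directories keep their owner.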
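Review bot: in `run-with-writable-store` (hunk `@@ -1918`), `(setgroups #())` clears every supplementary group before `setgid`/`setuid`, so the `kvm` membership that `guix-accounts` grants the `guix-daemon` account (`(supplementary-groups '("kvm"))` in the `@@ -2162` hunk) is not in effect for a daemon started through this wrapper, and unprivileged builds that need `/dev/kvm` would fail even though the account looks correctly configured. Initializing the group list from the target account's memberships (the equivalent of initgroups(3), built from `getgrent`/`getgrnam`) before dropping privileges keeps the intended groups while still discarding root's. Two smaller points in `ensure-writable-store`: please confirm that the `MS_BIND | MS_REMOUNT` after `(unshare CLONE_NEWNS)` cannot propagate back to the parent namespace when the root mount has shared propagation, otherwise the read-only store becomes writable system-wide; marking the tree private first is the conservative choice. And `(string->number user)` accepts non-integers, so a `(? integer?)` guard like the one in `guix-ownership-change-program` would reject malformed arguments early.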
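Review bot: the `guix-ownership` start procedure (hunk `@@ -2030`) decides which way to convert from the uid/gid of the store root alone. Because `change-ownership` chowns each directory in its `up` handler, after its contents, the store root is the last entry to change, so an interrupted conversion leaves the root with its old owner and is retried at the next boot. That is a useful property and deserves a comment next to the `lstat`, since a future reordering (chowning the root first) would silently break the retry. Two `cond` edge cases are worth documenting as well: with `privileged?` true, a root directory whose uid is 0 but whose gid is non-zero (or vice versa) falls through to `(else #t)` and is left mixed; with `privileged?` false, `(or (zero? uid) (zero? gid))` triggers a full re-chown on any boot where only one of the two is zero.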
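Review bot: in the `@@ -2145` hunk, `#:socket-owner` and `#:socket-group` now receive the string "guix-daemon" in the unprivileged case where they previously received the integer 0; please confirm that Shepherd's `endpoint` accepts user and group names there rather than only numeric ids, otherwise resolve them with `getpwnam`/`getgrnam` the way `run-with-writable-store` does, so the socket directory does not end up owned by root and unreachable for the daemon.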
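Review bot: `%test-guix-daemon-unprivileged` (hunk `@@ -1190`) runs the same `guix-daemon-test-cases` as the privileged test, so nothing asserts that the daemon actually dropped privileges: a regression that ignored `privileged? #f`, or a `guix-ownership` run that silently failed, would still pass as long as builds succeed. A test case that checks inside the VM that the `guix-daemon` process runs with a non-zero uid and that `/gnu/store` is owned by the `guix-daemon` user (the state `guix-ownership` is meant to establish) would catch that, and a second one on the privileged test asserting uid 0 and root ownership would pin down both directions of the conversion.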
Subject: [bug#77288] [PATCH v3 8/8] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
From: Ludovic Courtès
To: 77288@debbugs.gnu.org
Cc: Ludovic Courtès, Florian Pelz, Julien Lepiller
Date: Fri, 18 Apr 2025 21:46:53 +0200
Message-ID: <7d2a308296fb34cd6721db06f83922311eacb2d1.1745005408.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
Co-authored-by: Florian Pelz
---
 etc/news.scm | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index 4b3da44540..fcac283636 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -37,6 +37,94 @@ (channel-news (version 0) + (entry (commit "XXX") + (title + (en "Guix System can run @command{guix-daemon} without root +privileges") + (de "Guix System kann @command{guix-daemon} ohne root-Berechtigungen +ausführen") + (fr "Guix System peut faire tourner @command{guix-daemon} sans +privilèges")) + (body + (en "On Guix System, @code{guix-service-type} can now be configured +to run the build daemon, @command{guix-daemon}, without root privileges. In +that configuration, the daemon runs with the authority of the +@code{guix-daemon} user, which we think can reduce the impact of some classes +of vulnerabilities that could affect it. + +For now, this is opt-in: you have to change @code{guix-configuration} to set +the @code{privileged?} field to @code{#f}. When you do this, all the files in +@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to +the @code{guix-daemon} user (instead of @code{root}); this can take a while, +especially if the store is big. To learn more about it, run: + +@example +info guix --index-search=guix-service-type +@end example + +Running @command{guix-daemon} without root privileges will likely become the +default in the future. + +Users of Guix on other distributions can find information on how to migrate in +the manual: + +@example +info guix --index-search=migration +@end example") + (de "Auf Guix System kann @code{guix-service-type} jetzt so +konfiguriert werden, dass der Erstellungs-Daemon @command{guix-daemon} ohne +root-Berechtigungen ausgeführt wird. In dieser Konfiguration läuft der Daemon +mit den Berechtigungen des Benutzers @code{guix-daemon}, wovon wir glauben, +dass es die Auswirkungen mancher Schwachstellen-Kategorien verringert, die ihn +betreffen könnten. + +Fürs Erste bleibt es Ihnen überlassen: Sie müssen @code{guix-configuration} +anpassen und dort das Feld @code{privileged?} auf @code{#f} setzen. 
Wenn Sie +das tun, wird der Besitzer aller Dateien in @file{/gnu/store}, +@file{/var/guix}, usw. auf den Benutzer @code{guix-daemon} geändert (anstelle +von @code{root}); das kann eine Weile dauern, besonders wenn der Store groß +ist. Um mehr zu erfahren, führen Sie aus: + +@example +info guix --index-search=guix-service-type +@end example + +Schließlich wird das Ausführen von @command{guix-daemon} ohne +root-Berechtigungen wahrscheinlich die Vorgabe. + +Wer Guix auf anderen Distributionen benutzt, kann sich mit dem Handbuch +informieren, wie man umsteigt: + +@example +info guix --index-search=migration +@end example") + (fr "Sur Guix System, @code{guix-service-type} peut maintenant être +configuré pour faire tourner le démon de compilation, @command{guix-daemon}, +sans privilèges ``root''. Dans cette configuration, le démon s'exécute avec +l'autorité du compte @code{guix-daemon}, ce qui selon nous réduit l'impact de +certaines classes de vulnérabilités qui pourraient l'affecter. + +Pour le moment, c'est à activer explicitement : il faut changer +@code{guix-configuration} pour mettre le champ @code{privileged?} à @code{#f}. +Tous les fichiers de @file{/gnu/store}, @file{/var/guix}, etc. voient alors +leur propriétaire changé pour @code{guix-daemon} (au lieu de @code{root}) ; +cette opération peut prendre un moment, particulièrement si le dépôt est gros. +Pour en savoir plus, lancer : + +@example +info guix --index-search=guix-service-type +@end example + +L'exécution de @command{guix-daemon} sans privilèges se fera probablement par +défaut à l'avenir. + +Pour l'utilisation de Guix sur d'autres distributions, des informations sur +comment migrer se trouver dans le manuel : + +@example +info guix --index-search=migration +@end example"))) + (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286") (title (en "Incompatible upgrade of the Syncthing service"))
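Review bot: the new entry is keyed on `(commit "XXX")`, a placeholder that must be replaced with the id of the commit that introduces the unprivileged-daemon change before this lands; the neighbouring entry shows the expected form (`(commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286")`), and the commit message itself marks this as a DRAFT/temporary commit. Two smaller points in the same hunk: in the French body, "des informations sur comment migrer se trouver dans le manuel" should read "se trouvent dans le manuel"; and the French title says only "sans privilèges" where the English and German titles say "without root privileges" / "ohne root-Berechtigungen", so consider "sans privilèges « root »" to match the French body, which does spell out ``root''.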