From: Ludovic Courtès
To: guix-patches@gnu.org
Subject: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Thu, 14 Mar 2019 17:10:26 +0100
Message-Id: <20190314161026.15696-1-ludo@gnu.org>

* gnu/packages/aux-files/run-in-namespace.c (exec_with_proot): New
function.
(main): When 'clone' fails, call 'rm_rf'.
[PROOT_PROGRAM]: When 'clone' fails, call 'exec_with_proot'.
* guix/scripts/pack.scm (wrapped-package): Add #:proot?.
[proot]: New procedure.
[build]: Compile with -DPROOT_PROGRAM when PROOT? is true.
* guix/scripts/pack.scm (%options): Set the 'relocatable?' value to
'proot when "-R" is passed several times.
(guix-pack): Pass #:proot? to 'wrapped-package'.
* tests/guix-pack-relocatable.sh: Use "-RR" on Intel systems that lack
user namespace support.
* doc/guix.texi (Invoking guix pack): Document -RR.
---
 doc/guix.texi                             | 39 ++++++++++++++-----
 gnu/packages/aux-files/run-in-namespace.c | 47 ++++++++++++++++++++++-
 guix/scripts/pack.scm                     | 33 +++++++++++++---
 tests/guix-pack-relocatable.sh            | 21 +++++++---
 4 files changed, 119 insertions(+), 21 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 043aad1b65..3a6a35b9c6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4760,14 +4760,24 @@ symlinks, as well as empty mount points for virtual file systems like procfs. @end table +@cindex relocatable binaries @item --relocatable @itemx -R Produce @dfn{relocatable binaries}---i.e., binaries that can be placed -anywhere in the file system hierarchy and run from there. For example, -if you create a pack containing Bash with: +anywhere in the file system hierarchy and run from there. + +When this option is passed once, the resulting binaries require support for +@dfn{user namespaces} in the kernel Linux; when passed +@emph{twice}@footnote{Here's a trick to memorize it: @code{-RR}, which adds +PRoot support, can be thought of as the abbreviation of ``Really +Relocatable''. Neat, isn't it?}, relocatable binaries fall to back to PRoot +if user namespaces are unavailable, and essentially work anywhere---see below +for the implications. + +For example, if you create a pack containing Bash with: @example -guix pack -R -S /mybin=bin bash +guix pack -RR -S /mybin=bin bash @end example @noindent 
@@ -4786,12 +4796,23 @@ In that shell, if you type @code{ls /gnu/store}, you'll notice that altogether! That is probably the simplest way to deploy Guix-built software on a non-Guix machine. -There's a gotcha though: this technique relies on the @dfn{user -namespace} feature of the kernel Linux, which allows unprivileged users -to mount or change root. Old versions of Linux did not support it, and -some GNU/Linux distributions turn it off; on these systems, programs -from the pack @emph{will fail to run}, unless they are unpacked in the -root file system. +@quotation Note +By default, relocatable binaries rely on the @dfn{user namespace} feature of +the kernel Linux, which allows unprivileged users to mount or change root. +Old versions of Linux did not support it, and some GNU/Linux distributions +turn it off. + +To produce relocatable binaries that work even in the absence of user +namespaces, pass @option{--relocatable} or @option{-R} @emph{twice}. In that +case, binaries will try user namespace support and fall back to PRoot if user +namespaces are not supported. + +The @uref{https://proot-me.github.io/, PRoot} program provides the necessary +support for file system virtualization. It achieves that by using the +@code{ptrace} system call on the running program. This approach has the +advantage to work without requiring special kernel support, but it incurs +run-time overhead every time a system call is made. +@end quotation @item --expression=@var{expr} @itemx -e @var{expr} diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c index f0cff88552..551f4db88a 100644 --- a/gnu/packages/aux-files/run-in-namespace.c +++ b/gnu/packages/aux-files/run-in-namespace.c @@ -1,5 +1,5 @@ /* GNU Guix --- Functional package management for GNU - Copyright (C) 2018 Ludovic Courtès + Copyright (C) 2018, 2019 Ludovic Courtès This file is part of GNU Guix. 
@@ -212,6 +212,46 @@ disallow_setgroups (pid_t pid) } +#ifdef PROOT_PROGRAM + +/* Execute the wrapped program with PRoot, passing it ARGC and ARGV, and + "bind-mounting" STORE in the right place. */ +static void +exec_with_proot (const char *store, int argc, char *argv[]) +{ + int proot_specific_argc = 4; + int proot_argc = argc + proot_specific_argc; + char *proot_argv[proot_argc], *proot; + char bind_spec[strlen (store) + 1 + sizeof "@STORE_DIRECTORY@"]; + + strcpy (bind_spec, store); + strcat (bind_spec, ":"); + strcat (bind_spec, "@STORE_DIRECTORY@"); + + proot = concat (store, PROOT_PROGRAM); + + proot_argv[0] = proot; + proot_argv[1] = "-b"; + proot_argv[2] = bind_spec; + proot_argv[3] = "@WRAPPED_PROGRAM@"; + + for (int i = 0; i < argc; i++) + proot_argv[i + proot_specific_argc] = argv[i + 1]; + + proot_argv[proot_argc] = NULL; + + /* Seccomp support seems to invariably lead to segfaults; disable it by + default. */ + setenv ("PROOT_NO_SECCOMP", "1", 0); + + int err = execv (proot, proot_argv); + if (err < 0) + assert_perror (errno); +} + +#endif + + int main (int argc, char *argv[]) { @@ -274,6 +314,10 @@ main (int argc, char *argv[]) break; case -1: + rm_rf (new_root); +#ifdef PROOT_PROGRAM + exec_with_proot (store, argc, argv); +#else fprintf (stderr, "%s: error: 'clone' failed: %m\n", argv[0]); fprintf (stderr, "\ This may be because \"user namespaces\" are not supported on this system.\n\ @@ -281,6 +325,7 @@ Consequently, we cannot run '@WRAPPED_PROGRAM@',\n\ unless you move it to the '@STORE_DIRECTORY@' directory.\n\ \n\ Please refer to the 'guix pack' documentation for more information.\n"); +#endif return EXIT_FAILURE; default: diff --git a/guix/scripts/pack.scm b/guix/scripts/pack.scm index e2ecddfbfc..bfb8b85356 100644 --- a/guix/scripts/pack.scm +++ b/guix/scripts/pack.scm 
@@ -517,10 +517,14 @@ please email '~a'~%") ;;; (define* (wrapped-package package - #:optional (compiler (c-compiler))) + #:optional (compiler (c-compiler)) + #:key proot?) (define runner (local-file (search-auxiliary-file "run-in-namespace.c"))) + (define (proot) + (specification->package "proot-static")) + (define build (with-imported-modules (source-module-closure '((guix build utils) @@ -550,10 +554,19 @@ please email '~a'~%") (("@STORE_DIRECTORY@") (%store-directory))) (let* ((base (strip-store-prefix program)) - (result (string-append #$output "/" base))) + (result (string-append #$output "/" base)) + (proot #$(and proot? + #~(string-drop + #$(file-append (proot) "/bin/proot") + (+ (string-length (%store-directory)) + 1))))) (mkdir-p (dirname result)) - (invoke #$compiler "-std=gnu99" "-static" "-Os" "-g0" "-Wall" - "run.c" "-o" result) + (apply invoke #$compiler "-std=gnu99" "-static" "-Os" "-g0" "-Wall" + "run.c" "-o" result + (if proot + (list (string-append "-DPROOT_PROGRAM=\"" + proot "\"")) + '())) (delete-file "run.c"))) (setvbuf (current-output-port) 'line) @@ -646,7 +659,12 @@ please email '~a'~%") (exit 0))) (option '(#\R "relocatable") #f #f (lambda (opt name arg result) - (alist-cons 'relocatable? #t result))) + (match (assq-ref result 'relocatable?) + (#f + (alist-cons 'relocatable? #t result)) + (_ + (alist-cons 'relocatable? 'proot + (alist-delete 'relocatable? result)))))) (option '(#\e "expression") #t #f (lambda (opt name arg result) (alist-cons 'expression arg result))) 
@@ -821,11 +839,14 @@ Create a bundle of PACKAGE.\n")) #:graft? (assoc-ref opts 'graft?)))) (let* ((dry-run? (assoc-ref opts 'dry-run?)) (relocatable? (assoc-ref opts 'relocatable?)) + (proot? (eq? relocatable? 'proot)) (manifest (let ((manifest (manifest-from-args store opts))) ;; Note: We cannot honor '--bootstrap' here because ;; 'glibc-bootstrap' lacks 'libc.a'. (if relocatable? - (map-manifest-entries wrapped-package manifest) + (map-manifest-entries + (cut wrapped-package <> #:proot? proot?) + manifest) manifest))) (pack-format (assoc-ref opts 'format)) (name (string-append (symbol->string pack-format) diff --git a/tests/guix-pack-relocatable.sh b/tests/guix-pack-relocatable.sh index 554416627b..38dcf1e485 100644 --- a/tests/guix-pack-relocatable.sh +++ b/tests/guix-pack-relocatable.sh @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2018 Ludovic Courtès +# Copyright © 2018, 2019 Ludovic Courtès # # This file is part of GNU Guix. # 
@@ -41,17 +41,28 @@ STORE_PARENT="`dirname $NIX_STORE_DIR`" export STORE_PARENT if test "$STORE_PARENT" = "/"; then exit 77; fi -# This test requires user namespaces and associated command-line tools. -if ! unshare -mrf sh -c 'mount -t tmpfs none "$STORE_PARENT"' +if unshare -mrf sh -c 'mount -t tmpfs none "$STORE_PARENT"' then - exit 77 + # Test the wrapper that relies on user namespaces. + relocatable_option="-R" +else + case "`uname -m`" in + x86_64|i?86) + # Test the wrapper that falls back to PRoot. + relocatable_option="-RR";; + *) + # XXX: Our 'proot' package currently fails tests on non-Intel + # architectures, so skip this by default. + exit 77;; + esac fi test_directory="`mktemp -d`" export test_directory trap 'chmod -Rf +w "$test_directory"; rm -rf "$test_directory"' EXIT -tarball="`guix pack -R -S /Bin=bin sed`" +export relocatable_option +tarball="`guix pack $relocatable_option -S /Bin=bin sed`" (cd "$test_directory"; tar xvf "$tarball") # Run that relocatable 'sed' in a user namespace where we "erase" the store by
-- 
2.21.0
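Review bot: typo in the first doc/guix.texi hunk (`@@ -4760,14 +4760,24 @@`): `relocatable binaries fall to back to PRoot` should read `fall back to PRoot`. The hunk also states no cost for `-RR`; since the follow-ups in this thread put the statically linked proot at about 1 MiB per pack and say it does not build on ARM, a sentence next to the footnote explaining why `-R` stays the default, and where `-RR` is unavailable, would save users a surprise.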
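Review bot: in the second doc/guix.texi hunk (`@@ -4786,12 +4796,23 @@`), the note says PRoot works "without requiring special kernel support", and the previous hunk says `-RR` binaries "essentially work anywhere"; that overstates what a `ptrace`-based fallback can do. `ptrace` is itself a facility a host can deny (a seccomp policy or a ptrace restriction that blocks it leaves neither mechanism available), and while proot is the tracer the wrapped program cannot also be run under strace or a debugger. Suggest "work where user namespaces are unavailable but ptrace is" plus a clause about tracing next to the sentence on run-time overhead.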
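Review bot: one-past-the-end write in `exec_with_proot` (run-in-namespace.c, `@@ -212,6 +212,46 @@`): `char *proot_argv[proot_argc]` has valid indices 0..proot_argc-1, but `proot_argv[proot_argc] = NULL;` stores at index proot_argc, one pointer beyond the stack array. The loop `proot_argv[i + proot_specific_argc] = argv[i + 1];` runs i up to argc-1 and therefore already copies `argv[argc]`, the NULL terminator, into the last slot, so that line can simply go; alternatively declare `char *proot_argv[proot_argc + 1]`. Smaller point: the comment on `setenv ("PROOT_NO_SECCOMP", "1", 0);` should name the PRoot version that segfaults, and say that PRoot's seccomp mode is only an accelerator for ptrace stops, so turning it off costs speed rather than isolation.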
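Review bot: in the `case -1:` hunk (`@@ -274,6 +314,10 @@`), the user-namespace diagnostic is now compiled out under `#ifdef PROOT_PROGRAM`, so when `exec_with_proot` itself fails (proot missing from the unpacked tree, not executable on this host, `execv` refused) the user gets either an `assert_perror` abort or, in an NDEBUG build where `assert_perror` is a no-op, a silent `return EXIT_FAILURE;`. Suggest printing the proot path and `%m` before returning in both builds, and keeping a short version of the existing "user namespaces are not supported" hint since that is still the reason the fallback was attempted.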
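Review bot: in the `wrapped-package` build hunk of guix/scripts/pack.scm (`@@ -550,10 +554,19 @@`), `-DPROOT_PROGRAM` is the proot file name with `(+ (string-length (%store-directory)) 1)` characters dropped, i.e. the store prefix and its trailing slash, so `exec_with_proot` then does `concat (store, PROOT_PROGRAM)` with a relative, slash-less item path; that only yields a usable path if `concat` inserts the separator, which this patch does not show. A comment at the `string-drop` would pin down that contract. In the `%options` hunk, `'proot` is chosen at option-parsing time but `proot-static` is only resolved inside the build via `specification->package`, so on a platform where it does not build (the test script and the closing message say ARM) `guix pack -RR` fails late rather than at the command line.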
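Review bot: in tests/guix-pack-relocatable.sh (`@@ -41,17 +41,28 @@`), `-R` is used when `unshare -mrf` works and `-RR` only otherwise, so the two code paths are never both exercised on one machine: a CI host with user namespaces never runs `exec_with_proot`, and a host without never runs the clone path. Since a `-RR` wrapper tries user namespaces first and only then falls back, it would be better to always pack with `-RR` where `unshare` works and add a second run in which `clone` is made to fail, so the fallback is covered on the common CI configuration. Minor: `export relocatable_option` is unnecessary, the variable is only expanded in this shell.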
From: Ludovic Courtès
To: 34859@debbugs.gnu.org
Subject: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Fri, 15 Mar 2019 14:41:48 +0100
Message-ID: <87ftro45lv.fsf@gnu.org>
In-Reply-To: <20190314161026.15696-1-ludo@gnu.org>

Hi there!

Ludovic Courtès skribis:

> @item --relocatable
> @itemx -R
> Produce @dfn{relocatable binaries}---i.e., binaries that can be placed
> -anywhere in the file system hierarchy and run from there.  For example,
> -if you create a pack containing Bash with:
> +anywhere in the file system hierarchy and run from there.
> +
> +When this option is passed once, the resulting binaries require support for
> +@dfn{user namespaces} in the kernel Linux; when passed
> +@emph{twice}@footnote{Here's a trick to memorize it: @code{-RR}, which adds
> +PRoot support, can be thought of as the abbreviation of ``Really
> +Relocatable''.  Neat, isn't it?}, relocatable binaries fall to back to PRoot
> +if user namespaces are unavailable, and essentially work anywhere---see below
> +for the implications.

For the record, we had discussed this idea a while back¹, and I was
recently reminded of it when looking at udocker².

Udocker has a third method to achieve file system virtualization, which
is to use Debian's Fakechroot³.  Fakechroot is an LD_PRELOAD-based
thing, so it's more lightweight than PRoot but also more fragile.
I don't think it'd be interesting for us to support that method in
addition to user namespaces and PRoot.

Thoughts?

Ludo'.

¹ https://lists.gnu.org/archive/html/guix-devel/2018-04/msg00252.html
² https://github.com/indigo-dc/udocker/
³ https://github.com/dex4er/fakechroot/wiki
From: Julien Lepiller
To: Ludovic Courtès
Cc: 34859@debbugs.gnu.org
Subject: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Fri, 15 Mar 2019 15:24:54 +0100
Message-ID: <1ef41855caba45a267f90532d40a47f3@lepiller.eu>
In-Reply-To: <20190314161026.15696-1-ludo@gnu.org>

How does it work? Do you look for a proot on the system where the pack
is unpacked, or is it included in the pack? If so, how does it work,
since I guess it can't be wrapped?

One small issue in the manual:

On 2019-03-14 17:10, Ludovic Courtès wrote:
> From: Ludovic Courtès
>
> [...]
>
> +@emph{twice}@footnote{Here's a trick to memorize it: @code{-RR}, which
> adds
> +PRoot support, can be thought of as the abbreviation of ``Really
> +Relocatable''.  Neat, isn't it?}, relocatable binaries fall to back to
> PRoot
                                                           ^ this here
> +if user namespaces are unavailable, and essentially work
> anywhere---see below
> +for the implications.
From: Ludovic Courtès
To: Julien Lepiller
Cc: 34859@debbugs.gnu.org
Subject: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Fri, 15 Mar 2019 15:44:43 +0100
Message-ID: <87imwk2o4k.fsf@gnu.org>
In-Reply-To: <1ef41855caba45a267f90532d40a47f3@lepiller.eu>

Hello!

Julien Lepiller skribis:

> How does it work? Do you look for a proot on the system where the pack
> is unpacked, or is it included in the pack?

The pack includes ‘proot-static’, which takes approximately 1 MiB.

The ‘run-in-namespace.c’ wrapper determines its own location via
/proc/self/exe; from there it determines the location of the unpacked
store, and then determines the location of the statically-linked ‘proot’
program.

So it basically automates the PRoot trick described at .

Ludo’.
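The mechanism Ludo describes above, as an added example; it is not code from this thread or from Guix's run-in-namespace.c. It reimplements the three steps as plain C functions so they can be checked on constructed paths: locating the unpacked store from the wrapper's own path, probing for user namespaces, and building the proot argument vector. The pack layout (<root>/gnu/store/<item>/bin/<program>), the /tmp/pack location, the item names and the function names are assumptions; PRoot's `-b` option and the PROOT_NO_SECCOMP variable are real. The argument vector is allocated with the NULL terminator counted in, so the final store lands inside the array.

```c
/* Added example, not Guix's own run-in-namespace.c: the "-RR" fallback
   described above as testable pieces: (1) find where the pack was unpacked
   from the wrapper's own path (readlink of /proc/self/exe), (2) check for
   user namespaces, (3) if absent, exec the pack's static proot with the
   unpacked store bound onto the store prefix.  PRoot's "-b" and
   PROOT_NO_SECCOMP are real; sample paths and function names are invented.  */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* For SELF = "/tmp/pack/gnu/store/abc-bash/bin/bash" and STORE_DIR =
   "/gnu/store" return a malloc'd "/tmp/pack/gnu/store", or NULL.  The last
   match wins: a pack unpacked under the real store must bind the inner copy.  */
char *
locate_store (const char *self, const char *store_dir)
{
  size_t len = strlen (store_dir);
  const char *hit = NULL;
  for (const char *p = strstr (self, store_dir); p != NULL;
       p = strstr (p + 1, store_dir))
    if (p[len] == '/')            /* whole component, not "/gnu/storeroom" */
      hit = p;
  if (hit == NULL)
    return NULL;
  size_t n = (size_t) (hit - self) + len;
  char *result = malloc (n + 1);
  if (result == NULL)
    return NULL;
  memcpy (result, self, n);
  result[n] = '\0';
  return result;
}

void
free_proot_argv (char **vec, int n)
{
  for (int i = 0; vec != NULL && i < n; i++)
    free (vec[i]);                /* free (NULL) is a no-op */
  free (vec);
}

/* Build "PROOT -b UNPACKED_STORE:STORE_DIR PROGRAM ARGV[1..ARGC-1]": 4 fixed
   entries + ARGC-1 arguments = ARGC+3 entries, ARGC+4 slots with the NULL.  */
char **
build_proot_argv (const char *proot, const char *unpacked_store,
                  const char *store_dir, const char *program,
                  int argc, char *const argv[], int *out_argc)
{
  int n = 4 + (argc > 1 ? argc - 1 : 0);
  char **vec = calloc ((size_t) n + 1, sizeof *vec);
  if (vec == NULL)
    return NULL;
  size_t spec_len = strlen (unpacked_store) + 1 + strlen (store_dir);
  vec[0] = strdup (proot);
  vec[1] = strdup ("-b");
  vec[2] = malloc (spec_len + 1);
  if (vec[2] != NULL)
    snprintf (vec[2], spec_len + 1, "%s:%s", unpacked_store, store_dir);
  vec[3] = strdup (program);
  for (int i = 1; i < argc; i++)
    vec[3 + i] = strdup (argv[i]);
  vec[n] = NULL;                  /* slot n is the last of the n+1 slots */
  for (int i = 0; i < n; i++)
    if (vec[i] == NULL)           /* an allocation failed */
      { free_proot_argv (vec, n); return NULL; }
  *out_argc = n;
  return vec;
}

int
main (int argc, char *argv[])
{
  /* Constructed: what readlink ("/proc/self/exe") would give after
     "tar xf pack.tar.gz -C /tmp/pack"; proot sits in a sibling store item.  */
  const char *self = "/tmp/pack/gnu/store/abc-bash-5.0/bin/bash";
  char *unpacked = locate_store (self, "/gnu/store");
  if (unpacked == NULL)
    return EXIT_FAILURE;
  if (unshare (CLONE_NEWUSER) == 0)   /* what the wrapper's clone() tests */
    printf ("user namespaces work: bind %s on /gnu/store and run\n", unpacked);
  else
    {
      int n = 0;
      char **vec = build_proot_argv ("/tmp/pack/gnu/store/def-proot-static/bin/proot",
                                     unpacked, "/gnu/store",
                                     "/gnu/store/abc-bash-5.0/bin/.bash-real",
                                     argc, argv, &n);
      setenv ("PROOT_NO_SECCOMP", "1", 0);   /* as the wrapper does before execv */
      for (int i = 0; vec != NULL && i < n; i++)   /* execv (vec[0], vec) would follow */
        printf ("%s%s%s", i ? " " : "would execv: ", vec[i], i + 1 < n ? "" : "\n");
      free_proot_argv (vec, n);
    }
  free (unpacked);
  return EXIT_SUCCESS;
}
```

Build with `cc -std=gnu99 -Wall example.c` and run it: on a host with user namespaces it reports the clone path, otherwise it prints the proot command line it would exec. locate_store keeps the last match of the store prefix on purpose: a pack unpacked under a real /gnu/store contains a second /gnu/store inside it, and it is that inner copy, the one holding the program, that must be bound.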
From: Ricardo Wurmus
To: Ludovic Courtès
Cc: 34859@debbugs.gnu.org
Subject: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Fri, 15 Mar 2019 17:04:51 +0100
Message-ID: <87wol015uk.fsf@elephly.net>
In-Reply-To: <20190314161026.15696-1-ludo@gnu.org>

Ludovic Courtès writes:

> * gnu/packages/aux-files/run-in-namespace.c (exec_with_proot): New
> function.
> (main): When 'clone' fails, call 'rm_rf'.
> [PROOT_PROGRAM]: When 'clone' fails, call 'exec_with_proot'.
> * guix/scripts/pack.scm (wrapped-package): Add #:proot?.
> [proot]: New procedure.
> [build]: Compile with -DPROOT_PROGRAM when PROOT? is true.
> * guix/scripts/pack.scm (%options): Set the 'relocatable?' value to
> 'proot when "-R" is passed several times.
> (guix-pack): Pass #:proot? to 'wrapped-package'.
> * tests/guix-pack-relocatable.sh: Use "-RR" on Intel systems that lack
> user namespace support.
> * doc/guix.texi (Invoking guix pack): Document -RR.

This is great!

So, the only downside to using “-RR” is that it’s 1 MB heavier than “-R”
due to the included proot-static?

Neat!

-- 
Ricardo
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#34859: closed (Re: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.)
Date: Fri, 15 Mar 2019 22:36:02 +0000
Reply-To: 34859@debbugs.gnu.org

Your bug report

#34859: [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 34859@debbugs.gnu.org.

-- 
34859: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34859
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Ludovic Courtès
To: Ricardo Wurmus
Cc: 34859-done@debbugs.gnu.org
Subject: Re: [bug#34859] [PATCH] pack: "-RR" produces PRoot-enabled relocatable binaries.
Date: Fri, 15 Mar 2019 23:34:53 +0100
Message-ID: <87bm2b22cy.fsf@gnu.org>
In-Reply-To: <87wol015uk.fsf@elephly.net>

Ricardo Wurmus skribis:

> Ludovic Courtès writes:
>
>> * gnu/packages/aux-files/run-in-namespace.c (exec_with_proot): New
>> function.
>> (main): When 'clone' fails, call 'rm_rf'.
>> [PROOT_PROGRAM]: When 'clone' fails, call 'exec_with_proot'.
>> * guix/scripts/pack.scm (wrapped-package): Add #:proot?.
>> [proot]: New procedure.
>> [build]: Compile with -DPROOT_PROGRAM when PROOT? is true.
>> * guix/scripts/pack.scm (%options): Set the 'relocatable?' value to
>> 'proot when "-R" is passed several times.
>> (guix-pack): Pass #:proot? to 'wrapped-package'.
>> * tests/guix-pack-relocatable.sh: Use "-RR" on Intel systems that lack
>> user namespace support.
>> * doc/guix.texi (Invoking guix pack): Document -RR.
>
> This is great!
>
> So, the only downside to using “-RR” is that it’s 1 MB heavier than “-R”
> due to the included proot-static?

Yes!  But note that our ‘proot-static’ package currently fails to build
on ARM.
> Neat!

Pushed as 99aec37a78e7be6a591d0e5b7439896d669a75d1, thanks!

Ludo’.
@@ -212,6 +212,46 @@ disallow_setgroups (pid_t pid) } +#ifdef PROOT_PROGRAM + +/* Execute the wrapped program with PRoot, passing it ARGC and ARGV, and + "bind-mounting" STORE in the right place. */ +static void +exec_with_proot (const char *store, int argc, char *argv[]) +{ + int proot_specific_argc = 4; + int proot_argc = argc + proot_specific_argc; + char *proot_argv[proot_argc], *proot; + char bind_spec[strlen (store) + 1 + sizeof "@STORE_DIRECTORY@"]; + + strcpy (bind_spec, store); + strcat (bind_spec, ":"); + strcat (bind_spec, "@STORE_DIRECTORY@"); + + proot = concat (store, PROOT_PROGRAM); + + proot_argv[0] = proot; + proot_argv[1] = "-b"; + proot_argv[2] = bind_spec; + proot_argv[3] = "@WRAPPED_PROGRAM@"; + + for (int i = 0; i < argc; i++) + proot_argv[i + proot_specific_argc] = argv[i + 1]; + + proot_argv[proot_argc] = NULL; + + /* Seccomp support seems to invariably lead to segfaults; disable it by + default. */ + setenv ("PROOT_NO_SECCOMP", "1", 0); + + int err = execv (proot, proot_argv); + if (err < 0) + assert_perror (errno); +} + +#endif + + int main (int argc, char *argv[]) { @@ -274,6 +314,10 @@ main (int argc, char *argv[]) break; case -1: + rm_rf (new_root); +#ifdef PROOT_PROGRAM + exec_with_proot (store, argc, argv); +#else fprintf (stderr, "%s: error: 'clone' failed: %m\n", argv[0]); fprintf (stderr, "\ This may be because \"user namespaces\" are not supported on this system.\n\ @@ -281,6 +325,7 @@ Consequently, we cannot run '@WRAPPED_PROGRAM@',\n\ unless you move it to the '@STORE_DIRECTORY@' directory.\n\ \n\ Please refer to the 'guix pack' documentation for more information.\n"); +#endif return EXIT_FAILURE; default: diff --git a/guix/scripts/pack.scm b/guix/scripts/pack.scm index e2ecddfbfc..bfb8b85356 100644 --- a/guix/scripts/pack.scm +++ b/guix/scripts/pack.scm 
@@ -517,10 +517,14 @@ please email '~a'~%") ;;; (define* (wrapped-package package - #:optional (compiler (c-compiler))) + #:optional (compiler (c-compiler)) + #:key proot?) (define runner (local-file (search-auxiliary-file "run-in-namespace.c"))) + (define (proot) + (specification->package "proot-static")) + (define build (with-imported-modules (source-module-closure '((guix build utils) @@ -550,10 +554,19 @@ please email '~a'~%") (("@STORE_DIRECTORY@") (%store-directory))) (let* ((base (strip-store-prefix program)) - (result (string-append #$output "/" base))) + (result (string-append #$output "/" base)) + (proot #$(and proot? + #~(string-drop + #$(file-append (proot) "/bin/proot") + (+ (string-length (%store-directory)) + 1))))) (mkdir-p (dirname result)) - (invoke #$compiler "-std=gnu99" "-static" "-Os" "-g0" "-Wall" - "run.c" "-o" result) + (apply invoke #$compiler "-std=gnu99" "-static" "-Os" "-g0" "-Wall" + "run.c" "-o" result + (if proot + (list (string-append "-DPROOT_PROGRAM=\"" + proot "\"")) + '())) (delete-file "run.c"))) (setvbuf (current-output-port) 'line) @@ -646,7 +659,12 @@ please email '~a'~%") (exit 0))) (option '(#\R "relocatable") #f #f (lambda (opt name arg result) - (alist-cons 'relocatable? #t result))) + (match (assq-ref result 'relocatable?) + (#f + (alist-cons 'relocatable? #t result)) + (_ + (alist-cons 'relocatable? 'proot + (alist-delete 'relocatable? result)))))) (option '(#\e "expression") #t #f (lambda (opt name arg result) (alist-cons 'expression arg result))) 
@@ -821,11 +839,14 @@ Create a bundle of PACKAGE.\n")) #:graft? (assoc-ref opts 'graft?)))) (let* ((dry-run? (assoc-ref opts 'dry-run?)) (relocatable? (assoc-ref opts 'relocatable?)) + (proot? (eq? relocatable? 'proot)) (manifest (let ((manifest (manifest-from-args store opts))) ;; Note: We cannot honor '--bootstrap' here because ;; 'glibc-bootstrap' lacks 'libc.a'. (if relocatable? - (map-manifest-entries wrapped-package manifest) + (map-manifest-entries + (cut wrapped-package <> #:proot? proot?) + manifest) manifest))) (pack-format (assoc-ref opts 'format)) (name (string-append (symbol->string pack-format) diff --git a/tests/guix-pack-relocatable.sh b/tests/guix-pack-relocatable.sh index 554416627b..38dcf1e485 100644 --- a/tests/guix-pack-relocatable.sh +++ b/tests/guix-pack-relocatable.sh @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2018 Ludovic Courtès +# Copyright © 2018, 2019 Ludovic Courtès # # This file is part of GNU Guix. # 
@@ -41,17 +41,28 @@ STORE_PARENT="`dirname $NIX_STORE_DIR`" export STORE_PARENT if test "$STORE_PARENT" = "/"; then exit 77; fi -# This test requires user namespaces and associated command-line tools. -if ! unshare -mrf sh -c 'mount -t tmpfs none "$STORE_PARENT"' +if unshare -mrf sh -c 'mount -t tmpfs none "$STORE_PARENT"' then - exit 77 + # Test the wrapper that relies on user namespaces. + relocatable_option="-R" +else + case "`uname -m`" in + x86_64|i?86) + # Test the wrapper that falls back to PRoot. + relocatable_option="-RR";; + *) + # XXX: Our 'proot' package currently fails tests on non-Intel + # architectures, so skip this by default. + exit 77;; + esac fi test_directory="`mktemp -d`" export test_directory trap 'chmod -Rf +w "$test_directory"; rm -rf "$test_directory"' EXIT -tarball="`guix pack -R -S /Bin=bin sed`" +export relocatable_option +tarball="`guix pack $relocatable_option -S /Bin=bin sed`" (cd "$test_directory"; tar xvf "$tarball") # Run that relocatable 'sed' in a user namespace where we "erase" the store by -- 2.21.0 ------------=_1552689362-20506-1--
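Review bot: typo in the first doc/guix.texi hunk (@@ -4760): the new sentence reads "relocatable binaries fall to back to PRoot if user namespaces are unavailable"; drop the stray "to" so it reads "fall back to PRoot". In the same sentence, "essentially work anywhere" overstates the fallback, since the second hunk explains that PRoot depends on the ptrace system call; "work essentially anywhere ptrace is available" is accurate and still short.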
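Review bot: grammar in the new @quotation of the second doc/guix.texi hunk (@@ -4786): "This approach has the advantage to work without requiring special kernel support" should be "has the advantage of working without requiring special kernel support". It would also be worth one sentence in the same note saying that -RR bundles a statically linked PRoot into the pack (the pack.scm hunk pulls in the proot-static package), so that users choosing between -R and -RR know the fallback costs pack size as well as per-syscall overhead.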
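Review bot: off-by-one write in exec_with_proot (run-in-namespace.c hunk @@ -212). The VLA is declared as `char *proot_argv[proot_argc], *proot;` with proot_argc = argc + 4, so its valid indices are 0 to argc + 3, and the copy loop already stores argv[argc], the NULL that terminates argv, into proot_argv[argc + 3]. The trailing `proot_argv[proot_argc] = NULL;` therefore writes one pointer past the end of the array on the stack; either drop that line or declare the array as `char *proot_argv[proot_argc + 1]` and keep the explicit terminator. The sizing of bind_spec is fine: strlen (store) + 1 + sizeof "@STORE_DIRECTORY@" leaves room for the colon and the terminating NUL.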
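Review bot: in the main hunks (@@ -274 and @@ -281), when PROOT_PROGRAM is defined the explanatory message about user namespaces in the `case -1:` branch is compiled out entirely (`#ifdef PROOT_PROGRAM ... #else fprintf (...) #endif`), and exec_with_proot returns only when execv fails, at which point assert_perror (errno) aborts the process. A user whose kernel lacks user namespaces and whose PRoot launch also fails thus sees an assertion failure instead of the hint about moving the pack under the store directory; consider making exec_with_proot return on failure and letting the existing fprintf diagnostics run before `return EXIT_FAILURE;`, perhaps extended with a line saying that PRoot could not be started either. Note also that assert_perror is a GNU extension that expands to nothing under NDEBUG, in which case the failed exec would fall through silently.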
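Review bot: the name `proot` does double duty in the wrapped-package hunks (@@ -517 and @@ -550): it is the host-side thunk `(define (proot) (specification->package "proot-static"))` and also the build-side string bound by `(proot #$(and proot? ...))` inside the gexp. The two live in different stages, so there is no shadowing bug, but a reader seeing `(file-append (proot) "/bin/proot")` next to `(if proot ...)` has to work out which is which; naming the thunk `proot-package` (or inlining it) would help. A short comment explaining that the string-drop strips `(%store-directory)` plus the slash so that the C side can rebuild the path with `concat (store, PROOT_PROGRAM)` against the relocated store would also document why the absolute store path is deliberately not baked into the binary.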
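Review bot: after the %options hunk (@@ -646) the 'relocatable? entry holds three values, #f, #t and the symbol 'proot, even though the `?` suffix reads as a boolean; the `(if relocatable? ...)` in guix-pack only works because 'proot is truthy. Add a comment at the option handler stating that encoding, and consider the simpler equivalent `(alist-cons 'relocatable? (if (assq-ref result 'relocatable?) 'proot #t) (alist-delete 'relocatable? result))`, which also makes it obvious that passing -R more than twice behaves the same as passing it twice.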
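Review bot: in the tests/guix-pack-relocatable.sh hunk (@@ -41) the PRoot path is only exercised when `unshare -mrf sh -c 'mount -t tmpfs none "$STORE_PARENT"'` fails, so on any test machine with working user namespaces (the common case) the new -RR branch never runs and a regression in exec_with_proot would go unnoticed. Consider always building the -RR pack on x86_64/i?86 and, where user namespaces do work, additionally forcing the fallback; since the wrapper only tries PRoot when clone fails, that needs a hook in the wrapper or a second test environment without user namespaces. Minor: `export relocatable_option` is unnecessary because the variable is only expanded by this shell, and the removed line "# This test requires user namespaces and associated command-line tools." was the only mention of the dependency on unshare(1); keep a comment to that effect above the new `if`.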