From: Maxim Cournoyer
To: bug-guix
Cc: Oleg Pykhalov
Subject: Re: branch master updated: services: nix: Mount Nix store read only.
Date: Mon, 03 Jun 2024 22:34:35 -0400

Hello,

guix-commits@gnu.org writes:

> services: nix: Mount Nix store read only.
>
> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

This commit unfortunately appears to introduce a regression where
reconfiguring a system with the read-only /nix/store causes the
following error:

--8<---------------cut here---------------start------------->8---
guix system: error: chown: Système de fichiers accessible en lecture seulement
--8<---------------cut here---------------end--------------->8---

With the accompanying strace output:

--8<---------------cut here---------------start------------->8---
20261 close(17)                         = 0
20261 chown("/nix/store", 0, 981)       = -1 EROFS (Système de fichiers accessible en lecture seulement)
20261 close(13)                         = 0
20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
--8<---------------cut here---------------end--------------->8---

Are these chown still useful in the activation snippet?

--8<---------------cut here---------------start------------->8---
(define (nix-activation _)
  ;; Return the activation gexp.
  #~(begin
      (use-modules (guix build utils)
                   (srfi srfi-26))
      (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
                                   "/nix/var/nix/gcroots/per-user"
                                   "/nix/var/nix/profiles/per-user"))
      (chown "/nix/store"
             (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
      (chmod "/nix/store" #o775)
      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
                                       "/nix/var/nix/profiles/per-user"))))
--8<---------------cut here---------------end--------------->8---

If they are useful only on the first time, perhaps we could catch the
exceptions for when it runs on an already read-only mounted /nix/store?

-- 
Thanks,
Maxim

From: Oleg Pykhalov
To: Maxim Cournoyer
Cc: bug-guix
Subject: Re: branch master updated: services: nix: Mount Nix store read only.
Date: Tue, 04 Jun 2024 11:34:24 +0300

Hello Maxim,

Thank you for your report.  Apologies for any inconvenience caused by
the unexpected breakage.

Maxim Cournoyer writes:

> Hello,
>
> guix-commits@gnu.org writes:
>
>> services: nix: Mount Nix store read only.
>>
>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
>
> This commit unfortunately appears to introduce a regression where
> reconfiguring a system with the read-only /nix/store causes the
> following error:
>
> guix system: error: chown: Système de fichiers accessible en lecture seulement
>
>
> With the accompanying strace output:
>
> 20261 close(17)                         = 0
> 20261 chown("/nix/store", 0, 981)       = -1 EROFS (Système de fichiers accessible en lecture seulement)
> 20261 close(13)                         = 0
> 20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
>
>
> Are these chown still useful in the activation snippet?
>
> (define (nix-activation _)
>   ;; Return the activation gexp.
>   #~(begin
>       (use-modules (guix build utils)
>                    (srfi srfi-26))
>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>                                    "/nix/var/nix/gcroots/per-user"
>                                    "/nix/var/nix/profiles/per-user"))
>       (chown "/nix/store"
>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>       (chmod "/nix/store" #o775)
>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>                                        "/nix/var/nix/profiles/per-user"))))
>
> If they are useful only on the first time, perhaps we could catch the
> exceptions for when it runs on an already read-only mounted /nix/store?

Indeed, it is a good idea.

A hotfix for the issue was discussed and implemented.  It has already
been pushed to the master branch.  The fix involves a simple
'file-exists?' check.  You can find more details in the discussion at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320

What do you think is preferable in this scenario – catching exceptions
or sticking with '(unless (file-exists? ...))'?  Your thoughts on the
best approach here?

Regards,
Oleg.

From: Maxim Cournoyer
To: Oleg Pykhalov
Cc: 71352@debbugs.gnu.org
Subject: Re: branch master updated: services: nix: Mount Nix store read only.
Date: Wed, 05 Jun 2024 22:03:33 -0400

Hi Oleg,

[...]

>> Are these chown still useful in the activation snippet?
>>
>> (define (nix-activation _)
>>   ;; Return the activation gexp.
>>   #~(begin
>>       (use-modules (guix build utils)
>>                    (srfi srfi-26))
>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>                                    "/nix/var/nix/gcroots/per-user"
>>                                    "/nix/var/nix/profiles/per-user"))
>>       (chown "/nix/store"
>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>       (chmod "/nix/store" #o775)
>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>                                        "/nix/var/nix/profiles/per-user"))))
>>
>> If they are useful only on the first time, perhaps we could catch the
>> exceptions for when it runs on an already read-only mounted /nix/store?
>
> Indeed, it is a good idea.
>
> A hotfix for the issue was discussed and implemented.  It has already
> been pushed to the master branch.  The fix involves a simple
> 'file-exists?' check.  You can find more details in the discussion at
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>
> What do you think is preferable in this scenario – catching exceptions
> or sticking with '(unless (file-exists? ...))'?  Your thoughts on the
> best approach here?

Exceptions are usually better than 'check then do' as they avoid the
TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

By the way, 'Reported-by:' is a fine git trailer to use :-).  I also use
'Fixes:' as a git trailer (trailer means they should be found at the
bottom of the commit message -- these can be parsed with the 'git
interpret-trailers' command)

-- 
Thanks,
Maxim

From: Maxim Cournoyer
To: Oleg Pykhalov
Cc: 71352-done@debbugs.gnu.org
Subject: Re: bug#71352: branch master updated: services: nix: Mount Nix store read only.
Date: Sun, 23 Jun 2024 22:47:33 -0400

Hi Oleg,

Maxim Cournoyer writes:

> Hi Oleg,
>
> [...]
>
>>> Are these chown still useful in the activation snippet?
>>>
>>> (define (nix-activation _)
>>>   ;; Return the activation gexp.
>>>   #~(begin
>>>       (use-modules (guix build utils)
>>>                    (srfi srfi-26))
>>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>>                                    "/nix/var/nix/gcroots/per-user"
>>>                                    "/nix/var/nix/profiles/per-user"))
>>>       (chown "/nix/store"
>>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>>       (chmod "/nix/store" #o775)
>>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>>                                        "/nix/var/nix/profiles/per-user"))))
>>>
>>> If they are useful only on the first time, perhaps we could catch the
>>> exceptions for when it runs on an already read-only mounted /nix/store?
>>
>> Indeed, it is a good idea.
>>
>> A hotfix for the issue was discussed and implemented.  It has already
>> been pushed to the master branch.  The fix involves a simple
>> 'file-exists?' check.
>> You can find more details in the discussion at
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>>
>> What do you think is preferable in this scenario – catching exceptions
>> or sticking with '(unless (file-exists? ...))'?  Your thoughts on the
>> best approach here?
>
> Exceptions are usually better than 'check then do' as they avoid the
> TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

I'm closing this for now; I'm satisfied that working order has been
restored :-).

-- 
Thanks,
Maxim
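
The trade-off raised in this thread, as an added example that is not part of any message above and is not Guix's code: a Guile sketch of the chown/chmod step written once in the 'check then do' shape and once as 'try, then handle EROFS'. All procedure names and the scratch directory are hypothetical, and the first procedure only mirrors the '(unless (file-exists? ...))' shape quoted above, not the hotfix that was pushed.

```scheme
;; Added example; not code from gnu/services/nix.scm.  Every procedure name
;; below is hypothetical.

;; Check-then-do shape: the decision is taken from file-exists?, and the
;; file system can change between that test and the calls that follow.
;; An existing directory is also never re-checked for ownership or mode.
(define (init-store/check-first! directory uid gid)
  (unless (file-exists? directory)
    (mkdir directory)
    (chown directory uid gid)
    (chmod directory #o775)))

;; Run THUNK.  Return #t if it completed, #f if it raised a system-error
;; whose errno is listed in TOLERATED.  Every other error is re-thrown.
(define (attempt tolerated thunk)
  (catch 'system-error
    (lambda () (thunk) #t)
    (lambda args
      (if (memv (system-error-errno args) tolerated)
          #f
          (apply throw args)))))

;; Try-then-handle shape: always attempt each step and let the kernel report
;; the conditions considered harmless.  EEXIST from mkdir means the path
;; already exists; EROFS from chown/chmod means the store is already mounted
;; read-only, which is the case reported in this thread.
(define (init-store/try! directory uid gid)
  (attempt (list EEXIST EROFS) (lambda () (mkdir directory)))
  (if (attempt (list EROFS)
               (lambda ()
                 (chown directory uid gid)
                 (chmod directory #o775)))
      'updated
      'left-read-only))

;; Demo on a constructed scratch directory, runnable without root: chown to
;; our own uid/gid succeeds on both runs, and an error that is not tolerated
;; (ENOENT for a missing parent directory) still propagates to the caller
;; instead of being swallowed.
(define demo-dir
  (string-append "/tmp/nix-activation-demo-" (number->string (getpid))))

(format #t "first run:  ~a~%" (init-store/try! demo-dir (getuid) (getgid)))
(format #t "second run: ~a~%" (init-store/try! demo-dir (getuid) (getgid)))
(format #t "bad path:   ~a~%"
        (catch 'system-error
          (lambda ()
            (init-store/try! (string-append demo-dir "/a/b")
                             (getuid) (getgid)))
          (lambda args
            (strerror (system-error-errno args)))))
(rmdir demo-dir)
```

Exercising the 'left-read-only branch requires a directory on a read-only mount, which the demo does not set up.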