From unknown Sun Aug 17 10:26:43 2025
Subject: bug#71352: branch master updated: services: nix: Mount Nix store read only.
From: Maxim Cournoyer
To: 71352@debbugs.gnu.org
Cc: Oleg Pykhalov
Date: Mon, 03 Jun 2024 22:34:35 -0400
Message-ID: <87o78hv3k4.fsf@gmail.com>

Hello,

guix-commits@gnu.org writes:

> services: nix: Mount Nix store read only.
>
> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

This commit unfortunately appears to introduce a regression where
reconfiguring a system with the read-only /nix/store causes the
following error:

--8<---------------cut here---------------start------------->8---
guix system: error: chown: Système de fichiers accessible en lecture seulement
--8<---------------cut here---------------end--------------->8---

With the accompanying strace output:

--8<---------------cut here---------------start------------->8---
20261 close(17)                         = 0
20261 chown("/nix/store", 0, 981)       = -1 EROFS (Système de fichiers accessible en lecture seulement)
20261 close(13)                         = 0
20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
--8<---------------cut here---------------end--------------->8---

Are these chown still useful in the activation snippet?

--8<---------------cut here---------------start------------->8---
(define (nix-activation _)
  ;; Return the activation gexp.
  #~(begin
      (use-modules (guix build utils)
                   (srfi srfi-26))
      (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
                                   "/nix/var/nix/gcroots/per-user"
                                   "/nix/var/nix/profiles/per-user"))
      (chown "/nix/store"
             (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
      (chmod "/nix/store" #o775)
      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
                                       "/nix/var/nix/profiles/per-user"))))
--8<---------------cut here---------------end--------------->8---

If they are useful only on the first time, perhaps we could catch the
exceptions for when it runs on an already read-only mounted /nix/store?

-- 
Thanks,
Maxim

From unknown Sun Aug 17 10:26:43 2025
Subject: bug#71352: branch master updated: services: nix: Mount Nix store read only.
From: Oleg Pykhalov
To: Maxim Cournoyer
Cc: 71352@debbugs.gnu.org
Date: Tue, 04 Jun 2024 11:34:24 +0300
Message-ID: <877cf5gl7z.fsf@gmail.com>

Hello Maxim,

Thank you for your report. I apologize for any inconvenience caused by
the unexpected breakage.

Maxim Cournoyer writes:

> Hello,
>
> guix-commits@gnu.org writes:
>
>> services: nix: Mount Nix store read only.
>>
>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
>
> This commit unfortunately appears to introduce a regression where
> reconfiguring a system with the read-only /nix/store causes the
> following error:
>
> guix system: error: chown: Système de fichiers accessible en lecture seulement
>
>
> With the accompanying strace output:
>
> 20261 close(17)                         = 0
> 20261 chown("/nix/store", 0, 981)       = -1 EROFS (Système de fichiers accessible en lecture seulement)
> 20261 close(13)                         = 0
> 20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
>
>
> Are these chown still useful in the activation snippet?
>
> (define (nix-activation _)
>   ;; Return the activation gexp.
>   #~(begin
>       (use-modules (guix build utils)
>                    (srfi srfi-26))
>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>                                    "/nix/var/nix/gcroots/per-user"
>                                    "/nix/var/nix/profiles/per-user"))
>       (chown "/nix/store"
>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>       (chmod "/nix/store" #o775)
>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>                                        "/nix/var/nix/profiles/per-user"))))
>
> If they are useful only on the first time, perhaps we could catch the
> exceptions for when it runs on an already read-only mounted /nix/store?

Indeed, it is a good idea.

A hotfix for the issue was discussed and implemented. It has already
been pushed to the master branch. The fix involves a simple
'file-exists?' check. You can find more details in the discussion at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320

What do you think is preferable in this scenario – catching exceptions
or sticking with '(unless (file-exists? ...))'? Your thoughts on the
best approach here?

Regards,
Oleg.

From unknown Sun Aug 17 10:26:43 2025
Subject: bug#71352: branch master updated: services: nix: Mount Nix store read only.
From: Maxim Cournoyer
To: Oleg Pykhalov
Cc: 71352@debbugs.gnu.org
Date: Wed, 05 Jun 2024 22:03:33 -0400
Message-ID: <87tti625fu.fsf@gmail.com>

Hi Oleg,

[...]

>> Are these chown still useful in the activation snippet?
>>
>> (define (nix-activation _)
>>   ;; Return the activation gexp.
>>   #~(begin
>>       (use-modules (guix build utils)
>>                    (srfi srfi-26))
>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>                                    "/nix/var/nix/gcroots/per-user"
>>                                    "/nix/var/nix/profiles/per-user"))
>>       (chown "/nix/store"
>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>       (chmod "/nix/store" #o775)
>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>                                        "/nix/var/nix/profiles/per-user"))))
>>
>> If they are useful only on the first time, perhaps we could catch the
>> exceptions for when it runs on an already read-only mounted /nix/store?
>
> Indeed, it is a good idea.
>
> A hotfix for the issue was discussed and implemented. It has already
> been pushed to the master branch. The fix involves a simple
> 'file-exists?' check. You can find more details in the discussion at
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>
> What do you think is preferable in this scenario – catching exceptions
> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
> best approach here?

Exceptions are usually better than 'check then do' as they avoid the
TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

By the way, 'Reported-by:' is a fine git trailer to use :-). I also use
'Fixes:' as a git trailer (trailer means they should be found at the
bottom of the commit message -- these can be parsed with the 'git
interpret-trailers' command)

-- 
Thanks,
Maxim

From unknown Sun Aug 17 10:26:43 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer
Subject: bug#71352: closed (Re: bug#71352: branch master updated: services: nix: Mount Nix store read only.)
Reply-To: 71352@debbugs.gnu.org
Date: Mon, 24 Jun 2024 02:49:02 +0000

Your bug report

#71352: branch master updated: services: nix: Mount Nix store read only.

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 71352@debbugs.gnu.org.

-- 
71352: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71352
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Maxim Cournoyer
To: Oleg Pykhalov
Cc: 71352-done@debbugs.gnu.org
Subject: Re: bug#71352: branch master updated: services: nix: Mount Nix store read only.
Date: Sun, 23 Jun 2024 22:47:33 -0400
Message-ID: <87h6dj6oqi.fsf@gmail.com>

Hi Oleg,

Maxim Cournoyer writes:

> Hi Oleg,
>
> [...]
>
>>> Are these chown still useful in the activation snippet?
>>>
>>> (define (nix-activation _)
>>>   ;; Return the activation gexp.
>>>   #~(begin
>>>       (use-modules (guix build utils)
>>>                    (srfi srfi-26))
>>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>>                                    "/nix/var/nix/gcroots/per-user"
>>>                                    "/nix/var/nix/profiles/per-user"))
>>>       (chown "/nix/store"
>>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>>       (chmod "/nix/store" #o775)
>>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>>                                        "/nix/var/nix/profiles/per-user"))))
>>>
>>> If they are useful only on the first time, perhaps we could catch the
>>> exceptions for when it runs on an already read-only mounted /nix/store?
>>
>> Indeed, it is a good idea.
>>
>> A hotfix for the issue was discussed and implemented. It has already
>> been pushed to the master branch. The fix involves a simple
>> 'file-exists?' check. You can find more details in the discussion at
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>>
>> What do you think is preferable in this scenario – catching exceptions
>> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
>> best approach here?
>
> Exceptions are usually better than 'check then do' as they avoid the
> TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

I'm closing this for now; I'm satisfied that working order has been
restored :-).

-- 
Thanks,
Maxim
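
The trade-off discussed in this thread, 'check then do' versus catching the error raised by the operation itself, shown as an added Guile example. It is not Guix's code and not the hotfix from bug 71320. All procedure names, the `#:between` hook and the read-only stub are hypothetical; the read-only mount and the concurrent process are simulated so the file runs with plain `guile` as an unprivileged user.

```scheme
;; Added example, not code from Guix.  Run with: guile example.scm

(define (call-tolerating-errno errnos thunk)
  "Call THUNK.  Return 'done on success, or (tolerated MESSAGE) when THUNK
raises a system error whose errno is in ERRNOS.  Other errors are re-thrown."
  (catch 'system-error
    (lambda () (thunk) 'done)
    (lambda args
      (let ((errno (system-error-errno args)))
        (if (memv errno errnos)
            (list 'tolerated (strerror errno))
            (apply throw args))))))

;; 'Check then do': the answer from file-exists? can be stale by the time
;; mkdir runs.  BETWEEN is a hypothetical hook standing in for another
;; process that acts inside that window.
(define* (create/check-first dir #:key (between (lambda () #t)))
  (unless (file-exists? dir)
    (between)
    (mkdir dir))
  'done)

;; 'Do, then handle the error': mkdir reports the state at the moment it
;; acts, so there is no window between the check and the use.
(define (create/catch dir)
  (call-tolerating-errno (list EEXIST) (lambda () (mkdir dir))))

;; The chown/chmod pair from the activation snippet, with EROFS (store
;; already mounted read-only) treated as "nothing left to do".
(define* (set-store-permissions store uid gid
                                #:key (chown-proc chown) (chmod-proc chmod))
  (list (call-tolerating-errno (list EROFS)
                               (lambda () (chown-proc store uid gid)))
        (call-tolerating-errno (list EROFS)
                               (lambda () (chmod-proc store #o775)))))

;; Constructed stand-in for a syscall wrapper on a read-only mount: raises
;; a system-error carrying EROFS, shaped like the one Guile raises itself.
(define (read-only-stub name)
  (lambda _
    (scm-error 'system-error name "~A"
               (list (strerror EROFS)) (list EROFS))))

(define (report-unhandled thunk)
  ;; Show which errors escape instead of aborting the demonstration.
  (catch 'system-error
    thunk
    (lambda args
      (list 'unhandled (strerror (system-error-errno args))))))

;; Constructed scratch directory playing the role of /nix/store.
(define dir
  (string-append (or (getenv "TMPDIR") "/tmp")
                 "/nix-store-demo-" (number->string (getpid))))

;; 1. The directory appears after the check: mkdir fails, unhandled.
(format #t "check-first, racing: ~s~%"
        (report-unhandled
         (lambda ()
           (create/check-first dir #:between (lambda () (mkdir dir))))))

;; 2. Same state, exception style: EEXIST is the expected outcome.
(format #t "catch, dir exists:   ~s~%" (create/catch dir))

;; 3. Writable store: both operations run for real.
(format #t "writable store:      ~s~%"
        (set-store-permissions dir (getuid) (getgid)))

;; 4. Read-only store (simulated): EROFS is tolerated, activation goes on.
(format #t "read-only store:     ~s~%"
        (set-store-permissions dir (getuid) (getgid)
                               #:chown-proc (read-only-stub "chown")
                               #:chmod-proc (read-only-stub "chmod")))

;; 5. Anything outside the tolerated set still surfaces (ENOENT here).
(format #t "missing store:       ~s~%"
        (report-unhandled
         (lambda ()
           (set-store-permissions (string-append dir "/absent")
                                  (getuid) (getgid)))))

(rmdir dir)
```

Tolerating only the named errno is what keeps this from hiding real failures: a bare catch-all around `chown` would also swallow errors such as ENOENT or EPERM that activation should report.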