GNU bug report logs - #71352
branch master updated: services: nix: Mount Nix store read only.

Previous Next

Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Tue, 4 Jun 2024 02:35:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#71352: closed (branch master updated: services: nix: Mount
 Nix store read only.)
Date: Mon, 24 Jun 2024 02:49:02 +0000

[Message part 1 (text/plain, inline)]
Your message dated Sun, 23 Jun 2024 22:47:33 -0400
with message-id <87h6dj6oqi.fsf <at> gmail.com>
and subject line Re: bug#71352: branch master updated: services: nix: Mount Nix store read only.
has caused the debbugs.gnu.org bug report #71352,
regarding branch master updated: services: nix: Mount Nix store read only.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
71352: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71352
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>
Subject: Re: branch master updated: services: nix: Mount Nix store read only.
Date: Mon, 03 Jun 2024 22:34:35 -0400

Hello,

guix-commits <at> gnu.org writes:

>     services: nix: Mount Nix store read only.
>     
>     * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>     (%nix-store-directory): New variable.
>     (nix-service-type): Add file-system-service-type extension.
>     
>     Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

This commit unfortunately appears to introduce a regression where
reconfiguring a system with the read-only /nix/store causes the
following error:

--8<---------------cut here---------------start------------->8---
guix system: error: chown: Système de fichiers accessible en lecture seulement
--8<---------------cut here---------------end--------------->8---

With the accompanying strace output:

--8<---------------cut here---------------start------------->8---
20261 close(17)                         = 0
20261 chown("/nix/store", 0, 981)       = -1 EROFS (Système de fichiers accessible en lecture seulement)
20261 close(13)                         = 0
20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
--8<---------------cut here---------------end--------------->8---

Are these chown still useful in the activation snippet?

--8<---------------cut here---------------start------------->8---
(define (nix-activation _)
  ;; Return the activation gexp.
  #~(begin
      (use-modules (guix build utils)
                   (srfi srfi-26))
      (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
                                   "/nix/var/nix/gcroots/per-user"
                                   "/nix/var/nix/profiles/per-user"))
      (chown "/nix/store"
             (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
      (chmod "/nix/store" #o775)
      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
                                       "/nix/var/nix/profiles/per-user"))))
--8<---------------cut here---------------end--------------->8---

If they are useful only on the first time, perhaps we could catch the
exceptions for when it runs on an already read-only mounted /nix/store?

-- 
Thanks,
Maxim



[Message part 3 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: 71352-done <at> debbugs.gnu.org
Subject: Re: bug#71352: branch master updated: services: nix: Mount Nix
 store read only.
Date: Sun, 23 Jun 2024 22:47:33 -0400

Hi Oleg,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi Oleg,
>
> [...]
>
>>> Are these chown still useful in the activation snippet?
>>>
>>> (define (nix-activation _)
>>>   ;; Return the activation gexp.
>>>   #~(begin
>>>       (use-modules (guix build utils)
>>>                    (srfi srfi-26))
>>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>>                                    "/nix/var/nix/gcroots/per-user"
>>>                                    "/nix/var/nix/profiles/per-user"))
>>>       (chown "/nix/store"
>>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>>       (chmod "/nix/store" #o775)
>>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>>                                        "/nix/var/nix/profiles/per-user"))))
>>>
>>> If they are useful only on the first time, perhaps we could catch the
>>> exceptions for when it runs on an already read-only mounted /nix/store?
>>
>> Indeed, it is a good idea.
>>
>> A hotfix for the issue was discussed and implemented. It has already
>> been pushed to the master branch. The fix involves a simple
>> 'file-exists?' check. You can find more details in the discussion at
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>>
>> What do you think is preferable in this scenario – catching exceptions
>> or sticking with '(unless (file-exists? ...))'?  Your thoughts on the
>> best approach here?
>
> Exceptions are usually better than 'check then do' as they avoid the
> TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

I'm closing this for now; I'm satisfied that working order has been
restored :-).

-- 
Thanks,
Maxim
This bug report was last modified 1 year and 26 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.