GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>, 75810 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Reepca Russelstein <reepca <at> russelstein.xyz>
Subject: [bug#75810] [PATCH v3 00/11] Rootless guix-daemon
Date: Fri, 21 Feb 2025 18:16:11 +0100
Hi Ludo,

On Fri, 21 Feb 2025 at 14:05, Ludovic Courtès <ludo <at> gnu.org> wrote:

> The one observable difference compared to current guix-daemon
> operational mode is that, in the build environment, writing to
> the root file system results in EROFS instead of EPERM, as you
> pointed out earlier.  That’s not great but probably acceptable.
> We’ll only know whether this is a problem in practice once we’ve
> run the test suites of tens of thousands of packages.

Clearly, I do not fully understand all the deep details of all the
series.

Quoting Janneke [1]:

        I'm kind of afraid that having a writable /gnu/store, even if it's just
        on foreign distributions, is going to cause a whole lot of problems/bug
        reports with people changing files in the store.  When I came to guix I
        ran it on Debian for a couple of months and I certainly changed files in
        the store, even with the read-only mount hurdle, to "get stuff to
        build".  Only later to realise that by doing so I was making things much
        more difficult for myself.

        Hopefully I'm either misunderstanding this patch set, or else too
        pessimistic, and maybe other people aren't as stupid as I was when I
        first came to Guix?

I’m not sure I get what the answer is now with the v3?  Especially when
connected to this other question:

        Will there be an option for users to choose between
        a non-root guix-daemon or a read-only store?

Where the answer, IIUC, is no.

Could you clarify the status about the store when running guix-daemon as
root on foreign distros?  Or maybe now, will guix-daemon always run as a
regular user on foreign distros?

From a user perspective, instead of running guix-daemon as root, now
guix-daemon will run as the regular user named ’guix-daemon’ without any
special privileges, right?

Users still need root privileges once, at guix-install.sh time, but not
more.  Therefore, for updating the guix-daemon, the user guix-daemon
needs to run “guix pull” and restart the service, right?

If yes, cool!  It’ll be a booster for cluster sysadmins. :-)

Cheers,
simon

1: [bug#75810] [PATCH 0/6] Rootless guix-daemon
Janneke Nieuwenhuizen <janneke <at> gnu.org>
Fri, 24 Jan 2025 20:20:42 +0100
id:87ikq49fxx.fsf <at> gnu.org
https://issues.guix.gnu.org/75810
https://issues.guix.gnu.org/msgid/87ikq49fxx.fsf <at> gnu.org
https://yhetil.org/guix/87ikq49fxx.fsf <at> gnu.org
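The concern quoted above is whether the store stays protected by the "read-only mount hurdle" once the daemon no longer runs as root. The following check is an added example written for this page, not code from the thread or from Guix itself: it reads the Linux /proc/self/mountinfo table to find the mount covering the store and report whether it carries the `ro` option, and it probes a write so the kernel's answer (EROFS for a read-only mount, EPERM/EACCES for a permission refusal, or success) can be inspected directly. The store path /gnu/store and the sample mountinfo lines are assumptions constructed for the example.

```python
import errno
import os
import tempfile

# Assumed store location; the thread discusses /gnu/store by name.
STORE_PATH = "/gnu/store"

# Constructed sample of /proc/self/mountinfo for a host where the store is
# bind-mounted read-only. Not captured from a real system.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
60 28 8:1 /gnu/store /gnu/store ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""


def mount_options_for(path, mountinfo_text):
    """Return (mount_point, options) of the longest mount point covering path.

    In the /proc/self/mountinfo format, field 4 is the mount point and field 5
    holds the per-mount options such as "ro,relatime". Returns None when no
    mount covers the path.
    """
    best = None
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        options = set(fields[5].split(","))
        covers = path == mount_point or path.startswith(mount_point.rstrip("/") + "/")
        if covers and (best is None or len(mount_point) > len(best[0])):
            best = (mount_point, options)
    return best


def store_is_read_only_mount(path=STORE_PATH, mountinfo_text=None):
    """True if the mount covering path carries the "ro" option."""
    if mountinfo_text is None:
        with open("/proc/self/mountinfo") as f:
            mountinfo_text = f.read()
    found = mount_options_for(path, mountinfo_text)
    return found is not None and "ro" in found[1]


def probe_write(directory):
    """Try to create a file in directory and report how the kernel answered.

    Returns "WRITABLE" on success (the probe file is removed again) or the
    errno name the attempt failed with: "EROFS" for a read-only mount,
    "EACCES" or "EPERM" for a permission refusal, "ENOENT" if the directory
    does not exist.
    """
    probe = os.path.join(directory, ".store-write-probe")
    try:
        fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, "E%d" % exc.errno)
    os.close(fd)
    os.unlink(probe)
    return "WRITABLE"


if __name__ == "__main__":
    print("sample mountinfo marks the store read-only:",
          store_is_read_only_mount(STORE_PATH, SAMPLE_MOUNTINFO))
    if os.path.isdir(STORE_PATH):
        print("live write probe on %s: %s" % (STORE_PATH, probe_write(STORE_PATH)))
```

Run as an unprivileged user on the host (outside any build environment), the two answers together tell you what the thread is asking about: a read-only mount shows up as `ro` in mountinfo and as EROFS from the probe, whereas an ordinary directory owned by the daemon's user shows `rw` and answers EACCES or EPERM only as long as the permission bits hold.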



