GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludo <at> gnu.org>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Reepca Russelstein <reepca <at> russelstein.xyz>, 75810 <at> debbugs.gnu.org
Subject: [bug#75810] [PATCH v3 00/11] Rootless guix-daemon
Date: Sat, 22 Feb 2025 18:16:17 +0100
Hi,

Simon Tournier <zimon.toutoune <at> gmail.com> skribis:

> Quoting Janneke [1]:
>
>         I'm kind of afraid that having a writable /gnu/store, even if it's just
>         on foreign distributions,

This problem is fixed in v3: the store will be remounted readonly as is
currently the case.

> Could you clarify the status about the store when running guix-daemon as
> root on foreign distros?  Or maybe now, will guix-daemon always run as a
> regular user on foreign distros?

As currently written, guix-daemon will always run as non-root on foreign
distros (on systemd-based distros specifically).

> From a user perspective, instead of running guix-daemon as root, now
> guix-daemon will run as the regular user named ’guix-daemon’ without any
> special privileges, right?

Correct.

> Users still need root privileges once at guix-install.sh time but not
> more.  Therefore, for updating the guix-daemon, the user guix-daemon
> needs to run “guix pull” and restart the service, right?

The upgrade procedure remains unchanged: you would run ‘guix pull’ as
root and restart the service¹ (the service itself runs as user
‘guix-daemon’).

> If yes, cool!  It’ll be a booster for cluster sysadmins. :-)

Yup!

Ludo’.

¹ https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html
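The two properties discussed in this message, a read-only /gnu/store and a daemon process owned by the unprivileged user ‘guix-daemon’, are the kind of thing a cluster admin would want to verify after running guix-install.sh. The script below is an added example, not code from this thread or from the Guix patch series; it assumes a Linux host where /proc/mounts lists the store mount and where `ps -eo user,comm` is available. Run it with `--live` to inspect the running system; without arguments it exercises the constructed sample data embedded in the script.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Guix project): a post-install
# check for a rootless guix-daemon on a systemd-based foreign distro.
#   1. /gnu/store is mounted read-only.
#   2. No guix-daemon process is running as root.

# store_is_readonly MOUNTS_TEXT
# MOUNTS_TEXT is the content of /proc/mounts.  Returns 0 when the
# /gnu/store mount point carries the "ro" option, 1 otherwise.
store_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "/gnu/store" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# daemon_runs_unprivileged PS_TEXT
# PS_TEXT is "user command" lines as printed by `ps -eo user,comm`.
# Returns 0 if every guix-daemon process is owned by a non-root user,
# 1 if any guix-daemon process is owned by root, 2 if none is listed.
daemon_runs_unprivileged() {
    printf '%s\n' "$1" | awk '
        $2 == "guix-daemon" { seen = 1; if ($1 == "root") bad = 1 }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_MOUNTS_RO='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda2 /gnu/store ext4 ro,relatime 0 0'
SAMPLE_MOUNTS_RW='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda2 /gnu/store ext4 rw,relatime 0 0'
SAMPLE_PS_OK='USER COMMAND
root systemd
guix-daemon guix-daemon'
SAMPLE_PS_ROOT='USER COMMAND
root guix-daemon'
SAMPLE_PS_NONE='USER COMMAND
root systemd'

if [ "${1:-}" = "--live" ]; then
    MOUNTS=$(cat /proc/mounts)
    PS=$(ps -eo user,comm)
else
    # Without --live, run against the samples so the script works anywhere.
    MOUNTS=$SAMPLE_MOUNTS_RO
    PS=$SAMPLE_PS_OK
fi

if store_is_readonly "$MOUNTS"; then
    echo "ok: /gnu/store is mounted read-only"
else
    echo "FAIL: /gnu/store is writable or not a separate mount"
fi

rc=0
daemon_runs_unprivileged "$PS" || rc=$?
case $rc in
    0) echo "ok: guix-daemon is not running as root" ;;
    1) echo "FAIL: a guix-daemon process is running as root" ;;
    2) echo "warn: no guix-daemon process found" ;;
esac
```

The store check reads the per-mount-point flags from /proc/mounts rather than /etc/fstab, so it reflects what is actually mounted (a remount, as described above, shows up there as `ro`). The process check only flags root ownership; it deliberately does not assume every guix-daemon process is owned by the same user, so it stays meaningful if helper processes run under other unprivileged accounts.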
