GNU bug report logs - #75810 [PATCH 0/6] Rootless guix-daemon
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 24 Jan 2025 17:24:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #232 received at 75810 <at> debbugs.gnu.org (full text, mbox):
Hello Guix!
Changes since v4:
• Remove qualifiers such as “new” from the documentation
and clarify that unprivileged guix-daemon is the option
chosen by default in some cases (Simon, Maxim).
• Change ‘deleteTmpDir’ to deal with the case where
CAP_SYS_CHOWN is available but ‘--disable-chroot’ is used
(Reepca).
• Add ‘unshare’ call in the build process before ‘execve’
to create new user and mount namespaces, thereby locking
together all the previous mounts; check by calling
‘umount’ and ensuring that it returns EINVAL that mounts
are indeed locked (Reepca).
• In ‘guix-install.sh’, keep /var/guix/profiles/per-user/root
root-owned (previously it was chowned to ‘guix-daemon’).
• In ‘guix-install.sh’, start ‘gnu-store.mount’ explicitly
since it is no longer a dependency of ‘guix-daemon.service’.
• In ‘guix-daemon.service.in’, set
‘GUIX_DATABASE_DIRECTORY=/var/guix’ for forward compatibility
(I’m thinking of eventually changing the default database
location when not running as root).
With these changes, the ‘debian-install’ and ‘guix-daemon’
system tests both pass.
I think we’ve never been this close to completion. :-)
Thoughts?
Thanks a lot for your feedback, comrades.
Ludo’.
Ludovic Courtès (14):
daemon: Use ‘close_range’ where available.
daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
daemon: Bind-mount all the inputs, not just directories.
daemon: Remount inputs as read-only.
daemon: Remount root directory as read-only.
daemon: Allow running as non-root with unprivileged user namespaces.
daemon: Create /var/guix/profiles/per-user unconditionally.
daemon: Drop Linux ambient capabilities before executing builder.
daemon: Move comments where they belong.
tests: Add missing derivation inputs.
tests: Run in a chroot and unprivileged user namespaces.
etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
guix-install.sh: Support the unprivileged daemon where possible.
DRAFT gnu: guix: Update to 00562be.
 build-aux/test-env.in               |  16 +-
 config-daemon.ac                    |   5 +-
 doc/guix.texi                       | 102 +++++++++---
 etc/gnu-store.mount.in              |   3 +-
 etc/guix-daemon.service.in          |  22 ++-
 etc/guix-install.sh                 | 109 +++++++++---
 gnu/packages/package-management.scm |   6 +-
 guix/substitutes.scm                |   2 +-
 nix/libstore/build.cc               | 247 ++++++++++++++++++++-------
 nix/libstore/local-store.cc         |  26 ++-
 nix/libutil/util.cc                 |  23 ++-
 tests/derivations.scm               |  24 ++-
 tests/packages.scm                  |  13 +-
 tests/processes.scm                 |   9 +-
 tests/store.scm                     | 250 ++++++++++++++++++++++++----
 15 files changed, 675 insertions(+), 182 deletions(-)
base-commit: 519fc51b6ecfe9ac9f2fa2f4ae052ab1984eed22
--
2.48.1
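The mount-locking check described in the cover letter (unshare into fresh user and mount namespaces before execve, then confirm that umount on an inherited mount fails with EINVAL), as an added stand-alone C example; it is not code from the patch series or from guix-daemon, and the function name mounts_are_locked and the /tmp/lockprobe-* scratch directory are this example's own. It assumes a Linux kernel that permits unprivileged user namespaces and reports -1 where it cannot create them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER  /* fallback if <sched.h> was read without _GNU_SOURCE */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
int unshare(int flags);
#endif
/* Write one short string to a /proc file such as uid_map; 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY); if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}
/* Child exit code: 1 = locked (umount gives EINVAL), 0 = unmountable, 2 = cannot test here. */
static int probe_child(const char *dir)
{
    char map[32]; uid_t host_uid = getuid();  /* read before it becomes unmapped */
    /* Step 1: own user + mount namespace, uid mapped to 0 so we may mount. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return 2;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)host_uid);
    if (write_file("/proc/self/uid_map", map) < 0) return 2;
    if (mount("tmpfs", dir, "tmpfs", 0, NULL) < 0) return 2;
    /* Step 2: the builder-side unshare: the new, less privileged mount namespace inherits all mounts as one locked unit. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return 2;
    /* Step 3: the check: the kernel must refuse to separate the inherited mount. */
    if (umount2(dir, 0) == 0) return 0;
    return errno == EINVAL ? 1 : 0;
}
/* 1 = locked as expected, 0 = not locked, -1 = cannot create namespaces. */
int mounts_are_locked(void)
{
    char dir[] = "/tmp/lockprobe-XXXXXX";  /* constructed scratch mountpoint */
    if (mkdtemp(dir) == NULL) return -1;
    int status = 0; pid_t pid = fork();
    if (pid == 0) _exit(probe_child(dir));
    if (pid > 0) waitpid(pid, &status, 0);
    rmdir(dir);
    if (pid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 2) return -1;
    return WEXITSTATUS(status) == 1;
}
```

Run as an unprivileged user on a kernel with user namespaces enabled, a return of 1 is the EINVAL the cover letter checks for; 0 would mean the inherited mount could still be separated.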