GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludo <at> gnu.org>
To: 75810 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Reepca Russelstein <reepca <at> russelstein.xyz>
Subject: [bug#75810] [PATCH v6 00/16] Rootless guix-daemon
Date: Mon, 17 Mar 2025 18:02:43 +0100
Hello,

This new version addresses Reepca’s latest comments¹:

  • Close the read end of ‘logPipe’ in ‘commonChildInit’.

  • Explicitly close the ‘readiness’ pipe.

  • Fix ‘--disable-chroot’ warning in the manual that was misleading.

  • Have ‘test-env’ check whether user namespaces are supported at all,
    which fixes non-Linux support (where it would previously fail to
    pass ‘--disable-chroot’.)

  • Change ‘unprivileged-user-namespace-supported?’ similarly.

  • Fix “build root cannot be made world-readable” test, which could
    not possibly fail and was exposing users unnecessarily.

  • Change ‘guix-install.sh’ on systemd machines: warn when unprivileged
    user namespaces are disabled, attempt to enable them, and error out
    if we failed to enable them.

Hopefully I didn’t forget anything.

I checked that the “debian-install” and “guix-daemon” system tests
still pass.

Thanks,
Ludo’.

¹ https://issues.guix.gnu.org/75810#91

Ludovic Courtès (16):
  daemon: Use ‘close_range’ where available.
  daemon: Close the read end of the logging pipe.
  daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
  daemon: Bind-mount all the inputs, not just directories.
  daemon: Remount inputs as read-only.
  daemon: Remount root directory as read-only.
  daemon: Allow running as non-root with unprivileged user namespaces.
  daemon: Create /var/guix/profiles/per-user unconditionally.
  daemon: Drop Linux ambient capabilities before executing builder.
  daemon: Move comments where they belong.
  linux-container: ‘unprivileged-user-namespace-supported?’ returns #f
    on non-Linux.
  tests: Add missing derivation inputs.
  tests: Run in a chroot and unprivileged user namespaces.
  etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
  guix-install.sh: Support the unprivileged daemon where possible.
  DRAFT gnu: guix: Update to 07c5b1b

 build-aux/test-env.in               |  18 +-
 config-daemon.ac                    |   5 +-
 doc/guix.texi                       | 102 ++++++++---
 etc/gnu-store.mount.in              |   3 +-
 etc/guix-daemon.service.in          |  22 ++-
 etc/guix-install.sh                 | 124 +++++++++++---
 gnu/build/linux-container.scm       |   4 +-
 gnu/packages/package-management.scm |   6 +-
 guix/substitutes.scm                |   2 +-
 nix/libstore/build.cc               | 251 +++++++++++++++++++++-------
 nix/libstore/local-store.cc         |  26 ++-
 nix/libutil/util.cc                 |  26 ++-
 tests/derivations.scm               |  24 ++-
 tests/packages.scm                  |  13 +-
 tests/processes.scm                 |   9 +-
 tests/store.scm                     | 247 +++++++++++++++++++++++----
 16 files changed, 698 insertions(+), 184 deletions(-)


base-commit: 0c497c87ac47206b3e8c6dfa2e1e9b5f3e452292
-- 
2.48.1
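As an added illustration, not part of this patch series or the Guix daemon's own code: two small C routines in the spirit of the "use close_range where available" and "check whether unprivileged user namespaces are supported" changes listed above. The names `close_fd_range` and `unprivileged_userns_supported` are my own, and the probe approximates the check with a fork-and-unshare rather than reproducing what `test-env` or `linux-container.scm` actually does.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor in [first, last] (e.g. close_fd_range(3, ~0U)
   before exec'ing a builder).  Uses close_range(2) where the kernel has
   it and falls back to a close() loop bounded by RLIMIT_NOFILE. */
int close_fd_range(unsigned int first, unsigned int last)
{
#ifdef SYS_close_range
    if (syscall(SYS_close_range, first, last, 0) == 0)
        return 0;          /* ENOSYS on kernels before 5.9: fall back */
#endif
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur == 0)
        return -1;
    /* Bound the loop by the soft limit; RLIM_INFINITY is capped at 2^20. */
    unsigned int limit = rl.rlim_cur > (1u << 20) ? (1u << 20) : (unsigned int)rl.rlim_cur;
    if (last >= limit)
        last = limit - 1;
    for (unsigned int fd = first; fd <= last; fd++)
        close(fd);         /* EBADF on unused slots is expected */
    return 0;
}

/* Probe whether this process may create a user namespace: unshare() runs
   in a forked child so the caller's namespaces stay untouched.  Returns
   1 if supported, 0 otherwise (always 0 off Linux).  Root passes even
   where the unprivileged case is disabled, so run it as the daemon user. */
int unprivileged_userns_supported(void)
{
#ifdef __linux__
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
#else
    return 0;
#endif
}
```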