GNU bug report logs - #75810 [PATCH 0/6] Rootless guix-daemon
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 24 Jan 2025 17:24:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #95 received at 75810 <at> debbugs.gnu.org:
Hi,
Ludovic Courtès <ludo <at> gnu.org> writes:
> I think I’d prefer to have a systemd (or other) service make a
> read-write bind-mount at /gnu/store/.rw-store, and then we’d run
> ‘guix-daemon --backing-store=/gnu/store/.rw-store’.
For a moment, I thought we could just do nothing on our side and instead
take advantage of what systemd (and shepherd) have to offer.
On the systemd side, there are several things that looked promising¹.
First option:
PrivateMounts=true
PrivateUsers=true
ReadWritePaths=/gnu/store
But that doesn’t work: the doc says that files in ‘ReadWritePaths’ “are
accessible from within the namespace with the same access modes as from
outside of it” (so read-only in our case).
Second option:
BindPaths=/gnu/store
… but that does essentially nothing, and we can’t specify that we want
“remount,rw”.
Third option:
ExecStartPre=mount --bind -o rw,remount /gnu/store
… but the doc for ‘PrivateMounts’ says that “[m]ounts established in the
namespace of the process created by ExecStartPre= will hence be cleaned
up automatically as soon as that process exits and will not be available
to subsequent processes forked off for ExecStart=”.
If anyone familiar with systemd has other ideas, I’m all ears!
Otherwise I think we’ll have to have that ‘--backing-store’ option
(which would be useful in other contexts anyway).
Thanks,
Ludo’.
¹ https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#
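As an added example that is not part of this thread or of Guix: a shell check that reads a mountinfo listing and reports whether a path such as /gnu/store is read-only or writable in the calling mount namespace, which is how one would verify what each of the unit options above actually yields from the daemon's point of view. The mountinfo sample is constructed, not a real capture.

```shell
# Added example, not code from the bug thread: report whether a path is
# covered by a read-only or read-write mount according to a mountinfo
# listing, i.e. the check for "is /gnu/store writable from inside this
# service's mount namespace?".
set -eu

# Constructed sample in /proc/self/mountinfo format (not a real capture):
# / is writable, /gnu/store is a read-only bind mount of the same
# filesystem, and /gnu/store/.rw-store is a writable bind of the store.
# The per-mount flags live in field 6; the superblock options after "-"
# stay "rw" because a bind remount only changes the mount, not the fs.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:1 /gnu/store /gnu/store ro,relatime shared:1 - ext4 /dev/sda1 rw
41 22 8:1 /gnu/store /gnu/store/.rw-store rw,relatime - ext4 /dev/sda1 rw'

# mount_mode PATH [MOUNTINFO]
# Prints "ro" or "rw" for the mount that covers PATH.  The longest
# matching mount point wins (later lines win ties, like the kernel's
# mount stack); MOUNTINFO defaults to the caller's own namespace.
mount_mode() {
  local path=$1 info=${2:-$(cat /proc/self/mountinfo)}
  printf '%s\n' "$info" | awk -v p="$path" '
    {
      mp = $5          # field 5: mount point; field 6: per-mount options
      if (mp == "/" || mp == p || index(p, mp "/") == 1) {
        if (length(mp) >= best) { best = length(mp); opts = $6 }
      }
    }
    END {
      if (best == 0) { print "unknown"; exit 2 }
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit 0 }
      print "rw"
    }'
}

# Sample run: the store itself is read-only, the writable bind is not.
mount_mode /gnu/store "$SAMPLE_MOUNTINFO"            # prints "ro"
mount_mode /gnu/store/.rw-store "$SAMPLE_MOUNTINFO"  # prints "rw"
```

Run without the second argument to inspect the namespace of the current process, for instance from an ExecStartPre= or ExecStart= command of the unit under test.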