GNU bug report logs - #77288
[PATCH 0/6] Rootless guix-daemon on Guix System
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 26 Mar 2025 16:50:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #104 received at 77288 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
>> except ownerships of /gnu/store/ files are funny when I guix system
>> roll-back to the time before guix-ownership services existed.
>
> Uh, right. There’s little we can do here, except perhaps adding a
> warning in the doc?

No, I was just trying to provoke an error. No warning in the doc is
needed. Because (privileged #t) remains the default for some time and
guix-ownership already exists, wrong ownership will not affect many
users when they do not provoke it. Also files owned by a user id, group
id that no longer exists can happen on system roll-backs. And it can
obviously be fixed by following the “Migrating to the Unprivileged
Daemon” docs with root:root.

What I should have written to you is that I want the command

  mount -o remount,rw /gnu/store

to come before the chown for the migrating foreign distro users.

> Users are invited to stop the daemon before doing that, which should
> stop ‘gnu-store.mount’ as well.[…]

No. I set up a Debian VM now with Guix from the install script and guix
pulled as root with this patch series. “systemctl stop guix-daemon”
does not change the mount command outputting:

“/dev/sda1 on /gnu/store type ext4 (ro,relatime,errors=remount-ro)”,

And the chown from “Migrating to the Unprivileged Daemon” prints lines
like:

  chown: changing ownership of '/gnu/store/4ab…-mpfr-4.2.1-builder': Read-only file system

Above mount command from the examples in Guix manual section on SELinux
Policy makes chown work.

I would just write down the “mount -o remount,rw /gnu/store” command,
even though it is not needed when a user is not on systemd or has not
set up gnu-store.mount.

Another observation; I get errors

  guix shell: error: opening global GC lock '/var/guix/gc.lock': Permission denied

I had to chown guix-daemon:guix-daemon /var/guix/gc.lock as well.

Other than that your docs work well for me. Thanks again!

Regards,
Florian
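
The two checks the message above describes (is /gnu/store still mounted read-only, and is a path such as /var/guix/gc.lock owned by guix-daemon:guix-daemon), as an added example that is not part of the original message or of Guix. The function names `mount_mode` and `unowned` are hypothetical; the option list is split on commas so that `errors=remount-ro` is not mistaken for the `ro` flag.

```shell
#!/bin/sh
# Added example: pre-flight checks before the ownership change.
# mount_mode and unowned are hypothetical helper names, not Guix commands.
#
# Usage on the migrating machine:
#   mount | mount_mode /gnu/store     # "ro" means remount read-write first
#   unowned guix-daemon guix-daemon /var/guix/gc.lock

# Read `mount`-style lines ("DEV on DIR type FS (OPTS)") on stdin and print
# "ro", "rw" or "none" for mount point $1.
mount_mode() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            opts = $NF
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            mode = "rw"
            # Compare whole options: "errors=remount-ro" must not count as ro.
            for (i = 1; i <= n; i++)
                if (o[i] == "ro") mode = "ro"
            found = mode    # the last matching line is the topmost mount
        }
        END { print (found == "" ? "none" : found) }
    '
}

# Print each given path whose owner or group differs from USER ($1) and
# GROUP ($2). -prune stops find from descending, so only the named paths
# themselves are examined.
unowned() {
    user=$1
    group=$2
    shift 2
    for p in "$@"; do
        find "$p" -prune ! \( -user "$user" -group "$group" \) -print
    done
}
```

An empty result from `unowned` means every listed path already has the expected owner and group.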
This bug report was last modified 90 days ago.