GNU bug report logs -
#77288
[PATCH 0/6] Rootless guix-daemon on Guix System
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 26 Mar 2025 16:50:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#77288: [PATCH 0/6] Rootless guix-daemon on Guix System
which was filed against the guix-patches package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 77288 <at> debbugs.gnu.org.
--
77288: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77288
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
I pushed this series including the latest suggestions by Florian
(migration instructions on foreign distros) and Maxim (long lines,
leftover hack in the system test).
ba53ff9cc4 * news: Add entry about unprivileged guix-daemon on Guix System.
e2583b5a17 * services: guix: Allow ‘guix-daemon’ to run without root privileges.
2c7c059e0b * tests: guix-daemon: Wait for the ‘guix-daemon’ service to be up.
6367e69f50 * tests: guix-daemon: Send system log output to /dev/console.
da741d8931 * services: account: Create /var/guix/profiles/per-user/$USER.
c990405607 * syscalls: Add ‘unshare’.
78f493dcf8 * doc: Document migration to the unprivileged daemon.
efcce99acb * self: Install systemd ‘.service’ files.
Thanks for helping out!
Ludo’.
[Message part 3 (message/rfc822, inline)]
Hello Guix,
This is a followup to <https://issues.guix.gnu.org/75810>,
which also depends on <https://issues.guix.gnu.org/77189>,
allowing us to run ‘guix-daemon’ without root privileges on
Guix System. It is the second step of the migration path
outlined in <https://issues.guix.gnu.org/75810#111-lineno40>.
This is made difficult by the fact that all this is stateful:
if I switch my system to unprivileged mode, then the store and
all the data files of the daemon must have their owner changed
to ‘guix-daemon’.
This is implemented by an intermediate ‘guix-ownership’ one-shot
service, which completes instantaneously in the normal case and
chowns when switching from privileged to unprivileged and vice
versa. This service remains in ‘starting’ state until it is done.
Another complication is that of /gnu/store being mounted read-only.
To provide the ‘guix-ownership’ and ‘guix-daemon’ processes write
access to the store, they are started by a wrapper that creates a
new mount namespace and remounts the store read-write (similar to
‘makeStoreWritable’ in the daemon).
An open issue is ‘--keep-failed’: currently /tmp/guix-build-*
directories will remain owned by ‘guix-daemon’ as was discussed in
the initial message at <https://issues.guix.gnu.org/75810>. It’s
a regression, but maybe it’s acceptable if we consider that this
feature is primarily used on single-user machines.
For now, the installation procedure creates /gnu/store, /var/guix,
etc. with root:root ownership. Eventually, if/when we settle on
unprivileged guix-daemon, we should change that code to have
guix-daemon:guix-daemon as the owner.
Ludovic Courtès (6):
syscalls: Add ‘unshare’.
services: account: Create /var/guix/profiles/per-user/$USER.
tests: guix-daemon: Send system log output to /dev/console.
tests: guix-daemon: Wait for the ‘guix-daemon’ service to be up.
services: guix: Allow ‘guix-daemon’ to run without root privileges.
DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
doc/guix.texi | 30 +++++++
etc/news.scm | 24 ++++++
gnu/services/base.scm | 187 ++++++++++++++++++++++++++++++++++++----
gnu/system/shadow.scm | 19 +++-
gnu/tests/base.scm | 60 +++++++++++--
guix/build/syscalls.scm | 18 ++++
tests/syscalls.scm | 9 ++
7 files changed, 325 insertions(+), 22 deletions(-)
base-commit: 1a69acce515de9be9b95df04c553a47a808e5034
--
2.49.0
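The read-write remount that the cover letter above attributes to the wrapper, written out as an added example in C in the style of the daemon's makeStoreWritable(). This is not code from the series or from the Guix daemon: the cover letter says only that the wrapper unshares a mount namespace and remounts the store, so the store path, the account name guix-daemon, and the drop-privileges-then-exec sequence are assumptions added here.

```c
/* Added example (not Guix code): give a process a writable view of a
   read-only store inside its own mount namespace, in the style of the
   daemon's makeStoreWritable(), then drop to an unprivileged account.
   Store path, account name and the drop-then-exec sequence are assumptions. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
# define CLONE_NEWNS 0x00020000   /* value from <linux/sched.h> */
#endif

/* Decision helper, separated so the policy can be tested without root:
   a remount is only needed when the filesystem reports itself read-only. */
int store_needs_remount(unsigned long f_flag)
{
    return (f_flag & ST_RDONLY) != 0;
}

/* Remount STORE read-write for this process and its children only.
   Returns 0 on success or the errno of the step that failed. */
int make_store_writable(const char *store)
{
    struct statvfs st;

    if (statvfs(store, &st) != 0)
        return errno;                    /* e.g. ENOENT for a bad path */
    if (!store_needs_remount(st.f_flag))
        return 0;                        /* already writable */

    /* New mount namespace: a private copy of the mount tree.  Needs
       CAP_SYS_ADMIN, so an ordinary user gets EPERM here. */
    if (syscall(SYS_unshare, CLONE_NEWNS) != 0)
        return errno;

    /* Turn off propagation from our copy back to the parent namespace,
       so later mounts/unmounts made here stay here. */
    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) != 0)
        return errno;

    /* MS_REMOUNT | MS_BIND changes only this mount point's per-mount
       flags; the superblock and every other namespace stay read-only. */
    if (mount(NULL, store, NULL, MS_REMOUNT | MS_BIND, NULL) != 0)
        return errno;

    return 0;
}

/* Become USER irreversibly.  Order matters: supplementary groups, then
   gid, then uid; changing the uid first would make the gid change fail. */
int drop_to_user(const char *user)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return errno ? errno : ENOENT;
    if (setgroups(0, NULL) != 0)
        return errno;
    if (setgid(pw->pw_gid) != 0)
        return errno;
    if (setuid(pw->pw_uid) != 0)
        return errno;
    /* Regaining root must now be impossible; if it is not, refuse to go on. */
    if (setuid(0) == 0)
        return EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    const char *store = "/gnu/store";     /* assumed store location */
    const char *user = "guix-daemon";     /* assumed daemon account */
    int err;

    if (argc < 2) {
        fprintf(stderr, "usage: %s DAEMON [ARGS...]\n", argv[0]);
        return 2;
    }
    if ((err = make_store_writable(store)) != 0) {
        fprintf(stderr, "remounting %s read-write: %s\n", store, strerror(err));
        return 1;
    }
    if ((err = drop_to_user(user)) != 0) {
        fprintf(stderr, "switching to %s: %s\n", user, strerror(err));
        return 1;
    }
    execv(argv[1], argv + 1);             /* runs unprivileged, store writable */
    perror("execv");
    return 1;
}
```

Run as root, e.g. `./wrapper /path/to/guix-daemon --build-users-group=guixbuild`; the remount happens before the uid change because unshare(CLONE_NEWNS) and mount() need CAP_SYS_ADMIN, and the writable view is confined to the new namespace, so the rest of the system keeps its read-only /gnu/store. The setuid(0) check after the drop is the usual guard that the switch really took effect.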
This bug report was last modified 90 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.