GNU bug report logs - #77638
[PATCH 0/8] Harden 'call-with-container'


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Apr 2025 12:23:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #32 received at 77638 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Tobias Geerinckx-Rice <me <at> tobias.gr>, 77638 <at> debbugs.gnu.org,
 Christopher Baines <guix <at> cbaines.net>
Subject: Re: [bug#77638] [PATCH 5/8] environment: Add ‘--writable-root’ and default to read-only root.
Date: Tue, 22 Apr 2025 11:13:54 +0900
Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:

> This is an incompatible change where the root file system in
> ‘guix shell -C’ is now read-only by default.
>
> * guix/scripts/environment.scm (show-environment-options-help)
> (%options): Add ‘--writable-root’.
> * guix/scripts/environment.scm (setup-fhs): Invoke /sbin/ldconfig; moved
> from…
> (launch-environment): … here.
> (launch-environment/container): Add #:writable-root? and pass it to
> ‘call-with-container’.  Move root file system setup to #:populate-file-system.
> (guix-environment*): Honor ‘--writable-root’.
> * tests/guix-environment-container.sh: Test it.
> * doc/guix.texi (Invoking guix shell): Document ‘--writable-root’.
> (Debugging Build Failures): Mention it before “rm /bin/sh”.

Neat.

[...]

> +# Check that the root file system is read-only by default...
> +guix environment --bootstrap --container --ad-hoc guile-bootstrap \
> +     -- guile -c '(mkdir "/whatever")' && false
> +
> +# ... and can be made writable.
> +guix environment --bootstrap --container --ad-hoc guile-bootstrap	\
> +     --writable-root							\
> +     -- guile -c '(mkdir "/whatever")'
> +
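Review bot: the negative check (`... -- guile -c '(mkdir "/whatever")' && false`) passes on any non-zero exit of the `guix environment` command, not only on `mkdir` failing because the root is read-only, so an unrelated container start-up failure would be accepted as a pass; consider having the guile snippet catch the `system-error` raised by `mkdir` and exit with a distinct status that the test checks explicitly. Minor style point: the second invocation pads its line continuations with tabs before the backslashes while the first uses a single space; using one convention keeps the test script consistent.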

Nice to have tests.

Reviewed-by: Maxim Cournoyer <maxim.cournoyer <at> gmail>

-- 
Thanks,
Maxim



