From: bug#79321 <79321@debbugs.gnu.org>
To: bug#79321 <79321@debbugs.gnu.org>
Subject: Status: A pile of problems with unprivileged Guix daemon and 'guix gc'
Date: Tue, 09 Sep 2025 13:10:59 +0000

retitle 79321 A pile of problems with unprivileged Guix daemon and 'guix gc'
reassign 79321 guix
submitter 79321 "Zack Weinberg"
severity 79321 normal
thanks


From: "Zack Weinberg"
To: help-guix@gnu.org, bug-guix@gnu.org
Subject: A pile of problems with unprivileged Guix daemon and 'guix gc'
Date: Tue, 26 Aug 2025 17:17:22 -0400

# guix gc
finding garbage collector roots...
cannot read potential root `/var/guix/gcroots/auto/idj3k6kjlqi7y8sc4c5xschqh8zkhfvb'
cannot read potential root `/var/guix/gcroots/auto/5si4fzk79j7v27rqaic4lc2qfpk42ilb'
cannot read potential root `/var/guix/gcroots/auto/825grbfhqdfav4g6827d2d3hb8hyhhzl'
cannot read potential root `/var/guix/gcroots/auto/6l77c1c97vij2gg3p95d9zi2k7l0yx29'
cannot read potential root `/var/guix/gcroots/auto/r2x8d211bfp2y3y6wvgp8740ram26ipv'
cannot read potential root `/var/guix/gcroots/auto/jbrxxz57056g8393kh9zyyj325lwq5c5'
guix gc: error: program `/gnu/store/6px1m9n904j8s4hyrmlds707sfnq52d9-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1

So first off, these error messages fail to comply with the first law of
Unix error messages; they don't print strerror(errno), and they don't
name the actual system call that failed, so they don't tell me *why* the
GC roots can't be read. But leave that aside for now...

# guix gc 2>&1 | sed -ne 's:^cannot read potential root `\([a-z0-9/]*\)'\''$:\1:p' > /tmp/bad-roots
# ls -l $(cat /tmp/bad-roots)
lrwxrwxrwx 1 guix-daemon guix-daemon 80 Aug 10 01:41 /var/guix/gcroots/auto/5si4fzk79j7v27rqaic4lc2qfpk42ilb -> /root/.cache/guix/inferiors/bpo6zmuuzeya74vbpqn2innq7vw4xzxn7azgjarsmg756jdrsika
lrwxrwxrwx 1 guix-daemon guix-daemon 79 Mar 16 22:20 /var/guix/gcroots/auto/6l77c1c97vij2gg3p95d9zi2k7l0yx29 -> /root/.cache/guix/profiles/simr3ylizyyss24c25azsqfl4vjtw2t4ywvgpbh3iinbrsljgfea
lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 27 02:02 /var/guix/gcroots/auto/825grbfhqdfav4g6827d2d3hb8hyhhzl -> /root/.cache/guix/inferiors/zy7a627k6aubd32iun2ibyoy4ulbj4xas55yaibwaayctx6qehta
lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 13 01:41 /var/guix/gcroots/auto/idj3k6kjlqi7y8sc4c5xschqh8zkhfvb -> /root/.cache/guix/inferiors/72tvmmz43muzwd4lml3xsfdxw55idd742433w4kylm7yyyohed6a
lrwxrwxrwx 1 guix-daemon guix-daemon 80 Aug  3 01:39 /var/guix/gcroots/auto/jbrxxz57056g8393kh9zyyj325lwq5c5 -> /root/.cache/guix/inferiors/qgxsppsml7olednljz273sdygm5zsxjrrpey2q7ysh5on6evneza
lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 20 01:41 /var/guix/gcroots/auto/r2x8d211bfp2y3y6wvgp8740ram26ipv -> /root/.cache/guix/inferiors/whqagcgua6af2zpw3xpaiiifny6pvevcpque3kstsu74ufx6rrda

# ls -ld /root /root/.cache /root/.cache/guix /root/.cache/guix/{inferiors,profiles}
drwx------ 5 root root 4096 Aug 26 20:46 /root/
drwxr-xr-x 4 root root 4096 Jul 22  2024 /root/.cache/
drwxr-xr-x 6 root root 4096 Mar 16 22:19 /root/.cache/guix/
drwxr-xr-x 2 root root 4096 Aug 10 01:41 /root/.cache/guix/inferiors/
drwxr-xr-x 2 root root 4096 Mar 16 22:21 /root/.cache/guix/profiles/

After seeing this I suspected the problem might be that the *Guix daemon*,
which is running unprivileged, cannot access these files. And indeed, if
I do `chmod 711 /root`, then `guix gc` stops printing the "cannot read
potential root" messages. But it still doesn't _work_:

# guix gc
finding garbage collector roots...
guix gc: error: program `/gnu/store/6px1m9n904j8s4hyrmlds707sfnq52d9-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1

So that's _really_ bad UX, but again, not the immediate problem. Since I
do now know that it's the daemon that's having problems, I check the logs:

# tail -3 /var/log/guix-daemon.log
2025-08-26 20:56:21 accepted connection from pid 172, user root
2025-08-26 20:56:21 accepted connection from pid 176, user guix-daemon
2025-08-26 20:56:21 guix gc: error: creating directory `/var/guix/profiles/per-user/guix-daemon': Permission denied

Well, that's suggestive...

# ls -la /var/guix/profiles/per-user
total 28
drwxr-xr-x 7 root root 4096 Apr 25 20:03 ./
drwxr-xr-x 3 root root 4096 Aug 26 20:25 ../
drwxr-xr-x 2 root root 4096 Aug 26 20:25 root/
drwxr-xr-x 2 user1 user1 4096 Apr 25 20:03 user1/
drwxr-xr-x 2 user2 user2 4096 Apr 25 20:03 user2/
drwxr-xr-x 2 user3 user3 4096 Apr 25 20:03 user3/

(actual user names redacted)

# mkdir /var/guix/profiles/per-user/guix-daemon
# chown guix-daemon:guix-daemon /var/guix/profiles/per-user/guix-daemon
# guix gc
finding garbage collector roots...
deleting garbage...
[7 MiB] deleting '/gnu/store/r993z4wdyqqwzxlif1hvqzp6cqhqr2bw-rustc-1.76.0-src.tar.zst.drv'
[7 MiB] deleting '/gnu/store/afnyx8a8qj4wlhywv0zsf57lmk8yskzc-rustc-1.76.0-src.tar.gz.drv'
...
[38344 MiB] deleting '/gnu/store/yd1hpyjjmzmq5qmlv6q2ycqlymsma9rh-freeglut-3.4.0-builder'
[38344 MiB] deleting '/gnu/store/3z0np2ad898193wws74k54rzppr356cv-ipxe-qemu-1.21.1-3.24db39f-builder'
deleting `/gnu/store/trash'
guix gc: error: making `var/empty' writable: Operation not permitted

Well yeah! /var/empty is supposed to be empty at all times! Is this
not how it's supposed to be?

# ls -ld /var/empty
dr-xr-xr-x 2 root root 4096 Jul 22  2024 /var/empty/

But if I set it to be world-writable I still get the same error. In
fact, even if I make it *owned by guix-daemon*, I still get the same
error!

And now I'm stuck. guix gc moved all the trash to /gnu/store/trash,
but it didn't actually delete any of it. There's 11G in there, and
I can't delete it by hand because the store is mounted read-only
and I don't know how to temporarily override that for this kind of
manual repair job. Any advice would be most appreciated.

zw


From: Rutherther
To: help-guix@gnu.org, Zack Weinberg, 79321@debbugs.gnu.org
Subject: Re: A pile of problems with unprivileged Guix daemon and 'guix gc'
Date: Wed, 27 Aug 2025 08:23:41 +0200

Hi,

On August 26, 2025 11:17:22 PM GMT+02:00, Zack Weinberg wrote:
># guix gc
>finding garbage collector roots...
>cannot read potential root `/var/guix/gcroots/auto/idj3k6kjlqi7y8sc4c5xschqh8zkhfvb'
>cannot read potential root `/var/guix/gcroots/auto/5si4fzk79j7v27rqaic4lc2qfpk42ilb'
>cannot read potential root `/var/guix/gcroots/auto/825grbfhqdfav4g6827d2d3hb8hyhhzl'
>cannot read potential root `/var/guix/gcroots/auto/6l77c1c97vij2gg3p95d9zi2k7l0yx29'
>cannot read potential root `/var/guix/gcroots/auto/r2x8d211bfp2y3y6wvgp8740ram26ipv'
>cannot read potential root `/var/guix/gcroots/auto/jbrxxz57056g8393kh9zyyj325lwq5c5'
>guix gc: error: program `/gnu/store/6px1m9n904j8s4hyrmlds707sfnq52d9-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1
>
>So first off, these error messages fail to comply with the first law of
>Unix error messages; they don't print strerror(errno), and they don't
>name the actual system call that failed, so they don't tell me *why* the
>GC roots can't be read. But leave that aside for now...
>
># guix gc 2>&1 | sed -ne 's:^cannot read potential root `\([a-z0-9/]*\)'\''$:\1:p' > /tmp/bad-roots
># ls -l $(cat /tmp/bad-roots)
>lrwxrwxrwx 1 guix-daemon guix-daemon 80 Aug 10 01:41 /var/guix/gcroots/auto/5si4fzk79j7v27rqaic4lc2qfpk42ilb -> /root/.cache/guix/inferiors/bpo6zmuuzeya74vbpqn2innq7vw4xzxn7azgjarsmg756jdrsika
>lrwxrwxrwx 1 guix-daemon guix-daemon 79 Mar 16 22:20 /var/guix/gcroots/auto/6l77c1c97vij2gg3p95d9zi2k7l0yx29 -> /root/.cache/guix/profiles/simr3ylizyyss24c25azsqfl4vjtw2t4ywvgpbh3iinbrsljgfea
>lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 27 02:02 /var/guix/gcroots/auto/825grbfhqdfav4g6827d2d3hb8hyhhzl -> /root/.cache/guix/inferiors/zy7a627k6aubd32iun2ibyoy4ulbj4xas55yaibwaayctx6qehta
>lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 13 01:41 /var/guix/gcroots/auto/idj3k6kjlqi7y8sc4c5xschqh8zkhfvb -> /root/.cache/guix/inferiors/72tvmmz43muzwd4lml3xsfdxw55idd742433w4kylm7yyyohed6a
>lrwxrwxrwx 1 guix-daemon guix-daemon 80 Aug  3 01:39 /var/guix/gcroots/auto/jbrxxz57056g8393kh9zyyj325lwq5c5 -> /root/.cache/guix/inferiors/qgxsppsml7olednljz273sdygm5zsxjrrpey2q7ysh5on6evneza
>lrwxrwxrwx 1 guix-daemon guix-daemon 80 Jul 20 01:41 /var/guix/gcroots/auto/r2x8d211bfp2y3y6wvgp8740ram26ipv -> /root/.cache/guix/inferiors/whqagcgua6af2zpw3xpaiiifny6pvevcpque3kstsu74ufx6rrda
>
># ls -ld /root /root/.cache /root/.cache/guix /root/.cache/guix/{inferiors,profiles}
>drwx------ 5 root root 4096 Aug 26 20:46 /root/
>drwxr-xr-x 4 root root 4096 Jul 22  2024 /root/.cache/
>drwxr-xr-x 6 root root 4096 Mar 16 22:19 /root/.cache/guix/
>drwxr-xr-x 2 root root 4096 Aug 10 01:41 /root/.cache/guix/inferiors/
>drwxr-xr-x 2 root root 4096 Mar 16 22:21 /root/.cache/guix/profiles/
>
>After seeing this I suspected the problem might be that the *Guix daemon*,
>which is running unprivileged, cannot access these files. And indeed, if
>I do `chmod 711 /root`, then `guix gc` stops printing the "cannot read
>potential root" messages. But it still doesn't _work_:
>
># guix gc
>finding garbage collector roots...
>guix gc: error: program `/gnu/store/6px1m9n904j8s4hyrmlds707sfnq52d9-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1
>
>So that's _really_ bad UX, but again, not the immediate problem. Since I
>do now know that it's the daemon that's having problems, I check the logs:
>
># tail -3 /var/log/guix-daemon.log
>2025-08-26 20:56:21 accepted connection from pid 172, user root
>2025-08-26 20:56:21 accepted connection from pid 176, user guix-daemon
>2025-08-26 20:56:21 guix gc: error: creating directory `/var/guix/profiles/per-user/guix-daemon': Permission denied
>
>Well, that's suggestive...
>
># ls -la /var/guix/profiles/per-user
>total 28
>drwxr-xr-x 7 root root 4096 Apr 25 20:03 ./
>drwxr-xr-x 3 root root 4096 Aug 26 20:25 ../
>drwxr-xr-x 2 root root 4096 Aug 26 20:25 root/
>drwxr-xr-x 2 user1 user1 4096 Apr 25 20:03 user1/
>drwxr-xr-x 2 user2 user2 4096 Apr 25 20:03 user2/
>drwxr-xr-x 2 user3 user3 4096 Apr 25 20:03 user3/
>
>(actual user names redacted)

This doesn't look okay, I think both /var/guix/profiles and
/var/guix/profiles/per-user should be owned by guix-daemon. This goes
basically for everything under /var/guix, except for
profiles/per-user/X, where the owner should be X. Though now looking
into guix-ownership service it seems it doesn't try to change this
ownership, only of /var/guix. While on the other hand the
guix-install.sh script does - it chowns everything and then reverts
root's profile to root. An oversight?

>
># mkdir /var/guix/profiles/per-user/guix-daemon
># chown guix-daemon:guix-daemon /var/guix/profiles/per-user/guix-daemon
># guix gc
>finding garbage collector roots...
>deleting garbage...
>[7 MiB] deleting '/gnu/store/r993z4wdyqqwzxlif1hvqzp6cqhqr2bw-rustc-1.76.0-src.tar.zst.drv'
>[7 MiB] deleting '/gnu/store/afnyx8a8qj4wlhywv0zsf57lmk8yskzc-rustc-1.76.0-src.tar.gz.drv'
>...
>[38344 MiB] deleting '/gnu/store/yd1hpyjjmzmq5qmlv6q2ycqlymsma9rh-freeglut-3.4.0-builder'
>[38344 MiB] deleting '/gnu/store/3z0np2ad898193wws74k54rzppr356cv-ipxe-qemu-1.21.1-3.24db39f-builder'
>deleting `/gnu/store/trash'
>guix gc: error: making `var/empty' writable: Operation not permitted
>
>Well yeah! /var/empty is supposed to be empty at all times! Is this
>not how it's supposed to be?
>
># ls -ld /var/empty
>dr-xr-xr-x 2 root root 4096 Jul 22  2024 /var/empty/
>
>But if I set it to be world-writable I still get the same error. In
>fact, even if I make it *owned by guix-daemon*, I still get the same
>error!

I think that resolving the /var/guix permissions might solve this issue
as well. The error says var/empty, not /var/empty, implying it is under
whatever the guix daemon's pwd is. Well, I unfortunately am just on
phone and since recently I decided to try update emacs on it and ended
up with emacs without git or anything, I cannot check now what file it
is actually trying to create from source like I usually would (with
search feature). So best I can tell you, if solving permissions in
/var/guix doesn't work, to start guix-daemon with strace and see what
file it is actually talking about, not just the relative path.

>
>And now I'm stuck. guix gc moved all the trash to /gnu/store/trash,
>but it didn't actually delete any of it. There's 11G in there, and
>I can't delete it by hand because the store is mounted read-only
>and I don't know how to temporarily override that for this kind of
>manual repair job. Any advice would be most appreciated.

It is bind mounted, that means you can just umount it. But I would
strongly advise against it if it is possible to let guix solve it on its
own. Not sure if stuff in the trash is somehow tracked, if not, it would
be safe to do that, yeah.

Rutherther

PS: please don't send same emails both to guix help and bug guix. This
means anyone who replies all will make a new bug report!
Omitting the fact that this bug tracker is deprecated in favor of
codeberg issues, you should rather use X-Debbugs-Cc to let debbugs send
the email with proper email address to reply to - id of the bug.

>
>zw


From: "Zack Weinberg"
To: Rutherther, help-guix@gnu.org, 79321@debbugs.gnu.org
Subject: Re: A pile of problems with unprivileged Guix daemon and 'guix gc'
Date: Wed, 27 Aug 2025 11:24:32 -0400

On Wed, Aug 27, 2025, at 2:23 AM, Rutherther wrote:
> On August 26, 2025 11:17:22 PM GMT+02:00, Zack Weinberg wrote:
>># guix gc
>>guix gc: error: making `var/empty' writable: Operation not permitted
>>
>>Well yeah! /var/empty is supposed to be empty at all times! Is this
>>not how it's supposed to be?
>>
>># ls -ld /var/empty
>>dr-xr-xr-x 2 root root 4096 Jul 22  2024 /var/empty/
>>
>>But if I set it to be world-writable I still get the same error. In
>>fact, even if I make it *owned by guix-daemon*, I still get the same
>>error!
>
> I think that resolving the /var/guix permissions might solve this issue
> as well. The error says var/empty, not /var/empty, implying it is under
> whatever the guix daemon's pwd is.

The guix daemon's pwd is '/'.

> Well, I unfortunately am just on
> phone and since recently I decided to try update emacs on it and ended
> up with emacs without git or anything, I cannot check now what file it
> is actually trying to create from source like I usually would (with
> search feature).

I happen to have a full checkout of Guix on my workstation. The
computer with all the problems was stuck on an old Guix (because
unattended-upgrade failed because the store had consumed all available
disk space); if I'm interpreting the contents of the old system profile
correctly, it was stuck on commit
b7ac124f3cfadca9a6fc9829628f84c9d9d1b27b. The string "var/empty" does
not appear anywhere in the Guix source tree, except as part of
"/var/empty", either on that commit or the tip of master (currently
commit aad612c143e19c1a4b64ae066a1fdfbe16c71226).

I'm reluctant to screw with permissions without understanding what
actually went wrong here.

> PS: please don't send same emails both to guix help and bug guix. This
> means anyone who replies all will make a new bug report! Omitting the
> fact that this bug tracker is deprecated in favor of codeberg issues,
> you should rather use X-Debbugs-Cc to let debbugs send the email with
> proper email address to reply to - id of the bug.

So noted.

zw
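

Added example, not part of the thread and not Guix code: the first message traced the "cannot read potential root" errors to symlinks in /var/guix/gcroots/auto whose targets sit below a mode-0700 /root that the unprivileged daemon cannot traverse. The Python sketch below audits a roots directory from a given uid's point of view using mode bits only (ACLs and capabilities are ignored) and names the blocking directory; the function names, the `base` parameter and the constructed demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def can_search(st, uid, gids):
    """Mode-bit test for directory search (x) permission; ACLs are ignored."""
    if uid == 0:
        return True  # root is not subject to search-permission checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocker(path, uid, gids=(), base=os.sep):
    """Walk from `base` down to the parent of `path` (assumed to lie under
    `base`) and return (directory, reason) for the first directory that
    `uid` cannot traverse, or None if there is none."""
    base = os.path.abspath(base)
    current = base
    for part in os.path.relpath(os.path.abspath(path), base).split(os.sep):
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return None  # missing ancestor: the caller reports it as dangling
        except OSError as e:
            return current, "stat: " + e.strerror  # name the call and errno text
        if not stat.S_ISDIR(st.st_mode):
            return current, "not a directory"
        if not can_search(st, uid, gids):
            return current, "mode %04o, owner uid %d" % (
                stat.S_IMODE(st.st_mode), st.st_uid)
        current = os.path.join(current, part)
    return None


def audit_gc_roots(roots_dir, uid, gids=(), base=os.sep):
    """Classify every symlink in `roots_dir` as seen by `uid`."""
    report = {}
    for name in sorted(os.listdir(roots_dir)):
        link = os.path.join(roots_dir, name)
        try:
            target = os.path.join(roots_dir, os.readlink(link))
        except OSError as e:
            report[name] = ("error", "readlink: " + e.strerror)
            continue
        blocked = first_blocker(target, uid, gids, base)
        if blocked:
            report[name] = ("blocked", "%s (%s)" % blocked)
        elif not os.path.lexists(target):
            report[name] = ("dangling", target)
        else:
            report[name] = ("ok", target)
    return report


def build_demo_tree():
    """Constructed stand-in for the reported layout: a 0700 home directory
    holding the cache that some of the auto roots point into."""
    top = tempfile.mkdtemp()
    home = os.path.join(top, "root-home")
    cache = os.path.join(home, ".cache", "guix", "inferiors")
    shared = os.path.join(top, "shared")
    roots = os.path.join(top, "gcroots", "auto")
    for d in (cache, shared, roots):
        os.makedirs(d)
    for d, _, _ in os.walk(top):
        os.chmod(d, 0o755)
    os.chmod(home, 0o700)
    open(os.path.join(cache, "inferior-a"), "w").close()
    open(os.path.join(shared, "profile-b"), "w").close()
    os.symlink(os.path.join(cache, "inferior-a"), os.path.join(roots, "root-a"))
    os.symlink(os.path.join(shared, "profile-b"), os.path.join(roots, "root-b"))
    os.symlink(os.path.join(shared, "gone"), os.path.join(roots, "root-c"))
    return top, roots, home


if __name__ == "__main__":
    top, roots, _ = build_demo_tree()
    daemon_uid = os.getuid() + 1  # constructed stand-in for the daemon's uid
    for name, (status, detail) in audit_gc_roots(roots, daemon_uid, base=top).items():
        print(name, status, detail)
```

On a real system the call would be `audit_gc_roots("/var/guix/gcroots/auto", uid, gids)` with the daemon account's uid and group ids, run by a user able to stat every ancestor of the targets.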