[bug#75810] [PATCH v7 00/16] Rootless guix-daemon
From: Ludovic Courtès
Subject: [bug#75810] [PATCH v7 00/16] Rootless guix-daemon
Date: Thu, 20 Mar 2025 21:54:33 +0100
Hello,
Changes compared to v6 (all suggested by Reepca):
• Canonicalize the builder’s file name before ‘execve’
and add the “builder is outside the store” test in
‘tests/derivations.scm’ (though the test would already
succeed before due to the ELF interpreter being unavailable
in the chroot).
• Explicitly close both ends of the ‘readiness’ pipe.
• Use ‘mkdir -p’ to create /var/log/guix in ‘guix-install.sh’.
Thoughts?
Ludo’.
Ludovic Courtès (16):
daemon: Use ‘close_range’ where available.
daemon: Close the read end of the logging pipe.
daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
daemon: Bind-mount all the inputs, not just directories.
daemon: Remount inputs as read-only.
daemon: Remount root directory as read-only.
daemon: Allow running as non-root with unprivileged user namespaces.
daemon: Create /var/guix/profiles/per-user unconditionally.
daemon: Drop Linux ambient capabilities before executing builder.
daemon: Move comments where they belong.
linux-container: ‘unprivileged-user-namespace-supported?’ returns #f
on non-Linux.
tests: Add missing derivation inputs.
tests: Run in a chroot and unprivileged user namespaces.
etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
guix-install.sh: Support the unprivileged daemon where possible.
DRAFT gnu: guix: Update to f447941.
build-aux/test-env.in | 18 +-
config-daemon.ac | 5 +-
doc/guix.texi | 102 ++++++++---
etc/gnu-store.mount.in | 3 +-
etc/guix-daemon.service.in | 22 ++-
etc/guix-install.sh | 124 ++++++++++---
gnu/build/linux-container.scm | 4 +-
gnu/packages/package-management.scm | 6 +-
guix/substitutes.scm | 2 +-
nix/libstore/build.cc | 271 ++++++++++++++++++++++------
nix/libstore/local-store.cc | 26 ++-
nix/libutil/util.cc | 26 ++-
tests/derivations.scm | 34 +++-
tests/packages.scm | 13 +-
tests/processes.scm | 9 +-
tests/store.scm | 247 +++++++++++++++++++++----
16 files changed, 726 insertions(+), 186 deletions(-)
base-commit: cbd2db98954739db1cdda208e1667c5d50976bf1
--
2.48.1