This makes it impossible to unmount or remount things from within
‘call-with-container’.
* gnu/build/linux-container.scm (initialize-user-namespace):
Add #:host-uid and #:host-gid. and honor them.
(run-container): Add #:lock-mounts?. Honor it by calling ‘unshare’
followed by ‘initialize-user-namespace’.
(call-with-container): Add #:lock-mounts? and pass it down.
(container-excursion): Get the user namespace owning the PID namespace
and join it, then join the remaining namespaces.
* tests/containers.scm ("call-with-container, mnt namespace, locked mounts"):
New test.
("container-excursion"): Pass #:lock-mounts? #f.
Change-Id: I13be982aef99e68a653d472f0e595c81cfcfa392
* gnu/build/linux-container.scm (run-container): Add #:loopback-network?
and honor it via #:populate-file-system.
(call-with-container): Add #:loopback-network? and pass it to
‘run-container’.
* guix/scripts/environment.scm (launch-environment/container): Remove
call to ‘set-network-interface-up’ and remove generation of /etc/hosts.
* guix/scripts/home.scm (spawn-home-container): Likewise.
Change-Id: I5933a4e8dc6d8e19235a79696b62299d74d1ba21
Until now, the read-only file system set up by ‘call-with-container’
would always be writable. With this change, it can be made read-only.
With this patch, only ‘least-authority-wrapper’ switches to a read-only
root file system.
* gnu/build/linux-container.scm (remount-read-only): New procedure.
(mount-file-systems): Add #:writable-root? and #:populate-file-system
and honor them.
(run-container): Likewise.
(call-with-container): Likewise.
* gnu/system/linux-container.scm (container-script): Pass #:writable-root?
to ‘call-with-container’.
(eval/container): Add #:populate-file-system and #:writable-root? and
honor them.
* guix/scripts/environment.scm (launch-environment/container):
Pass #:writable-root? to ‘call-with-container’.
* guix/scripts/home.scm (spawn-home-container): Likewise.
* tests/containers.scm ("call-with-container, mnt namespace, read-only root")
("call-with-container, mnt namespace, writable root"): New tests.
Change-Id: I603e2fd08851338b737bb16c8af3f765e2538906
This should be about twice as fast as the default zlib compressor used for
qcow2, and potentially multi-thread aware given some improvements to qemu-img
in the future (zstd supports its but it's not currently used by QEMU).
* gnu/build/image.scm (convert-disk-image): Specify 'compression_type=zstd'
option.
Change-Id: Ie9c66f0c13e789ec863c95a5e549f035b6a17bf9
This doesn't seem to change anything currently (the default is 8). Perhaps
useful in the future, for example if the compressor used by qemu-img starts
honoring it.
* gnu/build/image.scm (convert-disk-image): Specify the '-m' option.
Change-Id: Ia288c85af8a0621d61cf6b9f0d3f73f5a3026d66
Fixes <https://issues.guix.gnu.org/77992>.
Fixes a bug whereby ‘mkdir-p/perms’ would throw an exception on the
Hurd:
In gnu/build/activation.scm:
97:20 1 (mkdir-p/perms _ #("ludo" "x" 1000 998 "Ludovic…" …) …)
In unknown file:
0 (open "." 7340032 #<undefined>)
ERROR: In procedure open:
In procedure scm_fdes_to_port: requested file mode not available on fdes
This, in turn, would cause ‘user-homes’ to fail to start on the Hurd
since commit da741d8931.
* gnu/build/activation.scm (mkdir-p/perms): Add O_RDONLY to ‘open-flags’.
Reported-by: Yelninei <yelninei@tutamail.com>
Change-Id: I74f90599338772ba4341067215b864273aa30b3e
Otherwise the code would be evaluated instead of shown.
* gnu/build/dbus-service.scm (with-retries): Quote the body data in the error
message.
Change-Id: I7a06f08327bdc7df70ae56a146855bc32ad3e63e
Fixes <https://issues.guix.gnu.org/61690>.
Until now, this would work:
guix shell --no-cwd -CWP -- guix shell -C coreutils -- ls -R /home
… but this would not:
$ guix shell --no-cwd -CWPN -- guix shell -C coreutils -- ls -R /home
guix shell: error: mount: mount "none" on "/tmp/guix-directory.Wnc2OI/sys": Operation not permitted
This is annoying and hardly understandable. Since we already disable
/sys mounts when sharing the global network namespace is asked (as in
‘guix shell -CN‘), for the very same reason, we can just as well disable
/sys mounts anytime it fails with EPERM.
* gnu/build/linux-container.scm (mount-file-systems): Silently ignore
EPERM when attempting to mount /sys.
Change-Id: If85b1d703ab58a98ea9873f4f8fed71a06b7aa63
This commit adds a Guix System service to handle allocation of subuid
and subgid requests. Users that don't care can just add themselves as a
subid-range and don't need to specify anything but their user name.
Users that care about specific ranges, such as possibly LXD, can specify
a start and a count.
* doc/guix.texi (Miscellaneous Services): Document it.
* gnu/build/activation.scm (activate-subuids+subgids): New variable.
* gnu/local.mk: Add gnu/tests/shadow.scm.
* gnu/system/accounts.scm (sexp->subid-range): New variable.
* gnu/system/shadow.scm (%root-subid): New variable;
(subids-configuration): new record;
(subid-range->gexp): new variable;
(assert-valid-subids): new variable;
(delete-duplicate-ranges): new variable;
(subids-activation): new variable;
(subids-extension): new record;
(append-subid-ranges): new variable;
(subids-extension-merge): new variable;
(subids-service-type): new variable.
* gnu/tests/shadow.scm (subids): New system test.
Change-Id: I3755e1c75771220c74fe8ae5de1a7d90f2376635
Signed-off-by: Giacomo Leidi <goodoldpaul@autistici.org>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit adds allocation logic for subid ranges. Subid ranges are
ranges of contiguous subids that are mapped to a user in the host
system. This patch implements a flexible allocation algorithm allowing
users that do not want (or need) to specify details of the subid ranges
that they are requesting to avoid doing so, while upholding requests of
users that need to have specific ranges.
* gnu/build/accounts.scm (%subordinate-id-min): New variable;
(%subordinate-id-max): new variable;
(%subordinate-id-count): new variable;
(subordinate-id?): new variable;
(&subordinate-id-error): new variable;
(&subordinate-id-overflow-error): new variable;
(&illegal-subid-range-error): new variable;
(&specific-subid-range-expected-error): new variable;
(&generic-subid-range-expected-error): new variable;
(within-interval?): new variable;
(allocate-unused-range): new variable;
(allocate-generic-range): new variable;
(allocate-specific-range): new variable;
(reserve-subids): new variable;
(range->entry): new variable;
(entry->range): new variable;
(allocate-subids): new variable;
(subuid+subgid-databases): new variable.
* gnu/system/accounts.scm (subid-range-end): New variable;
(subid-range-has-start?): new variable;
(subid-range-less): new variable.
* test/accounts.scm: Test them.
Change-Id: I8de1fd7cfe508b9c76408064d6f498471da0752d
Co-Authored-By: Ludovic Courtès <ludo@gnu.org>
Signed-off-by: Giacomo Leidi <goodoldpaul@autistici.org>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit adds a new record type, <subid-entry> and serializers
and deserializers for it in (gnu build accounts). Each instance of this
record represents one line in either /etc/subuid or /etc/subgid. Since
Shadow uses the same representation for both files, it should be ok if
we do it as well.
This commit adds also <subid-range>, a user facing representation of
<subid-entry>. It is supposed to be usable directly in OS configurations.
* gnu/build/accounts.scm (subid-entry): New record;
(write-subgid): add serializer for subgids;
(write-subuid): add serializer for subuids;
(read-subgid): add serializer for subgids;
(read-subuid): add serializer for subuids.
* gnu/system/accounts.scm (subid-range): New record.
* test/accounts.scm: Test them.
Change-Id: I6b037e40e354c069bf556412bb5b626bd3ea1b2c
Signed-off-by: Giacomo Leidi <goodoldpaul@autistici.org>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/build/hurd-boot.scm (boot-hurd-system): Check for stale shepherd socket
and remove it. Be chattier about /hurd symlink replacement.
Change-Id: I5e528c131ebeadb7ebc9727336a0f9301af3e68e
This supports using another than the default DISK0 PART1 and using LABEL or
UUID as root file-system specifier. It still defaults to DISK0 PART1 if
the file-system cannot be found, i.e., lives only at the build side: A
virtual machine/childhurd build.
* gnu/build/file-systems.scm (%hurd-device-spec-regexp, %device-spec-regexp):
New variables.
(device-name->hurd-device-name, hurd-device-name->device-name,
device-spec->device, device-spec->device-name): Use them in new procedures.
* gnu/bootloader/grub.scm (make-grub-configuration): Use them to remove
hardcoded partition number (root-index 1).
Change-Id: I49fa93dacc09883dfb4d695402c5eac2e0e17286
There is currently a window of time between when the desired directory is
created and when its permissions are changed. During this time, its
permissions are restricted only by the umask.
Of course, in the "directory already exists" case, this doesn't matter, but if
the directory has been specifically deleted ahead of time so that it is
created afresh, this is an unnecessary window.
We can avoid this by passing the caller-provided BITS to 'mkdirat' when
attempting to create the last directory.
* gnu/build/activation.scm (mkdir-p/perms): Create target directory with BITS
permissions.
Change-Id: I03d2c620872e86b6f591abe0f1c8317aa1245383
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/build/hurd-boot.scm (make-hurd-device-nodes): Cater for existing
directories (dev, servers).
(set-hurd-device-translators): Remove /servers/socket/1, that is created by
libexec/console-run. Cater for nonexistent /dev/console.
(boot-hurd-system): Call make-hurd-device-nodes on initial run.
Fixes <https://issues.guix.gnu.org/47584>.
I removed the 'Based upon mkdir-p from (guix build utils)'
comment because it's quite a bit different now.
* gnu/build/activation.scm (verify-not-symbolic): Delete.
(mkdir-p/perms): Rewrite in terms of 'openat'.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: Id2f5bcbb903283afd45f6109190210d02eb383c7
* gnu/system/privilege.scm (<privileged-program>): Add a field
representing the program's POSIX capabilities.
(privileged-program-capabilities): New public procedure.
* doc/guix.texi (Privileged Programs): Document it.
* gnu/build/activation.scm (activate-privileged-programs): Take a LIBCAP
package argument providing setcap(8) to apply said capabilities.
* gnu/services.scm (privileged-program->activation-gexp): Pass said
package argument where supported. Include privileged-program-capabilities
in the compatibility hack.
* gnu/build/activation.scm (activate-setuid-programs): Rename this…
(activate-privileged-programs): …to this.
Operate on a list of <privileged-program> records.
* gnu/services.scm (setuid-program->activation-gexp): Adjust caller.
Create /run/setuid-programs compatibility symlinks so that we can
migrate all users (both package and human) piecemeal at our leisure.
Apart from being symlinks, this should be a user-invisible change.
* gnu/build/activation.scm (%privileged-program-directory): New variable.
[activate-setuid-programs]: Put privileged copies in
%PRIVILEGED-PROGRAM-DIRECTORY, with compatibility symlinks to each in
%SETUID-DIRECTORY.
* gnu/services.scm (setuid-program-service-type): Update docstring.
* doc/guix.texi (Setuid Programs): Update @file{} name accordingly.
As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal. To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.
* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.
Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This brings the on disk size of the kernel from 164 MiB to 144 MiB, or about
12%.
* gnu/packages/linux.scm (default-extra-linux-options)
[version>=5.13]: Enable CONFIG_MODULE_COMPRESS_ZSTD, else
CONFIG_MODULE_COMPRESS_GZIP.
(make-linux-libre*) [phases] {set-environment}: Set ZSTD_CLEVEL environment
variable to 19.
[native-inputs]: Add zstd.
* gnu/build/linux-modules.scm (module-regex): Add .zst to regexp. Update doc.
(modinfo-section-contents): Extend support to Zstd compressed module.
(dot-ko): Register the 'zstd compression type.
(ensure-dot-ko, file-name->module-name, load-linux-module*)
(module-name->file-name/guess, write-module-name-database)
(write-module-alias-database, write-module-device-database): Update doc.
(module-name-lookup): Also consider zstd-compressed modules.
* gnu/installer.scm (installer-program): Add guile-zstd extension to gexp.
* gnu/system/linux-initrd.scm (flat-linux-module-directory): Likewise.
Decompress zstd-compressed modules for use in initrd.
* guix/profiles.scm (linux-module-database): Add guile-zstd extension to gexp.
Change-Id: Ide899dc5c58ea5033583b1a91a92c025fc8d901a
This is a follow-up to 8f8ec56052, which only
covers building initrd, while the booting code still tries to load nonexistent
files for builtin modules.
* gnu/build/linux-modules.scm (load-linux-modules-from-directory): Ignore
nonexistent module files.
Change-Id: I09ef207e82397e915e671c8464b92bcf90f03dcf
Until now, the secret service had a hard-coded TCP endpoint on port
1004. This change lets users specify arbitrary socket addresses.
* gnu/build/secret-service.scm (socket-address->string): New procedure,
taken from Shepherd.
(secret-service-send-secrets): Replace ‘port’ by ‘address’ and adjust
accordingly.
(secret-service-receive-secrets): Likewise.
* gnu/services/virtualization.scm (secret-service-shepherd-services):
Likewise.
(secret-service-operating-system): Add optional ‘address’ parameter and
honor it. Adjust ‘start’ method accordingly.
Change-Id: I87a9514f1c170dca756ce76083d7182c6ebf6578
* gnu/build/chromium-extension.scm (make-chromium-extension): Make use of the
make-signing-key procedure inside the argument field, making sure that it is
not evaluated at file-load time. This would otherwise try to resolve gnutls
when we can't guarantee it's defined because of dependency cycles.
Change-Id: Ia7b13acfbca475c2df073e9a88fc8bb9264dd968
This was superseded by ‘least-authority-wrapper’.
* gnu/build/shepherd.scm (read-pid-file/container)
(make-forkexec-constructor/container): Remove.
Change-Id: I6acccdff2609a35807608f865a4d381146113a88
This is an improvement for the purposes of ‘guix edit’ & co.
* gnu/build/icecat-extension.scm (make-icecat-extension): Add ‘location’
field.
Change-Id: I896ae6823b3fe4ea013fa74e2c536f45664d8042
* gnu/build/icecat-extension.scm: New file with a MAKE-ICECAT-EXTENSION
procedure that makes sure the add-on directory is a symlink, so that Icecat
can normalize it into a package store path.
* gnu/local.mk (dist_patch_DATA): Register it, as well as new patches.
* gnu/packages/browser-extensions.scm (ublock-origin)[properties]: Store the
add-on ID so that it is accessible in MAKE-ICECAT-EXTENSION.
[arguments]: Use the add-on ID as root directory.
(ublock-origin/icecat): New procedure.
* gnu/packages/gnuzilla.scm (icecat-minimal)[arguments]: Rewrite the unused
'apply-guix-specific-patches' phase so that it applies the following two
patches.
[native-search-paths]: New field.
* gnu/packages/patches/icecat-compare-paths.patch: New patch that compares
add-on paths (which are package store paths) to detect package changes.
* gnu/packages/patches/icecat-use-system-wide-dir.patch: New patch that
replaces "/usr/lib/mozilla" (the system-wide directory for extensions and
native manifests) with "$ICECAT_SYSTEM_DIR".
The gnumach builtin IDE hd devices are still used, unless booting with
"noide".
* gnu/build/hurd-boot.scm (set-hurd-device-translators): Create /dev/hd{0..3},
/dev/hd{0..3}s{0..3}.
