[PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.

Details
5 participants
  • Julien Lepiller
  • Maxim Cournoyer
  • Marius Bakke
  • Tobias Geerinckx-Rice
  • Vincent Legoll
Owner
unassigned
Submitted by
Tobias Geerinckx-Rice
Severity
normal
Tobias Geerinckx-Rice wrote on 14 May 2020 15:48
(address . guix-patches@gnu.org)
20200514134846.29037-1-me@tobias.gr
* etc/gnu-store.mount.in: New file.
* nix/local.mk (nodist_systemdservice_DATA): Add it.
(etc/%.mount): New rule.
* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
* doc/guix.texi (Binary Installation): Document it.
---
For <https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.

doc/guix.texi | 5 +++--
etc/gnu-store.mount.in | 14 ++++++++++++++
etc/guix-install.sh | 12 +++++++++---
nix/local.mk | 12 +++++++++++-
4 files changed, 37 insertions(+), 6 deletions(-)
create mode 100644 etc/gnu-store.mount.in

diff --git a/doc/guix.texi b/doc/guix.texi
index d6fbd85fde..5d80a7e405 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -659,9 +659,10 @@ with these commands:
@c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
@example
-# cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
+ ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
/etc/systemd/system/
-# systemctl enable --now guix-daemon
+# systemctl enable --now gnu-store.mount guix-daemon
@end example
If your host distro uses the Upstart init system:
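Review bot: the manual's new `@example` copies and enables `gnu-store.mount` without saying that the unit only applies to the default `/gnu/store` location; the installer hunk's own comment states that "systemd .mount units must be named after the target directory" and that `/gnu/store` is assumed, and a reader who built with another `--storedir` will not learn that from this paragraph. Suggest one sentence before the `@example` stating the assumption. The `systemctl enable --now gnu-store.mount guix-daemon` form used here is also the single-step form the installer script could use instead of separate `start`/`enable` calls.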
diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
new file mode 100644
index 0000000000..c94f2db72b
--- /dev/null
+++ b/etc/gnu-store.mount.in
@@ -0,0 +1,14 @@
+[Unit]
+Description=Read-only @storedir@ for GNU Guix
+DefaultDependencies=no
+ConditionPathExists=@storedir@
+Before=guix-daemon.service
+
+[Install]
+WantedBy=guix-daemon.service
+
+[Mount]
+What=@storedir@
+Where=@storedir@
+Type=none
+Options=bind,ro
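Review bot: `Before=guix-daemon.service` together with `WantedBy=guix-daemon.service` only orders the mount ahead of the daemon and pulls it in on `enable`; it does not make the daemon depend on the mount, so if the mount fails or `ConditionPathExists=@storedir@` is false, `guix-daemon` still starts with a writable store and nothing reports that the read-only protection is absent. If best-effort is the intent, a comment saying so would help; if not, the daemon unit needs `Requires=`/`After=` on this mount. `DefaultDependencies=no` also removes the implicit ordering a mount unit normally gets, and the file gives no reason for it, so that deserves a comment too. After `systemctl start gnu-store.mount`, `findmnt @storedir@` should show `ro` among the options of the mount in effect, which is the check a tester wants to run.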
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 4909d3f162..d252c132fb 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -342,7 +342,13 @@ sys_enable_guix_daemon()
_msg "${PAS}enabled Guix daemon via upstart"
;;
systemd)
- { cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \
+ { # systemd .mount units must be named after the target directory.
+ # Here we assume a hard-coded name of /gnu/store.
+ cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount" \
+ /etc/systemd/system/;
+ chmod 664 /etc/systemd/system/gnu-store.mount;
+
+ cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \
/etc/systemd/system/;
chmod 664 /etc/systemd/system/guix-daemon.service;
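Review bot: the two new `cp`/`chmod` commands at the top of the systemd branch are separated by `;`, so a failed copy of `gnu-store.mount` (reported later in this thread when the unit is missing from the tarball) is ignored here, only for `systemctl start gnu-store.mount guix-daemon` in the next hunk to fail and abort the `&&` chain, leaving the daemon neither started nor enabled. Suggest guarding with `if [ -f "${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount" ]; then ... fi` and only adding the mount to the `systemctl` calls when the file exists. The comment states that the hard-coded name assumes `/gnu/store`, but nothing in the function checks that assumption.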
@@ -357,8 +363,8 @@ sys_enable_guix_daemon()
fi;
systemctl daemon-reload &&
- systemctl start guix-daemon &&
- systemctl enable guix-daemon; } &&
+ systemctl start gnu-store.mount guix-daemon &&
+ systemctl enable gnu-store.mount guix-daemon; } &&
_msg "${PAS}enabled Guix daemon via systemd"
;;
sysv-init)
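Review bot: `systemctl start gnu-store.mount guix-daemon && systemctl enable gnu-store.mount guix-daemon` can be collapsed into `systemctl enable --now gnu-store.mount guix-daemon`, which is the form the `doc/guix.texi` hunk documents, so the installer and the manual would then perform the same steps. Starting both units in one call relies on `Before=guix-daemon.service` in the mount unit for ordering; a comment here would make that dependency visible to whoever edits this branch next.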
diff --git a/nix/local.mk b/nix/local.mk
index a64bdd2137..435fdd389a 100644
--- a/nix/local.mk
+++ b/nix/local.mk
@@ -155,7 +155,17 @@ noinst_HEADERS = \
# The '.service' files for systemd.
systemdservicedir = $(libdir)/systemd/system
-nodist_systemdservice_DATA = etc/guix-daemon.service etc/guix-publish.service
+nodist_systemdservice_DATA = \
+ etc/gnu-store.mount \
+ etc/guix-daemon.service \
+ etc/guix-publish.service
+
+etc/%.mount: etc/%.mount.in \
+ $(top_builddir)/config.status
+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \
+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \
+ "$<" > "$@.tmp"; \
+ mv "$@.tmp" "$@"
etc/guix-%.service: etc/guix-%.service.in \
$(top_builddir)/config.status
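Review bot: the new `etc/%.mount` rule repeats the `etc/guix-%.service` recipe right below it (same `$(MKDIR_P)`, `$(SED)` substitution and `.tmp` rename); one pattern rule covering both, or a shared recipe variable, would keep the two from drifting apart. The generated `etc/gnu-store.mount` is a build product that should be listed wherever the `.service` outputs are cleaned and ignored (`.gitignore`, as raised later in this thread). Substituting `$(storedir)` at make time instead of through `AC_CONFIG_FILES` is deliberate (`--storedir` may contain `$prefix`, per the reply below) and deserves a comment in the Makefile.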
--
2.26.2
Tobias Geerinckx-Rice wrote on 14 May 2020 15:53
Re: Few questions
(address . 41259@debbugs.gnu.org)
87lflud3mn.fsf@nckx
Tobias Geerinckx-Rice writes:
> A simple
>
> $ sudo mount -o bind,ro /gnu/store /gnu/store

I decided to write a q&d patch that does just that.

Caveats:
- It's lightly tested (the only non-Guix System I have SSH access
to is someone's laptop, currently being used to consume ‘dank
memes’, and I cannot risk performing any action that could stop
the flow of memes),
- it only fixes the problem on modern^Wsystemd systems (I'm fine
with that),
- the unit name could be templated to @storedir@ as well. Worth
it?

Feedback and testing welcome.

Kind regards,

T G-R

Julien Lepiller wrote on 14 May 2020 16:01
Re: [bug#41259] [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
A93A189C-73FB-4E7F-B1F7-B57A1366ABA3@lepiller.eu
On 14 May 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org> wrote:
>* etc/gnu-store.mount.in: New file.
>* nix/local.mk (nodist_systemdservice_DATA): Add it.
>(etc/%.mount): New rule.
>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
>* doc/guix.texi (Binary Installation): Document it.
>---
>
>For
><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.
>
>diff --git a/nix/local.mk b/nix/local.mk
>index a64bdd2137..435fdd389a 100644
>--- a/nix/local.mk
>+++ b/nix/local.mk
>@@ -155,7 +155,17 @@ noinst_HEADERS = \
>
> # The '.service' files for systemd.
> systemdservicedir = $(libdir)/systemd/system
>-nodist_systemdservice_DATA = etc/guix-daemon.service
>etc/guix-publish.service
>+nodist_systemdservice_DATA = \
>+ etc/gnu-store.mount \
>+ etc/guix-daemon.service \
>+ etc/guix-publish.service
>+
>+etc/%.mount: etc/%.mount.in \
>+ $(top_builddir)/config.status
>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \
>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \
>+ "$<" > "$@.tmp"; \
>+ mv "$@.tmp" "$@"
>
> etc/guix-%.service: etc/guix-%.service.in \
> $(top_builddir)/config.status

I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?

I'll try that on a VM of a foreign distro soonish and report. Thanks!
Marius Bakke wrote on 14 May 2020 16:13
874ksivc2p.fsf@devup.no
Julien Lepiller <julien@lepiller.eu> writes:

>>+etc/%.mount: etc/%.mount.in \
>>+ $(top_builddir)/config.status
>>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \
>>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \
>>+ "$<" > "$@.tmp"; \
>>+ mv "$@.tmp" "$@"
>>
>> etc/guix-%.service: etc/guix-%.service.in \
>> $(top_builddir)/config.status
>
> I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?

Because --storedir can in theory be something like '$prefix/store',
which would not get properly expanded by configure. See "Installation
Directory Variables" in the GNU Autoconf manual:


(in particular scroll down to the notice about AC_CONFIG_FILES)

Tobias Geerinckx-Rice wrote on 14 May 2020 16:21
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 41259@debbugs.gnu.org)
87ftc2d2cj.fsf@nckx
Julien,

Julien Lepiller writes:
>> etc/guix-%.service: etc/guix-%.service.in \
>> $(top_builddir)/config.status
>
> I see that's how it's done with the existing service, but why
> sed the .in file when we could let configure.ac take care of it?

¯\_(ツ)_/¯!

TBH I wondered the same thing but am not in deep-dive mode ATM.

> I'll try that on a VM of a foreign distro soonish and
> report. Thanks!

Thank you! I'm still in the middle of reinstalling Guix on my
main laptop, which should give me back my magical KVM powers.

Kind regards,

T G-R

Tobias Geerinckx-Rice wrote on 14 May 2020 16:24
(name . Tobias Geerinckx-Rice via Guix-patches)(address . guix-patches@gnu.org)(address . 41259@debbugs.gnu.org)
87d076d271.fsf@nckx
Tobias Geerinckx-Rice via Guix-patches writes:
> systemctl daemon-reload &&
> - systemctl start guix-daemon &&
> - systemctl enable guix-daemon; } &&
> + systemctl start gnu-store.mount guix-daemon
> &&
> + systemctl enable gnu-store.mount guix-daemon;
> } &&

Speaking of things I wondered: I'm no systemd wizard but I think
‘enable --now’ would be equivalent and less repetitive.

Kind regards,

T G-R

Tobias Geerinckx-Rice wrote on 14 May 2020 16:25
(name . Marius Bakke)(address . mbakke@fastmail.com)
87a72ad25l.fsf@nckx
Marius Bakke writes:
>> I see that's how it's done with the existing service, but why
>> sed the .in file when we could let configure.ac take care of
>> it?
>
> Because --storedir can in theory be something like
> '$prefix/store',
> which would not get properly expanded by configure.

Makes sense. Thanks Marius,

T G-R

Julien Lepiller wrote on 14 May 2020 18:35
A2F0E860-28E9-42A6-AE02-0BDBB876106E@lepiller.eu
On 14 May 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu> wrote:

I tested it on a debian VM and it worked well. I tested the installer script and it fails at installing the .mount unit, because it does not exist in the tarball.

After installing the unit manually, I could start the .mount service and found that I was not able to remove store items with rm. I checked that Guix is able to install new store items.
Julien Lepiller wrote on 14 May 2020 20:49
0CDBC9C6-B6B1-4696-A2C0-7D5BD3BA887D@lepiller.eu
On 14 May 2020 12:35:12 GMT-04:00, Julien Lepiller <julien@lepiller.eu> wrote:

For non-systemd distros, adding the following line to /etc/fstab works:

@storedir@ @storedir@ none defaults,bind,ro 0 0

Then running "mount -a" remounts the store read-only.

I'm not sure how to integrate this properly in the installer script.
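Two practical points come up in this thread: the installer's comment that a systemd .mount unit must be named after the directory it mounts (so the unit name depends on the store path), and the need to confirm, on systemd and fstab-based hosts alike, that the store really ended up read-only. The shell below is an added example, not code from the patch or from the Guix project: it derives the unit name from a store path following the ASCII rules of `systemd-escape -p` (an approximation written here, not a call into systemd), and it reads a `/proc/self/mountinfo` listing to decide whether a path is currently a read-only mount. The mountinfo lines are constructed sample data; on a live host pass `"$(cat /proc/self/mountinfo)"` instead.

```shell
#!/bin/sh
# Added example (not part of the Guix patch): unit-name derivation and a
# read-only mount check.  All sample input below is constructed.

# Escape a path into a systemd unit name the way systemd-escape -p does
# for ASCII input: collapse and strip slashes, "/" becomes "-", and any
# byte other than [A-Za-z0-9_:.] (or a leading ".") becomes \xNN.
# "/" itself maps to "-".  This is our own approximation of the rules.
unit_name_for_path() {
    p=$(printf '%s' "$1" | sed -e 's|//*|/|g' -e 's|^/||' -e 's|/$||')
    if [ -z "$p" ]; then printf '%s\n' '-'; return 0; fi
    out=""
    first=1
    # od gives one octal byte per word; printf "\NNN" turns it back into
    # the character and printf '%02x' "0NNN" gives its hex form.
    for oct in $(printf '%s' "$p" | od -An -v -to1); do
        ch=$(printf "\\$oct")
        hex=$(printf '%02x' "0$oct")
        case "$ch" in
            /) out="$out-" ;;
            [A-Za-z0-9_:]) out="$out$ch" ;;
            .) if [ "$first" = 1 ]; then out="$out\\x$hex"; else out="$out."; fi ;;
            *) out="$out\\x$hex" ;;
        esac
        first=0
    done
    printf '%s\n' "$out"
}

# Constructed /proc/self/mountinfo sample: field 5 is the mount point and
# field 6 the per-mount options.  The store is reachable read-write via
# the root filesystem and then shadowed by the ro bind mount, so the
# last entry for a mount point is the one in effect.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 8:1 /gnu/store /gnu/store ro,relatime shared:1 - ext4 /dev/sda1 rw
36 22 0:23 / /tmp rw,nosuid shared:2 - tmpfs tmpfs rw'

# Print the per-mount options of the mount in effect at $2, reading
# mountinfo text from $1; prints nothing when $2 is not a mount point.
mount_options_at() {
    printf '%s\n' "$1" | awk -v target="$2" '$5 == target { opts = $6 } END { print opts }'
}

# Exit 0 when $2 is a mount point whose in-effect mount carries "ro".
is_readonly_mount() {
    opts=$(mount_options_at "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; nothing here touches the real system.
printf 'unit name for /gnu/store: %s\n' "$(unit_name_for_path /gnu/store)"
if is_readonly_mount "$SAMPLE_MOUNTINFO" /gnu/store; then
    echo "/gnu/store is mounted read-only in the sample"
fi
```

The check looks at field 6 of mountinfo, the per-mount options, because that is where a `bind,ro` mount records `ro`; the superblock options at the end of the same line stay `rw`, since the underlying filesystem is still writable. Paths containing spaces appear in mountinfo as `\040` and are not decoded here.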
Vincent Legoll wrote on 15 May 2020 09:34
Re: [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
(address . 41259@debbugs.gnu.org)
1061cdaa-0be4-728c-4311-8d3a6172435d@gmail.com
Hello Tobias,

As this will conflict with the work I'm preparing (runit, openrc,
non-interactive-mode, busybox compatibility, local binary tarball
& misc cleanups)

I'll give it a spin on a bunch of different OS versions (fedora
rawhide, debian 9 & 10, devuan, alpine & void/i686) later today.

--
Vincent Legoll
Vincent Legoll wrote on 15 May 2020 18:25
.gitignore ?
(address . 41259@debbugs.gnu.org)
a26089e6-681e-66de-2143-2da22235aa92@gmail.com
Hello Tobias,

shouldn't your patch also add: /etc/gnu-store.mount
to .gitignore ?

I'm doing the tests now, stay tuned for the results.

--
Vincent Legoll
Tobias Geerinckx-Rice wrote on 15 May 2020 18:52
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 41259@debbugs.gnu.org)
87blmpjg3x.fsf@nckx
Vincent,

Vincent Legoll writes:
> shouldn't your patch also add: /etc/gnu-store.mount
> to .gitignore ?

Probably, it's not a file I ever think of. Done.

How does this conflict with your work?

Thanks,

T G-R

Vincent Legoll wrote on 15 May 2020 18:55
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 41259@debbugs.gnu.org)
ea7c5b81-d76b-68bb-a0fd-cbb0df0a3278@gmail.com
Hello,

On 15/05/2020 18:52, Tobias Geerinckx-Rice wrote:
> How does this conflict with your work?

I'll get a merge conflict in etc/guix-install.sh and
maybe also in nix/local.mk but that's OK, it will be
simple enough to handle.

--
Vincent Legoll
Vincent Legoll wrote on 16 May 2020 14:38
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 41259@debbugs.gnu.org)
741a8f8e-e3a0-fe88-2484-3a54db19b617@gmail.com
Hello Tobias,

yesterday's today is in fact today's today...

On 15/05/2020 18:55, Vincent Legoll wrote:
> I'll get a merge conflict in etc/guix-install.sh and
> maybe also in nix/local.mk but that's OK, it will be
> simple enough to handle.

I was too pessimistic, I'm not getting any merge conflict.

Your patch seems to be working nicely, I tested on a range
of VMs:

x86_64: alpine devuan fedora debian_stretch debian_buster
i686: void

guix is still working properly (search, show, build, gc,
package -i, -r, -l, -d)

And `rm -rf /gnu/store/*hello*' was correctly prevented
on the systemds (debian*, fedora) and the other ones let
the delete run.

LGTM

I'll try to come with something for the other init systems
and add that to my series...

--
Vincent Legoll
Tobias Geerinckx-Rice wrote on 16 May 2020 16:04
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 41259@debbugs.gnu.org)
87o8qonfhm.fsf@nckx
Vincent,

Vincent Legoll writes:
> yesterday's today is in fact today's today...

I've tried to stop that but to no avail.

> I was too pessimistic, I'm not getting any merge conflict.

Happy to hear it. Git can be remarkably clever with 3-way merges
sometimes (and disappointingly dense at others).

> Your patch seems to be working nicely, I tested on a range
> of VMs:
>
> x86_64: alpine devuan fedora debian_stretch debian_buster
> i686: void

Thank you for being so thorough. You've given me the confidence
to push this to master as
1a1faa78b0498fbb71f1533beb4b65817c1d3f2a. Guess I'll leave this
bug open since it only solves it for systemd.

> I'll try to come with something for the other init systems
> and add that to my series...

I hope we can avoid touching users' fstab but don't know enough
about these other systems to say.

Thanks!

T G-R

Maxim Cournoyer wrote on 3 Aug 2021 21:56
Re: bug#41259: [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87pmuu8fq3.fsf_-_@gmail.com
Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Vincent,
>
> Vincent Legoll writes:
>> yesterday's today is in fact today's today...
>
> I've tried to stop that but to no avail.
>
>> I was too pessimistic, I'm not getting any merge conflict.
>
> Happy to hear it. Git can be remarkably clever with 3-way merges
> sometimes (and disappointingly dense at others).
>
>> Your patch seems to be working nicely, I tested on a range
>> of VMs:
>>
>> x86_64: alpine devuan fedora debian_stretch debian_buster
>> i686: void
>
> Thank you for being so thorough. You've given me the confidence to
> push this to master as 1a1faa78b0498fbb71f1533beb4b65817c1d3f2a.
> Guess I'll leave this bug open since it only solves it for systemd.

That's a patch, not a bug, though :-).

I'll close it now to spare someone else the time it took me to read
through and see whether bits had gone uncommitted :-).

Thank you,

Maxim
Closed