[PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.

Done. Submitted by Tobias Geerinckx-Rice.
Details
5 participants
  • Julien Lepiller
  • Maxim Cournoyer
  • Marius Bakke
  • Tobias Geerinckx-Rice
  • Vincent Legoll
Owner
unassigned
Severity
normal
Tobias Geerinckx-Rice wrote on 14 May 2020 15:48
(address . guix-patches@gnu.org)
20200514134846.29037-1-me@tobias.gr
* etc/gnu-store.mount.in: New file.
* nix/local.mk (nodist_systemdservice_DATA): Add it.
(etc/%.mount): New rule.
* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
* doc/guix.texi (Binary Installation): Document it.
---
For https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html.
 doc/guix.texi          |  5 +++--
 etc/gnu-store.mount.in | 14 ++++++++++++++
 etc/guix-install.sh    | 12 +++++++++---
 nix/local.mk           | 12 +++++++++++-
 4 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 etc/gnu-store.mount.in
Toggle diff (92 lines)diff --git a/doc/guix.texi b/doc/guix.texiindex d6fbd85fde..5d80a7e405 100644--- a/doc/guix.texi+++ b/doc/guix.texi@@ -659,9 +659,10 @@ with these commands: @c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html @example-# cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \+ ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \ /etc/systemd/system/-# systemctl enable --now guix-daemon+# systemctl enable --now gnu-store.mount guix-daemon @end example If your host distro uses the Upstart init system:diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.innew file mode 100644index 0000000000..c94f2db72b--- /dev/null+++ b/etc/gnu-store.mount.in@@ -0,0 +1,14 @@+[Unit]+Description=Read-only @storedir@ for GNU Guix+DefaultDependencies=no+ConditionPathExists=@storedir@+Before=guix-daemon.service++[Install]+WantedBy=guix-daemon.service++[Mount]+What=@storedir@+Where=@storedir@+Type=none+Options=bind,rodiff --git a/etc/guix-install.sh b/etc/guix-install.shindex 4909d3f162..d252c132fb 100755--- a/etc/guix-install.sh+++ b/etc/guix-install.sh@@ -342,7 +342,13 @@ sys_enable_guix_daemon() _msg "${PAS}enabled Guix daemon via upstart" ;; systemd)- { cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \+ { # systemd .mount units must be named after the target directory.+ # Here we assume a hard-coded name of /gnu/store.+ cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount" \+ /etc/systemd/system/;+ chmod 664 /etc/systemd/system/gnu-store.mount;++ cp "${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service" \ /etc/systemd/system/; chmod 664 /etc/systemd/system/guix-daemon.service; 
@@ -357,8 +363,8 @@ sys_enable_guix_daemon() fi; systemctl daemon-reload &&- systemctl start guix-daemon &&- systemctl enable guix-daemon; } &&+ systemctl start gnu-store.mount guix-daemon &&+ systemctl enable gnu-store.mount guix-daemon; } && _msg "${PAS}enabled Guix daemon via systemd" ;; sysv-init)diff --git a/nix/local.mk b/nix/local.mkindex a64bdd2137..435fdd389a 100644--- a/nix/local.mk+++ b/nix/local.mk@@ -155,7 +155,17 @@ noinst_HEADERS = \ # The '.service' files for systemd. systemdservicedir = $(libdir)/systemd/system-nodist_systemdservice_DATA = etc/guix-daemon.service etc/guix-publish.service+nodist_systemdservice_DATA = \+ etc/gnu-store.mount \+ etc/guix-daemon.service \+ etc/guix-publish.service++etc/%.mount: etc/%.mount.in \+ $(top_builddir)/config.status+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \+ "$<" > "$@.tmp"; \+ mv "$@.tmp" "$@" etc/guix-%.service: etc/guix-%.service.in \ $(top_builddir)/config.status-- 2.26.2
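Review bot: in the etc/gnu-store.mount.in hunk, `DefaultDependencies=no` drops the implicit ordering after local-fs.target and the unit adds no `After=` or `RequiresMountsFor=` of its own, so on a host where @storedir@ sits on a separately mounted filesystem the unit can run before that filesystem is attached: `ConditionPathExists=@storedir@` then either skips the unit, or the bind mount is applied to the empty mountpoint and later hidden under the real mount, leaving the store writable with no error reported. Suggest `RequiresMountsFor=@storedir@` next to `Before=guix-daemon.service`, plus a comment saying why default dependencies are disabled.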
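Review bot: `chmod 664 /etc/systemd/system/gnu-store.mount` in the first etc/guix-install.sh hunk leaves the unit group-writable; it mirrors the existing `chmod 664 /etc/systemd/system/guix-daemon.service` line, but a unit file that systemd executes as root has no reason to be writable by anyone but its owner, and 644 is the mode packaged units use. Suggest 644 for both copies.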
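Review bot: the second etc/guix-install.sh hunk starts and then enables the units in two calls (`systemctl start gnu-store.mount guix-daemon && systemctl enable gnu-store.mount guix-daemon`), while the doc/guix.texi hunk tells users to run `systemctl enable --now gnu-store.mount guix-daemon`. Using `enable --now` here too keeps the script and the manual identical and drops one invocation.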
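Review bot: the `etc/%.mount` rule in the nix/local.mk hunk substitutes `$(storedir)` into the unit body, but the output name is fixed to etc/gnu-store.mount by `nodist_systemdservice_DATA`, so a build configured with any other --storedir yields a unit whose `Where=` no longer matches its file name, which systemd refuses to load; the install script's comment (`# Here we assume a hard-coded name of /gnu/store.`) acknowledges this but nothing checks it. Suggest deriving the file name from `$(storedir)` (`systemd-escape --path --suffix=mount`) or making `configure` fail when storedir is not /gnu/store, so the mismatch surfaces at build time rather than on a user's machine.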
Tobias Geerinckx-Rice wrote on 14 May 2020 15:53
Re: Few questions
(address . 41259@debbugs.gnu.org)
87lflud3mn.fsf@nckx
Tobias Geerinckx-Rice wrote:
> A simple
>
> $ sudo mount -o bind,ro /gnu/store /gnu/store
I decided to write a q&d patch that does just that https://issues.guix.gnu.org/41259.
Caveats:
- It's lightly tested (the only non-Guix System I have SSH access to is someone's laptop, currently being used to consume ‘dank memes’, and I cannot risk performing any action that could stop the flow of memes),
- it only fixes the problem on modern^Wsystemd systems (I'm fine with that),
- the unit name could be templated to @storedir@ as well. Worth it?
Feedback and testing welcome.
Kind regards,
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr1NYAAKCRANsP+IT1VteanNAQD8840t6rLLSG6porbp1niAih1kOag/WWyIRigHam2yCgD/UAURG1ss9iq22zPbzqsf+7fsj/WFH/+dJrvjCBF0mAE==1d69-----END PGP SIGNATURE-----
J
J
Julien Lepiller wrote on 14 May 2020 16:01
Re: [bug#41259] [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
A93A189C-73FB-4E7F-B1F7-B57A1366ABA3@lepiller.eu
On 14 May 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org> wrote:
Toggle quote (118 lines)>* etc/gnu-store.mount.in: New file.>* nix/local.mk (nodist_systemdservice_DATA): Add it.>(etc/%.mount): New rule.>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.>* doc/guix.texi (Binary Installation): Document it.>--->>For><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.>> doc/guix.texi | 5 +++--> etc/gnu-store.mount.in | 14 ++++++++++++++> etc/guix-install.sh | 12 +++++++++---> nix/local.mk | 12 +++++++++++-> 4 files changed, 37 insertions(+), 6 deletions(-)> create mode 100644 etc/gnu-store.mount.in>>diff --git a/doc/guix.texi b/doc/guix.texi>index d6fbd85fde..5d80a7e405 100644>--- a/doc/guix.texi>+++ b/doc/guix.texi>@@ -659,9 +659,10 @@ with these commands:> @c https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html> > @example>-# cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service>\>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \>+ ~root/.config/guix/current/lib/systemd/system/guix-daemon.service>\> /etc/systemd/system/>-# systemctl enable --now guix-daemon>+# systemctl enable --now gnu-store.mount guix-daemon> @end example> > If your host distro uses the Upstart init system:>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in>new file mode 100644>index 0000000000..c94f2db72b>--- /dev/null>+++ b/etc/gnu-store.mount.in>@@ -0,0 +1,14 @@>+[Unit]>+Description=Read-only @storedir@ for GNU Guix>+DefaultDependencies=no>+ConditionPathExists=@storedir@>+Before=guix-daemon.service>+>+[Install]>+WantedBy=guix-daemon.service>+>+[Mount]>+What=@storedir@>+Where=@storedir@>+Type=none>+Options=bind,ro>diff --git a/etc/guix-install.sh b/etc/guix-install.sh>index 4909d3f162..d252c132fb 100755>--- a/etc/guix-install.sh>+++ b/etc/guix-install.sh>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()> _msg "${PAS}enabled Guix daemon via upstart"> ;;> systemd)>- { cp>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">\>+ { # systemd .mount units must 
be named after the target>directory.>+ # Here we assume a hard-coded name of /gnu/store.>+ cp>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount">\>+ /etc/systemd/system/;>+ chmod 664 /etc/systemd/system/gnu-store.mount;>+>+ cp>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">\> /etc/systemd/system/;> chmod 664 /etc/systemd/system/guix-daemon.service;> >@@ -357,8 +363,8 @@ sys_enable_guix_daemon()> fi;> > systemctl daemon-reload &&>- systemctl start guix-daemon &&>- systemctl enable guix-daemon; } &&>+ systemctl start gnu-store.mount guix-daemon &&>+ systemctl enable gnu-store.mount guix-daemon; } &&> _msg "${PAS}enabled Guix daemon via systemd"> ;;> sysv-init)>diff --git a/nix/local.mk b/nix/local.mk>index a64bdd2137..435fdd389a 100644>--- a/nix/local.mk>+++ b/nix/local.mk>@@ -155,7 +155,17 @@ noinst_HEADERS = \> > # The '.service' files for systemd.> systemdservicedir = $(libdir)/systemd/system>-nodist_systemdservice_DATA = etc/guix-daemon.service>etc/guix-publish.service>+nodist_systemdservice_DATA = \>+ etc/gnu-store.mount \>+ etc/guix-daemon.service \>+ etc/guix-publish.service>+>+etc/%.mount: etc/%.mount.in \>+ $(top_builddir)/config.status>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \>+ "$<" > "$@.tmp"; \>+ mv "$@.tmp" "$@"> > etc/guix-%.service: etc/guix-%.service.in \> $(top_builddir)/config.status
I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?
I'll try that on a VM of a foreign distro soonish and report. Thanks!
Marius Bakke wrote on 14 May 2020 16:13
874ksivc2p.fsf@devup.no
Julien Lepiller <julien@lepiller.eu> writes:
Toggle quote (12 lines)>>+etc/%.mount: etc/%.mount.in \>>+ $(top_builddir)/config.status>>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \>>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \>>+ "$<" > "$@.tmp"; \>>+ mv "$@.tmp" "$@">> >> etc/guix-%.service: etc/guix-%.service.in \>> $(top_builddir)/config.status>> I see that's how it's done with the existing service, but why sed the .in file when we could let configure.ac take care of it?
Because --storedir can in theory be something like '$prefix/store', which would not get properly expanded by configure. See "Installation Directory Variables" in the GNU Autoconf manual:
https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html
(in particular scroll down to the notice about AC_CONFIG_FILES)
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl69Uh4ACgkQoqBt8qM6VPociQf9EQ1BTKTs33f/6L5L3OoHTTGwOSxg5gzbx0PtceI9968Cr1wcYn/z7AD5TEam6RJnwcwoZiSiXyXS5+ls/52fxjh86vAjFRV6ghULbCZeolSPVnnU9ZaMtWAxMZhOzeYWecQUWdj0GZRWuTNUQ9ffxxPrRAvqa7eClbrELEpSu3dj6VrtBkzSVa3/RDNQGYrrUrHshQHwr2/P1Io9UfGctQZ8eTl0wmUM7Vt4AAVQav+JNyGQ4b1DLtRKIteWbLPmeYo2fT+MH5OwYtnWoQnOQnk+Y7u3NJO3XuiV3WSWidYG5diAEcYGPNlfKAroIxiMqLMJ+1JJOSGuPtifufoBOQ===7zsJ-----END PGP SIGNATURE-----
T
T
Tobias Geerinckx-Rice wrote on 14 May 2020 16:21
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 41259@debbugs.gnu.org)
87ftc2d2cj.fsf@nckx
Julien,
Julien Lepiller wrote:
>> etc/guix-%.service: etc/guix-%.service.in \
>>         $(top_builddir)/config.status
>
> I see that's how it's done with the existing service, but why
> sed the .in file when we could let configure.ac take care of it?
¯\_(ツ)_/¯!
TBH I wondered the same thing but am not in deep-dive mode ATM.
> I'll try that on a VM of a foreign distro soonish and
> report. Thanks!
Thank you! I'm still in the middle of reinstalling Guix on my main laptop, which should give me back my magical KVM powers.
Kind regards,
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr1T3AAKCRANsP+IT1Vtecx8AP9pb5Q0pC27b9Ucx7eRLU+s5L5SzpmdM4S6TIN3BeTfcAD/UHTAg7usE1X8T9QUkEFzinrOZuvsJZJPXbD7lDNzUgs==P4td-----END PGP SIGNATURE-----
T
T
Tobias Geerinckx-Rice wrote on 14 May 2020 16:24
(name . Tobias Geerinckx-Rice via Guix-patches)(address . guix-patches@gnu.org)(address . 41259@debbugs.gnu.org)
87d076d271.fsf@nckx
Tobias Geerinckx-Rice via Guix-patches via wrote:
> systemctl daemon-reload &&
> - systemctl start guix-daemon &&
> - systemctl enable guix-daemon; } &&
> + systemctl start gnu-store.mount guix-daemon
> &&
> + systemctl enable gnu-store.mount guix-daemon;
> } &&
Speaking of things I wondered: I'm no systemd wizard but I think ‘enable --now’ would be equivalent and less repetitive.
Kind regards,
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr1UogAKCRANsP+IT1VteWv4AQDZMZ5apuYVzFkDo42bl9bYt69FkyWQSPW6qPp/347vOwD/cF4yNIQfwnkSp5pFgNY8grEeCykMFwEN+iQ6NgVaLQA==OKPw-----END PGP SIGNATURE-----
T
T
Tobias Geerinckx-Rice wrote on 14 May 2020 16:25
(name . Marius Bakke)(address . mbakke@fastmail.com)
87a72ad25l.fsf@nckx
Marius Bakke wrote:
>> I see that's how it's done with the existing service, but why
>> sed the .in file when we could let configure.ac take care of
>> it?
>
> Because --storedir can in theory be something like
> '$prefix/store',
> which would not get properly expanded by configure.
Makes sense. Thanks Marius,
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr1U1wAKCRANsP+IT1VteRdZAQDyT+fZ4xQ9PdYTdQqfGei6onS+7Jpsfhpx8G2/JqvPpgD+KNc74Bo1JRYlIFs89KblIfNuiDm1zQUw2a/AHhW5Fgw==5ve1-----END PGP SIGNATURE-----
J
J
Julien Lepiller wrote on 14 May 2020 18:35
A2F0E860-28E9-42A6-AE02-0BDBB876106E@lepiller.eu
On 14 May 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu> wrote:
Toggle quote (128 lines)>Le 14 mai 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via>Guix-patches via <guix-patches@gnu.org> a écrit :>>* etc/gnu-store.mount.in: New file.>>* nix/local.mk (nodist_systemdservice_DATA): Add it.>>(etc/%.mount): New rule.>>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.>>* doc/guix.texi (Binary Installation): Document it.>>--->>>>For>><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.>>>> doc/guix.texi | 5 +++-->> etc/gnu-store.mount.in | 14 ++++++++++++++>> etc/guix-install.sh | 12 +++++++++--->> nix/local.mk | 12 +++++++++++->> 4 files changed, 37 insertions(+), 6 deletions(-)>> create mode 100644 etc/gnu-store.mount.in>>>>diff --git a/doc/guix.texi b/doc/guix.texi>>index d6fbd85fde..5d80a7e405 100644>>--- a/doc/guix.texi>>+++ b/doc/guix.texi>>@@ -659,9 +659,10 @@ with these commands:>> @c>https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html>> >> @example>>-# cp>~root/.config/guix/current/lib/systemd/system/guix-daemon.service>>\>>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \>>+ >~root/.config/guix/current/lib/systemd/system/guix-daemon.service>>\>> /etc/systemd/system/>>-# systemctl enable --now guix-daemon>>+# systemctl enable --now gnu-store.mount guix-daemon>> @end example>> >> If your host distro uses the Upstart init system:>>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in>>new file mode 100644>>index 0000000000..c94f2db72b>>--- /dev/null>>+++ b/etc/gnu-store.mount.in>>@@ -0,0 +1,14 @@>>+[Unit]>>+Description=Read-only @storedir@ for GNU Guix>>+DefaultDependencies=no>>+ConditionPathExists=@storedir@>>+Before=guix-daemon.service>>+>>+[Install]>>+WantedBy=guix-daemon.service>>+>>+[Mount]>>+What=@storedir@>>+Where=@storedir@>>+Type=none>>+Options=bind,ro>>diff --git a/etc/guix-install.sh b/etc/guix-install.sh>>index 4909d3f162..d252c132fb 100755>>--- a/etc/guix-install.sh>>+++ b/etc/guix-install.sh>>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()>> 
_msg "${PAS}enabled Guix daemon via upstart">> ;;>> systemd)>>- { cp>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">>\>>+ { # systemd .mount units must be named after the target>>directory.>>+ # Here we assume a hard-coded name of /gnu/store.>>+ cp>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount">>\>>+ /etc/systemd/system/;>>+ chmod 664 /etc/systemd/system/gnu-store.mount;>>+>>+ cp>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">>\>> /etc/systemd/system/;>> chmod 664 /etc/systemd/system/guix-daemon.service;>> >>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()>> fi;>> >> systemctl daemon-reload &&>>- systemctl start guix-daemon &&>>- systemctl enable guix-daemon; } &&>>+ systemctl start gnu-store.mount guix-daemon &&>>+ systemctl enable gnu-store.mount guix-daemon; } &&>> _msg "${PAS}enabled Guix daemon via systemd">> ;;>> sysv-init)>>diff --git a/nix/local.mk b/nix/local.mk>>index a64bdd2137..435fdd389a 100644>>--- a/nix/local.mk>>+++ b/nix/local.mk>>@@ -155,7 +155,17 @@ noinst_HEADERS = \>> >> # The '.service' files for systemd.>> systemdservicedir = $(libdir)/systemd/system>>-nodist_systemdservice_DATA = etc/guix-daemon.service>>etc/guix-publish.service>>+nodist_systemdservice_DATA = \>>+ etc/gnu-store.mount \>>+ etc/guix-daemon.service \>>+ etc/guix-publish.service>>+>>+etc/%.mount: etc/%.mount.in \>>+ $(top_builddir)/config.status>>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \>>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \>>+ "$<" > "$@.tmp"; \>>+ mv "$@.tmp" "$@">> >> etc/guix-%.service: etc/guix-%.service.in \>> $(top_builddir)/config.status>>I see that's how it's done with the existing service, but why sed the>.in file when we could let configure.ac take care of it?>>I'll try that on a VM of a foreign distro soonish and report. Thanks!
I tested it on a debian VM and it worked well. I tested the installer script and it fails at installing the .mount unit, because it does not exist in the tarball.
After installing the unit manually, I could start the .mount service and found that I was not able to remove store items with rm. I checked that Guix is able to install new store items.
Julien Lepiller wrote on 14 May 2020 20:49
0CDBC9C6-B6B1-4696-A2C0-7D5BD3BA887D@lepiller.eu
On 14 May 2020 12:35:12 GMT-04:00, Julien Lepiller <julien@lepiller.eu> wrote:
Toggle quote (138 lines)>Le 14 mai 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu>>a écrit :>>Le 14 mai 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via>>Guix-patches via <guix-patches@gnu.org> a écrit :>>>* etc/gnu-store.mount.in: New file.>>>* nix/local.mk (nodist_systemdservice_DATA): Add it.>>>(etc/%.mount): New rule.>>>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.>>>* doc/guix.texi (Binary Installation): Document it.>>>--->>>>>>For>>><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.>>>>>> doc/guix.texi | 5 +++-->>> etc/gnu-store.mount.in | 14 ++++++++++++++>>> etc/guix-install.sh | 12 +++++++++--->>> nix/local.mk | 12 +++++++++++->>> 4 files changed, 37 insertions(+), 6 deletions(-)>>> create mode 100644 etc/gnu-store.mount.in>>>>>>diff --git a/doc/guix.texi b/doc/guix.texi>>>index d6fbd85fde..5d80a7e405 100644>>>--- a/doc/guix.texi>>>+++ b/doc/guix.texi>>>@@ -659,9 +659,10 @@ with these commands:>>> @c>>https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html>>> >>> @example>>>-# cp>>~root/.config/guix/current/lib/systemd/system/guix-daemon.service>>>\>>>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \>>>+ >>~root/.config/guix/current/lib/systemd/system/guix-daemon.service>>>\>>> /etc/systemd/system/>>>-# systemctl enable --now guix-daemon>>>+# systemctl enable --now gnu-store.mount guix-daemon>>> @end example>>> >>> If your host distro uses the Upstart init system:>>>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in>>>new file mode 100644>>>index 0000000000..c94f2db72b>>>--- /dev/null>>>+++ b/etc/gnu-store.mount.in>>>@@ -0,0 +1,14 @@>>>+[Unit]>>>+Description=Read-only @storedir@ for GNU Guix>>>+DefaultDependencies=no>>>+ConditionPathExists=@storedir@>>>+Before=guix-daemon.service>>>+>>>+[Install]>>>+WantedBy=guix-daemon.service>>>+>>>+[Mount]>>>+What=@storedir@>>>+Where=@storedir@>>>+Type=none>>>+Options=bind,ro>>>diff --git a/etc/guix-install.sh 
b/etc/guix-install.sh>>>index 4909d3f162..d252c132fb 100755>>>--- a/etc/guix-install.sh>>>+++ b/etc/guix-install.sh>>>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()>>> _msg "${PAS}enabled Guix daemon via upstart">>> ;;>>> systemd)>>>- { cp>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">>>\>>>+ { # systemd .mount units must be named after the target>>>directory.>>>+ # Here we assume a hard-coded name of /gnu/store.>>>+ cp>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount">>>\>>>+ /etc/systemd/system/;>>>+ chmod 664 /etc/systemd/system/gnu-store.mount;>>>+>>>+ cp>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service">>>\>>> /etc/systemd/system/;>>> chmod 664 /etc/systemd/system/guix-daemon.service;>>> 
>>>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()>>> fi;>>> >>> systemctl daemon-reload &&>>>- systemctl start guix-daemon &&>>>- systemctl enable guix-daemon; } &&>>>+ systemctl start gnu-store.mount guix-daemon &&>>>+ systemctl enable gnu-store.mount guix-daemon; } &&>>> _msg "${PAS}enabled Guix daemon via systemd">>> ;;>>> sysv-init)>>>diff --git a/nix/local.mk b/nix/local.mk>>>index a64bdd2137..435fdd389a 100644>>>--- a/nix/local.mk>>>+++ b/nix/local.mk>>>@@ -155,7 +155,17 @@ noinst_HEADERS = \>>> >>> # The '.service' files for systemd.>>> systemdservicedir = $(libdir)/systemd/system>>>-nodist_systemdservice_DATA = etc/guix-daemon.service>>>etc/guix-publish.service>>>+nodist_systemdservice_DATA = \>>>+ etc/gnu-store.mount \>>>+ etc/guix-daemon.service \>>>+ etc/guix-publish.service>>>+>>>+etc/%.mount: etc/%.mount.in \>>>+ $(top_builddir)/config.status>>>+ $(AM_V_GEN)$(MKDIR_P) "`dirname $@`"; \>>>+ $(SED) -e 's|@''storedir''@|$(storedir)|' < \>>>+ "$<" > "$@.tmp"; \>>>+ mv "$@.tmp" "$@">>> >>> etc/guix-%.service: etc/guix-%.service.in \>>> $(top_builddir)/config.status>>>>I see that's how it's done with the existing service, but why sed the>>.in file when we could let configure.ac take care of it?>>>>I'll try that on a VM of a foreign distro soonish and report. Thanks!>>I tested it on a debian VM and it worked well. I tested the installer>script and it fails at installing the .mount unit, because it does not>exist in the tarball.>>After installing the unit manually, I could start the .mount service>and found that I was not able to remove store store items with rm. I>checked that Guix is able to install new store items.
For non systemd distros, adding the following line to /etc/fstab works:
@storedir@ @storedir@ none defaults,bind,ro 0 0
Then running "mount -a" remounts the store read-only.
I'm not sure how to integrate this properly in the installer script.
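Two checks that the thread leaves implicit, written here as an added example (not part of the Guix patch, guix-install.sh or any reply above): why the unit for /gnu/store has to be called gnu-store.mount (the "hard-coded name" the install script comments on and the "@storedir@-templated unit name" caveat), and how to confirm from the mount table that the store really is read-only, which Julien and Vincent checked by hand with rm. `mount_unit_name` re-implements the path-escaping rule documented in systemd.unit(5) for ASCII paths; `mount_is_readonly` parses lines in /proc/self/mountinfo format. The mount table below is constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Guix patch or from guix-install.sh.
#
#   mount_unit_name PATH
#     Re-implements the escaping documented in systemd.unit(5) for ASCII
#     paths, which is why the unit mounting /gnu/store must be called
#     gnu-store.mount: leading, trailing and duplicate '/' are dropped,
#     each remaining '/' becomes '-', ASCII alphanumerics, ':', '_' and
#     '.' are kept, and anything else (spaces, '-', ...) becomes a C-style
#     \xNN escape.  For non-ASCII paths use
#     `systemd-escape --path --suffix=mount PATH` instead.
#
#   mount_is_readonly PATH < mountinfo
#     Reads /proc/self/mountinfo-formatted lines from stdin and prints
#     "ro", "rw" or "not-mounted" for PATH.  Field 5 is the mount point and
#     field 6 the per-mount options; a read-only bind mount says "ro" only
#     there, while the superblock options after the " - " separator still
#     say "rw" for the underlying filesystem.  When the same mount point
#     appears several times (a bind mount stacked on the original mount),
#     the last line is the topmost, visible one.

mount_unit_name() {
    printf '%s' "$1" | awk '
        BEGIN { for (j = 32; j < 127; j++) ord[sprintf("%c", j)] = j }
        {
            gsub(/\/+/, "/"); sub(/^\//, ""); sub(/\/$/, "")
            if ($0 == "") { print "-.mount"; exit }   # the root directory
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "/")                       out = out "-"
                else if (c == "." && out == "")     out = out "\\x2e"
                else if (c ~ /[A-Za-z0-9:_.]/)      out = out c
                else                                out = out sprintf("\\x%02x", ord[c])
            }
            print out ".mount"
        }'
}

mount_is_readonly() {
    awk -v target="$1" '
        # A mount point containing a space is written as \040 in mountinfo,
        # so such a path must be escaped the same way before lookup.
        $5 == target { last = $6 }
        END {
            if (last == "") { print "not-mounted"; exit }
            n = split(last, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") { print "ro"; exit }
            print "rw"
        }'
}

# Constructed sample in /proc/self/mountinfo format: the root filesystem,
# /gnu/store bind-mounted over itself read-only, and a writable /home.
SAMPLE_MOUNTINFO='26 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
51 26 8:1 /gnu/store /gnu/store ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
60 26 8:2 / /home rw,relatime shared:2 - ext4 /dev/sda2 rw'

echo "unit name for /gnu/store: $(mount_unit_name /gnu/store)"
echo "sample /gnu/store: $(printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_is_readonly /gnu/store)"
echo "sample /home: $(printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_is_readonly /home)"

# On a live Linux host, run the same check against the real mount table.
if [ -r /proc/self/mountinfo ]; then
    echo "this host /gnu/store: $(mount_is_readonly /gnu/store < /proc/self/mountinfo)"
fi
```

The superblock-versus-per-mount distinction is the one that matters for the fstab variant too: `mount -a` with `bind,ro` yields a line whose field 6 carries `ro` while the trailing superblock options keep saying `rw`, so a check that greps only the end of the line reports the store as writable even when it is not.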
Vincent Legoll wrote on 15 May 2020 09:34
Re: [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
(address . 41259@debbugs.gnu.org)
1061cdaa-0be4-728c-4311-8d3a6172435d@gmail.com
Hello Tobias,
As this will conflict with the work I'm preparing (runit, openrc, non-interactive-mode, busybox compatibility, local binary tarball & misc cleanups)
I'll give it a spin on a bunch of different OS versions (fedora rawhide, debian 9 & 10, devuan, alpine & void/i686) later today.
-- Vincent Legoll
Vincent Legoll wrote on 15 May 2020 18:25
.gitignore ?
(address . 41259@debbugs.gnu.org)
a26089e6-681e-66de-2143-2da22235aa92@gmail.com
Hello Tobias,
shouldn't your patch also add: /etc/gnu-store.mount to .gitignore ?
I'm doing the tests now, stay tuned for the results.
-- Vincent Legoll
Tobias Geerinckx-Rice wrote on 15 May 2020 18:52
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 41259@debbugs.gnu.org)
87blmpjg3x.fsf@nckx
Vincent,
Vincent Legoll wrote:
> shouldn't your patch also add: /etc/gnu-store.mount
> to .gitignore ?
Probably, it's not a file I ever think of. Done.
How does this conflict with your work?
Thanks,
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr7IsgAKCRANsP+IT1VteaM6AP0TAyKCEGDOqbfLZb3GO88kPRistt2qctjYQJxtsi73PQEAmV1k2ENSYemkTLkQhUZHfj456xEgdx/+2BWUednpaww==fRR1-----END PGP SIGNATURE-----
V
V
Vincent Legoll wrote on 15 May 2020 18:55
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 41259@debbugs.gnu.org)
ea7c5b81-d76b-68bb-a0fd-cbb0df0a3278@gmail.com
Hello,
On 15/05/2020 18:52, Tobias Geerinckx-Rice wrote:
> How does this conflict with your work?
I'll get a merge conflict in etc/guix-install.sh and maybe also in nix/local.mk but that's OK, it will be simple enough to handle.
-- Vincent Legoll
Vincent Legoll wrote on 16 May 2020 14:38
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 41259@debbugs.gnu.org)
741a8f8e-e3a0-fe88-2484-3a54db19b617@gmail.com
Hello Tobias,
yesterday's today is in fact today's today...
On 15/05/2020 18:55, Vincent Legoll wrote:
> I'll get a merge conflict in etc/guix-install.sh and
> maybe also in nix/local.mk but that's OK, it will be
> simple enough to handle.
I was too pessimistic, I'm not getting any merge conflict.
Your patch seems to be working nicely, I tested on a range of VMs:
x86_64: alpine devuan fedora debian_stretch debian_buster
i686: void
guix is still working properly (search, show, build, gc,package -i, -r, -l, -d)
And `rm -rf /gnu/store/*hello*' was correctly prevented on the systemds (debian*, fedora) and the other ones let the delete run.
LGTM
I'll try to come with something for the other init systems and add that to my series...
-- Vincent Legoll
Tobias Geerinckx-Rice wrote on 16 May 2020 16:04
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 41259@debbugs.gnu.org)
87o8qonfhm.fsf@nckx
Vincent,
Vincent Legoll wrote:
> yesterday's today is in fact today's today...
I've tried to stop that but to no avail.
> I was too pessimistic, I'm not getting any merge conflict.
Happy to hear it. Git can be remarkably clever with 3-way merges sometimes (and disappointingly dense at others).
> Your patch seems to be working nicely, I tested on a range
> of VMs:
>
> x86_64: alpine devuan fedora debian_stretch debian_buster
> i686: void
Thank you for being so thorough. You've given me the confidence to push this to master as 1a1faa78b0498fbb71f1533beb4b65817c1d3f2a. Guess I'll leave this bug open since it only solves it for systemd.
> I'll try to come with something for the other init systems
> and add that to my series...
I hope we can avoid touching users' fstab but don't know enough about these other systems to say.
Thanks!
T G-R
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXr/y1gAKCRANsP+IT1VtedztAQDjqOXbfjA2e7z2ByyCv6xVAJuuMEkXJ4MQhYWJDt78CAD9F0TDi3t8ZEPymfjYREOBGicJPISoF1UJzuu5mJimOgY==Y6U5-----END PGP SIGNATURE-----
M
M
Maxim Cournoyer wrote on 3 Aug 21:56 +0200
Re: bug#41259: [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87pmuu8fq3.fsf_-_@gmail.com
Tobias Geerinckx-Rice <me@tobias.gr> writes:
> Vincent,
>
> Vincent Legoll wrote:
>> yesterday's today is in fact today's today...
>
> I've tried to stop that but to no avail.
>
>> I was too pessimistic, I'm not getting any merge conflict.
>
> Happy to hear it. Git can be remarkably clever with 3-way merges
> sometimes (and disappointingly dense at others).
>
>> Your patch seems to be working nicely, I tested on a range
>> of VMs:
>>
>> x86_64: alpine devuan fedora debian_stretch debian_buster
>> i686: void
>
> Thank you for being so thorough. You've given me the confidence to
> push this to master as 1a1faa78b0498fbb71f1533beb4b65817c1d3f2a.
> Guess I'll leave this bug open since it only solves it for systemd.
That's a patch, not a bug, though :-).
I'll close it now to spare someone else the time it took me to read through and see whether bits had gone uncommitted :-).
Thank you,
Maxim
Closed