Hi Dimitri,
Dimitri DELABROYE <dimitri.delabroye@inria.fr> skribis:
Toggle quote (3 lines)
> In order to be more secure we did not want to export /var/guix with RW
> rights, we cannot trust root on the nodes.
Just so those unfamiliar with Grid’5000 understand: what’s special here
is that users can spawn new nodes where they are root, but this root
user is not trusted as an admin of the cluster as a whole.
Thus, if /var/guix as we know it were NFS-exported read/write, anyone
could fiddle with all of /var/guix/profiles/per-user. That’s the reason
why Dimitri & co. came up with the idea of storing per-user profiles in
each user’s home directory.
Why home directories? Because there’s already machinery on G5K that
arranges so that a node can NFS-mount nothing but the home directory of
the user who reserved the node.
Why not treat /var/guix/profiles/per-user/USER NFS shares in the same
way as home directories, then? That’s an option, but that’d mean extra
work for G5K, AIUI.
Toggle quote (9 lines)
> So for the user profile to
> work we did the following:
> - mount the user's home on the guix server
> - instead of letting guix create the user's profile on
> /var/guix/profiles/per-user we created symlink: ln -s /home/USER/.guix
> /var/guix/profiles/per-user/USER
> This way we can export /var/guix with RO rights and users can't see
> each others profiles.
The problem is that ‘gc-roots’ in (guix store roots) won’t traverse
those /per-user/USER symlinks. Instead, it assumes they are symlinks to
indirect roots.
Toggle quote (5 lines)
> Another way would be to have a parameter to configure the
> /var/guix/profiles/per-user directory so the symlink mecanism would
> not be needed. For example guix could directly write in the user
> directory in /home/USER/.guix.
In fact, it’s possible to use profiles other than the default profile,
and those profiles can be anywhere on the file system. For instance, if
you do:
guix install -p ~/.guix/my-profile emacs
the thing is installed in ~/.guix/my-profile; that profile does not show
up in /var/guix/profiles, but it is seen as a GC root by the daemon, via
/var/guix/gcroots/auto.
Longer-term, we could imagine having a “private profile” option, where
the default profile is managed this way instead of being visible in
/var/guix/profiles/per-user. But obviously that needs more thought and
it’s not an option to solve your immediate problem.
As it stands, the simplest option I think would be handle NFS exports of
/var/guix/profiles/per-user/USER just like exports of /home/USER.
Thoughts?
Ludo’.
