services: guix: Populate /etc/subgid so guix-daemon can map the “kvm” GID.

* gnu/services/base.scm (guix-activation): Add a line for ‘guix-daemon’ in /etc/subgid. (guix-shepherd-services): Add /run/privileged/bin to ‘PATH’. Change-Id: Ic103d86986ce2ace194b0a4296a00278bf0617eb
author: Ludovic Courtès <ludo@gnu.org> 2025-06-06 13:40:50 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2025-10-21 16:32:04 +0200
commit: 69710d1d3aa24cab57fe1f5521efe0fa96681538 (patch)
tree: f1d151d93aae37a1a96e0803387ed23dfbe4b411 /gnu
parent: 84c60c3c3baf4a743e921e13f7887152a1dae450 (diff)
1 files changed, 24 insertions, 3 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 09e599c89ec..c43f39fe320 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -2275,10 +2275,14 @@ guix-daemon have the right ownership."))
                                   ;; Make 'tar' and 'gzip' available so
                                   ;; that 'guix perform-download' can use
                                   ;; them when downloading from Software
-                                  ;; Heritage via '(guix swh)'.
+                                  ;; Heritage via '(guix swh)'.  Last,
+                                  ;; /run/privileged/bin is needed for
+                                  ;; 'newgidmap', used by the unprivileged
+                                  ;; daemon.
                                   (string-append "PATH="
                                                  #$(file-append tar "/bin") ":"
-                                                 #$(file-append gzip "/bin")))
+                                                 #$(file-append gzip "/bin") ":"
+                                                 "/run/privileged/bin"))
                             (if proxy
                                 (list (string-append "http_proxy=" proxy)
                                       (string-append "https_proxy=" proxy))
@@ -2383,7 +2387,24 @@ guix-daemon have the right ownership."))
         #$(if (null? (guix-configuration-build-machines config))
               #~#f
               (guix-machines-files-installation
-               #~(list #$@(guix-configuration-build-machines config)))))))
+               #~(list #$@(guix-configuration-build-machines config))))
+
+        #$(and (not (guix-configuration-privileged? config))
+               ;; Augment /etc/subgid so that the "kvm" group can be mapped in
+               ;; the build user namespace.  If a line is already present,
+               ;; assume it's correct.
+               #~(let ((port (open-file "/etc/subgid" "w+"))
+                       (kvm (false-if-exception (getgrnam "kvm"))))
+                   (when kvm
+                     (let loop ()
+                       (let ((line ((@ (ice-9 rdelim) read-line) port)))
+                         (cond ((eof-object? line)
+                                (format port "guix-daemon:~a:1~%"
+                                        (group:gid kvm)))
+                               ((string-prefix? "guix-daemon:" line)
+                                #t)
+                               (else (loop))))))
+                   (close-port port))))))
 
 (define-record-type* <guix-extension>
   guix-extension make-guix-extension
author	Ludovic Courtès <ludo@gnu.org>	2025-06-06 13:40:50 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2025-10-21 16:32:04 +0200
commit	69710d1d3aa24cab57fe1f5521efe0fa96681538 (patch)
tree	f1d151d93aae37a1a96e0803387ed23dfbe4b411 /gnu
parent	84c60c3c3baf4a743e921e13f7887152a1dae450 (diff)