From e2583b5a17bfdedc1d24b3bab2d752fbf8fa6db6 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 25 Mar 2025 17:41:57 +0100 Subject: services: guix: Allow ‘guix-daemon’ to run without root privileges. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/base.scm (run-with-writable-store) (guix-ownership-change-program): New procedures. ()[privileged?]: New field. (guix-shepherd-service): Rename to… (guix-shepherd-services): … this. Add the ‘guix-ownership’ service. Change ‘guix-daemon’ service to depend on it; when unprivileged, prefix ‘daemon-command’ by ‘run-with-writable-store’ and omit ‘--build-users-group’; adjust socket activation endpoints. (guix-accounts): When unprivileged, create the “guix-daemon” user and group in addition to the others. (guix-service-type)[extensions]: Adjust to name change. * gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter. (%test-guix-daemon): Adjust accordingly. (%test-guix-daemon-unprivileged): New test. * doc/guix.texi (Base Services): Document ‘privileged?’. (Migrating to the Unprivileged Daemon): Explain that this is automatic on Guix System. Reviewed-by: Maxim Cournoyer Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163 --- gnu/tests/base.scm | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) (limited to 'gnu/tests') diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 83e047f7e64..ef05e56e5f7 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016-2020, 2022, 2024 Ludovic Courtès +;;; Copyright © 2016-2020, 2022, 2024-2025 Ludovic Courtès ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2022 Maxim Cournoyer ;;; Copyright © 2022 Marius Bakke @@ -63,7 +63,8 @@ %hello-dependencies-manifest guix-daemon-test-cases - %test-guix-daemon)) + %test-guix-daemon + %test-guix-daemon-unprivileged)) (define %simple-os (simple-operating-system)) @@ -1121,7 +1122,7 @@ test." (system-error-errno args))) #$marionette)))) -(define (run-guix-daemon-test os) +(define (run-guix-daemon-test os name) (define test-image (image (operating-system os) (format 'compressed-qcow2) @@ -1168,7 +1169,7 @@ test." (test-end)))) - (gexp->derivation "guix-daemon-test" test)) + (gexp->derivation name test)) (define %test-guix-daemon (system-test @@ -1190,4 +1191,34 @@ test." %base-user-accounts))) #:imported-modules '((gnu services herd) (guix combinators))))) - (run-guix-daemon-test os))))) + (run-guix-daemon-test os "guix-daemon-test"))))) + +(define %test-guix-daemon-unprivileged + (system-test + (name "guix-daemon-unprivileged") + (description + "Test 'guix-daemon' behavior on a multi-user system, where 'guix-daemon' +runs unprivileged.") + (value + (let ((os (marionette-operating-system + (let ((base (operating-system-with-gc-roots + %daemon-os + (list (profile + (name "hello-build-dependencies") + (content %hello-dependencies-manifest)))))) + (operating-system + (inherit base) + (kernel-arguments '("console=ttyS0")) + (users (cons (user-account + (name "user") + (group "users")) + %base-user-accounts)) + (services + (modify-services (operating-system-user-services base) + (guix-service-type + config => (guix-configuration + (inherit config) + (privileged? #f))))))) + #:imported-modules '((gnu services herd) + (guix combinators))))) + (run-guix-daemon-test os "guix-daemon-unprivileged-test"))))) -- cgit v1.3