Hello fantastic Guix enthusiasts! I've been using the Guix System for a bit over a year now and it's been pretty fun. Following from the security issues posted in June, I became interested in hardening the system further, and found the following:
https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/

This led me to https://guix.gnu.org/manual/devel/en/html_node/Build-Environment-Setup.html#Daemon-Running-Without-Privileges and ultimately https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#guix_002dconfiguration_002dtype , revealing that setting privileged? to #f within my guix-configuration would allow me to swap over to the rootless build daemon.

So what I did was define this in my system.scm:

    ;; %base-services, with the build daemon configured to drop root.
    (define rootless-guix-daemon
      (modify-services %base-services
        (guix-service-type config =>
                           (guix-configuration
                            (inherit config)      ; keep the other daemon settings
                            (privileged? #f)))))

and appended my existing list of services to this rootless-guix-daemon, rather than %base-services, in my system.scm.

It seems like things more or less worked after that, but I noticed that guix gc would fail, and I didn't end up finding an obvious answer. I figured the migration may have been messed up since I had many generations in place already in the store, and it sounds like filesystem permission changes would be involved to make /gnu/store accessible to the non-root daemon users/groups.

Unrelated to that, I got a new storage device and decided to do a fresh install, figuring that this time, since I would be reusing my system.scm, my store could be set up "from the very beginning" to use rootless Guix builds. Unfortunately, I still see the same issues - or similar enough ones - and have not been able to run guix gc this entire time, leading to disk space slowly disappearing as I continue to create new generations:

    irandms@firelink ~> guix gc
    finding garbage collector roots...
    removing stale link from `/var/guix/gcroots/auto/f011k8wxdbzhp0k92b2s8a0ld2w626ii' to `/home/irandms/.cache/guix/profiles/qil6j44krodwz7bmtn6cflnkh7yjwxuec7qrvltflevq3graktyq'
    removing stale link from `/var/guix/gcroots/auto/wg6rbbqbszcm3qrha8jjjhz6wf73wc3i' to `/home/irandms/.cache/guix/profiles/p6tfph2p743qhrxub24lw5fftujirj7v45e2b2xvawk7krjfhh3q'
    removing stale link from `/var/guix/gcroots/auto/w0r0i9y06argglwg22lv91wg157dvx8v' to `/home/irandms/.cache/guix/profiles/t37ttccjtewrggfiutxb5jz3c23tsiklsdi2zr6qcvnahwotcn6q'
    removing stale link from `/var/guix/gcroots/auto/7rclhnw3lysqvg8hgkbfvb4v5hnnyfa3' to `/home/irandms/.cache/guix/profiles/37uubhsdb53jtmqdh6cpfiib3hyjbfl5yhv6dnvw7rzaojeltzsa'
    removing stale link from `/var/guix/gcroots/auto/2d7v7k5vmmdr3agmklymi41qhy8iw41m' to `/home/irandms/.cache/guix/profiles/4oqmejpiuoljny4uv4wozvpyewzj7mg7ueqprbfoeeqijtzcmmiq'
    removing stale link from `/var/guix/gcroots/auto/xnr6gi37zyg7n92lw43jdicxb416rax3' to `/home/irandms/.cache/guix/profiles/tzqgpkskscayqletb3ehdz7725ff2klsvtw4wdhso6rw3wjqv45a'
    removing stale link from `/var/guix/gcroots/auto/671qjr4ma1v16qn0p99xn73j5bymhcpa' to `/home/irandms/.cache/guix/profiles/utqsir2fxsipoaq77bzexenvh3xezc7kckpb242lvvrl3kaie54a'
    removing stale link from `/var/guix/gcroots/auto/5apxj94305vr6wpvrrj8wibg1xlklgxv' to `/home/irandms/.cache/guix/profiles/jmuajyp4jk56727sc2wid3feeju5rtncp6ql4tdjz5afd5l7cl6a'
    removing stale link from `/var/guix/gcroots/auto/rafgib0497hjb8vvlgfclyjpibzlzsgy' to `/home/irandms/.cache/guix/profiles/eqqltc2o56tg6ej2ekovmxnrjq6aogf3tydq3xfzohmnvovujera'
    guix gc: error: program `/gnu/store/v0jn99jlpdy6449apv91x752h39q9y51-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1

I initially asked a question a few weeks ago in IRC if anyone experienced issues with guix gc after changing this parameter (privileged?), but didn't seem to get any response.
I was hoping someone here could point me in the right direction to debug guix gc, or just know outright what the issue is. I imagine this is related to filesystem permission/visibility, but even after trying to (very hackily) modify permissions to both restrictive and permissive settings (e.g. chmod 777 recursively on /gnu) on my old/previous drive's Guix System, it still seemed quite broken, with guix gc failing with exit code 1. Thanks to anyone who can help me figure this out, and to all the contributors to this awesome project. - irandms
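The post above suspects a permission or ownership mismatch between the unprivileged daemon and the store. The following script is an added diagnostic, not part of Guix or of the original message: it reports which account the running guix-daemon uses and whether that account owns /gnu/store and the /var/guix state directories, which is the first thing to rule out before digging into guix gc itself. It assumes, as the linked manual section describes, that with privileged? #f the daemon runs as a dedicated unprivileged account (assumed here to be named guix-daemon) and that this account owns the store and /var/guix; it uses only coreutils stat/id and procps ps.

```shell
#!/bin/sh
# Added diagnostic for the rootless guix-daemon setup discussed in the post.
# Not Guix's own code. Assumptions: the daemon runs as an unprivileged account
# (assumed name: guix-daemon) that should own /gnu/store and /var/guix.

# report_owner PATH: print "owner group mode" for PATH, or "missing".
report_owner() {
  if [ -e "$1" ]; then
    stat -c '%U %G %a' "$1"
  else
    echo missing
  fi
}

# daemon_user: account name of the running guix-daemon ("" if not running).
# Goes through the numeric uid because `ps -o user=` truncates long names.
daemon_user() {
  uid=$(ps -o uid= -C guix-daemon 2>/dev/null | head -n 1 | tr -d ' ')
  [ -n "$uid" ] && id -un "$uid" 2>/dev/null
}

# owned_by PATH USER: succeed only when PATH exists and is owned by USER.
owned_by() {
  [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# check_store ROOT USER: inspect the store and daemon state directories under
# ROOT ("" for the live system) and report each one not owned by USER.
# Returns the number of mismatches, so exit status 0 means all are owned by USER.
check_store() {
  root=$1
  user=$2
  bad=0
  for rel in gnu/store var/guix var/guix/db var/guix/gcroots var/guix/profiles; do
    path="$root/$rel"
    if owned_by "$path" "$user"; then
      printf 'ok       %-20s %s\n' "$rel" "$(report_owner "$path")"
    else
      printf 'MISMATCH %-20s %s (expected owner %s)\n' \
        "$rel" "$(report_owner "$path")" "$user" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

main() {
  user=$(daemon_user)
  if [ -z "$user" ]; then
    echo "guix-daemon is not running; falling back to the assumed account name" >&2
    user=guix-daemon   # assumed name, see header comment
  fi
  echo "daemon runs as: $user"
  check_store "" "$user"
}

# Only touch the live system when explicitly asked, so the functions above can
# also be sourced or exercised against a scratch directory.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh guix-store-check.sh --run`; a non-zero exit status with MISMATCH lines on stderr points at directories whose owner differs from the daemon's account, which is worth fixing (or reporting together with this output) before looking further into why guix gc exits with code 1.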
