Hi irandms,
radio <[email protected]> writes:

> Hello fantastic Guix enthusiasts!
>
> I've been using the Guix System for a bit over a year now and it's been
> pretty fun. Following from the security issues posted in June, I became
> interested in hardening the system further, and found the following:
>
> https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/
>
> This led me to
> https://guix.gnu.org/manual/devel/en/html_node/Build-Environment-Setup.html#Daemon-Running-Without-Privileges
> and ultimately
> https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#guix_002dconfiguration_002dtype
> , revealing that setting privileged? to #f within my guix-configuration
> would allow me to swap over to the rootless build daemon.
>
> So what I did was define this in my system.scm:
>
> (define rootless-guix-daemon
>   (modify-services %base-services
>     (guix-service-type
>      config => (guix-configuration
>                 (inherit config)
>                 (privileged? #f)))))
>
> And appended my existing list of services to this rootless-guix-daemon,
> rather than %base-services, in my system.scm.
>
> It seems like things more or less worked after that, but I noticed that
> guix gc would fail, and I didn't end up finding an obvious answer. I
> figured the migration may have been messed up since I had many generations
> in place already in the store, and it sounds like filesystem permission
> changes would be involved to make /gnu/store accessible to the non-root
> daemon users/groups.
>
> Unrelated to that, I got a new storage device and decided to do a fresh
> install, figuring that this time, since I would be reusing my system.scm,
> my store could be set up "from the very beginning" to use rootless
> Guix builds.
>
> Unfortunately, I still see the same issues - or similar enough ones - and
> have not been able to run guix gc this entire time, leading to disk space
> slowly disappearing as I continue to create new generations:
>
> irandms@firelink ~> guix gc
> finding garbage collector roots...
> removing stale link from `/var/guix/gcroots/auto/f011k8wxdbzhp0k92b2s8a0ld2w626ii' to `/home/irandms/.cache/guix/profiles/qil6j44krodwz7bmtn6cflnkh7yjwxuec7qrvltflevq3graktyq'
> removing stale link from `/var/guix/gcroots/auto/wg6rbbqbszcm3qrha8jjjhz6wf73wc3i' to `/home/irandms/.cache/guix/profiles/p6tfph2p743qhrxub24lw5fftujirj7v45e2b2xvawk7krjfhh3q'
> removing stale link from `/var/guix/gcroots/auto/w0r0i9y06argglwg22lv91wg157dvx8v' to `/home/irandms/.cache/guix/profiles/t37ttccjtewrggfiutxb5jz3c23tsiklsdi2zr6qcvnahwotcn6q'
> removing stale link from `/var/guix/gcroots/auto/7rclhnw3lysqvg8hgkbfvb4v5hnnyfa3' to `/home/irandms/.cache/guix/profiles/37uubhsdb53jtmqdh6cpfiib3hyjbfl5yhv6dnvw7rzaojeltzsa'
> removing stale link from `/var/guix/gcroots/auto/2d7v7k5vmmdr3agmklymi41qhy8iw41m' to `/home/irandms/.cache/guix/profiles/4oqmejpiuoljny4uv4wozvpyewzj7mg7ueqprbfoeeqijtzcmmiq'
> removing stale link from `/var/guix/gcroots/auto/xnr6gi37zyg7n92lw43jdicxb416rax3' to `/home/irandms/.cache/guix/profiles/tzqgpkskscayqletb3ehdz7725ff2klsvtw4wdhso6rw3wjqv45a'
> removing stale link from `/var/guix/gcroots/auto/671qjr4ma1v16qn0p99xn73j5bymhcpa' to `/home/irandms/.cache/guix/profiles/utqsir2fxsipoaq77bzexenvh3xezc7kckpb242lvvrl3kaie54a'
> removing stale link from `/var/guix/gcroots/auto/5apxj94305vr6wpvrrj8wibg1xlklgxv' to `/home/irandms/.cache/guix/profiles/jmuajyp4jk56727sc2wid3feeju5rtncp6ql4tdjz5afd5l7cl6a'
> removing stale link from `/var/guix/gcroots/auto/rafgib0497hjb8vvlgfclyjpibzlzsgy' to `/home/irandms/.cache/guix/profiles/eqqltc2o56tg6ej2ekovmxnrjq6aogf3tydq3xfzohmnvovujera'
> guix gc: error: program `/gnu/store/v0jn99jlpdy6449apv91x752h39q9y51-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1
>
> I initially asked a question a few weeks ago in IRC if anyone
> experienced issues with guix gc after changing this parameter
> (privileged?), but didn't seem to get any response.
>
> I was hoping someone here could point me in the right direction to debug
> guix gc, or just know outright what the issue is. I imagine this is related
> to filesystem permission/visibility, but even after trying to (very
> hackily) modify permissions to both restrictive and permissive settings
> (e.g. chmod 777 recursively on /gnu) on my old/previous drive's Guix
> System, it still seemed quite broken, with guix gc failing with exit code 1.

So who owns the files in your /gnu/store? Are all files in there owned by
the non-root daemon user?

Rutherther

> Thanks to anyone who can help me figure this out, and to all the
> contributors to this awesome project.
>
> - irandms
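An added helper for answering Rutherther's ownership question; it is not code from the thread or from Guix. It assumes the unprivileged daemon runs as a dedicated system user (the thread does not name it, so the user name is a parameter) and that the audit is run as root so every entry is readable.

```shell
#!/bin/sh
# Added example: report entries under a directory tree that are not owned
# by the expected daemon uid. Run as root on a Guix System against
# /gnu/store and /var/guix after switching to (privileged? #f).

# not_owned_by DIR UID -> one path per line for entries whose owner is not UID.
# A numeric argument to -user is treated as a uid by POSIX find.
not_owned_by() {
    find "$1" ! -user "$2"
}

# count_not_owned_by DIR UID -> number of such entries (0 when clean).
count_not_owned_by() {
    not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# audit_store DIR USER -> human-readable report.
# Exit status: 0 clean, 1 mismatches found, 2 unknown user.
audit_store() {
    dir=$1
    user=$2
    uid=$(id -u "$user") || return 2
    n=$(count_not_owned_by "$dir" "$uid")
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $dir is owned by $user (uid $uid)"
        return 0
    fi
    echo "WARNING: $n entries under $dir not owned by $user (uid $uid); first 10:"
    not_owned_by "$dir" "$uid" | head -n 10 | while IFS= read -r p; do
        ls -ld -- "$p"
    done
    return 1
}

# Usage on the affected system (daemon user name is an assumption; take the
# actual name from your guix-configuration / the running guix-daemon process):
#   audit_store /gnu/store guix-daemon
#   audit_store /var/guix  guix-daemon
```

A non-zero exit from `audit_store` on either tree points at leftover root-owned entries from the privileged daemon, which is the first thing to rule out before digging into `guix gc` itself.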
