GNU bug report logs - #45980
Feature request: parameterized /var/guix/profiles/per-user

Previous Next

Package: guix;

Reported by: Dimitri DELABROYE <dimitri.delabroye <at> inria.fr>

Date: Tue, 19 Jan 2021 14:16:02 UTC

Severity: wishlist

To reply to this bug, email your comments to 45980 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#45980; Package guix. (Tue, 19 Jan 2021 14:16:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Dimitri DELABROYE <dimitri.delabroye <at> inria.fr>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 19 Jan 2021 14:16:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dimitri DELABROYE <dimitri.delabroye <at> inria.fr>
To: bug-guix <at> gnu.org
Cc: support-staff <at> lists.grid5000.fr
Subject: Feature request: parameterized /var/guix/profiles/per-user
Date: Tue, 19 Jan 2021 14:34:47 +0100

Hi,

We have installed guix following this cluster documentation 
https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/ on 
Grid'5000 which is a testbed.

In order to be more secure we did not want to export /var/guix with RW 
rights, we cannot trust root on the nodes. So for the user profile to 
work we did the following:
    - mount the user's home on the guix server
    - instead of letting guix create the user's profile on 
/var/guix/profiles/per-user we created symlink: ln -s /home/USER/.guix 
/var/guix/profiles/per-user/USER
This way we can export /var/guix with RO rights and users can't see each 
others profiles.

Another way would be to have a parameter to configure the 
/var/guix/profiles/per-user directory so the symlink mecanism would not 
be needed. For example guix could directly write in the user directory 
in /home/USER/.guix.

Best regards,
Dimitri

Grid'5000 Techteam
Information forwarded to bug-guix <at> gnu.org:
bug#45980; Package guix. (Thu, 21 Jan 2021 14:35:02 GMT) Full text and rfc822 format available.

Message #8 received at 45980 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: Dimitri DELABROYE <dimitri.delabroye <at> inria.fr>
Cc: support-staff <at> lists.grid5000.fr, 45980 <at> debbugs.gnu.org
Subject: Re: bug#45980: Feature request: parameterized
 /var/guix/profiles/per-user
Date: Thu, 21 Jan 2021 15:34:00 +0100

Hi Dimitri,

Dimitri DELABROYE <dimitri.delabroye <at> inria.fr> skribis:

> In order to be more secure we did not want to export /var/guix with RW
> rights, we cannot trust root on the nodes.

Just so those unfamiliar with Grid’5000 understand: what’s special here
is that users can spawn new nodes where they are root, but this root
user is not trusted as an admin of the cluster as a whole.

Thus, if /var/guix as we know it were NFS-exported read/write, anyone
could fiddle with all of /var/guix/profiles/per-user.  That’s the reason
why Dimitri & co. came up with the idea of storing per-user profiles in
each user’s home directory.

Why home directories?  Because there’s already machinery on G5K that
arranges so that a node can NFS-mount nothing but the home directory of
the user who reserved the node.

Why not treat /var/guix/profiles/per-user/USER NFS shares in the same
way as home directories, then?  That’s an option, but that’d mean extra
work for G5K, AIUI.

> So for the user profile to 
> work we did the following:
>     - mount the user's home on the guix server
>     - instead of letting guix create the user's profile on
> /var/guix/profiles/per-user we created symlink: ln -s /home/USER/.guix 
> /var/guix/profiles/per-user/USER
> This way we can export /var/guix with RO rights and users can't see
> each others profiles.

The problem is that ‘gc-roots’ in (guix store roots) won’t traverse
those /per-user/USER symlinks.  Instead, it assumes they are symlinks to
indirect roots.

> Another way would be to have a parameter to configure the
> /var/guix/profiles/per-user directory so the symlink mecanism would
> not be needed. For example guix could directly write in the user
> directory in /home/USER/.guix.

In fact, it’s possible to use profiles other than the default profile,
and those profiles can be anywhere on the file system.  For instance, if
you do:

  guix install -p ~/.guix/my-profile emacs

the thing is installed in ~/.guix/my-profile; that profile does not show
up in /var/guix/profiles, but it is seen as a GC root by the daemon, via
/var/guix/gcroots/auto.

Longer-term, we could imagine having a “private profile” option, where
the default profile is managed this way instead of being visible in
/var/guix/profiles/per-user.  But obviously that needs more thought and
it’s not an option to solve your immediate problem.


As it stands, the simplest option I think would be handle NFS exports of
/var/guix/profiles/per-user/USER just like exports of /home/USER.

Thoughts?

Ludo’.
This bug report was last modified 4 years and 1 day ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.