Subject: bug#42173: [PATCH 2/2] services: nix: Fix sandbox.
From: Oleg Pykhalov
To: 42173@debbugs.gnu.org
Date: Wed, 22 Jul 2020 09:59:39 +0300
Message-Id: <20200722065939.18138-2-go.wigust@gmail.com>
In-Reply-To: <20200722065939.18138-1-go.wigust@gmail.com>
References: <878sfclfrf.fsf@gnu.org> <20200722065939.18138-1-go.wigust@gmail.com>

* gnu/tests/package-management.scm: New file.
* gnu/local.mk: Add this.
* gnu/services/nix.scm (): New record.
(nix-activation): Generate Nix config file.
(nix-service-type): Add default value.
(nix-shepherd-service): Allow providing Nix package.
* doc/guix.texi (Miscellaneous Services)[Nix service]: Document record.
---
 doc/guix.texi                    |  21 +++++
 gnu/local.mk                     |   1 +
 gnu/services/nix.scm             |  90 +++++++++++++--------
 gnu/tests/package-management.scm | 131 +++++++++++++++++++++++++++++++
 4 files changed, 211 insertions(+), 32 deletions(-)
 create mode 100644 gnu/tests/package-management.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 26ef937604..5639a360be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27597,6 +27597,27 @@ $ source /run/current-system/profile/etc/profile.d/nix.sh @end defvr +@deftp {Data Type} nix-configuration +This data type represents the configuration of the Nix daemon. + +@table @asis +@item @code{nix} (default: @code{nix}) +The Nix package to use. + +@item @code{sandbox} (default: @code{#t}) +Specifies whether builds are sandboxed by default. + +@item @code{build-sandbox-paths} (default: @code{'()}) +This is a list of strings or objects appended to the +@code{build-sandbox-paths} field of the configuration file. + +@item @code{extra-config} (default: @code{'()}) +This is a list of strings or objects appended to the configuration file. +It is used to pass extra text to be added verbatim to the configuration +file. +@end table +@end deftp + @node Setuid Programs @section Setuid Programs diff --git a/gnu/local.mk b/gnu/local.mk index 0eac01d72d..2c19562171 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -674,6 +674,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/mail.scm \ %D%/tests/messaging.scm \ %D%/tests/networking.scm \ + %D%/tests/package-management.scm \ %D%/tests/reconfigure.scm \ %D%/tests/rsync.scm \ %D%/tests/security-token.scm \ diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm index 3c0065207d..04e7726e4d 100644 --- a/gnu/services/nix.scm +++ b/gnu/services/nix.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019 Oleg Pykhalov +;;; Copyright © 2019, 2020 Oleg Pykhalov ;;; ;;; This file is part of GNU Guix. ;;; @@ -31,7 +31,9 @@ #:use-module (guix store) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) + #:use-module (ice-9 match) #:use-module (ice-9 format) + #:use-module (guix modules) #:export (nix-service-type)) ;;; Commentary: 
@@ -40,10 +42,17 @@ ;;; ;;; Code: - -;;; -;;; Accounts -;;; +(define-record-type* + nix-configuration make-nix-configuration + nix-configuration? + (package nix-configuration-package ;package + (default nix)) + (sandbox nix-configuration-sandbox ;boolean + (default #t)) + (build-sandbox-paths nix-configuration-build-sandbox-paths ;list of strings + (default '())) + (extra-config nix-configuration-extra-options ;list of strings + (default '()))) ;; Copied from gnu/services/base.scm (define* (nix-build-accounts count #:key 
@@ -74,32 +83,49 @@ GID." (id 40000)) (nix-build-accounts 10 #:group "nixbld"))) -(define (nix-activation _) - "Return the activation gexp." - (with-imported-modules '((guix build utils)) - #~(begin - (use-modules (guix build utils) - (srfi srfi-26)) - (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log" - "/nix/var/nix/gcroots/per-user" - "/nix/var/nix/profiles/per-user")) - (chown "/nix/store" - (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01"))) - (chmod "/nix/store" #o775) - (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" - "/nix/var/nix/profiles/per-user"))))) +(define nix-activation + ;; Return the activation gexp. + (match-lambda + (($ package sandbox build-sandbox-paths extra-config) + (with-imported-modules (source-module-closure + '((guix build store-copy))) + #~(begin + (use-modules (guix build utils) + (ice-9 format) + (srfi srfi-1) + (srfi srfi-26)) + (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log" + "/nix/var/nix/gcroots/per-user" + "/nix/var/nix/profiles/per-user")) + (chown "/nix/store" + (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01"))) + (chmod "/nix/store" #o775) + (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" + "/nix/var/nix/profiles/per-user")) + (mkdir-p "/etc/nix") + (with-output-to-file "/etc/nix/nix.conf" + (lambda _ + (format #t "sandbox = ~a~%" (if #$sandbox "true" "false")) + (format #t "build-sandbox-paths = ~{~a ~}~%" + (append (append-map (cut call-with-input-file <> read) + '#$(map references-file + (list package))) + '#$build-sandbox-paths)) + (for-each (cut display <>) '#$extra-config)))))))) -(define (nix-shepherd-service _) - "Return a for Nix." - (list - (shepherd-service - (provision '(nix-daemon)) - (documentation "Run nix-daemon.") - (requirement '()) - (start #~(make-forkexec-constructor - (list (string-append #$nix "/bin/nix-daemon")))) - (respawn? #f) - (stop #~(make-kill-destructor))))) +(define nix-shepherd-service + ;; Return a for Nix. 
+ (match-lambda + (($ package _ ...) + (list + (shepherd-service + (provision '(nix-daemon)) + (documentation "Run nix-daemon.") + (requirement '()) + (start #~(make-forkexec-constructor + (list (string-append #$package "/bin/nix-daemon")))) + (respawn? #f) + (stop #~(make-kill-destructor))))))) (define nix-service-type (service-type @@ -108,7 +134,7 @@ GID." (list (service-extension shepherd-root-service-type nix-shepherd-service) (service-extension account-service-type nix-accounts) (service-extension activation-service-type nix-activation))) - (default-value '()) - (description "Run the Nix daemon."))) + (description "Run the Nix daemon.") + (default-value (nix-configuration)))) ;;; nix.scm ends here diff --git a/gnu/tests/package-management.scm b/gnu/tests/package-management.scm new file mode 100644 index 0000000000..dbb9df22df --- /dev/null +++ b/gnu/tests/package-management.scm 
@@ -0,0 +1,131 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Oleg Pykhalov +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests package-management) + #:use-module (gnu packages base) + #:use-module (gnu packages package-management) + #:use-module (gnu services) + #:use-module (gnu services networking) + #:use-module (gnu services nix) + #:use-module (gnu system) + #:use-module (gnu system vm) + #:use-module (gnu tests) + #:use-module (guix gexp) + #:use-module (guix git-download) + #:use-module (guix packages) + #:export (%test-nix)) + +;;; Commentary: +;;; +;;; This module provides a test definition for the nix-daemon +;;; +;;; Code: + +(define* (run-nix-test name test-os) + "Run tests in %NIX-OS Guix operating system, which has nix-daemon running." + (define os + (marionette-operating-system + test-os + #:imported-modules '((gnu services herd)))) + + (define vm + (virtual-machine + (operating-system os) + (port-forwardings '((8080 . 
80))) + (memory-size 1024))) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-11) + (srfi srfi-64) + (gnu build marionette) + (web client) + (web response)) + + (define marionette + (make-marionette (list #$vm))) + + (mkdir #$output) + (chdir #$output) + + (test-begin #$name) + + ;; XXX: Shepherd reads the config file *before* binding its control + ;; socket, so /var/run/shepherd/socket might not exist yet when the + ;; 'marionette' service is started. + (test-assert "shepherd socket ready" + (marionette-eval + `(begin + (use-modules (gnu services herd)) + (let loop ((i 10)) + (cond ((file-exists? (%shepherd-socket-file)) + #t) + ((> i 0) + (sleep 1) + (loop (- i 1))) + (else + 'failure)))) + marionette)) + + (test-assert "Nix daemon running" + (marionette-eval + '(begin + ;; Wait for nix-daemon to be up and running. + (start-service 'nix-daemon) + (with-output-to-file "guix-test.nix" + (lambda () + (display "\ +with import ; + +derivation { + system = builtins.currentSystem; + name = \"guix-test\"; + builder = shell; + args = [\"-c\" \"mkdir $out\\necho FOO > $out/foo\"]; + PATH = coreutils; +} +"))) + (zero? (system* (string-append #$nix "/bin/nix-build") + "--substituters" "" "--debug" "--no-out-link" + "guix-test.nix"))) + marionette)) + + (test-end) + + (exit (= (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation (string-append name "-test") test)) + +(define %nix-os + ;; Return operating system under test. + (let ((base-os + (simple-operating-system + (service nix-service-type) + (service dhcp-client-service-type)))) + (operating-system + (inherit base-os) + (packages (cons nix (operating-system-packages base-os)))))) + +(define %test-nix + (system-test + (name "nix") + (description "Connect to a running nix-daemon") + (value (run-nix-test name %nix-os)))) + +;;; package-management.scm ends here -- 2.27.0
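Review bot: in the doc/guix.texi hunk the documented field name does not match the record: the @deftp table lists `@item @code{nix} (default: @code{nix})`, but the record added to gnu/services/nix.scm defines the field as `package` (`nix-configuration-package`), so `(nix-configuration (nix ...))` written as the manual describes would not build. Rename the @item to `package` (or the record field to `nix`) so the manual and the record agree.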
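Review bot: in the define-record-type* hunk the accessor for the `extra-config` field is named `nix-configuration-extra-options`, which breaks the `nix-configuration-<field>` naming the other three accessors follow; rename it to `nix-configuration-extra-config`. The `;list of strings` comments on `build-sandbox-paths` and `extra-config` also understate what the code accepts: both lists are unquoted inside the gexp as `'#$build-sandbox-paths` and `'#$extra-config`, and the manual text says "strings or objects", so "list of strings or file-like objects" would be accurate.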
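Review bot: in the nix-activation hunk, `(with-output-to-file "/etc/nix/nix.conf" ...)` runs on every activation and silently replaces whatever is in that file, so a hand-edited nix.conf is lost on the next reconfigure; that matches how Guix treats /etc, but it deserves a sentence in the manual, and the file should be written to a temporary name and moved into place with `rename-file` so an interrupted activation cannot leave a truncated configuration behind. Two smaller points in the same hunk: `(for-each (cut display <>) '#$extra-config)` emits the strings back to back with no separator, so two `extra-config` entries without trailing newlines land on one line, and `(for-each (lambda (line) (display line) (newline)) '#$extra-config)` avoids that; and the body still does `(use-modules (guix build utils) ...)` while the imported modules are now only `(source-module-closure '((guix build store-copy)))`, so it relies on that closure pulling in `(guix build utils)`; listing `(guix build utils)` explicitly alongside store-copy makes the dependency visible.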
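Review bot: in the gnu/tests/package-management.scm hunk the "shepherd socket ready" assertion cannot fail: the retry loop returns the symbol `'failure` when the socket never appears, and `test-assert` treats any non-`#f` value as a pass, so that branch should return `#f` (or raise an error). Also, for a patch titled "Fix sandbox" the only functional check is that `nix-build` exits 0, which it would also do with `sandbox = false`; add a test that reads `/etc/nix/nix.conf` inside the marionette and checks for the `sandbox = true` line that `nix-activation` writes, and ideally that the `build-sandbox-paths` line lists the Nix package's closure. Finally, `(port-forwardings '((8080 . 80)))` and the `(web client)` and `(web response)` imports are not used by any test in this file and look copied from another system test; drop them.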