* bug#71352: branch master updated: services: nix: Mount Nix store read only.

From: Maxim Cournoyer @ 2024-06-04 2:34 UTC (permalink / raw)
To: 71352; +Cc: Oleg Pykhalov
(In reply to: <171695309234.24183.12881718488458327568@vcs2.savannah.gnu.org>; 1 reply; 4+ messages in thread)

Hello,

guix-commits@gnu.org writes:

> services: nix: Mount Nix store read only.
>
> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

This commit unfortunately appears to introduce a regression where
reconfiguring a system with the read-only /nix/store causes the
following error:

--8<---------------cut here---------------start------------->8---
guix system: error: chown: Read-only file system
--8<---------------cut here---------------end--------------->8---

With the accompanying strace output:

--8<---------------cut here---------------start------------->8---
20261 close(17)                         = 0
20261 chown("/nix/store", 0, 981)       = -1 EROFS (Read-only file system)
20261 close(13)                         = 0
20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
--8<---------------cut here---------------end--------------->8---

Are these chown calls still useful in the activation snippet?

--8<---------------cut here---------------start------------->8---
(define (nix-activation _)
  ;; Return the activation gexp.
  #~(begin
      (use-modules (guix build utils)
                   (srfi srfi-26))
      (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
                                   "/nix/var/nix/gcroots/per-user"
                                   "/nix/var/nix/profiles/per-user"))
      (chown "/nix/store"
             (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
      (chmod "/nix/store" #o775)
      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
                                       "/nix/var/nix/profiles/per-user"))))
--8<---------------cut here---------------end--------------->8---

If they are useful only the first time, perhaps we could catch the
exceptions for when it runs on an already read-only mounted /nix/store?

-- 
Thanks,
Maxim
* bug#71352: branch master updated: services: nix: Mount Nix store read only.

From: Oleg Pykhalov @ 2024-06-04 8:34 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 71352
(In reply to: Maxim Cournoyer, 2024-06-04 2:34; 1 reply; 4+ messages in thread)

Hello Maxim,

Thank you for your report. Apologies for any inconvenience caused by the
unexpected breakage.

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> guix-commits@gnu.org writes:
>
>> services: nix: Mount Nix store read only.
>>
>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
>
> This commit unfortunately appears to introduce a regression where
> reconfiguring a system with the read-only /nix/store causes the
> following error:
>
> guix system: error: chown: Read-only file system
>
> With the accompanying strace output:
>
> 20261 close(17)                         = 0
> 20261 chown("/nix/store", 0, 981)       = -1 EROFS (Read-only file system)
> 20261 close(13)                         = 0
> 20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
>
> Are these chown calls still useful in the activation snippet?
>
> (define (nix-activation _)
>   ;; Return the activation gexp.
>   #~(begin
>       (use-modules (guix build utils)
>                    (srfi srfi-26))
>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>                                    "/nix/var/nix/gcroots/per-user"
>                                    "/nix/var/nix/profiles/per-user"))
>       (chown "/nix/store"
>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>       (chmod "/nix/store" #o775)
>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>                                        "/nix/var/nix/profiles/per-user"))))
>
> If they are useful only the first time, perhaps we could catch the
> exceptions for when it runs on an already read-only mounted /nix/store?

Indeed, it is a good idea.

A hotfix for the issue was discussed and implemented. It has already
been pushed to the master branch. The fix involves a simple
'file-exists?' check. You can find more details in the discussion at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320

What do you think is preferable in this scenario: catching exceptions
or sticking with '(unless (file-exists? ...))'? Your thoughts on the
best approach here?

Regards,
Oleg.
* bug#71352: branch master updated: services: nix: Mount Nix store read only.

From: Maxim Cournoyer @ 2024-06-06 2:03 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: 71352
(In reply to: Oleg Pykhalov, 2024-06-04 8:34; 1 reply; 4+ messages in thread)

Hi Oleg,

[...]

>> Are these chown calls still useful in the activation snippet?
>>
>> (define (nix-activation _)
>>   ;; Return the activation gexp.
>>   #~(begin
>>       (use-modules (guix build utils)
>>                    (srfi srfi-26))
>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>                                    "/nix/var/nix/gcroots/per-user"
>>                                    "/nix/var/nix/profiles/per-user"))
>>       (chown "/nix/store"
>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>       (chmod "/nix/store" #o775)
>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>                                        "/nix/var/nix/profiles/per-user"))))
>>
>> If they are useful only the first time, perhaps we could catch the
>> exceptions for when it runs on an already read-only mounted /nix/store?
>
> Indeed, it is a good idea.
>
> A hotfix for the issue was discussed and implemented. It has already
> been pushed to the master branch. The fix involves a simple
> 'file-exists?' check. You can find more details in the discussion at
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>
> What do you think is preferable in this scenario: catching exceptions
> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
> best approach here?

Exceptions are usually better than 'check then do' as they avoid the
TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

By the way, 'Reported-by:' is a fine git trailer to use :-). I also use
'Fixes:' as a git trailer (trailer means they should be found at the
bottom of the commit message; these can be parsed with the
'git interpret-trailers' command).

-- 
Thanks,
Maxim
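The two alternatives debated above, check-then-act versus catching the failure, side by side in Guile. This is an added example written for this page, not Guix's own code and not the hotfix that landed in master: the helper names, the use of a scratch directory instead of /nix/store, and the choice of 'system-error with EROFS as the error to tolerate are all assumptions made here. It shows the point Maxim makes: the check-then-act form has a window between the check and the chown, and it also silently skips the ownership fix on a writable store that already exists, whereas the exception form performs the operation unconditionally and tolerates exactly the one failure that a read-only mount produces.

```scheme
;; Added example, not code from the Guix repository.  Run with:
;;   guile -s this-file.scm
;; It uses a scratch directory (assumption) so it needs no root and never
;; touches /nix/store.

;; Variant 1: check-then-act, the shape of the '(unless (file-exists? ...))'
;; hotfix.  Between 'file-exists?' and 'chown' the path can be created,
;; removed or mounted over by something else (TOCTTOU), and an existing
;; directory with the wrong owner is never corrected.
(define (setup-store/check-then-act path uid gid)
  (if (file-exists? path)
      'skipped
      (begin
        (mkdir path)
        (chown path uid gid)
        (chmod path #o775)
        'created)))

;; Variant 2: attempt the operation and handle the one failure we expect.
;; Guile signals failed POSIX calls as 'system-error; the errno is
;; recovered with 'system-error-errno'.  Only EROFS (the read-only mount
;; from the bug report) is treated as "nothing to do"; every other error
;; is re-thrown so a genuine problem still aborts activation.
(define (setup-store/catch path uid gid)
  (catch 'system-error
    (lambda ()
      (unless (file-exists? path)   ;mkdir on an existing dir would be EEXIST
        (mkdir path))
      (chown path uid gid)
      (chmod path #o775)
      'changed)
    (lambda args
      (if (= (system-error-errno args) EROFS)
          'read-only
          (apply throw args)))))

;; Exercise both variants on a fresh temporary directory (constructed
;; input).  Chowning to our own uid/gid is permitted without privileges,
;; so the exception path for EROFS is only hit on a real read-only mount.
(define (demo)
  (let* ((template (string-copy "/tmp/nix-store-example-XXXXXX"))
         (dir      (mkdtemp! template))
         (uid      (getuid))
         (gid      (getgid)))
    (dynamic-wind
      (lambda () #t)
      (lambda ()
        (list (setup-store/check-then-act dir uid gid) ;=> skipped: dir exists
              (setup-store/catch dir uid gid)))        ;=> changed: chown applied
      (lambda () (rmdir dir)))))

(display (demo))
(newline)
```

On a system where the scratch path is on a read-only file system, `setup-store/catch` returns `read-only` instead of aborting, which is the behaviour Maxim asks for in the first message; `setup-store/check-then-act` would return `skipped` only because the directory happens to exist, not because the store is known to be in the desired state.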
* bug#71352: branch master updated: services: nix: Mount Nix store read only.

From: Maxim Cournoyer @ 2024-06-24 2:47 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: 71352-done
(In reply to: Maxim Cournoyer, 2024-06-06 2:03; 0 replies; 4+ messages in thread)

Hi Oleg,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi Oleg,
>
> [...]
>
>>> Are these chown calls still useful in the activation snippet?
>>>
>>> (define (nix-activation _)
>>>   ;; Return the activation gexp.
>>>   #~(begin
>>>       (use-modules (guix build utils)
>>>                    (srfi srfi-26))
>>>       (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>>                                    "/nix/var/nix/gcroots/per-user"
>>>                                    "/nix/var/nix/profiles/per-user"))
>>>       (chown "/nix/store"
>>>              (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>>       (chmod "/nix/store" #o775)
>>>       (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>>                                        "/nix/var/nix/profiles/per-user"))))
>>>
>>> If they are useful only the first time, perhaps we could catch the
>>> exceptions for when it runs on an already read-only mounted /nix/store?
>>
>> Indeed, it is a good idea.
>>
>> A hotfix for the issue was discussed and implemented. It has already
>> been pushed to the master branch. The fix involves a simple
>> 'file-exists?' check. You can find more details in the discussion at
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>>
>> What do you think is preferable in this scenario: catching exceptions
>> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
>> best approach here?
>
> Exceptions are usually better than 'check then do' as they avoid the
> TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.

I'm closing this for now; I'm satisfied that working order has been
restored :-).

-- 
Thanks,
Maxim