References: <87imgvop9g.fsf@nckx> <20200517020535.GA3652@LionPure>
In-Reply-To: <20200517020535.GA3652@LionPure>
From: Josh Marshall
Date: Sun, 24 May 2020 15:19:54 -0400
Subject: Re: Propose to distribute a user-only install script, not admin required
To: Bengt Richter
Cc: guix-devel

Another non-chroot option is `fakechroot`, which seems to get the same effect without root. It does make me wonder why `chroot` requires privileged access at all.

As I'm slowly getting more familiar with guix, I increasingly think the internal design ought to change. I'm finding that how it works right now is inelegant if you need to shift the application of guix a little bit. If you want a native guix experience vs a secondary package manager, they have to be configured differently, and daemon details seem to need to leak to the client. For users who need unprivileged access to use guix, setup is more difficult when similar tools can work without hassle. Tracing back errors across the client and server requires extra knowledge of implementation to understand what errors actually mean, increasing the barrier to entry.
If guix changed such that it had the ability to work as a single standalone binary, and optionally checked something with dbus or a reserved unix socket to coordinate with an existing daemon, other instances of guix running on the system, or launch a daemon on demand, then the number of use cases where guix would just work would significantly increase. Having all functionality in a single binary would also make error handling and determination easier. There are ways to make the current approach accomplish all of these goals, but it would be more complex and seems like it is ultimately trying to approximate the restructuring I'm suggesting.

On Sat, May 16, 2020 at 10:05 PM Bengt Richter wrote:
>
> Hi Josh, Tobias, et al,
>
> On +2020-05-16 17:47:39 +0200, Tobias Geerinckx-Rice wrote:
> > Josh,
> >
> > Josh Marshall wrote:
> > > One thing which I think could significantly aid adoption would be to
> > > either add an option or add a new installer script with guix
> > > configured to install and run purely out of the user's home directory
> > > without any special permissions.
> >
> > An old but classic place to start is [0] which explains some of the problems
> > & trade-offs, and illustrates an approach that may or may not still work
> > today.
> >
> > My subjective impression was that this used to be more of a big deal (i.e. a
> > few years ago) than it is now. I don't know if it's less of a problem these
> > days, or people gave up on asking, or perhaps I'm not in the right channels
> > to hear the clamouring.
> >
> > Part of me thanks you for bringing this up again. I'm interested to see
> > where it goes.
> >
> > Another part of me fears that ‘rootless Guix’ is just the perfect excuse for
> > misguided admins to give their users a pale and flavourless Guix experience.
> > It would rather taint the brand.
> >
> > Kind regards,
> >
> > T G-R
> >
> > [0]: https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>
> (I hadn't seen [0] above, but now I have :) So I will be wondering if
> proot is a good path to get where I want to go. I hope this thread
> will provide further input).
>
> I am happy to see this suggestion, as I have been experimenting with
> re-writing guix-install.sh to do something very related:
>
> (I am assuming a user who _can_ do useradd and groupadd, or get it done,
> but wants to run guix totally without needing root privileges
> beyond that).
>
> It boils down to creating a new user-mode user called guixurootd
> to serve as "guix-root" daemon and manage running the builders
> with inter-user permission isolation but not involving root.
>
> I'm hoping some combination of group membership and permissions
> will enable safe multithread isolation without involving actual root
> privileges for guixurootd.
>
> My motivation was really not liking to run guix-install.sh as root.
> Big complex chains of actions that involve unnecessary global
> root privileges scare me, even if I can inspect the script.
>
> So my first thought was to split it into two: the part that can
> run fine without sudo to root (which is most of it) and the part that
> requires sudo to root, which is creating the daemon and builders, and
> writing to / and ~root, and something I forgot probably :).
>
> The latter requirement goes away when writing to / becomes
> writing to /home/guixurootd/ and /home/guixurootd/root
>
> I really would like the entire guix usage of "/" to become
> usage of "/home/guixurootd/" including /var /etc /root/.dotfiles
> /tmp and _everything_, so that the impact on a "foreign distro"
> is totally contained in the guixurootd $HOME file space plus
> the existence of the $HOME-less builders.
>
> I am in a design-churn phase for the moment, trying to
> factor everything into place ;-)
>
> Ideally installation could become something like
> --8<---------------cut here---------------start------------->8---
> 1. sudo sys_create_build_user # as defined in guix-install.sh
> 2. sudo useradd -U -G guixbuild \
>        -m -k $tmp_skeldir -s "$(which nologin)" \
>        -c "Guix user-root daemon" --system \
>        "guixurootd";
> 3. download and verify guixurootd-install.sh
> 4. sudo -u guixurootd guixurootd-install.sh
> --8<---------------cut here---------------end--------------->8---
>
> but wondering whether to live with /etc/skeldir (think not entirely)
> or what to put in $tmp_skeldir...
>
> Maybe even more ideally, the guixurootd daemon could populate itself
> by cloning the guix repo and automatically proceed according to
> https://guix.gnu.org/manual/en/html_node/Building-from-Git.html
>
> I.e. sudo -u guixurootd 'cd;bin/init' automatically would do
> git clone https://git.savannah.gnu.org/git/guix.git
> (BTW, should a specific commit be specified by install docs,
> to avoid becoming invalid due to later commit breakage??)
> (BTW2 any-whatever-install.sh should be version controlled and signed too, IMO :)
>
> I'm thinking skeldir/bin/init would be a minimal kick-start script to run
> build stuff from the repo. Or maybe skeldir/.profile could do it without a skeldir/bin
> ... wip ;-)
>
> So anyway git would store the repo at /home/guixurootd/guix/ and then
> the init script would somehow execute a "build-from-git" sequence
> automatically, at the end of which all other users on the machine
> have to do is set up their ~/.guix-profile and ~/.bash_profile
> to tie in, maybe starting with the (now deprecated?) advice to
> use /usr/local/bin like
>
> # mkdir -p /usr/local/bin
> # cd /usr/local/bin
> # ln -s /home/guixurootd/var/guix/profiles/per-user/root/current-guix/bin/guix
> if /var really were moved there ... wip ;)
>
> Anticipating potholes and brick walls ...
>
> One thing I'd like to do is make this new guixurootd-install.sh
> stateful -- I'm thinking by logging passed and failed milestones
> to a source-able file like a bash_history with dates in comments
> so that re-tries don't waste my time (or internet budget).
> Lines like
> autoconf=1 # 2020-05-17 01:56:55 +0200
> with the file initialized from a template with all steps =0
> and including the template version and where to find it, with
> self-referential hash :)
>
> Still wip ;-)
>
> I'm wondering whether to make guixurootd support login or not.
> Or just rely on sudo -u
> (Maybe some special setuid
> helper will have to be created for privilege lowering?
> I haven't got that far yet.
>
> Maybe it could be done without any changing of privileges at all,
> with the guixurootd daemon and builderXX processes cooperating
> by message passing using that new extent-swapping kernel api
> that atomically (IIUC) swaps page-sequences between files of
> cooperating users. That should be fast, since it's just like mmap
> table manipulation IIUC.
>
> So there's my 2 cents worth of bike shed paint :)
> Well, a little more, I hope. I'll be poking at it, but now
> will hope for ideas and prior art revelations here ;-)
>
> BTW, might encapsulating all of guix in the guixurootd $HOME file space
> serendipitously work with that systemd home encapsulator/migration-facilitator
> that I don't even know the right name of, possibly?
>
> --
> Regards,
> Bengt Richter
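The stateful milestone file Bengt describes in the quoted message, together with the split between the part of an installer that needs root and the part that does not, as an added example that is neither part of this thread nor Guix's own guix-install.sh. The state-file path, the step names (download, verify, autoconf) and the placeholder step commands are assumptions made for illustration; the file format (NAME=1 lines carrying the completion date in a trailing comment, initialised from a template with every step at 0 and a template-version comment) follows the message.

```shell
#!/bin/sh
# Added example, not from the thread or from guix-install.sh: a small
# "stateful installer" skeleton. Milestones live in a source-able state
# file as NAME=1 lines with the completion date in a trailing comment,
# so a re-run skips finished steps and retries only the ones that failed.
# The path, step names and placeholder commands below are assumptions.

STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/guixurootd-install.state}"

# Write the template: every step at 0, plus the template version
# (constructed for this example) so the file records where it came from.
init_state() {
    cat > "$STATE_FILE" <<'EOF'
# guixurootd-install.sh state file, template version 0 (example)
download=0
verify=0
autoconf=0
EOF
}

# True when the named step has already been recorded as passed.
step_done() {
    [ -f "$STATE_FILE" ] && grep -q "^$1=1" "$STATE_FILE"
}

# Replace the step's line with NAME=1 and a dated comment. The new file
# is written beside the old one and renamed, so an interrupted run can
# never leave a truncated state file behind.
mark_done() {
    step="$1"
    stamp=$(date '+%Y-%m-%d %H:%M:%S %z')
    tmp="$STATE_FILE.tmp"
    grep -v "^$step=" "$STATE_FILE" > "$tmp" || true
    printf '%s=1 # %s\n' "$step" "$stamp" >> "$tmp"
    mv "$tmp" "$STATE_FILE"
}

# Run "command..." for a step unless it already passed. A failing step
# stays at NAME=0, so the next invocation retries it.
run_step() {
    step="$1"; shift
    if step_done "$step"; then
        echo "skip: $step already passed"
        return 0
    fi
    if "$@"; then
        mark_done "$step"
    else
        echo "failed: $step (left at $step=0)" >&2
        return 1
    fi
}

# The unprivileged part of the installer refuses to run as root: the
# few actions that really need root (useradd and friends) belong in a
# separate, much shorter script that is the only thing run with sudo.
refuse_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this part as the guixurootd user, not as root" >&2
        return 1
    fi
    return 0
}

# Demo entry point, taken only when GUIXUROOTD_DEMO=1 is set; the
# chained && stops at the first failing step so later ones are not run.
if [ "${GUIXUROOTD_DEMO:-0}" = 1 ]; then
    refuse_root || exit 1
    [ -f "$STATE_FILE" ] || init_state
    run_step download sh -c 'echo "download (placeholder)"' &&
    run_step verify   sh -c 'echo "verify signature (placeholder)"' &&
    run_step autoconf sh -c 'echo "autoconf (placeholder)"'
fi
```

Run it with GUIXUROOTD_DEMO=1 as an unprivileged user; a second run prints "skip:" for every step already recorded, and editing a line back to NAME=0 (or deleting the file) is all it takes to force that step again. Because the state file is plain shell assignments, the same file can be sourced by a later script to read which milestones have passed.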