unofficial mirror of guix-patches@gnu.org 
From: Julien Lepiller <julien@lepiller.eu>
To: 41259@debbugs.gnu.org,me@tobias.gr
Subject: [bug#41259] [PATCH] etc: Add a systemd unit to bind-mount @storedir@ read-only.
Date: Thu, 14 May 2020 14:49:15 -0400
Message-ID: <0CDBC9C6-B6B1-4696-A2C0-7D5BD3BA887D@lepiller.eu>
In-Reply-To: <A2F0E860-28E9-42A6-AE02-0BDBB876106E@lepiller.eu>

On 14 May 2020 12:35:12 GMT-04:00, Julien Lepiller <julien@lepiller.eu> wrote:
>On 14 May 2020 10:01:51 GMT-04:00, Julien Lepiller <julien@lepiller.eu>
>wrote:
>>On 14 May 2020 09:48:46 GMT-04:00, Tobias Geerinckx-Rice via
>>Guix-patches via <guix-patches@gnu.org> wrote:
>>>* etc/gnu-store.mount.in: New file.
>>>* nix/local.mk (nodist_systemdservice_DATA): Add it.
>>>(etc/%.mount): New rule.
>>>* etc/guix-install.sh (sys_enable_guix_daemon): Install it.
>>>* doc/guix.texi (Binary Installation): Document it.
>>>---
>>>
>>>For
>>><https://lists.gnu.org/archive/html/help-guix/2020-05/msg00097.html>.
>>>
>>> doc/guix.texi          |  5 +++--
>>> etc/gnu-store.mount.in | 14 ++++++++++++++
>>> etc/guix-install.sh    | 12 +++++++++---
>>> nix/local.mk           | 12 +++++++++++-
>>> 4 files changed, 37 insertions(+), 6 deletions(-)
>>> create mode 100644 etc/gnu-store.mount.in
>>>
>>>diff --git a/doc/guix.texi b/doc/guix.texi
>>>index d6fbd85fde..5d80a7e405 100644
>>>--- a/doc/guix.texi
>>>+++ b/doc/guix.texi
>>>@@ -659,9 +659,10 @@ with these commands:
>>> @c
>>https://lists.gnu.org/archive/html/guix-devel/2017-01/msg01199.html
>>> 
>>> @example
>>>-# cp
>>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>>\
>>>+# cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
>>>+    
>>~root/.config/guix/current/lib/systemd/system/guix-daemon.service
>>>\
>>>      /etc/systemd/system/
>>>-# systemctl enable --now guix-daemon
>>>+# systemctl enable --now gnu-store.mount guix-daemon
>>> @end example
>>> 
>>> If your host distro uses the Upstart init system:
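
Review bot: the Binary Installation text should state the limits of what it now tells users to enable: the unit file is named gnu-store.mount while its What=/Where= are substituted from @storedir@, so these instructions only work for the default /gnu/store (the guix-install.sh hunk says as much in a comment), and once the mount is active a plain `rm` of store items fails even for root, as reported later in this thread, while the daemon itself keeps working. One sentence on each would save the support questions that the linked help-guix thread shows.
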
>>>diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
>>>new file mode 100644
>>>index 0000000000..c94f2db72b
>>>--- /dev/null
>>>+++ b/etc/gnu-store.mount.in
>>>@@ -0,0 +1,14 @@
>>>+[Unit]
>>>+Description=Read-only @storedir@ for GNU Guix
>>>+DefaultDependencies=no
>>>+ConditionPathExists=@storedir@
>>>+Before=guix-daemon.service
>>>+
>>>+[Install]
>>>+WantedBy=guix-daemon.service
>>>+
>>>+[Mount]
>>>+What=@storedir@
>>>+Where=@storedir@
>>>+Type=none
>>>+Options=bind,ro
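
Review bot: with DefaultDependencies=no and no ordering against the filesystem that holds @storedir@, the bind mount can be attempted before that filesystem is mounted when the store lives on its own partition; add `RequiresMountsFor=@storedir@` (or `After=local-fs-pre.target`). Also, WantedBy= only creates a Wants= relationship, so if the mount fails, or ConditionPathExists= is false, guix-daemon.service still starts with a writable store; if the read-only view is meant to be a guarantee rather than best effort, use `RequiredBy=guix-daemon.service` here so a failed mount blocks the daemon, and say which one is intended in the commit message. Two further caveats worth a comment in the file: systemd refuses a .mount unit whose name does not match the escaped Where= path, so this file is only valid for Where=/gnu/store despite the substitution, and util-linux older than 2.27 silently dropped `ro` when given together with `bind` and needed a separate remount, so a post-mount check (e.g. that `ro` appears in the mount's options in /proc/self/mountinfo) is a good idea in the installer or docs.
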
>>>diff --git a/etc/guix-install.sh b/etc/guix-install.sh
>>>index 4909d3f162..d252c132fb 100755
>>>--- a/etc/guix-install.sh
>>>+++ b/etc/guix-install.sh
>>>@@ -342,7 +342,13 @@ sys_enable_guix_daemon()
>>>                 _msg "${PAS}enabled Guix daemon via upstart"
>>>             ;;
>>>         systemd)
>>>-            { cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>>\
>>>+            { # systemd .mount units must be named after the target
>>>directory.
>>>+              # Here we assume a hard-coded name of /gnu/store.
>>>+              cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount"
>>>\
>>>+                 /etc/systemd/system/;
>>>+              chmod 664 /etc/systemd/system/gnu-store.mount;
>>>+
>>>+              cp
>>>"${ROOT_HOME}/.config/guix/current/lib/systemd/system/guix-daemon.service"
>>>\
>>>                  /etc/systemd/system/;
>>>               chmod 664 /etc/systemd/system/guix-daemon.service;
>>> 
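
Review bot: the new `cp` assumes the unit ships in the binary tarball, and later in this thread the installer is reported to fail precisely because it does not; since the commands in the group are `;`-separated, the failed copy is not what stops the script, the later `systemctl start gnu-store.mount` is, and the `_msg` never tells the user which unit was missing. Test for the file first (`[ -f "${ROOT_HOME}/.config/guix/current/lib/systemd/system/gnu-store.mount" ]`) and skip the mount with a message when absent, so older tarballs still get the daemon installed. Minor: 644 is enough for a unit file; 664 only mirrors the existing line for guix-daemon.service, and neither needs group write.
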
>>>@@ -357,8 +363,8 @@ sys_enable_guix_daemon()
>>> 	      fi;
>>> 
>>>               systemctl daemon-reload &&
>>>-                  systemctl start guix-daemon &&
>>>-                  systemctl enable guix-daemon; } &&
>>>+                  systemctl start  gnu-store.mount guix-daemon &&
>>>+                  systemctl enable gnu-store.mount guix-daemon; } &&
>>>                 _msg "${PAS}enabled Guix daemon via systemd"
>>>             ;;
>>>         sysv-init)
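
Review bot: `systemctl start gnu-store.mount guix-daemon` runs before `enable`, so any failure of the mount (store on a not-yet-mounted filesystem, missing unit, old util-linux) leaves the daemon neither started nor enabled, a regression from the previous behaviour. Enable first, or start the two units in separate commands so the daemon stays usable and the error message names the unit that failed.
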
>>>diff --git a/nix/local.mk b/nix/local.mk
>>>index a64bdd2137..435fdd389a 100644
>>>--- a/nix/local.mk
>>>+++ b/nix/local.mk
>>>@@ -155,7 +155,17 @@ noinst_HEADERS =						\
>>> 
>>> # The '.service' files for systemd.
>>> systemdservicedir = $(libdir)/systemd/system
>>>-nodist_systemdservice_DATA = etc/guix-daemon.service
>>>etc/guix-publish.service
>>>+nodist_systemdservice_DATA =			\
>>>+  etc/gnu-store.mount				\
>>>+  etc/guix-daemon.service			\
>>>+  etc/guix-publish.service
>>>+
>>>+etc/%.mount: etc/%.mount.in	\
>>>+			 $(top_builddir)/config.status
>>>+	$(AM_V_GEN)$(MKDIR_P) "`dirname $@`";	\
>>>+	$(SED) -e 's|@''storedir''@|$(storedir)|' <	\
>>>+	       "$<" > "$@.tmp";		\
>>>+	mv "$@.tmp" "$@"
>>> 
>>> etc/guix-%.service: etc/guix-%.service.in	\
>>> 			 $(top_builddir)/config.status
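
Review bot: the `etc/%.mount` rule takes the unit's basename from the .in file while substituting $(storedir) into What=/Where=, so for any `--with-store-dir` other than /gnu/store the build produces a gnu-store.mount that systemd will refuse to load. Either derive the target name from $(storedir) (`systemd-escape --path --suffix=mount "$(storedir)"`) or make the rule fail when $(storedir) is not /gnu/store, so the mismatch surfaces at build time rather than on the installed host. The question above about letting configure.ac do the substitution applies equally to this rule, but would not solve the naming on its own.
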
>>
>>I see that's how it's done with the existing service, but why sed the
>>.in file when we could let configure.ac take care of it?
>>
>>I'll try that on a VM of a foreign distro soonish and report. Thanks!
>
>I tested it on a Debian VM and it worked well. I tested the installer
>script and it fails at installing the .mount unit, because it does not
>exist in the tarball.
>
>After installing the unit manually, I could start the .mount service
>and found that I was not able to remove store items with rm. I
>checked that Guix is able to install new store items.

For non-systemd distros, adding the following line to /etc/fstab works:

@storedir@ @storedir@ none defaults,bind,ro 0 0

Then running "mount -a" remounts the store read-only.

I'm not sure how to integrate this properly in the installer script.
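A check for the end state both the .mount unit and the fstab line are meant to produce, as an added example that is not part of the patch or of any message in this thread: it reads the /proc/self/mountinfo format, where a read-only bind mount shows `ro` in the per-mount options while the underlying superblock still reports `rw`, so looking at the filesystem alone would miss it. The mountinfo content is a constructed sample, and `MOUNTINFO_FILE` and `store_is_readonly` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): verify that a store
# directory is covered by a read-only mount by parsing the
# /proc/self/mountinfo format.  Field 5 is the mount point and field 6
# the per-mount options; the superblock options after " - " stay "rw"
# for a read-only bind mount.  MOUNTINFO_FILE defaults to the live
# kernel view; the sample below is constructed for offline use.

SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 22 8:1 /gnu/store /gnu/store ro,relatime - ext4 /dev/sda1 rw
46 22 0:30 / /proc rw,nosuid - proc proc rw'

sample_file=$(mktemp)
trap 'rm -f "$sample_file"' EXIT
printf '%s\n' "$SAMPLE_MOUNTINFO" > "$sample_file"

# store_is_readonly DIR
#   0: DIR is a mount point whose per-mount options include "ro"
#   1: DIR is a mount point but writable
#   2: nothing is mounted on DIR (bind mount missing or not applied yet)
store_is_readonly() {
    dir=$1
    file=${MOUNTINFO_FILE:-/proc/self/mountinfo}
    # Keep the last matching line so a mount stacked on top of an
    # earlier one at the same path wins.
    opts=$(awk -v d="$dir" '$5 == d { o = $6 } END { print o }' "$file")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Offline demonstration against the constructed sample.
MOUNTINFO_FILE=$sample_file
for d in /gnu/store / /gnu; do
    rc=0
    store_is_readonly "$d" || rc=$?
    case $rc in
        0) echo "$d: read-only mount" ;;
        1) echo "$d: mounted read-write" ;;
        *) echo "$d: not a mount point" ;;
    esac
done
```

Unset `MOUNTINFO_FILE` (or point it at /proc/self/mountinfo) to run the same check against the live system after `systemctl start gnu-store.mount` or `mount -a`.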
