bug#72337: Add /etc/subuid and /etc/subgid support

["Ludovic Courtès" <ludo@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 1537 bytes --]

Giacomo Leidi <goodoldpaul@autistici.org> skribis:

> This commit adds a Guix System service to handle allocation of subuid
> and subgid requests.  Users that don't care can just add themselves as a
> subid-range and don't need to specify anything but their user name.
> Users that care about specific ranges, such as possibly LXD, can specify
> a start and a count.
>
> * doc/guix.texi: Document the new service.
> * gnu/build/activation.scm (activate-subuids+subgids): New variable.
> * gnu/local.mk: Add gnu/tests/shadow.scm.
> * gnu/system/accounts.scm (sexp->subid-range): New variable.
> * gnu/system/shadow.scm (%root-subid): New variable;
> (subids-configuration): new record;
> (subid-range->gexp): new variable;
> (assert-valid-subids): new variable;
> (delete-duplicate-ranges): new variable;
> (subids-activation): new variable;
> (subids-extension): new record;
> (append-subid-ranges): new variable;
> (subids-extension-merge): new variable;
> (subids-service-type): new variable.
> * gnu/tests/shadow.scm (subids): New system test.
>
> Change-Id: I3755e1c75771220c74fe8ae5de1a7d90f2376635
> Signed-off-by: Giacomo Leidi <goodoldpaul@autistici.org>

Applied as well!  I took the liberty to make the changes below to the
documentation.

I’m sorry that it took me so long.  I appreciate your patience and the
time you took to polish this patch series; I like the end result!  And I
realize it’s quite an important feature that will unlock a few things.
Thumbs up!

Thanks,
Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 1729 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index f49154dc1b..fe84b52052 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18848,6 +18848,13 @@ User Accounts
 special-case and is automatically added whether or not it is specified.
 @end defvar
 
+@cindex containers, subordinate IDs
+The Linux kernel also implements @dfn{subordinate user and group IDs},
+or ``subids'', which are used to map the ID of a user and group to
+several IDs inside separate name spaces---inside ``containers''.
+@xref{subordinate-user-group-ids, the subordinate user and group ID
+service}, for information on how to configure it.
+
 @node Keyboard Layout
 @section Keyboard Layout
 
@@ -41524,13 +41531,15 @@ Miscellaneous Services
 
 @c %end of fragment
 
-@cindex Subids
-@subsubheading Subid Service
+@anchor{subordinate-user-group-ids}
+@cindex subordinate user and group IDs
+@cindex subid, subordinate user and group IDs
+@subsubheading Subordinate User and Group ID Service
 
-Among the virtualization facilities implemented by the Linux kernel, the is the
-concept of subordinate IDs.  Subordinate IDs allow for mapping user and group
+Among the virtualization facilities implemented by the Linux kernel is the
+concept of @dfn{subordinate IDs}.  Subordinate IDs allow for mapping user and group
 IDs inside process namespaces to user and group IDs of the host system.
-Subordinate user ID ranges (subids) allow to map virtual user IDs inside
+Subordinate user ID ranges (subuids) allow users to map virtual user IDs inside
 containers to the user ID of an unprivileged user of the host system.
 Subordinate group ID ranges (subgids), instead map virtual group IDs to the
 group ID of an unprivileged user on the host system.  You can access