From: Ludovic Courtès
To: Sébastien Lerique
Cc: guix-science@gnu.org, zimoun
Subject: Re: Introducing Guix to HPC at my institution
Date: Tue, 30 Mar 2021 09:21:09 +0200
Message-ID: <87o8f1jee2.fsf@inria.fr>
In-Reply-To: <87blb1wgna.fsf@eauchat.org> (Sébastien Lerique's message of "Tue, 30 Mar 2021 10:54:01 +0900")
References: <878s6pds9t.fsf@eauchat.org> <87zgz3c17o.fsf@eauchat.org> <8735wva2p9.fsf@gnu.org> <87r1kdci49.fsf@eauchat.org> <877dlucsur.fsf@eauchat.org> <87k0pqrwub.fsf@inria.fr> <87blb1wgna.fsf@eauchat.org>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 10 Germinal an 229 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
Hi Sébastien,

Sébastien Lerique skribis:

> On 29 Mar 2021 at 21:03, Ludovic Courtès wrote:
>
>> Instead of installing the “regular” binary tarball inside a
>> namespace,
>> it might be easier to create a tarball like so:
>>
>> guix pack -RR -S /bin=bin -S /etc=etc guix bash
>>
>> … and to unpack the resulting tarball.

[...]

> Thanks! I `guix pack`'ed with a single -R since I shouldn't need
> PRoot, and had to add
>
> export GUIX_LOG_DIRECTORY=$HOME/.local/var/log

OK.

> to the environment setup in order to start guix-daemon. Then `guix
> install hello` warned at the beginning with
>
> user with UID 7352 not found
>
> and later failed with
>
> Backtrace:
> In ice-9/boot-9.scm:
> 1736:10 6 (with-exception-handler _ _ #:unwind? _ # _)
> In unknown file:
> 5 (apply-smob/0 #)
> In ice-9/boot-9.scm:
> 718:2 4 (call-with-prompt _ _ # default-prompt-handle…>)
> In ice-9/eval.scm:
> 619:8 3 (_ #(#(#)))
> In guix/ui.scm:
> 2164:12 2 (run-guix-command _ . _)
> In guix/scripts/offload.scm:
> 782:21 1 (guix-offload "x86_64-linux" "0" "1" "0")
> In unknown file:
> 0 (getpw 7352)
>
> ERROR: In procedure getpw:
> In procedure getpw: entry not found

Hmm, could it be that nscd is not running, and that /etc/nsswitch.conf
specifies a “non-standard” NSS plugin, such as ‘sssd’?

https://guix.gnu.org/manual/en/html_node/Application-Setup.html#Name-Service-Switch-1

Does ‘guix install hello --no-offload’ work around the issue?

> Another problem appeared for substitutes (as 'guix install hello' was
> rebuilding the world):
>
> $ guix archive --authorize < \
> /gnu/store/xb4szjambyi52bpnkjv080g2mlfqqpp0-profile/share/guix/ci.guix.gnu.org.pub
> guix archive: error: mkdir: Permission denied

I guess it’s trying to write to /etc/guix. You probably need to set
GUIX_STATE_DIRECTORY=$HOME/.local/var/guix here.

> I quickly went through `guix/scripts/pack.scm` and
> `gnu/packages/aux-files/run-in-namespace.c` to try and understand
> what `guix pack -R` does, but it looks like I need to learn more about
> namespaces before I can digest that. My high-level understanding from
> poking around is that the binaries from `guix pack -R` run inside a
> namespace where /gnu is bind-mounted (along with /proc, /dev, /sys,
> ...), but the rest of the host filesystem is still available, and
> other host processes can also be seen. Then, anything I run from
> inside the `guix pack`'ed bash inherits that namespace, which is what
> makes guix-daemon work.

Correct!

> If this is incorrect, could you maybe give a high-level overview of
> what it does? The documentation is a bit scarce on the topic (or I
> didn't find it).

The design and implementation are documented in blog posts:

https://guix.gnu.org/en/blog/2018/tarballs-the-ultimate-container-image-format/
https://hpc.guix.info/blog/2020/05/faster-relocatable-packs-with-fakechroot/

> I'm also wondering why `guix-daemon` must be invoked with
> `--disable-chroot`. Doesn't that make the reproducibility
> guarantees more brittle (according to the docs)?

True, but I think (?) that’s currently unavoidable in this setup…
though I forget why. You might want to try without ‘--disable-chroot’.

> Ok. My use cases here are:
> - trying to provide a setup that others can more-or-less easily try
> out to get a feel for Guix on the HPC cluster (if possible without
> duplicating /gnu/store), thus creating interest and user support for
> later presenting the case to sysadmins / university administration;

Safe sharing among users is not possible without a daemon coordinating
accesses to the store and acting as a trusted proxy.

> - getting to know the exact requirements that I would have to
> convince sysadmins to agree to, with rationales/explanations for
> the hardest-to-obtain. Getting them to run guix-daemon as root is
> probably a lost case, so I'd like to explore everything else that is
> possible.

Yeah.

> So let's transform my two questions above into the two following:
>
> 1. what would be the list of requirements that explain why guix-daemon
> must run as root? What does each of those requirements accomplish?

I think this article remains relevant:

https://hpc.guix.info/blog/2017/09/reproducibility-and-root-privileges/

> 2. knowing that my environment has user namespaces (and knowing that
> that may not be enough), would it be possible to set up guix-daemon as
> non-root with the assistance of a sysadmin (so say with root access
> during setup), with build users and all, and have it provide identical
> guarantees to a guix-daemon running as root? If not, why not, and
> could we work around that?

Good question. It should be possible to make the daemon run as
non-root; that’s what the trick with the ‘guix pack -R’ wrapper should
achieve, but it could also be a built-in capability.

Food for thought!

Thanks,
Ludo’.
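A pre-flight script for the non-root setup discussed in this thread, added here as an example (it is not code from the thread or from Guix): it exports the state and log directories named above, lists the NSS modules in /etc/nsswitch.conf that the pack's glibc cannot load when nscd is absent, and checks that unprivileged user namespaces work. The function names are mine; the nscd socket path /var/run/nscd/socket and the use of `unshare -U` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): pre-flight checks for
# running the guix-daemon from a `guix pack -R' tarball without root,
# assuming the $HOME/.local/var layout suggested in the thread.

# Directories guix-daemon writes to; without them it falls back to
# /var/guix and /var/log/guix, hence "mkdir: Permission denied" from
# `guix archive --authorize'.
pack_env() {
    export GUIX_STATE_DIRECTORY="${GUIX_STATE_DIRECTORY:-$HOME/.local/var/guix}"
    export GUIX_LOG_DIRECTORY="${GUIX_LOG_DIRECTORY:-$HOME/.local/var/log}"
    mkdir -p "$GUIX_STATE_DIRECTORY" "$GUIX_LOG_DIRECTORY"
}

# Print, one per line, the passwd/group/shadow/hosts NSS modules in
# nsswitch.conf that glibc itself does not ship (sss, ldap, winbind,
# systemd's myhostname, ...). The pack's glibc cannot load the host's
# copies, so `getpw 7352' fails unless a running nscd answers instead.
nss_nonstandard_modules() {
    nsswitch=${1:-/etc/nsswitch.conf}
    [ -r "$nsswitch" ] || return 0
    sed -e 's/#.*//' "$nsswitch" \
      | awk -F: '$1 ~ /^(passwd|group|shadow|hosts)$/ { print $2 }' \
      | tr ' \t' '\n\n' \
      | grep -Ev '^(files|dns|compat|db|hesiod|\[.*\])?$' \
      | sort -u
}

# True when the nscd socket the packed glibc would talk to exists (assumed path).
nscd_available() {
    [ -S "${1:-/var/run/nscd/socket}" ]
}

# True when an unprivileged user namespace can be created, which the
# pack's run-in-namespace wrapper needs (false too if unshare is absent).
user_namespaces_ok() {
    unshare -U -r true 2>/dev/null
}

# Summary to run in the shell that will start guix-daemon.
preflight_report() {
    pack_env
    echo "state dir: $GUIX_STATE_DIRECTORY, log dir: $GUIX_LOG_DIRECTORY"
    user_namespaces_ok && echo "user namespaces: ok" || echo "user namespaces: unavailable"
    mods=$(nss_nonstandard_modules)
    if [ -n "$mods" ] && ! nscd_available; then
        echo "warning: nsswitch.conf uses $(echo $mods) but nscd is not running:"
        echo "         expect 'getpw: entry not found'; nscd has to be enabled by root."
    fi
}
```

Source the file in the shell that will start guix-daemon and run `preflight_report`; the warning it prints corresponds to the getpw failure quoted above.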