* How to install guix without root permission
@ 2017-01-06  0:59 rohit yadav
  2017-01-06 13:49 ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: rohit yadav @ 2017-01-06  0:59 UTC (permalink / raw)
  To: help-guix


Hi,

I am using guix for some time now and I must admit, it is very clean
compared to nix. However, I want to install it on a system where I do not
have root permission. Is it possible? If so, how?

Thanks,
Rohit


* Re: How to install guix without root permission
  2017-01-06  0:59 How to install guix without root permission rohit yadav
@ 2017-01-06 13:49 ` Ludovic Courtès
  2017-01-06 13:59   ` rohit yadav
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-01-06 13:49 UTC (permalink / raw)
  To: rohit yadav; +Cc: help-guix

Hello!

rohit yadav <rohityadav@utexas.edu> skribis:

> I am using guix for some time now and I must admit, it is very clean
> compared to nix. However, I want to install it on a system where I do not
> have root permission. Is it possible? If so, how?

It is possible, but currently inconvenient and brittle, as noted at the
bottom of:

  https://gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html

The problems are:

  1. you’d be producing binaries for, say, /home/rohit/gnu/store instead
     of /gnu/store, so you’d have to build everything by yourself since
     the substitutes from hydra.gnu.org are for use in /gnu/store;

  2. you’d have no build isolation and long file names, which is likely
     to break builds here and there (things will use stuff from /usr/bin
     and /lib, shebangs will be longer than the kernel-imposed limit,
     etc.)

There have been discussions to improve the situation, and work in that
direction will hopefully start this year¹.  The preferred approach will
be the “user namespace” feature of the kernel Linux; does your system
support it, out of curiosity?

Thanks,
Ludo’.

¹ See the discussion that starts at
  <https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00947.html>.


* Re: How to install guix without root permission
  2017-01-06 13:49 ` Ludovic Courtès
@ 2017-01-06 13:59   ` rohit yadav
  2017-01-06 14:18     ` Tobias Geerinckx-Rice
  2017-01-06 15:18     ` Ludovic Courtès
  0 siblings, 2 replies; 8+ messages in thread
From: rohit yadav @ 2017-01-06 13:59 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix

Thanks for the reply. The proot (https://proot-me.github.io/) project
allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
struggling is the guixbuild users and group creation, and running guix
daemon.

I am using kernel 4+, which supports namespaces. This reminds me to ask if
there is any effort to provide a lxc container for guixSD.

Thanks,
Rohit


* Re: How to install guix without root permission
  2017-01-06 13:59   ` rohit yadav
@ 2017-01-06 14:18     ` Tobias Geerinckx-Rice
  2017-01-06 15:53       ` Ludovic Courtès
  2017-01-06 15:18     ` Ludovic Courtès
  1 sibling, 1 reply; 8+ messages in thread
From: Tobias Geerinckx-Rice @ 2017-01-06 14:18 UTC (permalink / raw)
  To: rohityadav; +Cc: help-guix



Hullo,

On 06/01/17 14:59, rohit yadav wrote:
> Thanks for the reply. The proot (https://proot-me.github.io/) project
> allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
> struggling is the guixbuild users and group creation, and running guix
> daemon.

I do exactly that as regular user on a shared shell server.

I haven't used it for a while, so I'll have to take another look at how
exactly. Not today. Try it, I'd say. It's possible. It's a heck of a
hack, but it works, and it's fun! :-)

It avoids the drawbacks mentioned by Ludo', except for the lack of hard
build isolation: I just used --disable-chroot to side-step the build
user group issue. There may be ways around that too.

Good luck,

T G-R



* Re: How to install guix without root permission
  2017-01-06 13:59   ` rohit yadav
  2017-01-06 14:18     ` Tobias Geerinckx-Rice
@ 2017-01-06 15:18     ` Ludovic Courtès
  2017-01-06 23:26       ` rohit yadav
  1 sibling, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-01-06 15:18 UTC (permalink / raw)
  To: rohit yadav; +Cc: help-guix

rohit yadav <rohityadav@utexas.edu> skribis:

> Thanks for the reply. The proot (https://proot-me.github.io/) project
> allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
> struggling is the guixbuild users and group creation, and running guix
> daemon.

Yes, though PRoot relies on syscall interception using ptrace(2), which
is inefficient (which may or may not be a problem, depending on the
application).

> I am using kernel 4+, which supports namespaces.

Yes, but some distributions compile it out or turn it off by default.
See
<http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/environment.scm#n517>,
for a way to check whether user namespaces are enabled.

> This reminds me to ask if there is any effort to provide a lxc container for
> guixSD.

Not that I know of, but I don’t think it would help the non-root use
case.

Ludo’.


* Re: How to install guix without root permission
  2017-01-06 14:18     ` Tobias Geerinckx-Rice
@ 2017-01-06 15:53       ` Ludovic Courtès
  0 siblings, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2017-01-06 15:53 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: help-guix

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> On 06/01/17 14:59, rohit yadav wrote:
>> Thanks for the reply. The proot (https://proot-me.github.io/) project
>> allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
>> struggling is the guixbuild users and group creation, and running guix
>> daemon.
>
> I do exactly that as regular user on a shared shell server.

Oh, cool!

> It avoids the drawbacks mentioned by Ludo', except for the lack of hard
> build isolation: I just used --disable-chroot to side-step the build
> user group issue. There may be ways around that too.

OTOH, PRoot can presumably provide some level of isolation already,
by simply having /gnu/store visible to the guix-daemon process, and not
/usr/bin etc.

Good to hear that it works for you, I’ll have to give it a try!

Ludo’.


* Re: How to install guix without root permission
  2017-01-06 15:18     ` Ludovic Courtès
@ 2017-01-06 23:26       ` rohit yadav
  2017-01-07 21:06         ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: rohit yadav @ 2017-01-06 23:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix


On Fri, Jan 6, 2017 at 9:18 AM, Ludovic Courtès <ludo@gnu.org> wrote:

> rohit yadav <rohityadav@utexas.edu> skribis:
>
> > Thanks for the reply. The proot (https://proot-me.github.io/) project
> > allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
> > struggling is the guixbuild users and group creation, and running guix
> > daemon.
>
> Yes, though PRoot relies on syscall interception using ptrace(2), which
> is inefficient (which may or may not be a problem, depending on the
> application).

I am not greatly familiar with the lower level details of the linux kernel
yet. How a lot of these useful utilities work is not clear to me. I will
probably work on it sometime (any references?). For now, the performance is
not an issue. However, the main issue is how to create guixbuild group and
users?

> > I am using kernel 4+, which supports namespaces.

How should I check it? Currently I believe that ubuntu 16.04 LTS (host
os) supports cgroup for LXD (LXC containers).

> Yes, but some distributions compile it out or turn it off by default.
> See
> <http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/environment.scm#n517>,
> for a way to check whether user namespaces are enabled.
>
> > This reminds me to ask if there is any effort to provide a lxc container for
> > guixSD.
>
> Not that I know of, but I don’t think it would help the non-root use
> case.

Yes, I agree, it would make it really easy for people wanting to try
guixsd and in fact use it in production inside a lxc container. Also, from
a testing point of view it will be really easy, besides the container utility
provided by guix. Maybe not the highest priority for the developers right now.

>
> Ludo’.
>


* Re: How to install guix without root permission
  2017-01-06 23:26       ` rohit yadav
@ 2017-01-07 21:06         ` Ludovic Courtès
  0 siblings, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2017-01-07 21:06 UTC (permalink / raw)
  To: rohit yadav; +Cc: help-guix

rohit yadav <rohityadav@utexas.edu> skribis:

> On Fri, Jan 6, 2017 at 9:18 AM, Ludovic Courtès <ludo@gnu.org> wrote:
>
> > rohit yadav <rohityadav@utexas.edu> skribis:
> >
> > > Thanks for the reply. The proot (https://proot-me.github.io/) project
> > > allows you to map $HOME/gnu/store to /gnu/store etc. However, where I am
> > > struggling is the guixbuild users and group creation, and running guix
> > > daemon.
> >
> > Yes, though PRoot relies on syscall interception using ptrace(2), which
> > is inefficient (which may or may not be a problem, depending on the
> > application).
>
> I am not greatly familiar with the lower level details of the linux kernel
> yet. How a lot of these useful utilities work is not clear to me. I will
> probably work on it sometime (any references?). For now, the performance
> is not an issue. However, the main issue is how to create guixbuild group
> and users?

As I wrote to Tobias, it’s probably OK to use --disable-chroot (which
alleviates the need for build users) and ask PRoot to restrict file
system access to /gnu/store.

Still not as good as what you get by running guix-daemon as root
(separate UIDs, access to specific /gnu/store items), but probably “good
enough” as a first approximation.

> > > I am using kernel 4+, which supports namespaces.
>
> How should I check it?

Like this:

> > Yes, but some distributions compile it out or turn it off by default.
> > See
> > <http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/environment.scm#n517>,
> > for a way to check whether user namespaces are enabled.

HTH!

Ludo’.
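
Added example, not part of the thread and not the Guix code linked above: a shell check for the question raised here of whether unprivileged user namespaces are enabled on a host. The function name `userns_status` and its optional proc-root argument are this example's own choices; it looks at the kernel's namespace handle and at the `kernel.unprivileged_userns_clone` (Debian/Ubuntu kernels) and `user.max_user_namespaces` (Linux 4.9 and later) sysctls.

```shell
#!/bin/sh
# Report whether unprivileged user namespaces look usable on this host.
# $1 is the proc mount point (default /proc); it is a parameter only so the
# function can be exercised against a constructed directory tree.
userns_status() {
    proc=${1:-/proc}

    # A kernel built without CONFIG_USER_NS exposes no user namespace handle.
    if [ ! -e "$proc/self/ns/user" ]; then
        echo "unsupported: kernel has no user namespace support"
        return 1
    fi

    # Distribution-specific switch (Debian/Ubuntu kernels). When the file is
    # absent, this switch imposes no restriction.
    knob="$proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$knob" ] && [ "$(cat "$knob")" != "1" ]; then
        echo "disabled: kernel.unprivileged_userns_clone is not 1"
        return 2
    fi

    # Linux 4.9+: a limit of 0 means no user namespace can be created.
    limit="$proc/sys/user/max_user_namespaces"
    if [ -r "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo "disabled: user.max_user_namespaces is 0"
        return 3
    fi

    echo "enabled"
    return 0
}

# Check the live system; the exit status is ignored so the script never aborts.
userns_status || :
```

These are static checks; the definitive test is to create a namespace as the unprivileged user, for example with util-linux `unshare --user true`.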
