From: Chris Marusich <cmmarusich@gmail.com>
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: help-guix@gnu.org
Subject: Re: udev-rules for my FST-01 gnuk security token
Date: Tue, 24 Jul 2018 22:09:22 -0700
Message-ID: <87h8knucjh.fsf@gmail.com>
In-Reply-To: <87pnzjiugu.fsf@gmail.com> (Chris Marusich's message of "Wed, 18 Jul 2018 23:57:05 -0700")

Chris Marusich <cmmarusich@gmail.com> writes:

> Arun Isaac <arunisaac@systemreboot.net> writes:
>
>> I am trying to get my FST-01 gnuk security token working on
>> GuixSD. According to their documentation
>> (https://www.fsij.org/doc-gnuk/udev-rules.html), I need to add a custom
>> udev-rule. I am trying to use the configuration shown below to achieve
>> the same. But, I don't see any file by the name "60-gnupg.rules" created
>> in my /run/current-system/profile/lib/udev/rules.d/. Am I doing
>> something wrong or is my expectation incorrect? Has anyone successfully
>> used a FST-01 gnuk security token in GuixSD?
>>
>> (use-modules (gnu))
>>
>> (define %gnuk-udev-rule
>>   (udev-rule
>>    "60-gnupg.rules"
>>    "ATTR{idVendor}==\"234b\", ATTR{idProduct}==\"0000\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\""))
>>
>> (operating-system
>>  (host-name "adamantium")
>>  (timezone "Asia/Kolkata")
>>  (locale "en_US.utf8")
>>  (bootloader (bootloader-configuration
>> 	      (bootloader grub-bootloader)
>> 	      (target "/dev/sda")))
>>  (file-systems (cons (file-system
>> 		      (device "my-root")
>> 		      (mount-point "/")
>> 		      (type "ext4"))
>> 		     %base-file-systems))
>>  (users %base-user-accounts)
>>  (packages %base-packages)
>>  (services
>>   (modify-services %base-services
>> 		   (udev-service-type
>> 		    config =>
>> 		    (udev-configuration
>> 		     (inherit config)
>> 		     (rules
>> 		      (append (udev-configuration-rules config)
>> 			      (list %gnuk-udev-rule))))))))
>>
>
> I was able to reproduce your issue by using "guix system build" and
> inspecting the profile of the built system.  It's missing the udev rule
> you added, like you said.  What's more concerning is the fact that it's
> missing the file "90-kvm.rules", which is supposed to be part of the
> default rules included in our udev service (see gnu/services/base.scm).
>
> Maybe it's a bug.  Could you open a bug report by emailing bug-guix@?

I understand what's happening, now.  It isn't a bug.  In short, your
rules are being used.  It's just a little confusing because Guix starts
udevd in a way that causes it to use a specific configuration directory
in the store, which is built to contain the union of all the specified
rules.  I'll explain more below.

If you run a VM with your OS configuration (via "guix system vm
my-os.scm"), you can follow along.  You have the following directories:

/run/current-system/profile/lib/udev/rules.d
/run/current-system/profile/etc/udev/rules.d

These come from the eudev package, as shown here (store item hash
abbreviated, since I cannot easily copy/paste from QEMU at the moment):

--8<---------------cut here---------------start------------->8---
# readlink /run/current-system/profile/lib/udev/rules.d
/gnu/store/...hv9c-eudev-3.2.5/etc/udev
# readlink /run/current-system/profile/etc/udev/rules.d
/gnu/store/...hv9c-eudev-3.2.5/etc/udev
--8<---------------cut here---------------end--------------->8---

However, udevd doesn't use these directories.  Examine its arguments:

--8<---------------cut here---------------start------------->8---
# ps -wwfe | grep udevd
root       251     1  0 10:12 ?         00:00:00 /gnu/store/...hv9c-eudev-3.2.5/sbin/udevd
--8<---------------cut here---------------end--------------->8---

It doesn't have any arguments.  In fact, we configure it via environment
variables.  Check them:

--8<---------------cut here---------------start------------->8---
# cat /proc/251/environ | tr '\000' '\n'
...
UDEV_CONFIG_FILE=/gnu/store/...f32r-udev.conf
EUDEV_RULES_DIRECTORY=/gnu/store/...cx44-udev-rules/lib/udev/rules.d
--8<---------------cut here---------------end--------------->8---

If you check that rules.d directory, you'll find your rules:

--8<---------------cut here---------------start------------->8---
# ls /gnu/store/...cx44-udev-rules/lib/udev/rules.d | grep gnupg
60-gnupg.rules
--8<---------------cut here---------------end--------------->8---

So, all is well.  If you run tools like udevadm to test the rules, you
should be able to confirm that your custom rules are being used.  By the
way, the kvm rules are here, too (thank goodness!):

--8<---------------cut here---------------start------------->8---
# ls /gnu/store/...cx44-udev-rules/lib/udev/rules.d | grep kvm
90-kvm.rules
--8<---------------cut here---------------end--------------->8---

But why does your system have rules.d directories in
/run/current-system/profile, if udevd isn't using them?  It's because
eudev happens to be included in the %base-packages (defined in (gnu
system)), which causes eudev (and its rules.d directories) to be
installed into your system profile.  The purpose of installing eudev
into the system profile is probably not to add these rules.d
directories, but rather to make things like the usual tools (e.g.,
udevadm) available to all users.

For more details on how all of this fits together, check out
gnu/services/base.scm and gnu/system.scm in the Guix source.  I hope
that helps!

-- 
Chris
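
Added example, not part of the original message or of Guix itself: the manual check described above (find udevd, read EUDEV_RULES_DIRECTORY from its environment, look for the rule file there) as one shell function. The helper names environ_get, find_udevd_pid and check_rule are hypothetical, and the script assumes the daemon's name in /proc/PID/comm is "udevd", matching the ps output shown in the message.

```shell
#!/bin/sh
# Report which rules directory the running udevd actually reads, and
# whether a given rule file is present in it.

# Print the value of variable $2 from the NUL-separated environ file $1.
environ_get() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Print the PID of the first process under proc root $1 named "udevd".
find_udevd_pid() {
    for comm in "$1"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        case "$(cat "$comm")" in
            udevd) d=${comm%/comm}; echo "${d##*/}"; return 0 ;;
        esac
    done
    return 1
}

# check_rule PROC_ROOT RULE_FILE
# Prints the effective rules directory on stdout.
# Returns 0 if RULE_FILE exists there, 1 if it does not,
# 2 if udevd is not running, 3 if the variable is not set.
check_rule() {
    pid=$(find_udevd_pid "$1") || { echo "udevd not found" >&2; return 2; }
    dir=$(environ_get "$1/$pid/environ" EUDEV_RULES_DIRECTORY)
    [ -n "$dir" ] || { echo "EUDEV_RULES_DIRECTORY not set" >&2; return 3; }
    echo "$dir"
    [ -e "$dir/$2" ]
}

# When called with a rule file name, check the live system (needs root to
# read udevd's environ), e.g.:  sh check-udev-rule.sh 60-gnupg.rules
if [ $# -gt 0 ]; then
    check_rule /proc "$1"
fi
```

The PROC_ROOT argument exists so the function can be pointed at a copied or constructed /proc tree as well as the live one.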
