From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Non-privileged daemons and offloading
Date: Mon, 20 Jun 2016 10:05:49 +0200
Message-ID: <87y460709u.fsf@gnu.org>
In-Reply-To: <5766991A.1020505@uq.edu.au> (Ben Woodcroft's message of "Sun, 19 Jun 2016 23:07:38 +1000")
To: Ben Woodcroft
Cc: help-guix

Hello!

What you describe here is a hot topic and definitely a commonly
requested feature.

The difficulty here is that we’re hitting limitations of the kernel,
which requires root privileges to set up a chroot and so on.

The way around it is Linux’ unprivileged “user namespaces”, as used by
‘guix environment --container’: they allow users to set up isolated
environments similar to what guix-daemon does, but without being root.
Unfortunately, this feature is disabled on some distros out of security
concerns (user namespaces are young and have a relatively bad track
record.)
You can check whether a system supports it like this:

    if [ -f /proc/self/ns/user ]
    then
        if [ -f /proc/sys/kernel/unprivileged_userns_clone ]
        then
            if [ `cat /proc/sys/kernel/unprivileged_userns_clone` -ne 0 ]
            then
                echo "unprivileged user namespaces supported"
            fi
        else
            echo "unprivileged user namespaces supported"
        fi
    fi

Regardless, it remains our best hope to support unprivileged daemons.
It would be nice to get stats on typical HPC systems.

Roel has been looking into these issues recently, so perhaps he has some
ideas.

The Nix daemon recently switched to user namespaces:

  https://github.com/NixOS/nix/commit/c68e5913c71badc89ff346d1c6948517ba720c93

We could backport this. However, running builds with UID 0 is
potentially disruptive: some packages are sensitive to this and behave
differently under UID 0 (I remember Coreutils’ test suite does.) Also,
this patch switches to user namespaces, but not specifically
_unprivileged_ user namespaces.

Using offloading as you suggest doesn’t help: you would still need a
daemon with access to /gnu/store.

(Thinking out loud.)

There’s a fun hack in mind that could kinda work provided you use only
substitutes, where you wouldn’t even need a daemon:

  1. Compute the derivation of the package you want; normally that
     requires a daemon to which we make ‘add-to-store’ RPCs, but we
     should be able to fake them altogether;

  2. Use (guix scripts substitute) to download a substitute for that
     package, and unpack it under ~/.local, say;

  3. Use ‘call-with-container’ (thus, unprivileged user namespace) to
     put yourself in an environment where /gnu/store/foo inside is a
     bind-mount to ~/.local/gnu/store/foo outside.

There would remain the problem of profiles and grafts, which are normal
derivations.

When you think about it, it amounts to reimplementing (part of) the
daemon functionality as a library, which is probably the way to go.
That is, we could implement ‘add-to-store’ and ‘build-derivations’ such
that they would operate locally under ~/.local. As a first milestone,
‘build-derivations’ could fail unless there’s a substitute available.

Food for thought! It would probably help if one of us could work on it
full time at some point…

Thanks,
Ludo’.