Fixes <https://bugs.gnu.org/43039>.
Reported by Adam Griffiths <adam.lw.griffiths@gmail.com>.
Previously, a client could lead 'guix substitute' to run in a non-UTF-8
locale, such as the "C" locale. Consequently, 'guix substitute' would
now fail to decode UTF-8 file names such as those that appear in the
'nss-certs' package.
* guix/scripts/substitute.scm (guix-substitute): Set LC_MESSAGES, not LC_ALL.
When the store overlay is mounted, other processes such as kmscon, udev
and guix-daemon may open files from the store, preventing the
underlying install support from being umounted. See:
https://lists.gnu.org/archive/html/guix-devel/2018-12/msg00161.html.
To avoid this situation, mount the store overlay inside a container,
and run the installation from within that container.
* gnu/build/shepherd.scm (fork+exec-command/container): New procedure.
* gnu/services/base.scm (guix-shepherd-service): Support an optional PID
argument passed to the "start" method. If that argument is passed, ensure that
guix-daemon enters the given PID MNT namespace by using
fork+exec-command/container procedure.
* gnu/installer/final.scm (umount-cow-store): Remove it,
(install-system): run the installation from within a container.
* gnu/installer/newt/final.scm (run-install-shell): Remove the display hack.
We may want to run a container inside the MNT namespace, without jailing the
container. If RUN-CONTAINER is passed a null MOUNTS list, do not jail the
container.
* gnu/build/linux-container.scm (run-container): Do not call
MOUNT-FILE-SYSTEMS if MOUNTS list is empty.
Move the cow-store procedure from the service declaration in (gnu system
install) to (gnu build install), so that it can be called from within a
different context than Shepherd.
* gnu/build/install.scm (mount-cow-store, unmount-cow-store): New procedures.
* gnu/system/install.scm (make-cow-store): Remove it,
(cow-store-service-type): adapt it accordingly.
* gnu/packages/lisp-xyz.scm (cl-clack-handler-fcgi, sbcl-clack-handler-fcgi):
New variables.
(sbcl-clack): Extract revision and commit so that they can be factored with
sbcl-clack-handler-fcgi.
* gnu/services/virtualization.scm (secret-service-operating-system): New
procedure.
(hurd-vm-disk-image): Use it to ensure a Childhurd always includes the
secret-service.
(%hurd-vm-operating-system): Remove secret-service.
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
Fixes: https://issues.guix.gnu.org/43078
These options are already enabled in the kernel configs included in guix, but
might be missing from variants using a defconfig from the upstream kernel,
such as linux-libre-arm-generic and linux-libre-arm64-generic.
* gnu/packages/linux (%default-extra-linux-options): Enable
CONFIG_CGROUP_FREEZER, CONFIG_BLK_CGROUP, CONFIG_CGROUP_WRITEBACK,
CONFIG_CGROUP_SCHED, CONFIG_CGROUP_PIDS, CONFIG_CGROUP_FREEZER,
CONFIG_CGROUP_DEVICE, CONFIG_CGROUP_CPUACCT, CONFIG_CGROUP_PERF,
CONFIG_SOCK_CGROUP_DATA, CONFIG_BLK_CGROUP_IOCOST, CONFIG_CGROUP_NET_PRIO,
CONFIG_CGROUP_NET_CLASSID, CONFIG_MEMCG, CONFIG_MEMCG_SWAP,
CONFIG_MEMCG_KMEM, CONFIG_CPUSETS and CONFIG_PROC_PID_CPUSET.
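As an added check that is not part of this commit or of Guix itself: a POSIX shell script that reads a kernel `.config` and reports which of the cgroup options named above are absent or explicitly marked "is not set" (the duplicate CONFIG_CGROUP_FREEZER entry is listed once). The sample `.config` fragment it embeds is constructed for illustration; a real run points `missing_options` at a built kernel's `.config`.

```shell
#!/bin/sh
# Added example (not from Guix): verify a kernel .config has the cgroup
# options the commit enables in %default-extra-linux-options.

# Options named in the commit, deduplicated.
REQUIRED_OPTIONS="CONFIG_CGROUP_FREEZER CONFIG_BLK_CGROUP CONFIG_CGROUP_WRITEBACK
CONFIG_CGROUP_SCHED CONFIG_CGROUP_PIDS CONFIG_CGROUP_DEVICE CONFIG_CGROUP_CPUACCT
CONFIG_CGROUP_PERF CONFIG_SOCK_CGROUP_DATA CONFIG_BLK_CGROUP_IOCOST
CONFIG_CGROUP_NET_PRIO CONFIG_CGROUP_NET_CLASSID CONFIG_MEMCG CONFIG_MEMCG_SWAP
CONFIG_MEMCG_KMEM CONFIG_CPUSETS CONFIG_PROC_PID_CPUSET"

# Constructed sample fragment of a kernel .config (assumption, not a real
# Guix kernel config): some options set, one explicitly disabled, most absent.
make_sample_config() {
  cat <<'EOF'
CONFIG_CGROUPS=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
# CONFIG_MEMCG_KMEM is not set
CONFIG_CPUSETS=y
CONFIG_BLK_CGROUP=y
EOF
}

# missing_options FILE: print, one per line, each required option that is
# not set to y or m in FILE. An "is not set" comment counts as missing.
missing_options() {
  config="$1"
  for opt in $REQUIRED_OPTIONS; do
    grep -q '^'"$opt"'=[ym]$' "$config" || echo "$opt"
  done
}

# count_missing FILE: number of missing options, as a bare integer.
count_missing() {
  missing_options "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./check-cgroups.sh /path/to/.config
if [ "$#" -gt 0 ]; then
  n=$(count_missing "$1")
  if [ "$n" -eq 0 ]; then
    echo "all cgroup options present in $1"
  else
    echo "$n cgroup option(s) missing from $1:"
    missing_options "$1"
    exit 1
  fi
fi
```

The pattern `^OPT=[ym]$` deliberately accepts built-in or module, and rejects both a missing line and the `# OPT is not set` form, which is how a defconfig-derived variant such as linux-libre-arm-generic would typically drop an option.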
* gnu/services/virtualization.scm (%hurd-vm-operating-system): Add
secret-service.
(hurd-vm-shepherd-service): Use it to install secrets.
* doc/guix.texi (The Hurd in a Virtual Machine): Document it.
This adds a "secret-service" that can be added to a Childhurd VM to receive
out-of-band secrets (keys) sent from the host.
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
* gnu/services/virtualization.scm (secret-service-activation): New procedure.
(secret-service-type): New variable.
* gnu/build/secret-service.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.