* gnu/services.scm (privileged-program->activation-gexp): Warn when a
privileged-program appears to lack all possible privilege.
Change-Id: I68ed8cb2cff88b11b090cf99a2cc7d6264b888e0
* gnu/services.scm (privileged-program->activation-gexp): Add
‘let-system’ form to define staged ‘libcap’ variable. Use
‘supported-package?’ only when not cross-compiling.
Change-Id: Ifa9bd97b5dc8c3a162d8427533b41d3c30bac18d
* gnu/system/privilege.scm (<privileged-program>): Add a field
representing the program's POSIX capabilities.
(privileged-program-capabilities): New public procedure.
* doc/guix.texi (Privileged Programs): Document it.
* gnu/build/activation.scm (activate-privileged-programs): Take a LIBCAP
package argument providing setcap(8) to apply said capabilities.
* gnu/services.scm (privileged-program->activation-gexp): Pass said
package argument where supported. Include privileged-program-capabilities
in the compatibility hack.
* gnu/system.scm (<operating-system>): Add new privileged-programs
field, that defaults to…
(%default-privileged-programs): …this new variable, renamed from…
(%setuid-programs): …this, which is now defined as the empty list.
* doc/guix.texi (Setuid Programs): Rename this…
(Privileged Programs): …to this. Adjust all refs. Update all mentions
of ‘setuid’ (whether in prose, variable names, or code samples) to use
the new ‘privilege[d]’ terminology instead.
(operating-system Reference, X Window, Invoking guix system)
(Service Reference): Adjust likewise.
* gnu/services.scm (setuid-program->activation-gexp): Rename this…
(privileged-program->activation-gexp): …to this.
Operate on a list of <privileged-program> records.
(privileged-program-service-type): New variable, renamed from
setuid-program-service-type. Rename the service-type accordingly.
(setuid-program-service-type): Redefine as an alias for the above.
* gnu/build/activation.scm (activate-setuid-programs): Rename this…
(activate-privileged-programs): …to this.
Operate on a list of <privileged-program> records.
* gnu/services.scm (setuid-program->activation-gexp): Adjust caller.
Create /run/setuid-programs compatibility symlinks so that we can
migrate all users (both package and human) piecemeal at our leisure.
Apart from being symlinks, this should be a user-invisible change.
* gnu/build/activation.scm (%privileged-program-directory): New variable.
[activate-setuid-programs]: Put privileged copies in
%PRIVILEGED-PROGRAM-DIRECTORY, with compatibility symlinks to each in
%SETUID-DIRECTORY.
* gnu/services.scm (setuid-program-service-type): Update docstring.
* doc/guix.texi (Setuid Programs): Update @file{} name accordingly.
This guides newcomers who might stick a single (service …) form
in this field.
* gnu/services.scm (validate-service-list): New macro.
(%validate-service-list): New procedure.
* gnu/system.scm (<operating-system>)[services]: Add ‘sanitize’.
* gnu/home.scm (<home-environment>)[services]: Add ‘sanitize’.
Change-Id: I9e29bd9a078e87b627ab766fd669ba9de79f8473
This patch reverts the behavior introduced in
1819512073 which caused ‘modify-services’
clauses to only match a single instance of a service.
We will now match all service instances when doing a deletion or update, while
still raising an exception when trying to match against a service that does
not exist in the services list, or which was deleted explicitly by a ‘delete’
clause (or an update clause that returns ‘#f’ for the service).
Fixes: #64106
* gnu/services.scm (%modify-services): New procedure.
(modify-services): Use it.
(apply-clauses): Add DELETED-SERVICES argument, change to modify one service
at a time.
* tests/services.scm
("modify-services: delete then modify")
("modify-services: modify then delete")
("modify-services: delete multiple services of the same type")
("modify-services: modify multiple services of the same type"): New tests.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Fixes <https://issues.guix.gnu.org/63921>.
The regression was introduced in
dbbc7e9461, which changed the order of
services. As a result, someone using 'modify-services' could find
themselves with incorrect ordering of expressions in the "boot" script,
whereby the cleanup expressions would come after (execl ".../shepherd").
This, in turn, would lead shepherd to error out at boot with EADDRINUSE
on /var/run/shepherd/socket.
* gnu/services.scm (%delete-service, %apply-clauses): Remove.
(clause-alist): New macro.
(apply-clauses): New procedure.
(modify-services): Use it. Adjust docstring.
* tests/services.scm ("modify-services: do nothing"): Remove 'sort' call.
("modify-services: delete service"): Likewise, and add 't4' service.
("modify-services: change value"): Remove 'sort' call and fix expected value.
This patch causes MODIFY-SERVICES to raise an error if a reference is made to
a service which isn't in its service list. This it to help users notice if
they have an invalid rule, which is currently silently ignored.
* gnu/services.scm (%delete-service): new procedure
(%apply-clauses): new syntax rule
(%modify-service): remove syntax rule
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Previously, build-time metadata from (guix config) would be ignored when
available--e.g., when running /run/current-system/profile/bin/guix.
This is a followup to 316fc2acbb.
* gnu/services.scm (provenance-entry): Use 'current-channels' instead of
'current-profile' + 'profile-channels'.
Previously, evaluating an OS configuration with a childhurd (for
instance) would produce tens of lines like:
guix system: warning: representing setuid programs with '#<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:798 7ff97f6f7640> "/bin/passwd">' is deprecated; use 'setuid-program' instead
Now, it prints this one line:
gnu/system/hurd.scm:105:2: warning: representing setuid programs with file-like objects is deprecated; use 'setuid-program' instead
This change also means that extensions of 'setuid-program-service-type'
now have to provide a list of <setuid-program>, so it's stricter in this
sense.
* gnu/services.scm (setuid-program-file-like-deprecated): Remove.
(setuid-program-service-type)[extend]: Remove
'setuid-program-file-like-deprecated' call. Assume CONFIG and
EXTENSIONS are already lists of <setuid-program> records.
* gnu/system.scm (<operating-system>)[setuid-programs]: Add 'sanitize'
property. Change accessor name from '%operating-system-setuid-programs'
to 'operating-system-setuid-programs'.
(operating-system-default-essential-services)
(hurd-default-essential-services): Adjust accordingly.
(ensure-setuid-program-list): New macro.
(%ensure-setuid-program-list): New procedure, based on
'setuid-program-file-like-deprecated'.
New record <setuid-program> with fields for setting the specific user
and group, as well as specifically selecting the setuid and setgid bits,
for a program within the setuid-program-service.
* gnu/services.scm (setuid-program-file-like-deprecated): New function.
(setuid-program-service-type): Make use of
setuid-program->activation-gexp. Adjust the extend property to handle
<setuid-program>.
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
<setuid-record> list for each program entry.
* gnu/system.scm: (operating-system-setuid-programs): Renamed to
%operating-system-setuid-programs and replace it with new procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Replace
operating-system-setuid-programs with
%operating-system-setuid-programs.
* gnu/system/setuid.scm: New file.
* doc/guix.texi (Setuid Programs): Document <setuid-program>.
Co-authored-by: Brice Waegeneire <brice@waegenei.re>
* gnu/system.scm (operating-system-directory-base-entries): Remove code
to handle generation of "kernel" for linux-libre kernels.
(operating-system-default-essential-services): Instantiate
linux-builder-service-type.
(package-for-kernel): Move ...
* gnu/services.scm: ... to here.
(linux-builder-service-type): New variable.
(linux-builder-configuration): New type.
(linux-loadable-module-service-type): New variable.
* gnu/tests/linux-modules.scm (run-loadable-kernel-modules-test): Move
code to ...
(run-loadable-kernel-modules-test-base): ... new procedure here.
(run-loadable-kernel-modules-service-test): New procedure.
(%test-loadable-kernel-modules-service-0): New variable.
(%test-loadable-kernel-modules-service-1): New variable.
(%test-loadable-kernel-modules-service-2): New variable.
* doc/guix.texi: Document linux-loadable-module-service-type.
Signed-off-by: Danny Milosavljevic <dannym@scratchpost.org>
Fixes <https://bugs.gnu.org/44952>.
Reported by Mathieu Othacehe <othacehe@gnu.org>.
* gnu/services.scm (packages->profile-entry): Change 'with-monad' to
'mlet' with one binding.
This gets rid of a pointless 'local-file' warning when running
'guix system reconfigure FILE' and FILE is a relative file name.
* gnu/services.scm (provenance-entry): Wrap CONFIG-FILE in
'assume-valid-file-name'.
This is a follow-up of 755f365b02.
As (zlib) is autoloaded in (gnu build linux-modules), "guile-zlib" is needed
as an extension only when it is effectively used.
* gnu/installer.scm (installer-program): Remove "guile-zlib" from the extensions.
* gnu/machine/ssh.scm (machine-check-initrd-modules): Ditto.
* gnu/services.scm (activation-script): Ditto.
* gnu/services/base.scm (default-serial-port): Ditto,
(agetty-shepherd-service): ditto,
(udev-service-type): ditto.
* gnu/system/image.scm (gcrypt-sqlite3&co): Ditto.
* gnu/system/shadow.scm (account-shepherd-service): Ditto.
This commit adds support for GZIP compression for linux-libre kernel
modules. The initrd modules are kept uncompressed as the initrd is already
compressed as a whole.
The linux-libre kernel also supports XZ compression, but as Guix does not have
any available bindings for now, and the compression time is far more
significant, GZIP seems to be a better option.
* gnu/build/linux-modules.scm (modinfo-section-contents): Use
'call-with-gzip-input-port' to read from a module file using '.gz' extension,
(strip-extension): new procedure,
(dot-ko): adapt to support compression,
(ensure-dot-ko): ditto,
(file-name->module-name): ditto,
(find-module-file): ditto,
(load-linux-module*): ditto,
(module-name->file-name/guess): ditto,
(module-name-lookup): ditto,
(write-module-name-database): ditto,
(write-module-alias-database): ditto,
(write-module-device-database): ditto.
* gnu/installer.scm (installer-program): Add "guile-zlib" to the extensions.
* gnu/machine/ssh.scm (machine-check-initrd-modules): Ditto.
* gnu/services.scm (activation-script): Ditto.
* gnu/services/base.scm (default-serial-port): Ditto,
(agetty-shepherd-service): ditto,
(udev-service-type): ditto.
* gnu/system/image.scm (gcrypt-sqlite3&co): Ditto.
* gnu/system/linux-initrd.scm (flat-linux-module-directory): Add "guile-zlib"
to the extensions and make sure that the initrd only contains
uncompressed module files.
* gnu/system/shadow.scm (account-shepherd-service): Add "guile-zlib" to the
extensions.
* guix/profiles.scm (linux-module-database): Ditto.
This is a followup to 8e31736b0a.
* guix/scripts/system/reconfigure.scm (check-forward-update): Add
#:current-channels. Use it instead of OLD.
* gnu/services.scm (sexp->system-provenance): New procedure.
(system-provenance): Use it.
* gnu/machine/ssh.scm (<machine-ssh-configuration>)[allow-downgrades?]:
New field.
(machine-check-forward-update): New procedure.
(check-deployment-sanity)[assertions]: Call it.
* doc/guix.texi (Invoking guix deploy): Document 'allow-downgrades?'
field.
* gnu/services.scm (sexp->channel, system-provenance): New procedures.
* guix/scripts/system.scm (sexp->channel): Remove.
(display-system-generation): Use 'system-provenance' instead of parsing
the "provenance" file right here.
* gnu/services.scm (channel->code): Include CHANNEL's introduction, if
any, unless CHANNEL is the singleton %DEFAULT-CHANNELS.
(channel->sexp): Add comment.
* guix/scripts/system.scm (sexp->channel): Change pattern to allow for
extensibility.
This decouples startup of the Hurd from the "hurd" package, moving the RC
script into SYSTEM.
* gnu/packages/hurd.scm (hurd)[inputs]: Remove hurd-rc-script.
[arguments]: Do not substitute it. Update "runsystem.sh" to parse kernel
arguments and exec into --system=SYSTEM/rc.
(hurd-rc-script): Move to...
* gnu/services.scm (%hurd-rc-file): ...this new variable.
(hurd-rc-entry): New procedure.
(%hurd-startup-service): Use it in new variable.
* gnu/system.scm (hurd-default-essential-services): Use it.
* gnu/system/hurd.scm (%hurd-def%hurd-default-operating-system-kernel,
%hurd-default-operating-system): New exported variables.
* gnu/system/examples/bare-hurd.tmpl: New file.
* Makefile.am (EXAMPLES): Add it.
* tests/guix-system.sh: Add --target=i586-pc-gnu when testing it.
Fixes <https://bugs.gnu.org/40729>.
Reported by Christopher Baines <mail@cbaines.net>.
* gnu/services.scm (files->etc-directory)[assert-no-duplicates]: New
procedure.
Use it.
That way, more build requests are accumulated when running "guix system
build".
* gnu/services.scm (system-derivation): Use 'mapm/accumulate-builds'
rather than 'sequence'.
Previously 'fold-services' could end up traversing the same services in
the graph several times, which is what this change addresses.
The hit rate on the 'add-data-to-store' cache goves from 9% to 8% on
"guix system build desktop.tmpl -nd", and the number of lookups in that
cache goes from 4458 to 4383.
* gnu/services.scm (fold-services): Turn 'loop' into a monadic procedure
in %STATE-MONAD and use it to memoize values of visited services.
* gnu/services.scm (activation-script): Return a <program-file> rather
than a <scheme-file>.
* gnu/deploy.scm (guix-deploy): Remove handling for '--system'.
(show-help): Remove documentation for '--system'.
(%default-options): Remove default setting for 'system'.
Fixes a bug whereby services indirectly depended on would not be
automatically instantiated.
* gnu/services.scm (instantiate-missing-services): Loop back when the
length of ADJUSTED is greater than that of INSTANCES.
* tests/services.scm ("instantiate-missing-services, indirect"): New test.