Ludovic Courtès <[email protected]> writes:

> Hello,
>
> Tomas Volf <[email protected]> skribis:
>
>> I have package which does not build on a single machine, and only
>> relevant difference I can think of is that the guix-daemon is running in
>> unprivileged mode.  I do not have access to a second system with
>> unprivileged daemon to verify.
>>
>> I can reproduce the problem reliably, so if more information is needed,
>> just let me know.
>
> Is there a chance you could boil it down to a standalone package
> definition?  (I didn’t expect ‘copy-build-system’ to be sensitive to
> the few observable differences between root and unprivileged.)

I am not sure how many observable differences there actually are, but we
have decided to restrict the build in many interesting ways using the
apparmor and now we are just paying that off. ¯\_(ツ)_/¯

At $DAYJOB, I installed this patch https://issues.guix.gnu.org/80696,
which fixes the issue for me.

Now, standalone package definition.  The smallest definition I came up
with is the following:

--8<---------------cut here---------------start------------->8---
(use-modules (guix build-system copy)
             (guix download)
             (guix gexp)
             (guix packages))
(package
  (name "helm-kubernetes")
  (version "3.15.4")
  (source (origin
            (method url-fetch)
            (uri (string-append
                  "https://get.helm.sh/helm-v" version "-linux-amd64.tar.gz"))
            (sha256
             (base32
              "1afgf08z6hgy07kjk8fj7xkr8ma4qk2f1r33901nzz87zkn0yh0i"))))
  (build-system copy-build-system)
  (arguments
   (list
    #:phases
    #~(modify-phases %standard-phases
        ;; Unlike the built-in 'unpack phase, this one only extracts the
        ;; tarball and does not chdir into the extracted subdirectory.
        (replace 'unpack
          (lambda* (#:key source #:allow-other-keys)
            (invoke "tar" "-xvf" source))))))
  (home-page #f)
  (synopsis #f)
  (description #f)
  (license #f))
--8<---------------cut here---------------end--------------->8---

The source does not really matter, it just needs to be a tarball.  The
key is replacing the 'unpack phase.  The built-in phase ends with the
following:

--8<---------------cut here---------------start------------->8---
        ;; Attempt to change into child directory.
        (and=> (first-subdirectory ".") chdir)
--8<---------------cut here---------------end--------------->8---

The one used by the package above though does not change the current
working directory.  So when the install-license-files phase is looking
for the files to install, there is an apparmor deny resulting in scandir
returning #f, which fails to be matched.

Reproducing this is easy: I simply installed Ubuntu Desktop 24.04 into
a QEMU virtual machine, installed Guix and tried to build the package
above.  The build should fail in the install-license-files phase.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
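As an added illustration (not code from the message above or from Guix itself), here is the same replaced 'unpack phase rewritten so that it keeps the chdir that the built-in phase does, which side-steps the failure described above from the package side while the daemon patch is not yet deployed. It assumes the build side has `invoke` and `first-subdirectory` from (guix build utils), which copy-build-system imports by default; the `arguments` field drops into the reporter's package definition unchanged otherwise.

```scheme
;; Added example: a replacement 'unpack phase for copy-build-system.
;; The reporter's version stops after extracting the tarball, so later
;; phases run in the build root; under the AppArmor profile described
;; above, scanning that directory from install-license-files is denied
;; and scandir returns #f.  Changing into the extracted subdirectory, as
;; the built-in 'unpack phase does, keeps the phases looking inside the
;; source tree instead.
(arguments
 (list
  #:phases
  #~(modify-phases %standard-phases
      (replace 'unpack
        (lambda* (#:key source #:allow-other-keys)
          ;; Extract the tarball into the current (build root) directory.
          (invoke "tar" "-xvf" source)
          ;; Same tail as the built-in phase: enter the first
          ;; subdirectory (e.g. linux-amd64/ for the helm tarball) if
          ;; there is one.  `and=>' returns #f, not an error, when the
          ;; archive extracted flat, so this stays safe for such sources.
          (and=> (first-subdirectory ".") chdir))))))
```

With this phase the package from the reproducer should build even on the unprivileged daemon, since install-license-files no longer scans the denied directory; the daemon-side patch remains the proper fix for packages that legitimately stay in the build root.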
