guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 69710d1d3aa24cab57fe1f5521efe0fa96681538
Author: Ludovic Courtès <[email protected]>
AuthorDate: Fri Jun 6 13:40:50 2025 +0200

    services: guix: Populate /etc/subgid so guix-daemon can map the “kvm” GID.
    
    * gnu/services/base.scm (guix-activation): Add a line for ‘guix-daemon’
    in /etc/subgid.
    (guix-shepherd-services): Add /run/privileged/bin to ‘PATH’.
    
    Change-Id: Ic103d86986ce2ace194b0a4296a00278bf0617eb
---
 gnu/services/base.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 09e599c89e..c43f39fe32 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -2275,10 +2275,14 @@ guix-daemon have the right ownership."))
                                   ;; Make 'tar' and 'gzip' available so
                                   ;; that 'guix perform-download' can use
                                   ;; them when downloading from Software
-                                  ;; Heritage via '(guix swh)'.
+                                  ;; Heritage via '(guix swh)'.  Last,
+                                  ;; /run/privileged/bin is needed for
+                                  ;; 'newgidmap', used by the unprivileged
+                                  ;; daemon.
                                   (string-append "PATH="
                                                  #$(file-append tar "/bin") ":"
-                                                 #$(file-append gzip "/bin")))
+                                                 #$(file-append gzip "/bin") 
":"
+                                                 "/run/privileged/bin"))
                             (if proxy
                                 (list (string-append "http_proxy=" proxy)
                                       (string-append "https_proxy=" proxy))
@@ -2383,7 +2387,24 @@ guix-daemon have the right ownership."))
         #$(if (null? (guix-configuration-build-machines config))
               #~#f
               (guix-machines-files-installation
-               #~(list #$@(guix-configuration-build-machines config)))))))
+               #~(list #$@(guix-configuration-build-machines config))))
+
+        #$(and (not (guix-configuration-privileged? config))
+               ;; Augment /etc/subgid so that the "kvm" group can be mapped in
+               ;; the build user namespace.  If a line is already present,
+               ;; assume it's correct.
+               #~(let ((port (open-file "/etc/subgid" "w+"))
+                       (kvm (false-if-exception (getgrnam "kvm"))))
+                   (when kvm
+                     (let loop ()
+                       (let ((line ((@ (ice-9 rdelim) read-line) port)))
+                         (cond ((eof-object? line)
+                                (format port "guix-daemon:~a:1~%"
+                                        (group:gid kvm)))
+                               ((string-prefix? "guix-daemon:" line)
+                                #t)
+                               (else (loop))))))
+                   (close-port port))))))
 
 (define-record-type* <guix-extension>
   guix-extension make-guix-extension
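Review bot: The `open-file` call at the head of the added `let` opens /etc/subgid with mode `"w+"`, which in Guile follows fopen semantics and truncates the file to zero length before the `read-line` loop runs, so every pre-existing subordinate-GID line (for other users, or an earlier `guix-daemon:` entry) is discarded on each activation and the `string-prefix?` branch can never match because the first `read-line` already returns EOF. The truncation also happens when `getgrnam` fails and `kvm` is `#f`, so hosts without a "kvm" group lose the file's contents without anything being written back. Mode `"a+"` creates the file if it is missing and otherwise keeps it, and writes land at the end, which is what the `format` call needs: `#~(let ((port (open-file "/etc/subgid" "a+"))`; it is worth confirming with a pre-populated file that the read position starts at the beginning so the existing-line check works. The enclosing `guix-activation` definition starts outside the hunk.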
