guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 28ce4eae6b22ce566b0d35f6d7f408599a79c505
Author: Ludovic Courtès <[email protected]>
AuthorDate: Sat Jan 24 23:28:50 2026 +0100

    doc: cookbook: Update for unprivileged guix-daemon execution.
    
    * doc/guix-cookbook.texi (Setting Up a Head Node): Add note about unprivileged
    guix-daemon.  Remove ‘--build-users-group=guixbuild’ flag from ‘.service’
    snippets.  Mention “systemd timer” next to “crontab entry”.
    
    Change-Id: I72ac59d3ce8a5572dbeb8cb4c7764a8478f6e1ee
---
 doc/guix-cookbook.texi | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index eea1f96bf1..a08ad1d740 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -22,7 +22,7 @@ Copyright @copyright{} 2020 André Batista@*
 Copyright @copyright{} 2020 Christine Lemmer-Webber@*
 Copyright @copyright{} 2021 Joshua Branson@*
 Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
-Copyright @copyright{} 2023-2025 Ludovic Courtès@*
+Copyright @copyright{} 2023--2026 Ludovic Courtès@*
 Copyright @copyright{} 2023 Thomas Ieong@*
 Copyright @copyright{} 2024 Florian Pelz@*
 Copyright @copyright{} 2025 45mg@*
@@ -5958,6 +5958,15 @@ installation instructions (@pxref{Binary Installation,,, 
guix, GNU Guix
 Reference Manual}).  Thanks to the installation script, this should be
 quick.  Once installation is complete, we need to make some adjustments.
 
+@quotation Note
+Starting from Guix version 1.5.0, @command{guix-daemon} runs without
+root privileges by default; previously installed systems can also be
+migrated to this ``rootless'' mode (@pxref{Build Environment Setup,,,
+guix, GNU Guix Reference Manual}).  Learn more about this change in a
+@uref{https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/,
+2025 blog post}.
+@end quotation
+
 Since we want @code{guix-daemon} to be reachable not just from the head
 node but also from the compute nodes, we need to arrange so that it
 listens for connections over TCP/IP.  To do that, we'll edit the systemd
@@ -5972,13 +5981,12 @@ something like this:
 @ifnothtml
 @example
 ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon \
-    --build-users-group=guixbuild \
     --listen=/var/guix/daemon-socket/socket --listen=0.0.0.0
 @end example
 @end ifnothtml
 @ifhtml
 @example
-ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon 
--build-users-group=guixbuild --listen=/var/guix/daemon-socket/socket 
--listen=0.0.0.0
+ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon 
--listen=/var/guix/daemon-socket/socket --listen=0.0.0.0
 @end example
 @end ifhtml
 
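Review bot: The removal of `--build-users-group=guixbuild` from both ExecStart variants is unconditional, yet the note added in the previous hunk says previously installed systems "can also be migrated", which means some head nodes will still run the daemon with root privileges. Please state next to the snippet (or in the note) that the line shown is for the rootless setup and that an install that has not been migrated should keep its existing `--build-users-group=guixbuild` flag, so that an admin copying this line does not silently drop the build-users group on a daemon that also listens on 0.0.0.0.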
@@ -6027,7 +6035,7 @@ avoids collecting software they refer to.
 It may be a good idea to periodically remove unused bits from
 @file{/gnu/store} by running @command{guix gc} (@pxref{Invoking guix
 gc,,, guix, GNU Guix Reference Manual}).  This can be done by adding a
-crontab entry on the head node:
+systemd timer or a crontab entry on the head node:
 
 @example
 root@@master# crontab -e
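Review bot: The sentence now offers "a systemd timer or a crontab entry", but the example that follows in the visible context still opens with `crontab -e` only. Either add a matching timer example after the crontab one, or reword the sentence to make clear that the example shows the crontab variant, so the reader who picks the timer route is not left without instructions.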
