From 69710d1d3aa24cab57fe1f5521efe0fa96681538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Fri, 6 Jun 2025 13:40:50 +0200
Subject: [PATCH] =?UTF-8?q?services:=20guix:=20Populate=20/etc/subgid=20so?=
 =?UTF-8?q?=20guix-daemon=20can=20map=20the=20=E2=80=9Ckvm=E2=80=9D=20GID.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/services/base.scm (guix-activation): Add a line for ‘guix-daemon’ in /etc/subgid. (guix-shepherd-services): Add /run/privileged/bin to ‘PATH’.

Change-Id: Ic103d86986ce2ace194b0a4296a00278bf0617eb
---
 gnu/services/base.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 09e599c89ec056b11e8106a066151d023859f174..c43f39fe320d85dae44dfcc77428c8b835b987a4 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -2275,10 +2275,14 @@ guix-daemon have the right ownership."))
  ;; Make 'tar' and 'gzip' available so
  ;; that 'guix perform-download' can use
  ;; them when downloading from Software
- ;; Heritage via '(guix swh)'.
+ ;; Heritage via '(guix swh)'. Last,
+ ;; /run/privileged/bin is needed for
+ ;; 'newgidmap', used by the unprivileged
+ ;; daemon.
  (string-append "PATH="
  #$(file-append tar "/bin") ":"
- #$(file-append gzip "/bin")))
+ #$(file-append gzip "/bin") ":"
+ "/run/privileged/bin"))
  (if proxy
  (list (string-append "http_proxy=" proxy)
  (string-append "https_proxy=" proxy))
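Review bot: The new `/run/privileged/bin` entry is added to `PATH` unconditionally, while the comment justifying it says it exists only so the unprivileged daemon can find `newgidmap`; either make the entry conditional on `(not (guix-configuration-privileged? config))`, as the activation code in this same commit does, or reword the comment to state that the entry is also present, and harmless, for the privileged daemon. Placing the entry last keeps the `tar` and `gzip` directories ahead of it, which is the order the existing comment relies on for `guix perform-download`. The enclosing `guix-shepherd-services` body starts and ends outside the hunk, so whether `config` is reachable at this point cannot be confirmed from here.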
@@ -2383,7 +2387,24 @@ guix-daemon have the right ownership."))
  #$(if (null? (guix-configuration-build-machines config))
  #~#f
  (guix-machines-files-installation
- #~(list #$@(guix-configuration-build-machines config)))))))
+ #~(list #$@(guix-configuration-build-machines config))))
+
+ #$(and (not (guix-configuration-privileged? config))
+ ;; Augment /etc/subgid so that the "kvm" group can be mapped in
+ ;; the build user namespace. If a line is already present,
+ ;; assume it's correct.
+ #~(let ((port (open-file "/etc/subgid" "w+"))
+ (kvm (false-if-exception (getgrnam "kvm"))))
+ (when kvm
+ (let loop ()
+ (let ((line ((@ (ice-9 rdelim) read-line) port)))
+ (cond ((eof-object? line)
+ (format port "guix-daemon:~a:1~%"
+ (group:gid kvm)))
+ ((string-prefix? "guix-daemon:" line)
+ #t)
+ (else (loop))))))
+ (close-port port))))))
 
  (define-record-type*
  guix-extension make-guix-extension
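Review bot: `(open-file "/etc/subgid" "w+")` truncates the file on open — Guile's mode strings follow the fopen(3) convention, where `"w"` empties an existing file — so the read loop always sees EOF on its first iteration, every pre-existing subgid range belonging to other accounts is discarded, and the "If a line is already present, assume it's correct" comment can never hold; open with `(open-file "/etc/subgid" "a+")` instead, which creates the file if missing, reads from the start and appends the new `guix-daemon:` line at the end. Because the port is opened before the `(when kvm …)` guard, the truncation also happens on systems with no "kvm" group, where this code intends to change nothing. `close-port` is not protected by `dynamic-wind`, so an error raised by `read-line` leaks the port; minor, since the activation gexp is short-lived. The enclosing `guix-activation` gexp starts outside the hunk.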