guix-install.sh: Add the “kvm” GID to /etc/subgid.
* etc/guix-install.sh (SYSTEMD_REQUIRE): New variable.
(sys_create_build_user): Populate /etc/subgid.
Change-Id: I989c3ff682453d8d65e313c89fb751a20aa48bb8

daemon: Attempt to map the “kvm” group inside the build user namespace.
Fixes <https://issues.guix.gnu.org/77862>.
Previously, the ‘guix-daemon’ account (for unprivileged execution) would
typically have “kvm” as a supplementary group, but that group would not
be mapped in the build user namespace. Consequently, attempts to
‘chown’ a file to that supplementary group would fail with EINVAL.
The test suites of Coreutils, Python, and Go (among others) exercise
this chown-to-supplementary-group behavior, so they would all fail when
started by the unprivileged ‘guix-daemon’ even though they succeed when
started by ‘guix-daemon’ running as root.
Thanks to keinflue <keinflue@posteo.net> and Reepca Russelstein
<reepca@russelstein.xyz> for helping out.
* nix/libstore/build.cc (initializeUserNamespace): Add ‘extraGIDs’ and
‘haveCapSetGID’ parameters. Invoke ‘newgidmap’ when ‘extraGIDs’ is
non-empty and ‘haveCapSetGID’ is false. Honor ‘extraGIDs’ when
‘haveCapSetGID’ is true.
(maxGroups, guestKVMGID): New variables.
(kvmGIDMapping): New function.
(DerivationGoal::startBuilder): Set ‘ctx.lockMountsMapAll’ in the
CLONE_NEWUSER case. Pass ‘extraGIDs’ to ‘initializeUserNamespace’.
* tests/store.scm ("kvm GID is mapped"): New test.
Change-Id: I10ba710fc1b9ca1e3cd3122be1ec8ede5df18b40

daemon: Export as little as needed from libutil/spawn.cc.
* nix/libutil/spawn.cc (reset_writeToStderrAction, restoreAffinityAction)
(setsidAction, earlyIOSetupAction, dropAmbientCapabilitiesAction)
(chrootAction, chdirAction, closeMostFDsAction, setPersonalityAction)
(oomSacrificeAction, setIDsAction, setNoNewPrivsAction)
(addSeccompFilterAction, restoreSIGPIPEAction, setupSuccessAction)
(usernsInitSyncAction, usernsSetIDsAction, initLoopbackAction)
(setHostAndDomainAction, makeFilesystemsPrivateAction)
(makeChrootSeparateFilesystemAction, bindMount)
(mountIntoChroot, mountIntoChrootAction, mountProcAction)
(mountDevshmAction, mountDevptsAction, pivotRootAction)
(idMapToIdentityMap, lockMountsAction, runChildSetupEntry): Add ‘static’
qualifier.
* nix/libutil/spawn.hh: Remove the corresponding ‘extern’ declarations.
Change-Id: I3156d72d866f22fa31aa9a843f116771763ccb61

daemon: ‘runProgram’ exits with 127 upon ENOENT or similar.
This is in accordance with widespread conventions. Previously it would
exit with code 1, which was misleading.
* nix/libutil/util.cc (runProgram): Exit with 127 if ‘execv’ or ‘execvp’
fails.
Change-Id: I5df214afffda69aa329a25afbc48f6cbfdd0961c

gnu: wireshark: Build with lua@5.4
In this current version, wireshark needs lua-5.3 or higher to build with
lua scripting support.
* gnu/packages/networking.scm (wireshark)[inputs]: Remove lua-5.2;
add lua-5.4.
Change-Id: Ib37aec86b7e95ffc4196dabb0fd48ae6a69dcd1a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

gnu: labwc: Update to 0.9.2.
* gnu/packages/wm.scm (labwc): Update to 0.9.2.
Change-Id: I5aeae9bae6b0acaea5168ec4317fc29b1e4dee3a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

gnu: snac: Update to 2.83.
* gnu/packages/fediverse.scm (snac2): Update to 2.83.
Change-Id: Ice54f40f831953947763b1efa14d809a7826139e
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

services: cuirass: Start ‘cuirass register’ eagerly.
* gnu/services/cuirass.scm (cuirass-shepherd-service): Pass #:lazy-start?.
Change-Id: Ib91c82e74ce9c80616a3de693d858939e670a03d

services: cuirass: Validate specifications at build time.
This ensures problems in the spec are caught before the system is
instantiated.
* gnu/services/cuirass.scm (cuirass-configuration->specification-file):
New procedure.
(cuirass-shepherd-service): Use it instead of ‘scheme-file’.
Change-Id: I90187ed4ed1a51958159741a55b6dc635c97312a

gnu: n2p2: Update to 2.3.0.
* gnu/packages/maths.scm (n2p2): Update to 2.3.0.
Change-Id: Iffa53548eb91488a3610a243cb474fd020e476a9

gnu: n2p2: Fix build.
* gnu/packages/maths.scm (n2p2)[arguments]<#:phases>{post-unpack}:
Patch "shell" to "bash" in makefile.
Change-Id: Ib4973c195197415e1ac514b449247bc7f750a359

gnu: scregseg: Update to 0.1.3-0.78ebff8.
* gnu/packages/bioinformatics.scm (scregseg): Update to
78ebff8c3507752c3bfbc4db3f72f7e8a733e92f commit.
[arguments] <test-flags>: Provide "--pyargs".
<phases>: Remove 'build-extensions, and 'do-not-fail-to-find-sklearn.
[propagated-inputs]: Remove python-scikit-learn; add
python-scikit-learn-1.6.
[native-inputs]: Remove python-wheel; add python-setuptools.
Change-Id: Ic29e6be3b1fda0d664ed74dfc21da75cb5bcd656

gnu: Add python-scikit-learn-1.6.
* gnu/packages/machine-learning.scm (python-scikit-learn-1.6): New variable.
Change-Id: Ife1120b602163bd2ab316f0047d458480dabb947

gnu: python-zarr: Remove extra propagated-inputs.
* gnu/packages/python-xyz.scm (python-zarr):
[propagated-inputs]: Remove python-ipywidgets,
python-notebook, python-numpydoc, python-pydata-sphinx-theme.
Change-Id: Ie6161fb3fd3ff989cb09f0d1e7bb4c94aaad8fab
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>

gnu: python-numcodecs: Remove extra propagated-inputs.
* gnu/packages/python-xyz.scm (python-numcodecs):
[propagated-inputs]: Remove python-coverage and python-numpydoc.
Change-Id: Ia7f7e52dea7460c37b3eb5a64c23e1c53507fc68
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>

gnu: python-anndata: Add test dependency python-filelock.
This build issue was found while building dependents of python-zarr.
* gnu/packages/python-science.scm (python-anndata):
[native-inputs]: Add python-filelock; missing for tests.
Change-Id: Ia83b631bc321f43e7a51fa558753f6189530bd76
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>

gnu: Add python-durationpy.
* gnu/packages/python-xyz.scm (python-durationpy): New variable.
Change-Id: Ibb3ee965a1f121dc0301f3fdaaea2a432cad5010
Modified-by: Sharlatan Hellseher <sharlatanus@gmail.com>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>

gnu: aerich: Update to 0.9.2.
As it's a final program, all propagated inputs are moved to inputs.
* gnu/packages/databases.scm (aerich): Update to 0.9.2.
[arguments] <test-flags>: Skip one test searching for "uvx".
[inputs]: Add python-anyio, python-asyncclick, python-dictdiffer,
python-tortoise-orm, python-aiomysql, python-asyncmy, python-asyncpg,
python-psycopg, and python-tomli-w.
[propagated-inputs]: Remove python-asyncclick, python-asyncmy,
python-asyncpg, python-dictdiffer, python-pydantic, python-tomli-w, and
python-tortoise-orm.
[native-inputs]: Remove python-poetry-core; add python-pdm-backend,
python-pydantic-2, python-pydantic-settings, and python-tortoise-vector.
Change-Id: I9bcb13f0fc9f70428b5f794893d1a4bddf611a5d

gnu: Add python-tortoise-vector.
* gnu/packages/databases.scm (python-tortoise-vector): New variable.
Change-Id: Ib6646bc813fe04ba6e55b2b78dff373d2b52268e