IRC channel logs
2024-10-17.log
back to list of logs
<amano>Can I run xdg-dbus-proxy in guix shell --container to filter dbus calls? <amano>I also think there should be profiles for guix shell containers. <amano>Just like firejail profiles. <amano>It seems to me that guix shell --container can be made to substitute for firejail and apparmor. <amano>How can I choose a network namespace for guix shell --container? <civodul>amano: you cannot choose; ‘guix shell -CN’ creates a shell in the parent network namespace, if that helps <civodul>would be nice to have something more fine-grain <amano>Firejail calls xdg-dbus-proxy in response to firejail profiles. <civodul>i’m not familiar with xdg-dbus-proxy so i’m not sure <civodul>but note that ‘guix shell’ was not initially designed as a replacement for things like Firejail <civodul>there are plans to do something like that with ‘least-authority-wrapper’ though <amano>I wish guix shell was able to just restrict /gnu/store so that firejail can restrict the rest. <amano>Firejail cannot restrict /gnu/store. <amano>--container restricts /gnu/store and knocks out the rest. <civodul>maybe Firejail could run inside ‘guix shell -CN’? <amano>guix shell --container knocks out the entire filesystem outside /gnu/store. <amano>Perhaps, I can --share and --expose everything outside /gnu/store so that firejail can restrict the rest. <amano>But, I don't know whether firejail can run inside guix shell --container. <amano>Where can I find least-authority-wrapper? <civodul>it’s only used for a few system services so far <amano>least authority wrapper is not fleshed out. <amano>it's just there to remind someone to work on it. <civodul>in a way yes, but it’s also actually used for system/home services <amano>If firejail can be run inside guix shell --container, the easiest way would be to --share and --expose everything and let firejail restrict everything. <civodul>in which case ‘guix shell’ becomes much less useful, no? <civodul>dunno, maybe worth discussing on the mailing list <decfed>just came in: patch #73842 enabling to generate AppImage files directly with guix pack. Would be great to get some review. <vhns>The documentation to etc-service-type mentions extending it with an example of a change to the /etc/issue file. But, upon trying so, I get 'guix system: error: duplicate 'issue' entry for /etc'. Am I perhaps extending it wrongfully? Snippet: https://paste.debian.net/plain/1332534 <Rutherther>vhns: something already extends etc with "issue", so now you have two files named "issue" in there. There has to be just one <vhns>Hmm. Could it be the default %desktop-services? <Rutherther>vhns: no, it is actually directly in the definition of etc service configuration, being part of the default value operating-system-default-essential-services that goes into essential-services of your operating-system. So you would have to use modify-services on operating-system-default-essential-services and put that to essential-services of operating-system, not to services <vhns>I see. I don't think I got quite there yet in scheme/guix skills to know how to do that right now. <vhns>Rutherther: all is well, upon inspecting 'operating-system reference' documentation, it already has a 'issue' option available. My bad. <vhns>Tho I wonder if that /etc/issue even is a good example for etc-service-type then <vhns>Rutherther: one last question, how did you manage to follow the definition/dependency source of it like you did? <Rutherther>vhns: oh right I skimmed over that issue field and missed the point of it. The way I did it, I just grepped the source for "issue" and followed it back to operating-system <apteryx>is it typical of UEFI firmware upgrades to erase the UEFI boot menu entries? <apteryx>post upgrade it no longer saw my nvme drives as bootable; I had to do the chroot thing and reconfigure to have the UEFI boot menu restored. <User-42>hello, i'm trying to set up a script to be run from mcron as a service, but finding it difficult to debug. Here is my setup: https://pastebin.com/AB5dVvYc - it should be running at the beginning of each minute and at least log something to ~/.synclog, but it does not! how could i find out what goes wrong? <attila_lendvai>if you ask me, the state of logging in guix (or lack thereof?), and inspectability in general is not up to what i'd like it to be <Rutherther>User-42: I think the home mcron service doesn't have a log dir set up by default, at least that was what I concluded when I tried searching for that. So you can set the home-mcron-service-type log-file option so the output is somewhere you can reach it, and check that <User-42>i only see log? boolean and log-format as options to home-mcron-service-type <Rutherther>it has log-file option, see the mcron-configuration, it is basically the same <User-42>i have not set a log-file for the home service configuration, with an absolute path, but no log is created <Rutherther>User-42: and the service has been restarted, yes? <Franciman>hi, did you make any progress on jemalloc and glibc issues? <Franciman>i was not able to do much more, maybe i will try to bump to version 5.5.6 of telegram-desktop <yvs>Hi evetyone, what's a proper way to use linux capabilities on guix system? Calling ping, got % ping 127.1 <yvs>ping: socktype: SOCK_RAW <yvs>ping: socket: Operation not permitted <yvs>ping: => missing cap_net_raw+p capability or setuid? <yvs>Then: % sudo setcap cap_net_raw+ep $(readlink $(which ping)) <yvs>Failed to set capabilities on file '/gnu/store/gw2ynznvw7rj5dypdb1qxrfc72agmvb8-iputils-20221126/bin/ping': Read-only file system <z572>see privileged-program-service-type <Rutherther>yvs: are you by any chance in a container? on guix system this is solved by privileged programs service. Ping is there by default. It copies files from the store to /run/privileged/bin and sets setuid/setgid/capabilities. It is not possible to get capabilities on programs from store, as that would be inherently dangerous <yvs>No idea about container, it's on guix linux which I've used for testing for a while. Just can can sort out how to use basic ping ... <yvs>typo "can can" -> "cannot" <Rutherther>yvs: did you by any chance change privileged-programs of operating-system? if not, do you have /run/privileged/bin/ping present? <yvs>shell says: no such file or directory (system is recently updated with recommended `git pull; git package -u` <yvs>i.e. guix pull; guix package -u <Rutherther>yvs: that doesn't update your system. That updates your user profile packages <yvs>What's a system config in terms of Guix system? /etc? <yvs>Is it system.scm? `locate gnu/system.scm | wc -l` returns 8 files <Rutherther>yvs: it's the declaration that says what your system looks like, what services there are and such. No, it's not /etc, most of /etc is made from the configuration. Though it's true that when you install guix it is usually put to /etc/guix <Rutherther>yvs: that is likely a file from guix channel having the operating-system record definition. So that can't be your system config <yvs>% sudo ls -l /etc/guix <yvs>lrwxrwxrwx 1 root root 47 Oct 17 11:00 acl -> /gnu/store/yw6cagjnf29rrklagxxisqmb0s9jw82v-acl <yvs>-rw------- 1 root root 528 Jun 13 2023 acl.bak <yvs>-r--r--r-- 1 root root 118 Jun 13 2023 signing-key.pub <yvs>-r-------- 1 root root 192 Jun 13 2023 signing-key.sec <Rutherther>how long have you been using guix system that you don't know what config is? did you use the tui installer to install it so you completely missed what the config is? <janneke>civodul: fwiw, my old hurd installer patch tried to also cross build the installer system for the Hurd <janneke>maybe we want to do that later some time :) <Rutherther>yvs: if you really don't know, your last configuration should be also provided in /var/guix/profiles/system/configuration.scm, so you can copy that. That is if you used just that file for your own configuration, otherwise it might not work. <yvs>@Rutherther it was installed maybe one year ago for a couple tests and look at how it works. I forgot details, just recently turn it on again <Rutherther>yvs: okay. I am not sure when ping was put to default privileged programs, would guess more than a year ago, but maybe it wasn't there. To update your system use guix system reconfigure. <Rutherther>yvs: Also I realized it is /etc/system.scm, not under /etc/guix by default. <yvs>there's no /etc/system.scm, but something like that in /etc/config.scm. I've run reconfigure with that file.. suppose it'll take a lot of time.. <civodul>janneke: surely! does that no longer work? <janneke>civodul: it never worked and i gave up...smaller steps now <yvs>@Rutherther after reconfiguring and rebooting, now there's privileged a new ping in /run/privileged/bin/ping with setuid... It works, but wanted a bit more std ping like iputils-ping with linux std caps... <yvs>So, probably it needs to find `privileged-program-service-type` config example somewhere, and set setcap on iputils ping in some way <Rutherther>yvs the default one is inetutils one. If you want different one, use privileged-programs field of operating system. You can modify "%default-privileged-programs" - remove ping from there and provide your own <yvs>thanks, that one is from std iputils-ping package (a bit more functional), just trying to google out some example of config for privileged program with linux capabilities and not to use the full root setuid <yvs>Yes, it is (at least look like that). Thank you very much for hints. <amano>Does guix shell --container wipe supplementary groups? <Rutherther>amano it has different user and group namespace. I dont think it can be changed with guix shell options. You seem to have requirements where it would be better to use custom solution <amano>Firejail has granular control over groups. <amano>At least, firejail lets me keep supplementary groups. <amano>Seatd requires a user to be in seatd group. guix shell --container breaks that. <amano>Not using logind means dropping supplementary groups will lead to issues because logind turns the logged-in user into a second owner of device files. <amano>I wish guix shell lets me just restrict /gnu/store and doesn't modify the rest of the filesystem. <amano>Then, firejail can easily take over the rest. <amano>I don't want to do something customized. I don't have time to create everything. <gabber>amano: what are you trying to do, exactly? <amano>Perhaps, guix shell can be made to replace firejail <amano>Guix deevelop = guix shell + shepherd service <gabber>use the package? upgrade it? make use of it within a container? not sure i can follow just yet <amano>I wish guix shell replaced firejail entirely. <amano>guix shell --container drops supplementary groups which I may need. <amano>It doesn't pick a network namespace. <gabber>amano: sooo, you might write a patch for that? does not sound too complicated ;) <amano>I am not God. I can't create everything.... <gabber>nobody asks you to create everything <gabber>maybe (i am not an expert) this is not even /that/ hard to accomplish <amano>Making pencils from scratch requires millions of people. Writing guix from scratch requires millions of people. If you try to add more and more, eventually you will be paralyzed. <amano>I don't think I can earn enough money as a guix developer. <amano>I want to move fast in other areas of life. <dthompson>I'm unsure what "a network namespace" means exactly. when you fork a process to establish a container, there are many namespaces to choose from: mount, pid, network, user, etc. <amano>dthompson: sudo ip netns list <amano>firejail --netns=network-namespace ... <amano>In theory, you can run `sudo ip netns exec network-namespace guix shell --container ...`, but that requires sudo privilege. <dthompson>I'd have to double-check the code but I think our --network flag just establishes a new namespace <amano>--network flag just prevents guix shell from creating a new unshared network namespace. <amano>Without --network, guix shell --container creates a new unshared network namespace. <yelninei>hi, is the install-script currently broken for sysvinit? I am getting this error : ./guix-install.sh: line 163 sysv-init_REQUIRE[@]: invalid variable name <dthompson>--network sets CLONE_NEWNET in the bitmask passed to the 'clone' syscall <amano>Is there a way to make guix fiddle with network namespace and do various `ip xxx` trickery before creating a guix shell? <amano>I mean doing so without root privilege. <amano>Firejail is a SETUID binary which can fiddle with network namespace and network interface and firewall before executing a program. <amano>I usually just use a pre-made network namespace, but firejail can do root operations before executing a program. <dthompson>guix shell is not setuid and likely should not be <yelninei>i think bash does not like the - in the variable name and the thing should expand to SYSV_INIT_REQUIRE instead of sysv-init_REQUIRE <amano>I thoguht guix daemon has root privilege? <amano>guix shell can communicate with guix daemon to fiddle with network namespace and network interfaces. <amano>Or, can guix shell pick an existing network namespace without root privilege? <dthompson>allowing for choosing an existing named namespace makes sense to me <Rutherther>amano guix daemon is for building derivations. This is not building, so daemon has no play here. <dthompson>maybe --network would do the current thing of creating a new namespace, but --network=foo would instead use an existing namespace <amano>But, firejail uses SETUID root privilege to pick a network namespace. <amano>Will `guix develop` be able to run xdg-dbus-proxy in a guix shell container? <amano>xdg-dbus-proxy can be run as a service in guix shell container. <dthompson>setuid binaries are dangerous and would be a whole can of worms because only binaries can be setuid and guix is a script <amano>guix develop = guix shell + shepherd service <dthompson>I mean... that's a tool that doesn't exist so sure :) <dthompson>yeah but I don't think amano is talking about that <amano>If I can pick a network namespace and run an xdg-dbus-proxy shepherd service in guix container, guix will be a firejail substitute for me personally. <dthompson>it would be good to outline all the necessary changes for this on the mailing list or something <amano>I already sent an email about this to dev mailing list, but I haven't yet talked about keeping supplementary groups. <amano>`guix develop` with the ability to pick a network namespace will be an apparmor substitute, too. <amano>Then, I shall just write application profiles. <dthompson>what's the use-case for joining an existing network namespace? want to write a patch that allows it? <amano>Each network namespace has a different network interface for a different VPN server. <amano>I have a network namespace for a VPN server. <amano>A network namespace for tor. <amano>A network namespace for raw internet. <amano>A network namespace for a VPN server. <amano>This prevents VPN leak, and it is convenient. <amano>dthompson: I still don't know how to write guile scheme. So, even if I wanted to, you will have to wait a few yeras. <yelninei>seems to be already reported with a potential fix #71695, ill try something like that for now <shcv>hello; I'm trying to work on a simple guile program I intend to run probably as a cron-style task (doesn't really need a daemon). How does logging / error handling work in that context? <shcv>is that handled by the mcron service? do I need to figure out how to syslog from my program? <shcv>what about other services? I had a hard time figuring anything out from the documentation <shcv>I.e., I looked for syslog libraries, but the best I found was (logging logger), and it doesn't actually say how to add syslog as a handler <roptat>sneek, later tell apteryx lieserl is back on 10.0.0.14, its wireguard service was down <yvs>to sum up: it certainly works, thanks, got iputils-ping with linux caps in my case: <yvs>% getcap /run/privileged/bin/ping <yvs>% /run/privileged/bin/ping -c1 -OD 127.1 <yvs>PING 127.1 (127.0.0.1) 56(84) bytes of data. <yvs>[1729192737.316014] 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms <Rutherther>yvs: you shouldn't send multiple lines like that, irc is line based protocol, the messages got removed. Use a paste site next time. Glad to hear it works though <yvs>got it, sorry, I'm not familiar with irc <yvs>and other small question, `man ping` returns "man: outdated mandoc.db lacks ping(8) entry, run makewhatis /gnu/store/<uuid>-profile/share/man", then typing "sudo makewhatis /gnu/store/<uuid>-profile/share/man" there's "/gnu/store/<uuid>-profile/share/man//mandoc.db: unlink: Read-only file system" <yvs>What's a proper way to rebuild mandb on Guix system? <civodul>yvs: an index for use by ‘man -k’ is created for each profile that contains ‘man-db’ <yvs>@civodul > but ‘makewhatis’? < readlink `which makewhatis` says it's in mandoc package/profile <yvs>@civodul "an index for use by ‘man -k’ is created for each profile that contains ‘man-db’" -- I haven't got it, ping(8) is provided by iputils-ping package that installed system-wide <yvs>i.e. iputils is installed system-wide in my case <civodul>‘man -k ping’ returns a dozen of matches here <podiki>i'm wondering what to do with mesa-updates...last i saw on QA no progress on bordeaux (for non-x86) in at least a few weeks <yvs>typing 'man ping': got one line mentioned above (outdated madoc.db lacks ping(8) entry, run makewhatis ...) plus a couple screens of unreadable binary output <civodul>i don’t use mandoc, no idea how it’s supposed to work <civodul>podiki: so qa.guix doesn’t respond right now, but i think there’s a couple of branches queued before mesa-updates, no? <civodul>‘fonts-split-outputs’ is almost ready <podiki>i think the others had merged? i didn't see them i thought last time, but i might be misremembering <podiki>there's another mesa bugfix release i could use, and a rebase from master <yvs>@civodul apropos output is not too helpful: "man: nothing appropriate" <civodul>yeah this is annoying but i think we should kinda follow the branch order, unless the original submitters stop responding <civodul>yvs: ‘apropos’ is equivalent to ‘man -k’; it works for me <civodul>but again, you need to have the ‘man-db’ package in that profile <yvs>okay, I got it that it works, and can read that on other os <yvs>"otherwise there's no index.db" ... a moment <yvs>thanks, reinstalled man-db (maybe with recreation mandoc db at that) and got readable man pages, it's a bit more workable option than man's "run makewhatis ..." ) <Rutherther>yvs: there is no "recreation", only creation. The db is created for individual profiles. The profiles are never edited, only new ones are created. The same goes for all stuff in /gnu/store <yvs>no idea how I got that mess, but some unreadable bin output was displayed for sure <yvs>sorry for disturbing again, after upgrade with system reconfigure, started to get coredump in home dir, gdb bt reads "file format is not recognized", `file` says it's something related to wayland stuff. Is there a way to find out what caused this coredump? <yvs>a bit more from logs: Xwayland coredump has come with a lot warnings from gnome-shell and libmutter (before its termination)