gnu: vm: Add build users.

* gnu/system/shadow.scm (guix-build-accounts): New procedure.
* gnu/system/vm.scm (system-qemu-image): Use it.  Add the "guixbuild"
  group.
* gnu/system/dmd.scm (guix-service): Add 'builder-group' parameter.
  Pass 'guix-daemon' the '--build-users-group' option.
Ludovic Courtès 2013-09-26 23:28:17 +02:00
parent 3abf9b440b
commit d0c66871b1
3 changed files with 58 additions and 19 deletions


@ -146,14 +146,16 @@
(inputs `(("inetutils" ,inetutils) (inputs `(("inetutils" ,inetutils)
("syslog.conf" ,syslog.conf)))))) ("syslog.conf" ,syslog.conf))))))
(define* (guix-service store #:key (guix guix)) (define* (guix-service store #:key (guix guix) (builder-group "guixbuild"))
"Return a service that runs the build daemon from GUIX." "Return a service that runs the build daemon from GUIX."
(let* ((drv (package-derivation store guix)) (let* ((drv (package-derivation store guix))
(daemon (string-append (derivation->output-path drv) (daemon (string-append (derivation->output-path drv)
"/bin/guix-daemon"))) "/bin/guix-daemon")))
(service (service
(provision '(guix-daemon)) (provision '(guix-daemon))
(start `(make-forkexec-constructor ,daemon)) (start `(make-forkexec-constructor ,daemon
"--build-users-group"
,builder-group))
(inputs `(("guix" ,guix)))))) (inputs `(("guix" ,guix))))))
(define* (static-networking-service store interface ip (define* (static-networking-service store interface ip
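Review bot: The new `builder-group` keyword of guix-service is not mentioned in its docstring, which still describes only GUIX; I'd change it to `"Return a service that runs the build daemon from GUIX, using BUILDER-GROUP as the group of unprivileged build users."`. Nothing in this hunk ensures the group named by `builder-group` actually exists in the system's group file with the build users as members — the vm.scm section of this commit adds it for the VM image, but any other caller of guix-service has to do the same, and presumably guix-daemon will not start otherwise, so a comment above the `"--build-users-group"` line stating that requirement would save the next caller a failed boot. The surrounding definitions (`static-networking-service`, the service record above) start or end outside the hunk.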


@ -18,8 +18,14 @@
(define-module (gnu system shadow) (define-module (gnu system shadow)
#:use-module (guix store) #:use-module (guix store)
#:use-module (ice-9 match)
#:use-module (guix records) #:use-module (guix records)
#:use-module (guix packages)
#:use-module ((gnu packages system)
#:select (shadow))
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
#:use-module (ice-9 format)
#:export (user-account #:export (user-account
user-account? user-account?
user-account-name user-account-name
@ -38,7 +44,8 @@
user-group-members user-group-members
passwd-file passwd-file
group-file)) group-file
guix-build-accounts))
;;; Commentary: ;;; Commentary:
;;; ;;;
@ -110,4 +117,25 @@ file."
(add-text-to-store store (if shadow? "shadow" "passwd") (add-text-to-store store (if shadow? "shadow" "passwd")
contents '())) contents '()))
(define* (guix-build-accounts store count #:key
(first-uid 30001)
(gid 30000)
(shadow shadow))
"Return a list of COUNT user accounts for Guix build users, with UIDs
starting at FIRST-UID, and under GID."
(let* ((gid* gid)
(no-login (string-append (package-output store shadow) "/sbin/nologin")))
(unfold (cut > <> count)
(lambda (n)
(user-account
(name (format #f "guixbuilder~2,'0d" n))
(password "!")
(uid (+ first-uid n -1))
(gid gid*)
(comment (format #f "Guix Build User ~2d" n))
(home-directory "/var/empty")
(shell no-login)))
1+
1)))
;;; shadow.scm ends here ;;; shadow.scm ends here
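Review bot: The default `(gid 30000)` of guix-build-accounts is duplicated as a literal `(id 30000)` for the "guixbuild" group in the vm.scm section of this commit, so the two can drift apart and leave the build users in a group that does not match the one guix-daemon is given via --build-users-group; consider exporting that id as a named constant (e.g. `%guix-build-group-id`, name is a placeholder) and using it in both places. The docstring also omits the `shadow` keyword and the security-relevant properties of the accounts that the body establishes; I'd extend it to `"Return a list of COUNT user accounts for Guix build users, with UIDs starting at FIRST-UID, and under GID.  The accounts are locked (password \"!\"), have /var/empty as home directory, and use the nologin shell from SHADOW."`. The `gid*` alias in the `let*` looks redundant with the `gid` parameter unless the `user-account` field syntax requires it — worth a one-line comment either way.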


@ -462,6 +462,9 @@ Happy birthday, GNU! http://www.gnu.org/gnu30
(static-networking-service store "eth0" "10.0.2.10" (static-networking-service store "eth0" "10.0.2.10"
#:gateway "10.0.2.2"))) #:gateway "10.0.2.2")))
(define build-accounts
(guix-build-accounts store 10))
(define resolv.conf (define resolv.conf
;; Name resolution for default QEMU settings. ;; Name resolution for default QEMU settings.
(add-text-to-store store "resolv.conf" (add-text-to-store store "resolv.conf"
@ -482,7 +485,7 @@ Happy birthday, GNU! http://www.gnu.org/gnu30
(dmd-file (string-append (derivation->output-path dmd-drv) (dmd-file (string-append (derivation->output-path dmd-drv)
"/bin/dmd")) "/bin/dmd"))
(dmd-conf (dmd-configuration-file store %dmd-services)) (dmd-conf (dmd-configuration-file store %dmd-services))
(accounts (list (user-account (accounts (cons* (user-account
(name "root") (name "root")
(password "") (password "")
(uid 0) (gid 0) (uid 0) (gid 0)
@ -495,7 +498,8 @@ Happy birthday, GNU! http://www.gnu.org/gnu30
(uid 1000) (gid 100) (uid 1000) (gid 100)
(comment "Guest of GNU") (comment "Guest of GNU")
(home-directory "/home/guest") (home-directory "/home/guest")
(shell bash-file)))) (shell bash-file))
build-accounts))
(passwd (passwd-file store accounts)) (passwd (passwd-file store accounts))
(shadow (passwd-file store accounts #:shadow? #t)) (shadow (passwd-file store accounts #:shadow? #t))
(group (group-file store (group (group-file store
@ -505,7 +509,12 @@ Happy birthday, GNU! http://www.gnu.org/gnu30
(user-group (user-group
(name "users") (name "users")
(id 100) (id 100)
(members '("guest")))))) (members '("guest")))
(user-group
(name "guixbuild")
(id 30000)
(members (map user-account-name
build-accounts))))))
(pam.d-drv (pam-services->directory store %pam-services)) (pam.d-drv (pam-services->directory store %pam-services))
(pam.d (derivation->output-path pam.d-drv)) (pam.d (derivation->output-path pam.d-drv))