guix-patches

[bug#36957] [PATCH v2] machine: Allow non-root users to deploy.


From: Ricardo Wurmus
Subject: [bug#36957] [PATCH v2] machine: Allow non-root users to deploy.
Date: Thu, 08 Aug 2019 10:33:03 +0200
User-agent: mu4e 1.2.0; emacs 26.2

Hi Jakob,

> +@code{user}.  That is: the line in @code{sudoers} granting @code{user} the
> +ability to use @code{sudo} must contain the NOPASSWD tag.
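
Review bot: The sentence on sudoers says the entry must carry the NOPASSWD tag but not which commands that entry has to cover. Stating the minimum rule that deployment needs would let administrators scope the passwordless grant for @code{user} rather than default to a blanket one.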

Perhaps also wrap “NOPASSWD” in @code{…}.

> +(define (machine-become-command machine)
> +  "Return as a list of strings the program and arguments necessary to run a
> +shell command with escalated privileges for MACHINE's configuration."
> +  (if (string= "root" (machine-ssh-configuration-user
> +                       (machine-configuration machine)))
> +      '()
> +      '("/run/setuid-programs/sudo" "-n" "--")))
> +
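
Review bot: In machine-become-command the root case is decided by comparing the configured user name with "root" via string=, and the docstring does not say that the result is the empty list in that case. Please document the '() return value, and mention that "-n" makes sudo exit with an error instead of prompting when a password would be required, since that is what ties this procedure to the NOPASSWD requirement in the manual text.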

This is a comment for future changes only: currently, we can assume that
the remote machine already runs Guix System.  In the future “guix
deploy” should probably also be able to initialize a system.  In that
case “sudo” may have to be searched on the target or otherwise be
provided.

(What happens if /run/setuid-programs/sudo is not available on the
target machine?)

> +(define* (%remote-eval lowered session #:optional become-command)
>    "Evaluate LOWERED, a lowered gexp, in SESSION.  This assumes that all the
> -prerequisites of EXP are already available on the host at SESSION."
> -  (let* ((pipe   (remote-pipe-for-gexp lowered session))
> +prerequisites of EXP are already available on the host at SESSION.  If
> +BECOME-COMMAND is given, use that to invoke the remote Guile REPL."
> +  (let* ((pipe   (remote-pipe-for-gexp lowered session become-command))
>           (result (read-repl-response pipe)))
>      (close-port pipe)
>      result))
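
Review bot: %remote-eval calls read-repl-response on the pipe right after opening it, and nothing in the visible lines handles BECOME-COMMAND failing to start the remote REPL (for example sudo run with "-n" refusing because a password is required). Consider detecting that case and raising an error that names the become command, so that a sudoers misconfiguration is reported as such; note also that close-port is skipped if read-repl-response raises here.
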
> @@ -90,12 +104,14 @@ result to the current output port using the (guix repl) 
> protocol."
>                        #:key
>                        (build-locally? #t)
>                        (module-path %load-path)
> -                      (socket-name "/var/guix/daemon-socket/socket"))
> +                      (socket-name "/var/guix/daemon-socket/socket")
> +                      (become-command #f))
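
Review bot: The new keyword defaults to (become-command #f), while machine-become-command returns '() for root, so "no escalation" has two representations. '() is a true value in Scheme, so any test of the form (if become-command …) would take the escalation branch for root; pick one representation, or document that an empty list is accepted and means no prefix.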

I’m just stumbling upon “socket-name”.  “/var/guix” is not guaranteed to
be the localstatedir.  It would be better to use (guix config) to
determine the configured value.

This doesn’t block this patch, of course, but it would be good to change
this in the future.

--
Ricardo
