Daemon Running as Root

When guix-daemon runs as root, you may not want package build processes themselves to run as root too, for obvious security reasons. To avoid that, a special pool of build users should be created for use by build processes started by the daemon. Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other—an essential feature since builds are regarded as pure functions (see 介绍).

在一个GNU/Linux系统上，可以这样创建一个构建用户池（用bash语法和shadow命令）：

# groupadd --system guixbuild
# for i in $(seq -w 1 10);
  do
    useradd -g guixbuild -G guixbuild           \
            -d /var/empty -s $(which nologin)   \
            -c "Guix build user $i" --system    \
            guixbuilder$i;
  done

构建用户的数量决定了有多少个构建任务可以并行执行，即--max-jobs参数(see --max-jobs)。为了使用guix system vm和相关的命令，你需要把构建用户添加到kvm用户组，以使它们访问/dev/kvm。为此，把-G guixbuild替换成-G guixbuild,kvm（see 调用guix system）。

The guix-daemon program may then be run as root with the following command⁶:

# guix-daemon --build-users-group=guixbuild

In this setup, /gnu/store is owned by root.

Daemon Running Without Privileges

The second and preferred option is to run guix-daemon as an unprivileged user. It has the advantage of reducing the harm that can be done should a build process manage to exploit a vulnerability in the daemon. This option requires the use of Linux’s unprivileged user namespace mechanism; today it is available and enabled by most GNU/Linux distributions but can still be disabled. The installation script automatically determines whether this option is available on your system (see 二进制文件安装).

When using this option, you only need to create one user account, and guix-daemon will run with the authority of that account:

# groupadd --system guix-daemon
# useradd -g guix-daemon -G guix-daemon              \
          -d /var/empty -s $(which nologin)          \
          -c "Guix daemon privilege separation user" \
          --system guix-daemon

In this configuration, /gnu/store is owned by the guix-daemon user.

The Isolated Build Environment

In both cases, the daemon starts build processes without privileges in an isolated or hermetic build environment—a “chroot”. On GNU/Linux, by default, the build environment contains nothing but:

• 一个和主机/dev独立的⁷，最小的/dev文件夹；
• /proc文件夹；它只含有当前容器的进程，因为用了一个独立的进程PID命名空间；
• /etc/passwd，仅包含当前用户和nobody；
• /etc/group，包含用户的组；
• /etc/hosts，包含localhost映射到127.0.0.1的条目；
• 一个可写的/tmp文件夹。

The chroot does not contain a /home directory, and the HOME environment variable is set to the non-existent /homeless-shelter. This helps to highlight inappropriate uses of HOME in the build scripts of packages.

All this is usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed—typically over the date, kernel, or CPU—you can resort to a virtual build machine (see virtual build machines).

You can influence the directory where the daemon stores build trees via the TMPDIR environment variable. However, the build tree within the chroot is always called /tmp/guix-build-name.drv-0, where name is the derivation name—e.g., coreutils-8.24. This way, the value of TMPDIR does not leak inside build environments, which avoids discrepancies in cases where build processes capture the name of their build tree.

The daemon also honors the http_proxy and https_proxy environment variables for HTTP and HTTPS downloads it performs, be it for fixed-output derivations (see Derivations) or for substitutes (see substitutes).