Next: , Up: 设置后台进程   [Contents][Index]

2.2.1 设置构建环境


guix-daemonroot用户身份运行时,由于安全方面的考虑,你可能不希望软件包构建进程也以root用户身份运行。为了避免那样,我们需要创建一个构建用户池,以供后台进程启动的构建进程使用。这些构建用户不需要拥有shell和家目录:他们只会在后台进程为构建进程剥夺root特权时使用。拥有多个这类用户使后台进程可以以不同的UID启动不同的构建进程,这保证它们不会互相干扰–这是一个重要的功能,因为构建被视为纯函数(see 介绍)。


# groupadd --system guixbuild
# for i in $(seq -w 1 10);
    useradd -g guixbuild -G guixbuild           \
            -d /var/empty -s $(which nologin)   \
            -c "Guix build user $i" --system    \

构建用户的数量决定了有多少个构建任务可以并行执行,即--max-jobs参数(see --max-jobs)。为了使用guix system vm和相关的命令,你需要把构建用户添加到kvm用户组,以使它们访问/dev/kvm。为此,把-G guixbuild替换成-G guixbuild,kvm(see Invoking guix system)。

The guix-daemon program may then be run as root with the following command6:

# guix-daemon --build-users-group=guixbuild


The chroot does not contain a /home directory, and the HOME environment variable is set to the non-existent /homeless-shelter. This helps to highlight inappropriate uses of HOME in the build scripts of packages.

All this usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed—typically over the date, kernel, or CPU—you can resort to a virtual build machine (see virtual build machines).

You can influence the directory where the daemon stores build trees via the TMPDIR environment variable. However, the build tree within the chroot is always called /tmp/guix-build-name.drv-0, where name is the derivation name—e.g., coreutils-8.24. This way, the value of TMPDIR does not leak inside build environments, which avoids discrepancies in cases where build processes capture the name of their build tree.

The daemon also honors the http_proxy and https_proxy environment variables for HTTP and HTTPS downloads it performs, be it for fixed-output derivations (see Derivations) or for substitutes (see substitutes).

If you are installing Guix as an unprivileged user, it is still possible to run guix-daemon provided you pass --disable-chroot. However, build processes will not be isolated from one another, and not from the rest of the system. Thus, build processes may interfere with each other, and may access programs, libraries, and other files available on the system—making it much harder to view them as pure functions.



If your machine uses the systemd init system, copying the prefix/lib/systemd/system/guix-daemon.service file to /etc/systemd/system will ensure that guix-daemon is automatically started. Similarly, if your machine uses the Upstart init system, copy the prefix/lib/upstart/system/guix-daemon.conf file to /etc/init.



Next: 使用任务下发设施, Up: 设置后台进程   [Contents][Index]