In a standard multi-user setup, Guix and its daemon, the guix-daemon program, are installed by the root user, and guix-daemon runs as root. Unprivileged users may use Guix tools to build packages or otherwise access the store, and the daemon does it on their behalf, ensuring that the store is kept in a consistent state and allowing built packages to be shared among users.
When guix-daemon runs as root, you may not want package build processes themselves to run as root too, for security reasons. To avoid that, a special pool of build users should be created for use by build processes started by the daemon. These build users need not have a shell or a home directory: they are only used when the daemon drops root privileges in build processes. Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other. This is an essential feature, since builds are regarded as pure functions (see Introduction).
On a GNU/Linux system, a build user pool may be created like this (using Bash syntax and the shadow commands):

    # groupadd --system guixbuild
    # for i in $(seq -w 1 10);
      do
        useradd -g guixbuild -G guixbuild           \
                -d /var/empty -s $(which nologin)   \
                -c "Guix build user $i" --system    \
                guixbuilder$i;
      done
The number of build users determines how many build jobs may run in parallel, as specified by the --max-jobs option (see --max-jobs). To use guix system vm and related commands, you need to add the build users to the kvm group so that they can access /dev/kvm; to do so, replace -G guixbuild with -G guixbuild,kvm (see Invoking guix system).
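The properties listed above (a dedicated group, no login shell, no real home directory, and distinct UIDs so that concurrent builds cannot touch each other) are easy to lose on a long-lived host. As an added example, not from the Guix manual, the POSIX shell function below audits a build-user pool against them. It reads passwd(5)- and group(5)-formatted files given as arguments, so it runs here against the constructed samples written by write_samples (the accounts, UIDs and GIDs in them are made up) and could equally be pointed at /etc/passwd and /etc/group. The group name, the guixbuilder prefix, the /var/empty home and the nologin check mirror the useradd invocation above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Guix manual: audit a Guix build-user pool.
#
# audit_build_users PASSWD_FILE GROUP_FILE GROUP_NAME PREFIX
#   Checks every account whose name starts with PREFIX against the
#   properties the build users are supposed to have, prints one line per
#   finding, and returns the number of findings (0 means the pool is clean).
audit_build_users() {
    passwd=$1; group=$2; grp=$3; prefix=$4
    findings=0
    count=0

    # The build group must exist; remember its GID and its member list.
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$group")
    if [ -z "$gid" ]; then
        echo "group $grp does not exist"
        return 1
    fi
    members=",$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group"),"

    # passwd(5) fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid pgid gecos home shell; do
        case $name in "$prefix"*) ;; *) continue ;; esac
        count=$((count + 1))
        # -g guixbuild: the primary group is the build group
        if [ "$pgid" != "$gid" ]; then
            echo "$name: primary GID $pgid is not $grp ($gid)"; findings=$((findings + 1))
        fi
        # -G guixbuild: also listed as a supplementary member
        case $members in
            *",$name,"*) ;;
            *) echo "$name: not a member of $grp"; findings=$((findings + 1)) ;;
        esac
        # -s nologin: no interactive shell
        case $shell in
            */nologin|*/false) ;;
            *) echo "$name: has a login shell ($shell)"; findings=$((findings + 1)) ;;
        esac
        # -d /var/empty: no real home directory
        if [ "$home" != /var/empty ]; then
            echo "$name: home is $home, expected /var/empty"; findings=$((findings + 1))
        fi
    done < "$passwd"

    # Distinct UIDs are what keep concurrent builds from touching each other.
    dups=$(awk -F: -v p="$prefix" 'index($1, p) == 1 { print $3 }' "$passwd" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "UID shared by several build users: $(echo "$dups" | tr '\n' ' ')"; findings=$((findings + 1))
    fi
    if [ "$count" -eq 0 ]; then
        echo "no $prefix* accounts found"; findings=$((findings + 1))
    fi
    echo "$count build user(s) checked, $findings finding(s)"
    return "$findings"
}

# Constructed sample data (not from any real system): a clean pool of three
# users, and a broken pool where guixbuilder01 has a shell and a home
# directory, guixbuilder02 is missing from the group, and a UID is reused.
write_samples() {
    dir=$1
    cat > "$dir/group.good" <<'EOF'
root:x:0:
guixbuild:x:999:guixbuilder01,guixbuilder02,guixbuilder03
kvm:x:108:guixbuilder01,guixbuilder02,guixbuilder03
EOF
    cat > "$dir/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guixbuilder01:x:990:999:Guix build user 01:/var/empty:/usr/sbin/nologin
guixbuilder02:x:991:999:Guix build user 02:/var/empty:/usr/sbin/nologin
guixbuilder03:x:992:999:Guix build user 03:/var/empty:/usr/sbin/nologin
EOF
    cat > "$dir/group.bad" <<'EOF'
root:x:0:
guixbuild:x:999:guixbuilder01,guixbuilder03
EOF
    cat > "$dir/passwd.bad" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guixbuilder01:x:990:999:Guix build user 01:/home/guixbuilder01:/bin/bash
guixbuilder02:x:991:999:Guix build user 02:/var/empty:/usr/sbin/nologin
guixbuilder03:x:990:999:Guix build user 03:/var/empty:/usr/sbin/nologin
EOF
}

# Stand-alone run against the constructed samples.
main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== clean pool =="
    audit_build_users "$dir/passwd.good" "$dir/group.good" guixbuild guixbuilder || echo "exit status $?"
    echo "== broken pool =="
    audit_build_users "$dir/passwd.bad" "$dir/group.bad" guixbuild guixbuilder || echo "exit status $?"
    rm -rf "$dir"
}
main
```

The exit status doubles as the finding count, so the function can sit in a cron job or a configuration-management check and fail loudly; the clean sample exits 0 and the broken one exits 4 (shell, home, missing membership, duplicate UID).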
The guix-daemon program may then be run as root with the following command[6]:

    # guix-daemon --build-users-group=guixbuild
This way, the daemon starts build processes in a chroot, under one of the guixbuilder users. On GNU/Linux, by default, the chroot environment contains nothing but:

- a minimal /dev directory, independent[7] of the host's /dev;
- the /proc directory; it only shows the container's processes, since a separate PID name space is used;
- an /etc/hosts entry that maps localhost to 127.0.0.1;
The chroot does not contain a /home directory, and the HOME environment variable is set to the non-existent /homeless-shelter. This helps to highlight inappropriate uses of HOME in the build scripts of packages.
You can influence the directory where the daemon stores build trees via the TMPDIR environment variable. However, the build tree within the chroot is always called /tmp/guix-build-name.drv-0, where name is the derivation name, e.g., coreutils-8.24. This way, the value of TMPDIR does not leak inside build environments, which avoids discrepancies in cases where build processes capture the name of their build tree.
The daemon also honors the http_proxy and https_proxy environment variables for HTTP and HTTPS downloads it performs, be it for fixed-output derivations (see Derivations) or for substitutes (see Substitutes).
If you are installing Guix as an unprivileged user, it is still possible to run guix-daemon provided you pass --disable-chroot. However, build processes will not be isolated from one another, nor from the rest of the system. Thus, build processes may interfere with each other, and may access programs, libraries, and other files available on the system, making it much harder to view them as pure functions.
[6] If your machine uses the systemd init system, copying the prefix/lib/systemd/system/guix-daemon.service file to /etc/systemd/system will ensure that guix-daemon is automatically started. Similarly, if your machine uses the Upstart init system, copy the prefix/lib/upstart/system/guix-daemon.conf file to /etc/init.
[7] Roughly so, because while the set of files that appear in the chroot's /dev is fixed, most of these files can only be created if the host has them.