bug#54786: Installation tests are failing

[Maxim Cournoyer]

Hi Ludovic!

Ludovic Courtès  writes:

> Howdy!
>
> Maxim Cournoyer  skribis:

[...]

>> I reviewed how that works, and it'd be easy; I just didn't see the
>> incentive yet (there's no composition needed for the service, and it'd
>> make the definition slightly less readable).  If you tell me
>> mark+forkexec-constructor/container is going the way of the Dodo though,
>> that's a good enough incentive :-).

That turns out to be bit problematic; dbus-daemon must not run in its
own user namespace (CLONE_NEWUSER) as it wants to validate user/group
IDs.  That's probably the reason it was working with
'make-forkexec-constructor/container', as this was dropping the user and
net namespaces, contrary to least-authority, which uses them all.

The problem then seems to be that since we need CAP_SYS_ADMIN when
dropping the user namespace, as CLONE_NEWUSER is what gives us
superpowers.  Per 'man user_namespaces':

  The child process created by clone(2) with the CLONE_NEWUSER flag starts
  out with a complete set of capabilities in the new user namespace.

Which means that if we combine something like (untested):

--8<---cut here---start->8---
(make-forkexec-constructor
  (least-authority
(list (file-append coreutils "/bin/true"))
(mappings (delq 'user %namespaces))
  #:user  "nobody"
  #:group "nobody"))
--8<---cut here---end--->8---

the make-forkexec-constructor will switch to the non-privileged user
before the clone call is made, and it will fail with EPERM.

When using 'make-forkexec-constructor/container', the clone(2) call
happens before switching user, thus as 'root' in Shepherd, which
explains why it works.

I'm not sure how it could be fixed; it seems the user changing business
would need to be handled by the least-authority-wrapper code?  And the
make-forkexec-constructor would probably need to detect that command is
a pola wrapper and then avoid changing the user/group itself to not
interfere.

To be continued!

Maxim

bug#55707: bug#55488: GDM, GNOME: Can't start desktop session after upgrade

[Ludovic Courtès]

Hi,

Luis Felipe  skribis:

> It seems nothing changed. I'm still unable to start a GNOME session, and 
> booting time is about the same.

Indeed.

Here’s another debugging trick; would be great if you could try this:

--8<---cut here---start->8---
(define strace-syslogd
  (program-file "strace-syslogd"
#~(apply execl #$(file-append strace "/bin/strace")
 "strace" ;argv[0]
 "-f" "-Tt" "-o" "/syslogd.log" "-s" "80"
 #$(file-append inetutils "/libexec/syslogd")
 (cdr (command-line)
--8<---cut here---end--->8---

and then:

--8<---cut here---start->8---
(modify-services %desktop-services
  (syslog-service-type
   _ => (syslog-configuration
 (syslogd strace-syslogd
--8<---cut here---end--->8---

This creates a log file, /syslogd.log, which will allow us to see the
time it takes syslogd to read from /proc/kmsg and hopefully to determine
the origin of delays.

TIA!

Ludo’.

bug#55326: libgit2 1.3.0 includes a time-dependent test

[Maxime Devos]

I noticed that the latest core-updates evaluations fail because of the
test failure in libgit2@1.3.0:

https://ci.guix.gnu.org/jobset/core-updates

so I recommend merging 'master' into 'core-updates'.

Greetings,
Maxime.


signature.asc
Description: This is a digitally signed message part

bug#55781: thunar/thunar-volman won't recognize gvfs is installed

[Till Robin Zickel]

When trying to use thunar-volman to manage removable media, thunar tells the 
user in its settings that gvfs cannot be found.

Running

```
guix shell --pure dbus hicolor-icon-theme gdk-pixbuf gvfs thunar-volman thunar 
-- thunar
```

has the same problem, so there's probably a bug with one of the packages.