system: Add /etc/subuid and /etc/subgid support.

This commit adds a Guix System service to handle allocation of subuid and subgid requests. Users that don't care can just add themselves as a subid-range and don't need to specify anything but their user name. Users that care about specific ranges, such as possibly LXD, can specify a start and a count. * doc/guix.texi (Miscellaneous Services): Document it. * gnu/build/activation.scm (activate-subuids+subgids): New variable. * gnu/local.mk: Add gnu/tests/shadow.scm. * gnu/system/accounts.scm (sexp->subid-range): New variable. * gnu/system/shadow.scm (%root-subid): New variable; (subids-configuration): new record; (subid-range->gexp): new variable; (assert-valid-subids): new variable; (delete-duplicate-ranges): new variable; (subids-activation): new variable; (subids-extension): new record; (append-subid-ranges): new variable; (subids-extension-merge): new variable; (subids-service-type): new variable. * gnu/tests/shadow.scm (subids): New system test. Change-Id: I3755e1c75771220c74fe8ae5de1a7d90f2376635 Signed-off-by: Giacomo Leidi <[email protected]> Signed-off-by: Ludovic Courtès <[email protected]>
author: Giacomo Leidi <[email protected]> 2024-10-08 00:40:28 +0200
committer: Ludovic Courtès <[email protected]> 2024-12-18 18:32:40 +0100
commit: a1ecd7f56c4ffadc49d5501a0df7f4c4556120c2 (patch)
tree: 1584a2a34c4194b93fd3344ec4063c5de6079179 /gnu/build
parent: 337037d22cfcc7764c1ce87127166c351a91369d (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index a450578c24..11f7c82d67 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -10,6 +10,7 @@
 ;;; Copyright © 2021 Brice Waegeneire <[email protected]>
 ;;; Copyright © 2022 Tobias Geerinckx-Rice <[email protected]>
 ;;; Copyright © 2024 Nicolas Graves <[email protected]>
+;;; Copyright © 2024 Giacomo Leidi <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,6 +41,7 @@
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-26)
   #:export (activate-users+groups
+            activate-subuids+subgids
             activate-user-home
             activate-etc
             activate-privileged-programs
@@ -229,6 +231,23 @@ group records) are all available."
               (chmod directory #o555))
             (duplicates (map user-account-home-directory system-accounts))))
 
+(define (activate-subuids+subgids subuids subgids)
+  "Make sure SUBUIDS (a list of subid range records) and SUBGIDS (a list of
+subid range records) are all available."
+
+  ;; Take same lock as Shadow while we read
+  ;; and write the databases.  This ensures there's no race condition with
+  ;; other tools that might be accessing it at the same time.
+  (with-file-lock "/etc/subgid.lock"
+    (let-values (((subuid subgid)
+                  (subuid+subgid-databases subuids subgids)))
+      (write-subgid subgid)))
+
+  (with-file-lock "/etc/subuid.lock"
+    (let-values (((subuid subgid)
+                  (subuid+subgid-databases subuids subgids)))
+      (write-subuid subuid))))
+
 (define (activate-user-home users)
   "Create and populate the home directory of USERS, a list of tuples, unless
 they already exist."
author	Giacomo Leidi <[email protected]>	2024-10-08 00:40:28 +0200
committer	Ludovic Courtès <[email protected]>	2024-12-18 18:32:40 +0100
commit	a1ecd7f56c4ffadc49d5501a0df7f4c4556120c2 (patch)
tree	1584a2a34c4194b93fd3344ec4063c5de6079179 /gnu/build
parent	337037d22cfcc7764c1ce87127166c351a91369d (diff)