diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 09e599c89ec..c43f39fe320 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -2275,10 +2275,14 @@ guix-daemon have the right ownership.")) ;; Make 'tar' and 'gzip' available so ;; that 'guix perform-download' can use ;; them when downloading from Software - ;; Heritage via '(guix swh)'. + ;; Heritage via '(guix swh)'. Last, + ;; /run/privileged/bin is needed for + ;; 'newgidmap', used by the unprivileged + ;; daemon. (string-append "PATH=" #$(file-append tar "/bin") ":" - #$(file-append gzip "/bin"))) + #$(file-append gzip "/bin") ":" + "/run/privileged/bin")) (if proxy (list (string-append "http_proxy=" proxy) (string-append "https_proxy=" proxy)) @@ -2383,7 +2387,24 @@ guix-daemon have the right ownership.")) #$(if (null? (guix-configuration-build-machines config)) #~#f (guix-machines-files-installation - #~(list #$@(guix-configuration-build-machines config))))))) + #~(list #$@(guix-configuration-build-machines config)))) + + #$(and (not (guix-configuration-privileged? config)) + ;; Augment /etc/subgid so that the "kvm" group can be mapped in + ;; the build user namespace. If a line is already present, + ;; assume it's correct. + #~(let ((port (open-file "/etc/subgid" "w+")) + (kvm (false-if-exception (getgrnam "kvm")))) + (when kvm + (let loop () + (let ((line ((@ (ice-9 rdelim) read-line) port))) + (cond ((eof-object? line) + (format port "guix-daemon:~a:1~%" + (group:gid kvm))) + ((string-prefix? "guix-daemon:" line) + #t) + (else (loop)))))) + (close-port port)))))) (define-record-type* guix-extension make-guix-extension