From 33ec536b90549488379a3dc80b5e23337cc9fac2 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 16 May 2017 15:09:57 +0200 Subject: gnu: guix: Update snapshot. * gnu/packages/package-management.scm (guix): Update to ce92d26. --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 8ebf6b0578..ceaf51b676 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -73,8 +73,8 @@ ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "0.12.0") - (commit "ba2260dbbc5a3c915e2cbd54d93f2f3af2a864c3") - (revision 10)) + (commit "ce92d269fea0a2bfac0ac20414f77127d2f07500") + (revision 11)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "0nkwbblsnl7kv2n8jf8c6rl3a7dynaqxizhhni18vbnmvza35c79")) + "17l9r2mdzzv8vfxb3bc5zkdqkl472q979iwsarp7lcqss1jxys7w")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1 From ed5e3ab8abe994d584465afdfe9102fc74ef7e85 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 16 May 2017 22:26:22 +0300 Subject: gnu: tor: Update to 0.3.0.7. * gnu/packages/tor.scm (tor): Update to 0.3.0.7. --- gnu/packages/tor.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm index 83e49a1536..b31b58a26f 100644 --- a/gnu/packages/tor.scm +++ b/gnu/packages/tor.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2014, 2015 Mark H Weaver -;;; Copyright © 2016 Efraim Flashner +;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2016, 2017 ng0 ;;; Copyright © 2017 Tobias Geerinckx-Rice ;;; Copyright © 2017 Eric Bavier @@ -43,14 +43,14 @@ (define-public tor (package (name "tor") - (version "0.3.0.6") + (version "0.3.0.7") (source (origin (method url-fetch) (uri (string-append "https://dist.torproject.org/tor-" version ".tar.gz")) (sha256 (base32 - "057vq8wagppmrlg85dgbsrk1v67yqpbi9n87s8gn0mdm7kli5rd3")))) + "00kxa83bn0axh7479fynp6r8znq5wy26kvb8ghixgjpkir2c8h4n")))) (build-system gnu-build-system) (arguments `(#:configure-flags (list "--enable-expensive-hardening" -- cgit 1.4.1 From 5d6e38a6c37eced3f545a5afdcba3db20ec95869 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Tue, 16 May 2017 21:59:18 +0200 Subject: gnu: glibc/hurd: Use modify-phases syntax. * gnu/packages/base.scm (glibc/hurd)[arguments]: Use modify-phases syntax. --- gnu/packages/base.scm | 56 +++++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 59a9acd67e..8a48cadf7b 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -778,35 +778,33 @@ with the Linux kernel.") ((#:phases original-phases) ;; Add libmachuser.so and libhurduser.so to libc.so's search path. ;; See . - `(alist-cons-after - 'install 'augment-libc.so - (lambda* (#:key outputs #:allow-other-keys) - (let* ((out (assoc-ref outputs "out"))) - (substitute* (string-append out "/lib/libc.so") - (("/[^ ]+/lib/libc.so.0.3") - (string-append out "/lib/libc.so.0.3" " libmachuser.so" " libhurduser.so")))) - #t) - (alist-cons-after - 'pre-configure 'pre-configure-set-pwd - (lambda _ - ;; Use the right 'pwd'. - (substitute* "configure" - (("/bin/pwd") "pwd"))) - (alist-replace - 'build - (lambda _ - ;; Force mach/hurd/libpthread subdirs to build first in order to avoid - ;; linking errors. - ;; See - (let ((-j (list "-j" (number->string (parallel-job-count))))) - (let-syntax ((make (syntax-rules () - ((_ target) - (zero? (apply system* "make" target -j)))))) - (and (make "mach/subdir_lib") - (make "hurd/subdir_lib") - (make "libpthread/subdir_lib") - (zero? (apply system* "make" -j)))))) - ,original-phases)))) + `(modify-phases ,original-phases + (add-after 'install 'augment-libc.so + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out"))) + (substitute* (string-append out "/lib/libc.so") + (("/[^ ]+/lib/libc.so.0.3") + (string-append out "/lib/libc.so.0.3" " libmachuser.so" " libhurduser.so")))) + #t)) + (add-after 'pre-configure 'pre-configure-set-pwd + (lambda _ + ;; Use the right 'pwd'. + (substitute* "configure" + (("/bin/pwd") "pwd")) + #t)) + (replace 'build + (lambda _ + ;; Force mach/hurd/libpthread subdirs to build first in order to avoid + ;; linking errors. + ;; See + (let ((-j (list "-j" (number->string (parallel-job-count))))) + (let-syntax ((make (syntax-rules () + ((_ target) + (zero? (apply system* "make" target -j)))))) + (and (make "mach/subdir_lib") + (make "hurd/subdir_lib") + (make "libpthread/subdir_lib") + (zero? (apply system* "make" -j))))))))) ((#:configure-flags original-configure-flags) `(append (list "--host=i586-pc-gnu" -- cgit 1.4.1 From d03b34cf190b5790ee1884ae551634f5f736f4f1 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Tue, 16 May 2017 22:11:41 +0200 Subject: gnu: glibc/hurd: Do not apply i686 patch. This is a follow-up to commit c2e4f14ac8cd3e1ce7f46a192ad0c9acc084b210. * gnu/packages/base.scm (glibc/hurd)[arguments]: Override pre-configure phase with a copy that does not include the patch application. --- gnu/packages/base.scm | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) (limited to 'gnu') diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 8a48cadf7b..d135a18bf8 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -779,6 +779,71 @@ with the Linux kernel.") ;; Add libmachuser.so and libhurduser.so to libc.so's search path. ;; See . `(modify-phases ,original-phases + ;; TODO: This is almost an exact copy of the phase of the same name + ;; in glibc/linux. The only difference is that the i686 patch is + ;; not applied here. In the next update cycle the patch moves to + ;; the patches field and this overwritten phase won't be needed any + ;; more. + (replace 'pre-configure + (lambda* (#:key inputs native-inputs outputs + #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bin (string-append out "/bin")) + ;; FIXME: Normally we would look it up only in INPUTS + ;; but cross-base uses it as a native input. + (bash (or (assoc-ref inputs "static-bash") + (assoc-ref native-inputs "static-bash")))) + ;; Install the rpc data base file under `$out/etc/rpc'. + ;; FIXME: Use installFlags = [ "sysconfdir=$(out)/etc" ]; + (substitute* "sunrpc/Makefile" + (("^\\$\\(inst_sysconfdir\\)/rpc(.*)$" _ suffix) + (string-append out "/etc/rpc" suffix "\n")) + (("^install-others =.*$") + (string-append "install-others = " out "/etc/rpc\n"))) + + (substitute* "Makeconfig" + ;; According to + ;; , + ;; linking against libgcc_s is not needed with GCC + ;; 4.7.1. + ((" -lgcc_s") "")) + + ;; Have `system' use that Bash. + (substitute* "sysdeps/posix/system.c" + (("#define[[:blank:]]+SHELL_PATH.*$") + (format #f "#define SHELL_PATH \"~a/bin/bash\"\n" + bash))) + + ;; Same for `popen'. + (substitute* "libio/iopopen.c" + (("/bin/sh") + (string-append bash "/bin/sh"))) + + ;; Same for the shell used by the 'exec' functions for + ;; scripts that lack a shebang. + (substitute* (find-files "." "^paths\\.h$") + (("#define[[:blank:]]+_PATH_BSHELL[[:blank:]].*$") + (string-append "#define _PATH_BSHELL \"" + bash "/bin/sh\"\n"))) + + ;; Nscd uses __DATE__ and __TIME__ to create a string to + ;; make sure the client and server come from the same + ;; libc. Use something deterministic instead. + (substitute* "nscd/nscd_stat.c" + (("static const char compilation\\[21\\] =.*$") + (string-append + "static const char compilation[21] = \"" + (string-take (basename out) 20) "\";\n"))) + + ;; Make sure we don't retain a reference to the + ;; bootstrap Perl. + (substitute* "malloc/mtrace.pl" + (("^#!.*") + ;; The shebang can be omitted, because there's the + ;; "bilingual" eval/exec magic at the top of the file. + "") + (("exec @PERL@") + "exec perl"))))) (add-after 'install 'augment-libc.so (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out"))) -- cgit 1.4.1 From c90fd5564cf67f75e28276129d37a0d9128cadda Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 17 May 2017 07:28:09 -0400 Subject: gnu: qemu: Fix CVE-2017-7493. * gnu/packages/patches/qemu-CVE-2017-7493.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/qemu-CVE-2017-7493.patch | 182 ++++++++++++++++++++++++++ gnu/packages/qemu.scm | 1 + 3 files changed, 184 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2017-7493.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index c560c71725..2da002b379 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -939,6 +939,7 @@ dist_patch_DATA = \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ + %D%/packages/patches/qemu-CVE-2017-7493.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-7493.patch b/gnu/packages/patches/qemu-CVE-2017-7493.patch new file mode 100644 index 0000000000..67b26fad81 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-7493.patch @@ -0,0 +1,182 @@ +Fix CVE-2017-7493: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b + +From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 5 May 2017 14:48:08 +0200 +Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) + +When using the mapped-file security mode, we shouldn't let the client mess +with the metadata. The current code already tries to hide the metadata dir +from the client by skipping it in local_readdir(). But the client can still +access or modify it through several other operations. This can be used to +escalate privileges in the guest. + +Affected backend operations are: +- local_mknod() +- local_mkdir() +- local_open2() +- local_symlink() +- local_link() +- local_unlinkat() +- local_renameat() +- local_rename() +- local_name_to_path() + +Other operations are safe because they are only passed a fid path, which +is computed internally in local_name_to_path(). + +This patch converts all the functions listed above to fail and return +EINVAL when being passed the name of the metadata dir. This may look +like a poor choice for errno, but there's no such thing as an illegal +path name on Linux and I could not think of anything better. + +This fixes CVE-2017-7493. + +Reported-by: Leo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +--- + hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 56 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index f3ebca4f7a..a2486566af 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) + return telldir(fs->dir.stream); + } + ++static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) ++{ ++ return !strcmp(name, VIRTFS_META_DIR); ++} ++ + static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) + { + struct dirent *entry; +@@ -465,8 +470,8 @@ again: + if (ctx->export_flags & V9FS_SM_MAPPED) { + entry->d_type = DT_UNKNOWN; + } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { +- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { +- /* skp the meta data directory */ ++ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { ++ /* skip the meta data directory */ + goto again; + } + entry->d_type = DT_UNKNOWN; +@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + /* + * Mark all the open to not follow symlinks + */ +@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, + int ret = -1; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, odirpath); + if (odirfd == -1) { + goto out; +@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, + static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + const char *name, V9fsPath *target) + { ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + } else if (strcmp(name, "/")) { +@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, + int ret; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ (local_is_mapped_file_metadata(ctx, old_name) || ++ local_is_mapped_file_metadata(ctx, new_name))) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, olddir->data); + if (odirfd == -1) { + return -1; +@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, + int ret; + int dirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(ctx, dir->data); + if (dirfd == -1) { + return -1; +-- +2.13.0 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 30b9908aa0..0734b6d0f7 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -74,6 +74,7 @@ (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2017-7493.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) -- cgit 1.4.1 From 56a03975eb287796128e80feb6799bc07f4b8185 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 17 May 2017 16:10:48 +0200 Subject: gnu: aspell: 'dict-dir' set to ~/.guix-profile/lib/aspell or $ASPELL_DICT_DIR. See for background. * gnu/packages/patches/aspell-default-dict-dir.patch: New file. * gnu/packages/aspell.scm (aspell)[source](patches): New field. [native-search-paths]: New field. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/aspell.scm | 18 +++++++++++++++--- gnu/packages/patches/aspell-default-dict-dir.patch | 20 ++++++++++++++++++++ 3 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/aspell-default-dict-dir.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 2da002b379..ca26bcd812 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -499,6 +499,7 @@ dist_patch_DATA = \ %D%/packages/patches/antiword-CVE-2014-8123.patch \ %D%/packages/patches/apr-skip-getservbyname-test.patch \ %D%/packages/patches/artanis-fix-Makefile.in.patch \ + %D%/packages/patches/aspell-default-dict-dir.patch \ %D%/packages/patches/ath9k-htc-firmware-binutils.patch \ %D%/packages/patches/ath9k-htc-firmware-gcc.patch \ %D%/packages/patches/ath9k-htc-firmware-objcopy.patch \ diff --git a/gnu/packages/aspell.scm b/gnu/packages/aspell.scm index 06ba2ce472..509d428f64 100644 --- a/gnu/packages/aspell.scm +++ b/gnu/packages/aspell.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès ;;; Copyright © 2015, 2016 Alex Kost ;;; Copyright © 2016 John Darrington ;;; Copyright © 2016 Efraim Flashner @@ -26,6 +26,7 @@ #:use-module (guix download) #:use-module (guix build-system gnu) #:use-module (guix licenses) + #:use-module (gnu packages) #:use-module (gnu packages perl) #:use-module (gnu packages base)) @@ -40,7 +41,8 @@ version ".tar.gz")) (sha256 (base32 - "1qgn5psfyhbrnap275xjfrzppf5a83fb67gpql0kfqv37al869gm")))) + "1qgn5psfyhbrnap275xjfrzppf5a83fb67gpql0kfqv37al869gm")) + (patches (search-patches "aspell-default-dict-dir.patch")))) (build-system gnu-build-system) (arguments `(#:phases @@ -53,6 +55,15 @@ '("ASPELL_CONF" "" = ("${ASPELL_CONF:-\"dict-dir ${GUIX_PROFILE:-$HOME/.guix-profile}/lib/aspell\"}"))))))))) (inputs `(("perl" ,perl))) + + (native-search-paths + ;; This is a Guix-specific environment variable that takes a single + ;; entry, not an actual search path. + (list (search-path-specification + (variable "ASPELL_DICT_DIR") + (separator #f) + (files '("lib/aspell"))))) + (home-page "http://aspell.net/") (synopsis "Spell checker") (description @@ -66,7 +77,8 @@ dictionaries, including personal ones.") ;;; Dictionaries. ;;; ;;; Use 'export ASPELL_CONF="dict-dir $HOME/.guix-profile/lib/aspell"' to use -;;; them. +;;; them, or set the Guix-specific 'ASPELL_DICT_DIR', or just do nothing (as +;;; long as 'HOME' is set, that's fine!). ;;; (define* (aspell-dictionary dict-name full-name diff --git a/gnu/packages/patches/aspell-default-dict-dir.patch b/gnu/packages/patches/aspell-default-dict-dir.patch new file mode 100644 index 0000000000..17a6ff606f --- /dev/null +++ b/gnu/packages/patches/aspell-default-dict-dir.patch @@ -0,0 +1,20 @@ +This patch changes the default value of 'dict-dir' to correspond +to ~/.guix-profile/lib/aspell rather than $prefix/lib/aspell-X.Y. + +This is not strictly necessary for the 'aspell' program itself since +one can simply set "ASPELL_CONF=dict-dir $HOME/.guix-profile/lib/aspell". +However it is necessary for applications that use libaspell since +'ASPELL_CONF' is not honored in this case. See . + +--- a/common/config.cpp ++++ b/common/config.cpp +@@ -1349,6 +1349,9 @@ namespace acommon { + # define REPL ".aspell..prepl" + #endif + ++#undef DICT_DIR ++#define DICT_DIR "<$ASPELL_DICT_DIR|home-dir/.guix-profile/lib/aspell>" ++ + static const KeyInfo config_keys[] = { + // the description should be under 50 chars + {"actual-dict-dir", KeyInfoString, "", 0} -- cgit 1.4.1 From a6c642ef63012508f755a1329aa66e4b09da72b5 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 13 May 2017 20:44:36 -0400 Subject: maint: The 'release' target builds a VM image. * gnu/system/examples/vm-image.tmpl: New file. * Makefile.am (GUIXSD_VM_SYSTEMS, GUIXSD_VM_IMAGE_BASE, GUIXSD_VM_IMAGE_SIZE): New variables. (release): Add logic to build a VM image. (EXAMPLES): Add 'gnu/system/examples/vm-image.tmpl'. * doc/guix.texi (Running GuixSD in a VM, Installing GuixSD in a VM): Mention the pre-built VM image. --- Makefile.am | 27 +++++++++++++++++++- doc/guix.texi | 29 +++++++++++++-------- gnu/system/examples/vm-image.tmpl | 53 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+), 12 deletions(-) create mode 100644 gnu/system/examples/vm-image.tmpl (limited to 'gnu') diff --git a/Makefile.am b/Makefile.am index b90f419b14..c2fc2642a7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5,6 +5,7 @@ # Copyright © 2016 Mathieu Lirzin # Copyright © 2016, 2017 Mark H Weaver # Copyright © 2017 Mathieu Othacehe +# Copyright © 2017 Leo Famulari # # This file is part of GNU Guix. # @@ -224,7 +225,8 @@ AUX_FILES = \ EXAMPLES = \ gnu/system/examples/bare-bones.tmpl \ gnu/system/examples/desktop.tmpl \ - gnu/system/examples/lightweight-desktop.tmpl + gnu/system/examples/lightweight-desktop.tmpl \ + gnu/system/examples/vm-image.tmpl GOBJECTS = $(MODULES:%.scm=%.go) guix/config.go $(dist_noinst_DATA:%.scm=%.go) @@ -572,12 +574,21 @@ BINARY_TARBALLS = \ # Systems supported by GuixSD. GUIXSD_SUPPORTED_SYSTEMS ?= x86_64-linux i686-linux +# Systems for which we build GuixSD VMs. +GUIXSD_VM_SYSTEMS ?= x86_64-linux + # Prefix of the GuixSD installation image file name. GUIXSD_IMAGE_BASE = guixsd-usb-install-$(PACKAGE_VERSION) +# Prefix of the GuixSD VM image file name. +GUIXSD_VM_IMAGE_BASE = guixsd-vm-image-$(PACKAGE_VERSION) + # Size of the installation image (for x86_64 typically). GUIXSD_INSTALLATION_IMAGE_SIZE ?= 950MiB +# Size of the VM image (for x86_64 typically). +GUIXSD_VM_IMAGE_SIZE ?= 2GiB + # The release process works in several phases: # # 0. We assume the developer created a 'vX.Y' tag. @@ -632,6 +643,20 @@ release: dist mv "$(releasedir)/$(GUIXSD_IMAGE_BASE).$$system.xz.tmp" \ "$(releasedir)/$(GUIXSD_IMAGE_BASE).$$system.xz" ; \ done + for system in $(GUIXSD_VM_SYSTEMS) ; do \ + image=`$(top_builddir)/pre-inst-env \ + guix system vm-image \ + --system=$$system \ + --image-size=$(GUIXSD_VM_IMAGE_SIZE) \ + gnu/system/examples/vm-image.tmpl` ; \ + if [ ! -f "$$image" ] ; then \ + echo "failed to produced GuixSD VM image for $$system" >&2 ; \ + exit 1 ; \ + fi ; \ + xz < "$$image" > "$(releasedir)/$(GUIXSD_VM_IMAGE_BASE).$$system.xz.tmp" ; \ + mv "$(releasedir)/$(GUIXSD_VM_IMAGE_BASE).$$system.xz.tmp" \ + "$(releasedir)/$(GUIXSD_VM_IMAGE_BASE).$$system.xz" ; \ + done @echo @echo "Congratulations! All the release files are now in $(releasedir)." @echo diff --git a/doc/guix.texi b/doc/guix.texi index 7baf6ee38a..3523937030 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -7634,8 +7634,11 @@ good. @subsection Installing GuixSD in a Virtual Machine @cindex virtual machine, GuixSD installation -If you'd like to install GuixSD in a virtual machine (VM) rather than on -your beloved machine, this section is for you. +@cindex virtual private server (VPS) +@cindex VPS (virtual private server) +If you'd like to install GuixSD in a virtual machine (VM) or on a +virtual private server (VPS) rather than on your beloved machine, this +section is for you. To boot a @uref{http://qemu.org/,QEMU} VM for installing GuixSD in a disk image, follow these steps: @@ -15693,17 +15696,21 @@ example graph. @subsection Running GuixSD in a Virtual Machine @cindex virtual machine -One way to run GuixSD in a virtual machine (VM) is to build a GuixSD -virtual machine image using @command{guix system vm-image} -(@pxref{Invoking guix system}). The returned image is in qcow2 format, -which the @uref{http://qemu.org/, QEMU emulator} can efficiently use. +To run GuixSD in a virtual machine (VM), one can either use the +pre-built GuixSD VM image distributed at +@indicateurl{ftp://alpha.gnu.org/guix/guixsd-vm-image-@value{VERSION}.@var{system}.tar.xz} +, or build their own virtual machine image using @command{guix system +vm-image} (@pxref{Invoking guix system}). The returned image is in +qcow2 format, which the @uref{http://qemu.org/, QEMU emulator} can +efficiently use. @cindex QEMU -To run the image in QEMU, copy it out of the store (@pxref{The Store}) -and give yourself permission to write to the copy. When invoking QEMU, -you must choose a system emulator that is suitable for your hardware -platform. Here is a minimal QEMU invocation that will boot the result -of @command{guix system vm-image} on x86_64 hardware: +If you built your own image, you must copy it out of the store +(@pxref{The Store}) and give yourself permission to write to the copy +before you can use it. When invoking QEMU, you must choose a system +emulator that is suitable for your hardware platform. Here is a minimal +QEMU invocation that will boot the result of @command{guix system +vm-image} on x86_64 hardware: @example $ qemu-system-x86_64 \ diff --git a/gnu/system/examples/vm-image.tmpl b/gnu/system/examples/vm-image.tmpl new file mode 100644 index 0000000000..57ac71c535 --- /dev/null +++ b/gnu/system/examples/vm-image.tmpl @@ -0,0 +1,53 @@ +;;; This is an operating system configuration template for a "bare-bones" setup, +;;; suitable for booting in a virtualized environment, including virtual private +;;; servers (VPS). + +(use-modules (gnu)) +(use-package-modules bootloaders disk nvi) + +(define vm-image-motd (plain-file "motd" " +This is the GNU system. Welcome! + +This instance of GuixSD is a bare-bones template for virtualized environments. + +You will probably want to do these things first if you booted in a virtual +private server (VPS): + +* Set a password for 'root'. +* Set up networking. +* Expand the root partition to fill the space available by 0) deleting and +recreating the partition with fdisk, 1) reloading the partition table with +partprobe, and then 2) resizing the filesystem with resize2fs.\n")) + +(operating-system + (host-name "gnu") + (timezone "Etc/UTC") + (locale "en_US.utf8") + + ;; Assuming /dev/sdX is the target hard disk, and "my-root" is + ;; the label of the target root file system. + (bootloader (grub-configuration (device "/dev/sda") + (terminal-outputs '(console)))) + (file-systems (cons (file-system + (device "my-root") + (title 'label) + (mount-point "/") + (type "ext4")) + %base-file-systems)) + + ;; This is where user accounts are specified. The "root" + ;; account is implicit, and is initially created with the + ;; empty password. + (users %base-user-accounts) + + ;; Globally-installed packages. + (packages (cons* nvi fdisk + grub ; mostly so xrefs to its manual work + parted ; partprobe + %base-packages)) + + (services (modify-services %base-services + (login-service-type config => + (login-configuration + (inherit config) + (motd vm-image-motd)))))) -- cgit 1.4.1 From e13b55ae797c8da2b06811d25e21abd173295b8d Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 17 May 2017 13:36:17 +0200 Subject: services: openssh: Don't depend on networking. * gnu/services/ssh.scm (openssh-shepherd-service): Drop requirement. --- gnu/services/ssh.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9917c311c7..2a6c8d45c2 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -385,7 +385,7 @@ The other options should be self-descriptive." (list (shepherd-service (documentation "OpenSSH server.") - (requirement '(networking syslogd)) + (requirement '(syslogd)) (provision '(ssh-daemon)) (start #~(make-forkexec-constructor #$openssh-command #:pid-file #$pid-file)) -- cgit 1.4.1 From f3f8938fe0c07d221ebccdf5a9a0029fda01f036 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Mon, 17 Apr 2017 22:49:23 +0200 Subject: install: Enable SSH in installation image. * gnu/system/install.scm (%installation-services): Add OPENSSH-SERVICE-TYPE. * doc/guix.texi (Preparing for Installation)[Networking]: Document it. --- doc/guix.texi | 14 +++++++++++++- gnu/system/install.scm | 12 ++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) (limited to 'gnu') diff --git a/doc/guix.texi b/doc/guix.texi index 3523937030..12fc806e17 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -36,7 +36,8 @@ Copyright @copyright{} 2017 Federico Beffa@* Copyright @copyright{} 2017 Carlo Zancanaro@* Copyright @copyright{} 2017 Thomas Danckaert@* Copyright @copyright{} 2017 humanitiesNerd@* -Copyright @copyright{} 2017 Christopher Allan Webber +Copyright @copyright{} 2017 Christopher Allan Webber@* +Copyright @copyright{} 2017 Marius Bakke Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -7452,6 +7453,17 @@ ping -c 3 gnu.org Setting up network access is almost always a requirement because the image does not contain all the software and tools that may be needed. +@cindex installing over SSH +If you want to, you can continue the installation remotely by starting +an SSH server: + +@example +herd start ssh-daemon +@end example + +Make sure to either set a password with @command{passwd}, or configure +OpenSSH public key authentication before logging in. + @subsubsection Disk Partitioning Unless this has already been done, the next step is to partition, and diff --git a/gnu/system/install.scm b/gnu/system/install.scm index 191ccf1680..9a6febfeba 100644 --- a/gnu/system/install.scm +++ b/gnu/system/install.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Andreas Enge +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,6 +26,7 @@ #:use-module (guix monads) #:use-module ((guix store) #:select (%store-prefix)) #:use-module (gnu services shepherd) + #:use-module (gnu services ssh) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu packages bootloaders) @@ -262,6 +264,16 @@ You have been warned. Thanks for being so brave. ;; To facilitate copy/paste. (gpm-service) + ;; Add an SSH server to facilitate remote installs. + (service openssh-service-type + (openssh-configuration + (port-number 22) + (permit-root-login #t) + ;; The root account is passwordless, so make sure + ;; a password is set before allowing logins. + (allow-empty-passwords? #f) + (password-authentication? #t))) + ;; Since this is running on a USB stick with a unionfs as the root ;; file system, use an appropriate cache configuration. (nscd-service (nscd-configuration -- cgit 1.4.1 From 51fe9cd38d4d64b5fade8a899d5323da0e217d5c Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 18 May 2017 10:08:55 +0200 Subject: services: user-homes: Do not create home directories marked as no-create. Fixes a bug whereby GuixSD would create the /nonexistent directory, from user 'nobody', even though it has 'create-home-directory?' set to #f. * gnu/build/activation.scm (activate-users+groups): Add comment for \#:create-home?. (activate-user-home)[ensure-user-home]: Skip when CREATE-HOME? is #f or SYSTEM? is #t. * gnu/tests/base.scm (run-basic-test)["no extra home directories"]: New tests. --- gnu/build/activation.scm | 9 ++++++++- gnu/tests/base.scm | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index beee56d437..a1d2a9cc7d 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -227,7 +227,11 @@ numeric gid or #f." #:supplementary-groups supplementary-groups #:comment comment #:home home + + ;; Home directories of non-system accounts are created by + ;; 'activate-user-home'. #:create-home? (and create-home? system?) + #:shell shell #:password password) @@ -282,7 +286,10 @@ they already exist." (match-lambda ((name uid group supplementary-groups comment home create-home? shell password system?) - (unless (or (not home) (directory-exists? home)) + ;; The home directories of system accounts are created during + ;; activation, not here. + (unless (or (not home) (not create-home?) system? + (directory-exists? home)) (let* ((pw (getpwnam name)) (uid (passwd:uid pw)) (gid (passwd:gid pw))) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 37aab8ef67..e5ac320b74 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -199,6 +199,28 @@ info --version") ',users+homes)) marionette))) + (test-equal "no extra home directories" + '() + + ;; Make sure the home directories that are not supposed to be + ;; created are indeed not created. + (let ((nonexistent + '#$(filter-map (lambda (user) + (and (not + (user-account-create-home-directory? + user)) + (user-account-home-directory user))) + (operating-system-user-accounts os)))) + (marionette-eval + `(begin + (use-modules (srfi srfi-1)) + + ;; Note: Do not flag "/var/empty". + (filter file-exists? + ',(remove (cut string-prefix? "/var/" <>) + nonexistent))) + marionette))) + (test-equal "login on tty1" "root\n" (begin -- cgit 1.4.1 From c383dc520f4b71bcb99115768bfafa00df85f9d1 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 19 May 2017 10:50:20 +0200 Subject: gnu: guile-ssh: Fix potential double-free/use-after-free issue. Fixes . Reported by Mark H Weaver . * gnu/packages/patches/guile-ssh-double-free.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (guile-ssh)[source](patches): Add it. --- gnu/local.mk | 1 + gnu/packages/patches/guile-ssh-double-free.patch | 37 ++++++++++++++++++++++++ gnu/packages/ssh.scm | 3 +- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/guile-ssh-double-free.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index ca26bcd812..f1a3cf6dba 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -651,6 +651,7 @@ dist_patch_DATA = \ %D%/packages/patches/guile-relocatable.patch \ %D%/packages/patches/guile-rsvg-pkgconfig.patch \ %D%/packages/patches/guile-ssh-rexec-bug.patch \ + %D%/packages/patches/guile-ssh-double-free.patch \ %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch \ %D%/packages/patches/gtk2-respect-GUIX_GTK2_IM_MODULE_FILE.patch \ %D%/packages/patches/gtk2-theme-paths.patch \ diff --git a/gnu/packages/patches/guile-ssh-double-free.patch b/gnu/packages/patches/guile-ssh-double-free.patch new file mode 100644 index 0000000000..9692b81d39 --- /dev/null +++ b/gnu/packages/patches/guile-ssh-double-free.patch @@ -0,0 +1,37 @@ +Fix a double-free or use-after-free issue with Guile-SSH used +with Guile 2.2. See . + +diff --git a/libguile-ssh/channel-type.c b/libguile-ssh/channel-type.c +index 3dd641f..0839854 100644 +--- a/libguile-ssh/channel-type.c ++++ b/libguile-ssh/channel-type.c +@@ -229,10 +229,11 @@ ptob_close (SCM channel) + ssh_channel_free (ch->ssh_channel); + } + ++ SCM_SETSTREAM (channel, NULL); ++ + #if USING_GUILE_BEFORE_2_2 + scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); + scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); +- SCM_SETSTREAM (channel, NULL); + + return 0; + #endif +diff --git a/libguile-ssh/sftp-file-type.c b/libguile-ssh/sftp-file-type.c +index 8879924..f87cf03 100644 +--- a/libguile-ssh/sftp-file-type.c ++++ b/libguile-ssh/sftp-file-type.c +@@ -224,10 +224,11 @@ ptob_close (SCM sftp_file) + sftp_close (fd->file); + } + ++ SCM_SETSTREAM (sftp_file, NULL); ++ + #if USING_GUILE_BEFORE_2_2 + scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); + scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); +- SCM_SETSTREAM (sftp_file, NULL); + + return 1; + #endif diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 6a074d10fa..bb1898774b 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -226,7 +226,8 @@ Additionally, various channel-specific options can be negotiated.") (sha256 (base32 "0r261i8kc3avbmbwgyzak2vnqwssjlgz37g2y2fwm80w9bmn2m7j")) - (patches (search-patches "guile-ssh-rexec-bug.patch")) + (patches (search-patches "guile-ssh-rexec-bug.patch" + "guile-ssh-double-free.patch")) (modules '((guix build utils))) (snippet ;; 'configure.ac' mistakenly tries to link files from examples/ -- cgit 1.4.1 From fd5a30ab7b999f9b1095426054b5fcdfdacddc6f Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 11 Apr 2017 10:47:38 +0200 Subject: vm: Support arbitrary partition flags. * gnu/build/vm.scm (): Change BOOTABLE? to FLAGS. (initialize-partition-table): Pass each flag to parted. (initialize-hard-disk): Locate boot partition. * gnu/system/vm.scm (qemu-image): Adjust partition flags. --- gnu/build/vm.scm | 17 ++++++++++++----- gnu/system/vm.scm | 2 +- 2 files changed, 13 insertions(+), 6 deletions(-) (limited to 'gnu') diff --git a/gnu/build/vm.scm b/gnu/build/vm.scm index 1eb9a4c45e..00d625c946 100644 --- a/gnu/build/vm.scm +++ b/gnu/build/vm.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2016 Christopher Allan Webber ;;; Copyright © 2016 Leo Famulari ;;; Copyright © 2017 Mathieu Othacehe +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -41,7 +42,7 @@ partition-size partition-file-system partition-label - partition-bootable? + partition-flags partition-initializer root-partition-initializer @@ -141,7 +142,7 @@ the #:references-graphs parameter of 'derivation'." (size partition-size) (file-system partition-file-system (default "ext4")) (label partition-label (default #f)) - (bootable? partition-bootable? (default #f)) + (flags partition-flags (default '())) (initializer partition-initializer (default (const #t)))) (define (fold2 proc seed1 seed2 lst) ;TODO: factorize @@ -168,9 +169,10 @@ actual /dev name based on DEVICE." (cons* "mkpart" "primary" "ext2" (format #f "~aB" offset) (format #f "~aB" (+ offset (partition-size part))) - (if (partition-bootable? part) - `("set" ,(number->string index) "boot" "on") - '()))) + (append-map (lambda (flag) + (list "set" (number->string index) + (symbol->string flag) "on")) + (partition-flags part)))) (define (options partitions offset) (let loop ((partitions partitions) @@ -300,6 +302,11 @@ in PARTITIONS, and using BOOTCFG as its bootloader configuration file. Each partition is initialized by calling its 'initializer' procedure, passing it a directory name where it is mounted." + + (define (partition-bootable? partition) + "Return the first partition found with the boot flag set." + (member 'boot (partition-flags partition))) + (let* ((partitions (initialize-partition-table device partitions)) (root (find partition-bootable? partitions)) (target "/fs")) diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm index 2c8b954c80..71bc55d7d8 100644 --- a/gnu/system/vm.scm +++ b/gnu/system/vm.scm @@ -229,7 +229,7 @@ the image." (* 10 (expt 2 20)))) (label #$file-system-label) (file-system #$file-system-type) - (bootable? #t) + (flags '(boot)) (initializer initialize))))) (initialize-hard-disk "/dev/vda" #:partitions partitions -- cgit 1.4.1 From 03119da21172c0c969b23596bec72b8383f7584e Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 6 May 2017 22:53:58 +0200 Subject: vm: Support creating FAT partitions. * gnu/build/vm.scm (create-ext-file-system, create-fat-file-system): New procedures. (format-partition): Use them. Error for unknown file systems. * gnu/system/vm.scm (qemu-image): Include DOSFSTOOLS. * gnu/system/linux-initrd.scm (base-initrd): Always add nls_is8859-1.ko. --- gnu/build/vm.scm | 30 ++++++++++++++++++++++++++---- gnu/system/linux-initrd.scm | 4 +--- gnu/system/vm.scm | 2 +- 3 files changed, 28 insertions(+), 8 deletions(-) (limited to 'gnu') diff --git a/gnu/build/vm.scm b/gnu/build/vm.scm index 00d625c946..ef8dcc315f 100644 --- a/gnu/build/vm.scm +++ b/gnu/build/vm.scm @@ -213,10 +213,10 @@ actual /dev name based on DEVICE." (define MS_BIND 4096) ; again! -(define* (format-partition partition type - #:key label) - "Create a file system TYPE on PARTITION. If LABEL is true, use that as the -volume name." +(define* (create-ext-file-system partition type + #:key label) + "Create an ext-family filesystem of TYPE on PARTITION. If LABEL is true, +use that as the volume name." (format #t "creating ~a partition...\n" type) (unless (zero? (apply system* (string-append "mkfs." type) "-F" partition @@ -225,6 +225,28 @@ volume name." '()))) (error "failed to create partition"))) +(define* (create-fat-file-system partition + #:key label) + "Create a FAT filesystem on PARTITION. The number of File Allocation Tables +will be determined based on filesystem size. If LABEL is true, use that as the +volume name." + (format #t "creating FAT partition...\n") + (unless (zero? (apply system* "mkfs.fat" partition + (if label + `("-n" ,label) + '()))) + (error "failed to create FAT partition"))) + +(define* (format-partition partition type + #:key label) + "Create a file system TYPE on PARTITION. If LABEL is true, use that as the +volume name." + (cond ((string-prefix? "ext" type) + (create-ext-file-system partition type #:label label)) + ((or (string-prefix? "fat" type) (string= "vfat" type)) + (create-fat-file-system partition #:label label)) + (else (error "Unsupported file system.")))) + (define (initialize-partition partition) "Format PARTITION, a object with a non-#f 'device' field, mount it, run its initializer, and unmount it." diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm index dfe198e43e..3a5e76034a 100644 --- a/gnu/system/linux-initrd.scm +++ b/gnu/system/linux-initrd.scm @@ -268,6 +268,7 @@ loaded at boot time in the order in which they appear." "usbhid" "hid-generic" "hid-apple" ;keyboards during early boot "dm-crypt" "xts" "serpent_generic" "wp512" ;for encrypted root partitions "nvme" ;for new SSD NVMe devices + "nls_iso8859-1" ;for `mkfs.fat`, et.al ,@(if (string-match "^(x86_64|i[3-6]86)-" (%current-system)) '("pata_acpi" "pata_atiixp" ;for ATA controllers "isci") ;for SAS controllers like Intel C602 @@ -281,9 +282,6 @@ loaded at boot time in the order in which they appear." ,@(if (find (file-system-type-predicate "9p") file-systems) virtio-9p-modules '()) - ,@(if (find (file-system-type-predicate "vfat") file-systems) - '("nls_iso8859-1") - '()) ,@(if (find (file-system-type-predicate "btrfs") file-systems) '("btrfs") '()) diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm index 71bc55d7d8..2110ce68bb 100644 --- a/gnu/system/vm.scm +++ b/gnu/system/vm.scm @@ -201,7 +201,7 @@ the image." (guix build utils)) (let ((inputs - '#$(append (list qemu parted grub e2fsprogs) + '#$(append (list qemu parted grub e2fsprogs dosfstools) (map canonical-package (list sed grep coreutils findutils gawk)) (if register-closures? (list guix) '()))) -- cgit 1.4.1 From 6520904b3e79a5f59bd681931d0ae72783e43eee Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 7 May 2017 15:31:30 +0200 Subject: vm: Add UEFI loader to disk images. * gnu/build/vm.scm (install-efi): New procedure. (initialize-hard-disk): Generate EFI blob when ESP is present. * gnu/system/vm.scm (qemu-image): Append 40MiB EFI System Partition. (cherry picked from commit ecf5d5376979fadd971559367bf553df89fcc62b) --- gnu/build/vm.scm | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ gnu/system/vm.scm | 20 ++++++++++++++++--- 2 files changed, 77 insertions(+), 3 deletions(-) (limited to 'gnu') diff --git a/gnu/build/vm.scm b/gnu/build/vm.scm index ef8dcc315f..7147ce1993 100644 --- a/gnu/build/vm.scm +++ b/gnu/build/vm.scm @@ -27,6 +27,7 @@ #:use-module (gnu build linux-boot) #:use-module (gnu build install) #:use-module (guix records) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:use-module (srfi srfi-1) @@ -315,9 +316,38 @@ SYSTEM-DIRECTORY is the name of the directory of the 'system' derivation." (mkdir-p directory) (symlink bootcfg (string-append directory "/grub.cfg")))) +(define (install-efi grub esp config-file) + "Write a self-contained GRUB EFI loader to the mounted ESP using CONFIG-FILE." + (let* ((system %host-type) + ;; Hard code the output location to a well-known path recognized by + ;; compliant firmware. See "3.5.1.1 Removable Media Boot Behaviour": + ;; http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf + (grub-mkstandalone (string-append grub "/bin/grub-mkstandalone")) + (efi-directory (string-append esp "/EFI/BOOT")) + ;; Map grub target names to boot file names. + (efi-targets (cond ((string-prefix? "x86_64" system) + '("x86_64-efi" . "BOOTX64.EFI")) + ((string-prefix? "i686" system) + '("i386-efi" . "BOOTIA32.EFI")) + ((string-prefix? "armhf" system) + '("arm-efi" . "BOOTARM.EFI")) + ((string-prefix? "aarch64" system) + '("arm64-efi" . "BOOTAA64.EFI"))))) + ;; grub-mkstandalone requires a TMPDIR to prepare the firmware image. + (setenv "TMPDIR" esp) + + (mkdir-p efi-directory) + (unless (zero? (system* grub-mkstandalone "-O" (car efi-targets) + "-o" (string-append efi-directory "/" + (cdr efi-targets)) + ;; Graft the configuration file onto the image. + (string-append "boot/grub/grub.cfg=" config-file))) + (error "failed to create GRUB EFI image")))) + (define* (initialize-hard-disk device #:key grub.cfg + (grub-efi #f) (partitions '())) "Initialize DEVICE as a disk containing all the objects listed in PARTITIONS, and using BOOTCFG as its bootloader configuration file. @@ -329,8 +359,13 @@ passing it a directory name where it is mounted." "Return the first partition found with the boot flag set." (member 'boot (partition-flags partition))) + (define (partition-esp? partition) + "Return the first EFI System Partition." + (member 'esp (partition-flags partition))) + (let* ((partitions (initialize-partition-table device partitions)) (root (find partition-bootable? partitions)) + (esp (find partition-esp? partitions)) (target "/fs")) (unless root (error "no bootable partition specified" partitions)) @@ -342,6 +377,31 @@ passing it a directory name where it is mounted." (mount (partition-device root) target (partition-file-system root)) (install-grub grub.cfg device target) + (when esp + ;; Mount the ESP somewhere and install GRUB UEFI image. + (let ((mount-point (string-append target "/boot/efi")) + (grub-config (string-append target "/tmp/grub-standalone.cfg"))) + (display "mounting EFI system partition...\n") + (mkdir-p mount-point) + (mount (partition-device esp) mount-point + (partition-file-system esp)) + + ;; Create a tiny configuration file telling the embedded grub + ;; where to load the real thing. + (call-with-output-file grub-config + (lambda (port) + (format port + "insmod part_msdos~@ + search --set=root --label gnu-disk-image~@ + configfile /boot/grub/grub.cfg~%"))) + + (display "creating EFI firmware image...") + (install-efi grub-efi mount-point grub-config) + (display "done.\n") + + (delete-file grub-config) + (umount mount-point))) + ;; Register GRUB.CFG as a GC root. (register-grub.cfg-root target grub.cfg) diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm index 2110ce68bb..c40bb4c436 100644 --- a/gnu/system/vm.scm +++ b/gnu/system/vm.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2016 Christopher Allan Webber ;;; Copyright © 2016 Leo Famulari ;;; Copyright © 2017 Mathieu Othacehe +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -226,14 +227,27 @@ the image." #:system-directory #$os-derivation)) (partitions (list (partition (size #$(- disk-image-size - (* 10 (expt 2 20)))) + (* 50 (expt 2 20)))) (label #$file-system-label) (file-system #$file-system-type) (flags '(boot)) - (initializer initialize))))) + (initializer initialize)) + ;; Append a small EFI System Partition for + ;; use with UEFI bootloaders. + (partition + ;; The standalone grub image is about 10MiB, but + ;; leave some room for custom or multiple images. + (size (* 40 (expt 2 20))) + (label "GNU-ESP") ;cosmetic only + ;; Use "vfat" here since this property is used + ;; when mounting. The actual FAT-ness is based + ;; on filesystem size (16 in this case). + (file-system "vfat") + (flags '(esp)))))) (initialize-hard-disk "/dev/vda" #:partitions partitions - #:grub.cfg #$grub-configuration) + #:grub.cfg #$grub-configuration + #:grub-efi #$grub-efi) (reboot))))) #:system system #:make-disk-image? #t -- cgit 1.4.1 From 429046e9dd38a8cd9e569172f2f23dce3d61cbf3 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 19 May 2017 23:36:56 +0200 Subject: system: Use Guile 2.2 rather than 2.0 in %BASE-PACKAGES. * gnu/system.scm (%base-packages): Change GUILE-2.0 to GUILE-2.2. --- gnu/system.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/system.scm b/gnu/system.scm index f9a0da9a75..2fab394d23 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -494,7 +494,7 @@ explicitly appear in OS." ;; The packages below are also in %FINAL-INPUTS, so take them from ;; there to avoid duplication. (map canonical-package - (list guile-2.0 bash coreutils-8.27 findutils grep sed + (list guile-2.2 bash coreutils-8.27 findutils grep sed diffutils patch gawk tar gzip bzip2 xz lzip)))) (define %default-issue -- cgit 1.4.1 From 6a9defd7474f0e8b0f9030de60b1241a551ad403 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 May 2017 20:26:58 -0400 Subject: gnu: dropbear: Update to 2017.75 [fixes CVE-2017-{9078,9079}]. * gnu/packages/ssh.scm (dropbear): Update to 2017.75. --- gnu/packages/ssh.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index bb1898774b..b01a94f871 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -380,7 +380,7 @@ especially over Wi-Fi, cellular, and long-distance links.") (define-public dropbear (package (name "dropbear") - (version "2016.74") + (version "2017.75") (source (origin (method url-fetch) (uri (string-append @@ -388,7 +388,7 @@ especially over Wi-Fi, cellular, and long-distance links.") name "-" version ".tar.bz2")) (sha256 (base32 - "14c8f4gzixf0j9fkx68jgl85q7b05852kk0vf09gi6h0xmafl817")))) + "1309cm2aw62n9m3h38prvgsqr8bj85hfasgnvwkd42cp3k5ivg3c")))) (build-system gnu-build-system) (arguments `(#:tests? #f)) ; There is no "make check" or anything similar (inputs `(("zlib" ,zlib))) -- cgit 1.4.1 From 7dccad95b62871af048dd2d337579424f07595f2 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 May 2017 18:31:48 -0400 Subject: gnu: icedtea@2: Update to 2.6.10 [security fixes]. Fixes CVE-2017-{3509,3511,3512,3514,3526,3533,3539,3544}. * gnu/packages/java.scm (icedtea-7): Update to 2.6.10. --- gnu/packages/java.scm | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 4a381b6a1c..85f2bb975f 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -341,12 +341,12 @@ build process and its dependencies, whereas Make uses Makefile format.") (license license:asl2.0))) (define-public icedtea-7 - (let* ((version "2.6.9") + (let* ((version "2.6.10") (drop (lambda (name hash) (origin (method url-fetch) (uri (string-append - "http://icedtea.classpath.org/download/drops/" + "http://icedtea.classpath.org/download/drops" "/icedtea7/" version "/" name ".tar.bz2")) (sha256 (base32 hash)))))) (package @@ -359,7 +359,7 @@ build process and its dependencies, whereas Make uses Makefile format.") version ".tar.xz")) (sha256 (base32 - "1slmajiakq7sk137vgqq9c93r5s620a46lw2jwbnzxhysjw3wkwf")) + "0am945k2zqrka2xn7lb5grmkad4lwncnhnwk8iq6f269birzsj8w")) (modules '((guix build utils))) (snippet '(substitute* "Makefile.in" @@ -770,25 +770,25 @@ build process and its dependencies, whereas Make uses Makefile format.") (native-inputs `(("openjdk-src" ,(drop "openjdk" - "08a4d1sg5m9l99lc7gafc7dmzmf4d8jvij5pffxv8rf6pk7psk24")) + "02klsxp9hlf5sial6mxpiq53hmrhlrg6x774j7bjjfhb7hpdvadh")) ("corba-drop" ,(drop "corba" - "12br49cfrqgvms0bnaij7fvnakvb6q8dlpqja64rg5q5r3x4gps8")) + "1vbly6khri241xda05gnwkpf2fk41d96ls96ximi084mx0a3w5rd")) ("jaxp-drop" ,(drop "jaxp" - "07v2y3pll6z2wma94qilgffwyn2n4jna01mrhqwkb27whfpjfkmz")) + "0s8zln64vdwdxwlw1vpfzm8xbpyhgsv3nqjmnv7y36qpsszg27a5")) ("jaxws-drop" ,(drop "jaxws" - "18rw64jjpq14v56d0q1xvz8knl0kf02rcday7fvlaxrbbj19km55")) + "0myd66bv8ib8krzgqv754bc564rd8xwpwabvf7my1apyb86vap3n")) ("jdk-drop" ,(drop "jdk" - "1ig7xipi3vzm6cphy5fdraxi72p27xsg2qb51yqx9qwsmlrv1zj4")) + "10b4lfv10vba07zblw0wii7mhrfhf32pf7410x5nz2q0smgszl2h")) ("langtools-drop" ,(drop "langtools" - "0sn9qv9nnhaan2smbhrv54lfhwsjhgd3b3h736p5d2hzpw8kicry")) + "0lvncxb5qzrlqkflrnd0l8vwy155cwj1jb07rkq10z2vx0bq7lq2")) ("hotspot-drop" ,(drop "hotspot" - "16ijxy8br8dla339m4i90wr9xpf7s8z3nrhfyxm7jahr8injpzyl")) + "0q6mdgbbd3681y3n0z1v783irdjhhi73z6sn5csczpyhjm318axb")) ("ant" ,ant) ("attr" ,attr) ("autoconf" ,autoconf) -- cgit 1.4.1 From a588e34e0defcb5fde48570cf3a304cb942bf743 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 20 May 2017 21:28:20 +0200 Subject: vm: Increase default disk size to account for ESP partition. Fixes a test regression introduced by ecf5d5376979fadd971559367bf553df89fcc62b. * gnu/system/vm.scm (system-qemu-image/shared-store-script): 30MiB -> 70MiB. --- gnu/system/vm.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm index c40bb4c436..f01f68fbd3 100644 --- a/gnu/system/vm.scm +++ b/gnu/system/vm.scm @@ -485,7 +485,7 @@ with '-virtfs' options for the host file systems listed in SHARED-FS." (mappings '()) full-boot? (disk-image-size - (* (if full-boot? 500 30) + (* (if full-boot? 500 70) (expt 2 20)))) "Return a derivation that builds a script to run a virtual machine image of OS that shares its store with the host. -- cgit 1.4.1 From 324499184a13e8f27d9805d5db2b133380e69bfe Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 01:07:17 +0200 Subject: gnu: unionfs-fuse-static: Remove 'unionfsctl' executable. This avoids pulling in glibc & co. Fixes a regression introduced in 2f861edf5cf5118ad560737343312c9a5efe5b2f (the 'unionfsctl' executable did not exist in unionfs-fuse 0.26). * gnu/packages/linux.scm (unionfs-fuse/static)[arguments] : Remove 'unionfsctl' binary. --- gnu/packages/linux.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 7bb26c72f5..cd2c833e39 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1568,7 +1568,12 @@ UnionFS-FUSE additionally supports copy-on-write.") (exe (string-append out "/bin/unionfs"))) ;; By default, 'unionfs' keeps references to ;; $glibc/share/locale and similar stuff. Remove them. - (remove-store-references exe))) + (remove-store-references exe) + + ;; 'unionfsctl' has references to glibc as well. Since + ;; we don't need it, remove it. + (delete-file (string-append out "/bin/unionfsctl")) + #t)) %standard-phases))) (inputs `(("fuse" ,fuse-static))))) -- cgit 1.4.1 From 9d0c24d1be393d14bddd031e910b1d0e51156f58 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 11:56:29 +0200 Subject: tests: ssh: Use 'guile2.0-ssh'. Fixes a regression introduced in 4d8806c3d662c74e6d48d0f0d6ce423fce9a3a08. * gnu/tests/ssh.scm (run-ssh-test): Use GUILE2.0-SSH instead of GUILE-SSH. --- gnu/tests/ssh.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm index 02931e982a..5f06151081 100644 --- a/gnu/tests/ssh.scm +++ b/gnu/tests/ssh.scm @@ -51,7 +51,7 @@ When SFTP? is true, run an SFTP server test." (eval-when (expand load eval) ;; Prepare to use Guile-SSH. (set! %load-path - (cons (string-append #$guile-ssh "/share/guile/site/" + (cons (string-append #+guile2.0-ssh "/share/guile/site/" (effective-version)) %load-path))) -- cgit 1.4.1 From a6d728b7aaee09892b0b420d07ed2dbb7de5e63f Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 16:58:53 +0200 Subject: gnu: guix: Update to 0.13.0. --- gnu/packages/package-management.scm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index ceaf51b676..76dc9adf2e 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -72,9 +72,9 @@ ;; Latest version of Guix, which may or may not correspond to a release. ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. - (let ((version "0.12.0") - (commit "ce92d269fea0a2bfac0ac20414f77127d2f07500") - (revision 11)) + (let ((version "0.13.0") + (commit "df671177f854da26bb171d9d5e9a6990024107a0") + (revision 0)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "17l9r2mdzzv8vfxb3bc5zkdqkl472q979iwsarp7lcqss1jxys7w")) + "1j4b2aki7sc28bl7nahcmb02dmj4wa5g6myvc68p03rgv25cqw1d")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1 From e9c53359e71f23e24acbb0637b58c70a73289c61 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 16:59:04 +0200 Subject: gnu: guix: Update to a6d728b. --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 76dc9adf2e..246d2539d6 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -73,8 +73,8 @@ ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "0.13.0") - (commit "df671177f854da26bb171d9d5e9a6990024107a0") - (revision 0)) + (commit "a6d728b7aaee09892b0b420d07ed2dbb7de5e63f") + (revision 1)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "1j4b2aki7sc28bl7nahcmb02dmj4wa5g6myvc68p03rgv25cqw1d")) + "1nrskyk8z6w5i9cdfh5zxfgsrqf744sb30ssqi2g5xhijwagr1yq")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1