With the recent changes to guix's `least-authority-wrapper` we can no longer write to the root filesystem ("/"). That is not much of a problem.
So I tried adding `#:directory (dirname gn-doc-git-checkout)` to the `make-forkexec-constructor` for the `gn-guile-shepherd-service` and that actually changes the working directory of the process, as I would expect.
In `genenetwork-activation` I add:
;; setup correct ownership for gn-docs
(for-each (lambda (file)
(chown file
(passwd:uid (getpw "genenetwork"))
(passwd:gid (getpw "genenetwork"))))
(find-files #$(dirname gn-doc-git-checkout)
#:directories? #t))
which, ideally, should change ownership of the parent directory of the bare git checkout for "gn-docs" when we build/start the container. This does not happen — the directory is still owned by root.
My thinking goes, the "genenetwork" user[1] is not yet created at the point when the activation[2] is run, leading to the service failing to start.
The reason I think this, is because, when I do:
fredm@tux04:/...$ sudo guix container exec <container-pid> /run/current-system/profile/bin/bash --login root@genenetwork-gn2-fred /# chown -R genenetwork:genenetwork /var/lib/genenetwork/ root@genenetwork-gn2-fred /# chown -R genenetwork:genenetwork /var/lib/genenetwork/
The bound directory's permissions change, and we can now enable and start the service:
root@genenetwork-gn2-fred /# herd enable gn-guile root@genenetwork-gn2-fred /# herd start gn-guile
which starts the service as expected. We can also simply restart the entire container at this point, and it works too.
This issue is fixed, with newer Guix and changes that @bonz did to the gn-machines repo.