GNU bug report logs - #77296
Unprivileged guix-daemon doesn't work on Ubuntu 24.04

Package: guix;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Wed, 26 Mar 2025 20:33:02 UTC

Severity: normal

Tags: moreinfo


From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 77296 <at> debbugs.gnu.org
Subject: bug#77296: guix fails tests on aarch64 after rootless daemon patches
Date: Fri, 06 Jun 2025 19:06:35 +0200
Hi,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> (ins)ubuntu <at> ubuntu:~$ unshare -mrnf ifconfig lo up
> unshare: write failed /proc/self/uid_map: Operation not permitted
> (ins)ubuntu <at> ubuntu:~$ cat /etc/os-release
> PRETTY_NAME="Ubuntu 24.04.2 LTS"

It may have to do with Ubuntu’s restrictions on unprivileged user
namespaces:

  https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
  https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
  https://seclists.org/oss-sec/2025/q1/253

The solution appears to be to disable those restrictions with something like:

  sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

… or to provide a suitable AppArmor profile, as discussed for ‘guix
shell -C’:

  https://issues.guix.gnu.org/71226

Ludo’.
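The following script is an added example, not code from the bug report or from the Guix project. It probes the symptom above (the Ubuntu kernel knob that makes `unshare` fail while writing `/proc/self/uid_map`) and shows both remedies mentioned in the message: the host-wide sysctl, and a per-binary AppArmor profile that grants only the `userns` permission. The guix-daemon install path and the sysctl.d file name are assumptions; adjust them to the host.

```shell
#!/bin/sh
# Added example (not part of the bug report or of Guix): probe Ubuntu's
# AppArmor restriction on unprivileged user namespaces and show the two
# remedies discussed above. The guix-daemon path and the sysctl.d file
# name below are assumptions.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Report the kernel knob: "absent" (kernel without Ubuntu's patch),
# "restricted" (value 1) or "unrestricted" (value 0).
# Takes an optional path so it can be tested against a constructed file.
userns_restriction_state() {
    knob="${1:-$SYSCTL_PATH}"
    if [ ! -r "$knob" ]; then
        echo absent
        return
    fi
    case "$(tr -d '[:space:]' < "$knob")" in
        0) echo unrestricted ;;
        1) echo restricted ;;
        *) echo unknown ;;
    esac
}

# The actual symptom from the report: can an unprivileged process create
# a user namespace and map its own uid into it? Prints "ok" or "denied".
# (-r implies -U, the same mapping the reporter's "unshare -mrnf" needs.)
userns_self_test() {
    if unshare -Ur true 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# Remedy 1: flip the global sysctl and persist it with a sysctl.d drop-in.
# This weakens a hardening measure for every binary on the host. Run as root.
disable_userns_restriction() {
    conf="${1:-/etc/sysctl.d/60-apparmor-namespace.conf}"   # assumed name
    printf 'kernel.apparmor_restrict_unprivileged_userns = 0\n' > "$conf"
    sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
}

# Remedy 2: emit an AppArmor profile that grants only the userns permission
# to the daemon binary, leaving the host-wide restriction in place.
# Install it under /etc/apparmor.d/ and load it with apparmor_parser -r.
guix_daemon_userns_profile() {
    bin="${1:-/usr/local/bin/guix-daemon}"   # assumed install path
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile guix-daemon $bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix-daemon>
}
EOF
}

# Non-destructive status report when run directly.
echo "kernel knob: $(userns_restriction_state)"
echo "unshare -Ur: $(userns_self_test)"
```

AppArmor attaches the profile by the path the kernel resolves at exec time, so if guix-daemon is reached through a symlink chain, `bin` must be the final target. The `flags=(unconfined)` profile leaves the daemon otherwise unconfined; it only returns the `userns` permission that the kernel knob withholds from unconfined processes, which is a narrower change than disabling the sysctl for every program on the machine.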


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.