GNU bug report logs - #77862
guix-daemon run as non-root sets up /etc/group incorrectly in build container

Package: guix;

Reported by: keinflue <keinflue <at> posteo.net>

Date: Thu, 17 Apr 2025 11:22:03 UTC

Severity: important

Message #67 received at 77862 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: keinflue <keinflue <at> posteo.net>, 77862 <at> debbugs.gnu.org
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in build container
Date: Fri, 06 Jun 2025 17:38:49 +0200

Hello!

Reepca Russelstein <reepca <at> russelstein.xyz> writes:

> So if you'll bear with the extreme awkwardness, we could fork a helper
> process immediately prior to calling unshare, which, upon receiving a
> notification, will initialize the parent process's user namespace.  Note
> that the naming here is going to be inverted for process ancestry and
> user namespace ancestry: the child process is in the parent user
> namespace, and the parent process is in the child user namespace.

User namespaces seem to be an infinite supply of awkwardness!

I pushed a branch that implements those changes and actually works:

  https://codeberg.org/guix/guix/pulls/452

I marked it as WIP because I’m still in the process of updating the
‘guix’ package so I can actually run all the guix-daemon system tests
and there may be some adjustments to be made, such as ensuring that
‘newgidmap’ is found both on Guix System and on Debian.

Next step would be to run the test suites of Coreutils, Go, and Python
as keinflue did but I don’t have a good setup for that.

Thanks,
Ludo’.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.