From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Organization: Inria
Date: Fri, 18 Apr 2025 16:23:42 +0200
Message-ID: <87h62lv98x.fsf@inria.fr>

When running guix-daemon unprivileged in Docker (or, similarly, in a
‘guix pack -R’ relocatable pack), it fails to spawn the build process:

--8<---------------cut here---------------start------------->8---
ludo@fencepost:~/packs/guix$ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
^Z
[1]+  Stopped                 GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
ludo@fencepost:~/packs/guix$ bg
[1]+ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon &
ludo@fencepost:~/packs/guix$ GUIX_DAEMON_SOCKET=$HOME/var/daemon-socket/socket ./bin/guix build guile-bootstrap --no-substitutes
accepted connection from pid 19182, user ludo
The following derivation will be built:
  /gnu/store/d9gcqaq0mag354svxsdpkvr8swdqsny8-guile-bootstrap-2.0.drv
guix build: error: cannot create process in unprivileged user namespace: Operation not permitted
--8<---------------cut here---------------end--------------->8---

The clone(2) man page lists two reasons for getting EPERM with
CLONE_NEWUSER:

       EPERM  CLONE_NEWUSER was specified in the flags mask, but either
              the effective user ID or the effective group ID of the
              caller does not have a mapping in the parent namespace
              (see user_namespaces(7)).

       EPERM (since Linux 3.9)
              CLONE_NEWUSER was specified in the flags mask and the
              caller is in a chroot environment (i.e., the caller's root
              directory does not match the root directory of the mount
              namespace in which it resides).

Ludo’.
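A small diagnostic for the failure reported above, added here as an example and not part of the bug report or of Guix itself: it probes unshare(CLONE_NEWUSER) from a forked child (so the caller's own namespaces are untouched) and, when the kernel answers EPERM, tests the man page's first reason (an unmapped effective UID or GID in /proc/self/uid_map and gid_map) before pointing at the chroot reason. Beyond the two reasons quoted from clone(2), a seccomp filter or a distribution sysctl can also return EPERM for this flag, which the final branch mentions; the CLONE_NEWUSER constant is assumed to be the Linux value from <linux/sched.h>.

```python
"""Diagnose EPERM from clone/unshare(CLONE_NEWUSER), as hit by an unprivileged guix-daemon."""
import ctypes
import errno
import os

CLONE_NEWUSER = 0x10000000  # assumed: the Linux value from <linux/sched.h>

def parse_id_map(text):
    """Parse /proc/<pid>/{uid,gid}_map lines ('inner outer count') into tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            ranges.append(tuple(int(f) for f in fields))
    return ranges

def id_is_mapped(text, ident):
    """True if `ident` (an id in this namespace) has a mapping in the parent namespace."""
    return any(inner <= ident < inner + count for inner, _outer, count in parse_id_map(text))

def probe_userns():
    """Try unshare(CLONE_NEWUSER) in a forked child so the caller's namespaces stay untouched.
    Returns 0 on success, otherwise the errno value the kernel reported."""
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)

def explain(err, uid_map, gid_map, euid, egid):
    """Map the clone(2) EPERM conditions onto state a caller can observe."""
    if err == 0:
        return "user namespace creation works"
    if err != errno.EPERM:
        return "failed with %s" % errno.errorcode.get(err, str(err))
    if not id_is_mapped(uid_map, euid):
        return "EPERM: effective UID %d has no mapping in the parent namespace" % euid
    if not id_is_mapped(gid_map, egid):
        return "EPERM: effective GID %d has no mapping in the parent namespace" % egid
    # Both ids are mapped, so the man page's first reason is out; what remains is the
    # chroot condition, or a policy layer (seccomp filter, sysctl) denying the flag.
    return "EPERM with UID/GID mapped: chroot condition, or seccomp/sysctl policy"

if __name__ == "__main__":
    maps = [open("/proc/self/%s_map" % kind).read() for kind in ("uid", "gid")]
    print(explain(probe_userns(), *maps, os.geteuid(), os.getegid()))
```

Run it as the same unprivileged user inside the container or relocatable pack where guix-daemon fails; the single printed line says which of the man page's conditions the observable state is consistent with.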