From unknown Sat Aug 16 15:55:59 2025
From: bug#77900 <77900@debbugs.gnu.org>
To: bug#77900 <77900@debbugs.gnu.org>
Subject: Status: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Date: Sat, 16 Aug 2025 22:55:59 +0000

retitle 77900 Unprivileged guix-daemon fails to build in Docker/relocatable pack
reassign 77900 guix
submitter 77900 Ludovic Courtès
severity 77900 normal
thanks

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 18 10:24:42 2025
From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Organization: Inria
Date: Fri, 18 Apr 2025 16:23:42 +0200
Message-ID: <87h62lv98x.fsf@inria.fr>
When running guix-daemon unprivileged in Docker (or, similarly, in a
‘guix pack -R’ relocatable pack), it fails to spawn the build process:

--8<---------------cut here---------------start------------->8---
ludo@fencepost:~/packs/guix$ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
^Z
[1]+  Stopped                 GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
ludo@fencepost:~/packs/guix$ bg
[1]+ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon &
ludo@fencepost:~/packs/guix$ GUIX_DAEMON_SOCKET=$HOME/var/daemon-socket/socket ./bin/guix build guile-bootstrap --no-substitutes
accepted connection from pid 19182, user ludo
The following derivation will be built:
  /gnu/store/d9gcqaq0mag354svxsdpkvr8swdqsny8-guile-bootstrap-2.0.drv
guix build: error: cannot create process in unprivileged user namespace: Operation not permitted
--8<---------------cut here---------------end--------------->8---

The clone(2) man page lists two reasons for getting EPERM with
CLONE_NEWUSER:

       EPERM  CLONE_NEWUSER was specified in the flags mask, but either the
              effective user ID or the effective group ID of the caller does
              not have a mapping in the parent namespace (see
              user_namespaces(7)).

       EPERM (since Linux 3.9)
              CLONE_NEWUSER was specified in the flags mask and the caller is
              in a chroot environment (i.e., the caller's root directory does
              not match the root directory of the mount namespace in which it
              resides).

Ludo’.
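As an added example (not part of this bug report, and not Guix's own code), here is a small C probe that tries to create a user namespace in a child process and maps the outcome back to the causes this thread names: the two clone(2) man-page reasons for EPERM quoted above, and a container seccomp profile answering EPERM for CLONE_NEWUSER (the SCMP_CMP_MASKED_EQ rule David describes later in the thread, modelled by `docker_clone_rule_denies`). It assumes Linux with glibc and a working fork(); the function names and the KILLED_BASE encoding are this example's own.

```c
/* Added example (not part of bug#77900 or of Guix): probe whether this
 * environment lets an unprivileged process create a user namespace and
 * explain the result.  Assumptions: Linux, glibc, fork() available.
 * probe_user_namespace, explain_newuser_result and
 * docker_clone_rule_denies are names chosen for this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag value from clone(2); the thread quotes it as 0x10000000. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* probe_user_namespace() returns 0 on success, a positive errno if
 * unshare(CLONE_NEWUSER) failed (or fork/waitpid failed), or
 * KILLED_BASE + signal number if the child was killed outright, which
 * is what a seccomp rule with a kill action (rather than Docker's
 * SCMP_ACT_ERRNO) would produce. */
#define KILLED_BASE 1000

int probe_user_namespace(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;            /* cannot fork: report that errno instead */
    if (pid == 0) {
        /* Child: try to enter a fresh user namespace.  The raw syscall
         * avoids depending on glibc's unshare() declaration. */
        if (syscall(SYS_unshare, CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno & 0xff);     /* Linux errno values fit in an exit status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (WIFSIGNALED(status))
        return KILLED_BASE + WTERMSIG(status);
    return WEXITSTATUS(status);
}

/* Interpretation of a probe result, following the causes named in the
 * thread: the two clone(2) reasons for EPERM plus a seccomp profile. */
const char *explain_newuser_result(int result)
{
    switch (result) {
    case 0:
        return "user namespace created: unprivileged guix-daemon can isolate builds here";
    case EPERM:
        return "EPERM: no uid/gid mapping in the parent namespace, caller is chrooted, "
               "or a seccomp profile (e.g. Docker's default) denies CLONE_NEWUSER";
    case EINVAL:
        return "EINVAL: kernel without user namespace support or flags rejected";
    case ENOSPC:
    case EUSERS:
        return "namespace limit reached (user.max_user_namespaces or nesting depth)";
    default:
        if (result >= KILLED_BASE)
            return "child killed by a signal: a seccomp rule with a kill action, not EPERM";
        return "unexpected errno from unshare(CLONE_NEWUSER)";
    }
}

/* Model of the SCMP_CMP_MASKED_EQ rule: clone() is allowed only when
 * (flags & mask) == 0, otherwise the profile returns EPERM.  The real
 * default.json masks several CLONE_NEW* flags; this example uses only
 * CLONE_NEWUSER, the flag discussed in the thread. */
int docker_clone_rule_denies(unsigned long clone_flags, unsigned long mask)
{
    return (clone_flags & mask) != 0;
}

int main(void)
{
    int r = probe_user_namespace();
    printf("unshare(CLONE_NEWUSER) -> %d: %s\n", r, explain_newuser_result(r));
    printf("seccomp rule would deny clone(CLONE_NEWUSER|SIGCHLD): %d\n",
           docker_clone_rule_denies(CLONE_NEWUSER | SIGCHLD, CLONE_NEWUSER));
    return 0;
}
```

Run it inside the container or relocatable pack in question: a result of 0 means the daemon's user-namespace isolation can work there, while EPERM with a uid mapping present and no chroot points at the container runtime's seccomp profile rather than at the kernel.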
From debbugs-submit-bounces@debbugs.gnu.org Mon Jul 07 15:11:22 2025
From: David Elsing
To: Ludovic Courtès
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <87h62lv98x.fsf@inria.fr>
Date: Mon, 07 Jul 2025 19:10:54 +0000
Message-ID: <86wm8j4y0x.fsf@posteo.net>
Cc: 77900@debbugs.gnu.org

Hello,

Ludovic Courtès writes:

> When running guix-daemon unprivileged in Docker (or, similarly, in a
> ‘guix pack -R’ relocatable pack), it fails to spawn the build process:
> [...]
> The clone(2) man page lists two reasons for getting EPERM with
> CLONE_NEWUSER:

I'm not sure about `guix pack -R', but I think in the default Docker
seccomp profile, the unshare system call [1] requires CAP_SYS_ADMIN,
otherwise EPERM is also returned. I just tested the Docker seccomp
profile with podman, and indeed the unshare command fails because the
unshare system call returns EPERM. Maybe you can try with
"--security-opt=seccomp=unconfined"?
Best,
David

[1] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 08 12:36:37 2025
From: Ludovic Courtès
To: David Elsing
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <86wm8j4y0x.fsf@posteo.net> (David Elsing's message of "Mon, 07 Jul 2025 19:10:54 +0000")
Organization: Inria
Date: Tue, 08 Jul 2025 10:08:50 +0200
Message-ID: <878qkznlyl.fsf@inria.fr>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hi David,

Cc: Reepca.

David Elsing writes:

> Ludovic Courtès writes:
>
>> When running guix-daemon unprivileged in Docker (or, similarly, in a
>> ‘guix pack -R’ relocatable pack), it fails to spawn the build process:
>> [...]
>> The clone(2) man page lists two reasons for getting EPERM with
>> CLONE_NEWUSER:
>
> I'm not sure about `guix pack -R', but I think in the default Docker
> seccomp profile, the unshare system call [1] requires CAP_SYS_ADMIN,
> otherwise EPERM is also returned. I just tested the Docker seccomp
> profile with podman, and indeed the unshare command fails because the
> unshare system call returns EPERM. Maybe you can try with
> "--security-opt=seccomp=unconfined"?

Oh I see, thanks for chiming in.

I don’t actually use podman and Docker but I think it would be nice if
the unprivileged guix-daemon would work out of the box in these
environments, particularly in CI environments like GitLab-CI where
passing ‘--security-opt=seccomp=unconfined’ is not an option.

We can ‘unshare’ only once, to lock the mounts inside the build
environment.
If that’s the only issue, we could add a command-line option to
disable that or perhaps even detect that we’re in such an environment
and disable it automatically.

WDYT?

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 08 16:15:33 2025
From: David Elsing
To: Ludovic Courtès
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable
 pack
In-Reply-To: <878qkznlyl.fsf@inria.fr>
Date: Tue, 08 Jul 2025 20:15:20 +0000
Message-ID: <86tt3m4exz.fsf@posteo.net>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hello,

Ludovic Courtès writes:

> I don’t actually use podman and Docker but I think it would be nice if
> the unprivileged guix-daemon would work out of the box in these
> environments, particularly in CI environments like GitLab-CI where
> passing ‘--security-opt=seccomp=unconfined’ is not an option.

Is it not working using `--disable-chroot'? I don't think the isolated
build environment is possible when `unshare' is not allowed and the UID
is not 0 (except by using something like PRoot), right?

> We can ‘unshare’ only once, to lock the mounts inside the build
> environment. If that’s the only issue, we could add a command-line
> option to disable that or perhaps even detect that we’re in such an
> environment and disable it automatically.

Ah no, user namespaces can be nested (with a maximum depth of 32), or
maybe I'm misunderstanding what you mean? It is just a bit slow to bind
mount all directories (and files) in "/" in order to add (or replace)
the store, so I added an environment variable inside the chroot in [1].
Cheers,
David

[1] https://codeberg.org/guix/guix/issues/1054

From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 11 03:35:25 2025
From: Ludovic Courtès
To: David Elsing
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <86tt3m4exz.fsf@posteo.net> (David Elsing's message of "Tue, 08 Jul 2025 20:15:20 +0000")
Organization: Inria
Date: Fri, 11 Jul 2025 09:34:47 +0200
Message-ID: <87zfdbb2p4.fsf@inria.fr>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hi,

David Elsing writes:

> Ludovic Courtès writes:
>
>> I don’t actually use podman and Docker but I think it would be nice if
>> the unprivileged guix-daemon would work out of the box in these
>> environments, particularly in CI environments like GitLab-CI where
>> passing ‘--security-opt=seccomp=unconfined’ is not an option.
>
> Is it not working using `--disable-chroot'?

It is:

  https://blog.josefsson.org/2024/12/18/guix-container-images-for-gitlab-ci-cd/

But it’s unsatisfactory: I would hope the unprivileged daemon would
allow us to address that shortcoming.

> I don't think the isolated build environment is possible when
> `unshare' is not allowed and the UID is not 0 (except by using
> something like PRoot), right?

What I meant is that there’s only one ‘unshare’ call, which is necessary
from a security viewpoint but not from a functional viewpoint. Offering
an option to skip it in contexts where the tradeoff is acceptable could
help maybe?

Thanks,
Ludo’.
From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 11 10:12:51 2025
From: David Elsing
To: Ludovic Courtès
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <87zfdbb2p4.fsf@inria.fr>
Date:
 Fri, 11 Jul 2025 14:12:39 +0000
Message-ID: <86qzym4y0a.fsf@posteo.net>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hi,

Ludovic Courtès writes:

> But it’s unsatisfactory: I would hope the unprivileged daemon would
> allow us to address that shortcoming.

Yes it does, as long as the needed syscalls are not restricted. I'm not
sure when this will change with Docker [1].

>> I don't think the isolated build environment is possible when
>> `unshare' is not allowed and the UID is not 0 (except by using
>> something like PRoot), right?
>
> What I meant is that there’s only one ‘unshare’ call, which is necessary
> from a security viewpoint but not from a functional viewpoint. Offering
> an option to skip it in contexts where the tradeoff is acceptable could
> help maybe?

Ah sorry, I was conflating `unshare` and `clone`. The default Docker
seccomp profile [2] of course also blocks (among other flags)
CLONE_NEWUSER (0x10000000) for the `clone` syscall without
CAP_SYS_ADMIN, using SCMP_CMP_MASKED_EQ. This also leads to EPERM being
returned.
Best,
David

[1] https://github.com/moby/moby/issues/42441
[2] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 15 05:45:18 2025
From: Ludovic Courtès
To: David Elsing
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <86qzym4y0a.fsf@posteo.net> (David Elsing's message of "Fri, 11 Jul 2025 14:12:39 +0000")
Organization: Inria
Date: Tue, 15 Jul 2025 11:36:42 +0200
Message-ID: <87y0sp23th.fsf@inria.fr>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hi,

David Elsing writes:

> Ludovic Courtès writes:
>
>> But it’s unsatisfactory: I would hope the unprivileged daemon would
>> allow us to address that shortcoming.
>
> Yes it does, as long as the needed syscalls are not restricted. I'm not
> sure when this will change with Docker [1].
>
>>> I don't think the isolated build environment is possible when
>>> `unshare' is not allowed and the UID is not 0 (except by using
>>> something like PRoot), right?
>>
>> What I meant is that there’s only one ‘unshare’ call, which is necessary
>> from a security viewpoint but not from a functional viewpoint. Offering
>> an option to skip it in contexts where the tradeoff is acceptable could
>> help maybe?
>
> Ah sorry, I was conflating `unshare` and `clone`. The default Docker
> seccomp profile [2] of course also blocks (among other flags)
> CLONE_NEWUSER (0x10000000) for the `clone` syscall without
> CAP_SYS_ADMIN, using SCMP_CMP_MASKED_EQ. This also leads to EPERM being
> returned.

Oh OK.
> [1] https://github.com/moby/moby/issues/42441
> [2] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

So hmm, it looks like in practice we’re left with no choice but to keep
using ‘--disable-chroot’ in Docker?

Do you happen to know what people running Docker-in-Docker (or similar)
do?

Thanks,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Thu Jul 17 13:09:14 2025
From: David Elsing
To: Ludovic Courtès
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
In-Reply-To: <87y0sp23th.fsf@inria.fr>
Date: Thu, 17 Jul 2025 17:09:02 +0000
Message-ID: <7yldompwwi.fsf@posteo.net>
Cc: 77900@debbugs.gnu.org, Reepca Russelstein

Hi,

Ludovic Courtès writes:

> So hmm, it looks like in practice we’re left with no choice but to keep
> using ‘--disable-chroot’ in Docker?

Without unprivileged user namespaces being allowed, the situation hasn't
changed I think.

> Do you happen to know what people running Docker-in-Docker (or similar)
> do?

No, but I found this [1] and this [2], so using `--privileged` (or at
least allowing unprivileged user namespaces) seems to be necessary.

Cheers,
David

[1] https://docs.docker.com/engine/security/rootless/#rootless-docker-in-docker
[2] https://github.com/moby/moby/issues/22139