GNU bug report logs - #77900
Unprivileged guix-daemon fails to build in Docker/relocatable pack
Message #14 received at 77900 <at> debbugs.gnu.org:
Hello,
Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
> I don’t actually use podman and Docker but I think it would be nice if
> the unprivileged guix-daemon would work out of the box in these
> environments, particularly in CI environments like GitLab-CI where
> passing ‘--security-opt=seccomp=unconfined’ is not an option.
Is it not working using `--disable-chroot'? I don't think the isolated
build environment is possible when `unshare' is not allowed and the UID
is not 0 (except by using something like PRoot), right?
> We can ‘unshare’ only once, to lock the mounts inside the build
> environment. If that’s the only issue, we could add a command-line
> option to disable that or perhaps even detect that we’re in such an
> environment and disable it automatically.
Ah no, user namespaces can be nested (with a maximum depth of 32), or
maybe I'm misunderstanding what you mean? It is just a bit slow to bind
mount all directories (and files) in "/" in order to add (or replace)
the store, so I added an environment variable inside the chroot in [1].
Cheers,
David
[1] https://codeberg.org/guix/guix/issues/1054
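The two points the thread turns on, whether an unprivileged process may call unshare(CLONE_NEWUSER) at all in a given container (Docker's default seccomp profile makes it fail with EPERM, as does a kernel or AppArmor policy that forbids unprivileged user namespaces) and whether user namespaces can then be nested, can be checked directly. The following is an added example, not code from this bug thread or from the guix-daemon: a small C probe that forks a child, repeatedly unshares a user namespace, and reports how deep it got and which errno stopped it. After every unshare it maps its own uid/gid to 0 in the new namespace, as `unshare -Ur` does; without that mapping the next unshare fails with EPERM because the caller's id is unmapped in what has become the parent namespace. The `MAX_PROBE` bound, the `userns_probe` struct and the function names are this example's own choices; the kernel documents a nesting limit of 32 levels.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Loop bound chosen for this example; the kernel's documented limit is 32. */
#define MAX_PROBE 40

struct userns_probe {
    int depth;       /* nested user namespaces successfully created (-1: probe itself failed) */
    int first_errno; /* errno of the call that stopped nesting, 0 if MAX_PROBE was reached */
};

static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    close(fd);
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

/* Map the id we had in the parent namespace to 0 in the namespace we just
 * entered (what `unshare -Ur` does). setgroups must be denied before an
 * unprivileged process may write gid_map. */
static int map_self_to_root(uid_t uid, gid_t gid)
{
    char buf[64];
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", buf) < 0)
        return -1;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)gid);
    return write_file("/proc/self/gid_map", buf);
}

/* Runs in a forked child so the caller's own namespaces are never changed. */
static void probe_child(int wfd)
{
    struct userns_probe r = { 0, 0 };
    while (r.depth < MAX_PROBE) {
        uid_t uid = getuid();   /* read before unshare: afterwards we are unmapped (65534) */
        gid_t gid = getgid();
        if (unshare(CLONE_NEWUSER) < 0) { r.first_errno = errno; break; }
        if (map_self_to_root(uid, gid) < 0) { r.first_errno = errno; break; }
        r.depth++;
    }
    if (write(wfd, &r, sizeof r) != (ssize_t)sizeof r)
        _exit(1);
    _exit(0);
}

struct userns_probe probe_user_namespaces(void)
{
    struct userns_probe r = { -1, 0 };
    int p[2];
    if (pipe(p) < 0) { r.first_errno = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.first_errno = errno; close(p[0]); close(p[1]); return r; }
    if (pid == 0) { close(p[0]); probe_child(p[1]); }
    close(p[1]);
    if (read(p[0], &r, sizeof r) != (ssize_t)sizeof r) { r.depth = -1; r.first_errno = EIO; }
    close(p[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    struct userns_probe r = probe_user_namespaces();
    if (r.depth < 0) {
        printf("probe failed: %s\n", strerror(r.first_errno));
        return 1;
    }
    printf("nested user namespaces reachable: %d\n", r.depth);
    if (r.depth == 0)
        printf("unshare(CLONE_NEWUSER) refused (%s): no isolated builds possible here; "
               "a daemon would have to fall back, e.g. to --disable-chroot\n",
               strerror(r.first_errno));
    else if (r.depth == 1)
        printf("one level works but nesting stops (%s)\n", strerror(r.first_errno));
    else if (r.first_errno)
        printf("nesting stopped at depth %d (%s)\n", r.depth, strerror(r.first_errno));
    return 0;
}
```

Build with `cc -Wall -o userns-probe userns-probe.c` and run it as the unprivileged user inside the container in question. A depth of 0 with EPERM is what a default Docker seccomp profile (or `kernel.unprivileged_userns_clone=0`) produces; a depth of 1 means a sandbox can be entered but not re-entered; a depth of 2 or more confirms that nesting works and only the cost of the bind mounts remains.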