GNU bug report logs - #77900
Unprivileged guix-daemon fails to build in Docker/relocatable pack


Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Fri, 18 Apr 2025 14:25:11 UTC

Severity: normal


From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: David Elsing <david.elsing <at> posteo.net>
Cc: 77900 <at> debbugs.gnu.org, Reepca Russelstein <reepca <at> russelstein.xyz>
Subject: bug#77900: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Date: Fri, 11 Jul 2025 09:34:47 +0200

Hi,

David Elsing <david.elsing <at> posteo.net> writes:

> Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:
>
>> I don’t actually use podman and Docker but I think it would be nice if
>> the unprivileged guix-daemon would work out of the box in these
>> environments, particularly in CI environments like GitLab-CI where
>> passing ‘--security-opt=seccomp=unconfined’ is not an option.
>
> Is it not working using `--disable-chroot'?

It is:

  https://blog.josefsson.org/2024/12/18/guix-container-images-for-gitlab-ci-cd/

But it’s unsatisfactory: I would hope the unprivileged daemon would
allow us to address that shortcoming.

> I don't think the isolated build environment is possible when
> `unshare' is not allowed and the UID is not 0 (except by using
> something like PRoot), right?

What I meant is that there’s only one ‘unshare’ call, which is necessary
from a security viewpoint but not from a functional viewpoint.  Offering
an option to skip it in contexts where the tradeoff is acceptable could
help maybe?

Thanks,
Ludo’.
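As an added illustration (not code from this bug report or from guix-daemon), the C program below probes whether the single isolating `unshare` call discussed above is permitted in the current environment, by attempting it in a throwaway child process so the caller's own namespaces are untouched, and then maps the result onto the policy choice the message raises: keep isolation whenever namespaces are available, and proceed without it only where an operator has explicitly accepted that tradeoff (the analogue of `--disable-chroot`). The function names, the `build_mode` enum and the `allow_unisolated` flag are this example's own assumptions, not daemon options.

```c
/* Added example, not guix-daemon code: probe whether the isolating
   unshare() call is permitted here, and pick a build policy from the result. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Kernel flag values, in case <sched.h> was pulled in without _GNU_SOURCE. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
extern int unshare(int flags);

/* Attempt unshare(flags) in a forked child so the caller's own namespaces
   are never changed.  Returns 0 on success, otherwise the errno the child
   saw (Linux errno values fit in an exit status), or EINTR if the child
   was killed by a signal, as a seccomp SIGSYS action would do. */
int probe_unshare(int flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(flags) == 0)
            _exit(0);
        _exit(errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return EINTR;
}

/* Hypothetical policy: these names are this example's, not daemon options. */
enum build_mode { BUILD_ISOLATED = 1, BUILD_UNISOLATED = 2, BUILD_ABORT = 3 };

/* Keep the namespace isolation whenever it is available.  Only when it is
   not, and the operator explicitly accepted the tradeoff (the analogue of
   --disable-chroot), proceed without it; otherwise refuse to build. */
enum build_mode choose_build_mode(int probe_rc, int allow_unisolated)
{
    if (probe_rc == 0)
        return BUILD_ISOLATED;
    if (allow_unisolated)
        return BUILD_UNISOLATED;
    return BUILD_ABORT;
}

int main(void)
{
    int rc = probe_unshare(CLONE_NEWUSER | CLONE_NEWNS);
    if (rc == 0)
        printf("unshare(CLONE_NEWUSER|CLONE_NEWNS): allowed\n");
    else
        printf("unshare(CLONE_NEWUSER|CLONE_NEWNS): denied (%s)\n", strerror(rc));

    /* Default to refusing rather than silently dropping isolation. */
    enum build_mode mode = choose_build_mode(rc, /* allow_unisolated= */ 0);
    printf("build mode: %s\n",
           mode == BUILD_ISOLATED ? "isolated" :
           mode == BUILD_UNISOLATED ? "unisolated (tradeoff accepted)" : "abort");
    return mode == BUILD_ABORT ? 1 : 0;
}
```

Run it inside the container image you intend to use for CI: a non-zero result names the errno the namespace creation hits there, which is exactly the condition that `--disable-chroot` currently works around by giving up isolation altogether. The default in `main` is to abort rather than fall back, so that losing the isolation is always an explicit decision.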



