GNU bug report logs - #77900
Unprivileged guix-daemon fails to build in Docker/relocatable pack


Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Fri, 18 Apr 2025 14:25:11 UTC

Severity: normal

Message #8 received at 77900 <at> debbugs.gnu.org (full text, mbox):

From: David Elsing <david.elsing <at> posteo.net>
To: Ludovic Courtès <ludovic.courtes <at> inria.fr>
Cc: 77900 <at> debbugs.gnu.org
Subject: Re: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Date: Mon, 07 Jul 2025 19:10:54 +0000

Hello,

Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:

> When running guix-daemon unprivileged in Docker (or, similarly, in a
> ‘guix pack -R’ relocatable pack), it fails to spawn the build process:
> [...]
> The clone(2) man page lists two reasons for getting EPERM with
> CLONE_NEWUSER:

I'm not sure about `guix pack -R', but I think in the default Docker
seccomp profile, the unshare system call [1] requires CAP_SYS_ADMIN,
otherwise EPERM is also returned. I just tested the Docker seccomp profile
with podman, and indeed the unshare command fails because the unshare
system call returns EPERM. Maybe you can try with
"--security-opt=seccomp=unconfined"?

Best,
David

[1] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
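As an added diagnostic (example code, not part of this bug report, of Guix or of Docker), the following C program reads the Seccomp: field of /proc/self/status, attempts unshare(CLONE_NEWUSER) and separates an EPERM seen while a seccomp filter is active, as with the Docker default profile discussed above, from the kernel-side EPERM causes listed in clone(2). The verdict names and the 4 KiB status buffer are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum unshare_verdict { UNSHARE_OK, SECCOMP_LIKELY, KERNEL_EPERM, NS_LIMIT, OTHER_ERR };

/* Parse the "Seccomp:" field of /proc/<pid>/status text.
 * Returns 0 (disabled), 1 (strict), 2 (filter), or -1 if the field is absent. */
int seccomp_mode_from_status(const char *status)
{
    const char *p = strstr(status, "Seccomp:");
    if (p == NULL || (p != status && p[-1] != '\n'))   /* must start a line */
        return -1;
    return atoi(p + strlen("Seccomp:"));
}

/* Combine the errno from unshare(CLONE_NEWUSER) with the seccomp mode.
 * EPERM under a filter is consistent with a container profile that returns
 * EPERM for unshare; EPERM without one points at the kernel reasons in clone(2). */
enum unshare_verdict diagnose_unshare(int err, int seccomp_mode)
{
    if (err == 0)      return UNSHARE_OK;
    if (err == EUSERS) return NS_LIMIT;      /* user-namespace limit reached */
    if (err != EPERM)  return OTHER_ERR;
    return seccomp_mode == 2 ? SECCOMP_LIKELY : KERNEL_EPERM;
}

static const char *describe(enum unshare_verdict v)
{
    switch (v) {
    case UNSHARE_OK:     return "user namespace created";
    case SECCOMP_LIKELY: return "EPERM with a seccomp filter active: consistent with the container profile denying unshare";
    case KERNEL_EPERM:   return "EPERM with no seccomp filter: check the clone(2) EPERM causes for CLONE_NEWUSER";
    case NS_LIMIT:       return "EUSERS: user-namespace limit reached (see /proc/sys/user/max_user_namespaces)";
    default:             return "unexpected error from unshare";
    }
}

int main(void)
{
    char buf[4096] = {0};                    /* /proc/self/status is well under 4 KiB */
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    int mode = seccomp_mode_from_status(buf);
    int err = unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
    printf("Seccomp mode: %d\nunshare(CLONE_NEWUSER): %s\n", mode, describe(diagnose_unshare(err, mode)));
    return err == 0 ? 0 : 1;
}
```

Running it once with the default profile and once with --security-opt=seccomp=unconfined shows whether the reported Seccomp mode and the verdict change together.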
