Hi Florian,

"pelzflorian (Florian Pelz)" <pelzflor...@pelzflorian.de> wrote:
> 32476 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 32477
> [...]
> 32477 mount("//lib", "/tmp/guix-exec-eqHoYA/lib", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)
> 32477 mkdir("/tmp/guix-exec-eqHoYA/home", 0700) = 0
> 32477 mount("//home", "/tmp/guix-exec-eqHoYA/home", 0x47e0c5, MS_RDONLY|MS_BIND|MS_REC, NULL) = -1 EACCES (Permission denied)

This is weird. On a machine without Guix and with “proper” user namespace support, I see:

--8<---------------cut here---------------start------------->8---
4519 clone(child_stack=0, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = 4520
[...]
4520 mkdir("/tmp/guix-exec-4lVNRO/tmp", 0700) = 0
4520 mount("//tmp", "/tmp/guix-exec-4lVNRO/tmp", 0x47e0cc, MS_RDONLY|MS_BIND|MS_REC, NULL) = 0
4520 mkdir("/tmp/guix-exec-4lVNRO/boot", 0700) = 0
4520 mount("//boot", "/tmp/guix-exec-4lVNRO/boot", 0x47e0cc, MS_RDONLY|MS_BIND|MS_REC, NULL) = 0
--8<---------------cut here---------------end--------------->8---

That is, all bind-mount operations in the child process, which lives in a separate namespace, succeed.

Can you show the mount options of your root file system?

  mount | grep 'on / '

What’s the exit code of this command:

  guile -c '((@@ (guix scripts environment) assert-container-features))'

?

Thanks for helping out!

Ludo’.
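The steps the two straces compare (new user + mount namespace, then a read-only recursive bind mount) can be probed stand-alone, which helps separate "user namespaces are disabled" from "the bind mount itself is refused". The probe below is an added example, not Guix's `assert-container-features` nor any code from this thread; it assumes a Linux host with `/proc` mounted and reports the errno of the first step that fails.

```c
/* Added probe, not Guix code: can an unprivileged user create a user+mount
 * namespace and read-only bind-mount / into it, modelled on the mount()
 * calls in the straces above?  Returns 0 on success, else -errno of the
 * first failing step (e.g. -EPERM when user namespaces are disabled). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Runs in a forked child so the caller's own namespaces stay untouched. */
static int child_probe(void)
{
    char map[64], dir[] = "/tmp/probe-exec-XXXXXX";   /* constructed path */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return errno;
    /* Map ourselves to uid/gid 0 inside the namespace; setgroups is denied first. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if (write_file("/proc/self/uid_map", map) < 0) return errno;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
    if (write_file("/proc/self/gid_map", map) < 0) return errno;
    if (!mkdtemp(dir)) return errno;
    /* Same flags as the mount() calls in the straces above. */
    int rc = mount("/", dir, NULL, MS_RDONLY | MS_BIND | MS_REC, NULL) < 0 ? errno : 0;
    if (rc == 0) umount2(dir, MNT_DETACH);
    rmdir(dir);
    return rc;
}

int probe_container_features(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(child_probe());
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -EINVAL;
}
```

A result of -EACCES from the mount step with a successful namespace setup would match Florian's trace, while -EPERM at the first step points at user namespaces being unavailable to unprivileged users.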