When running guix-daemon unprivileged in Docker (or, similarly, in a
‘guix pack -R’ relocatable pack), it fails to spawn the build process:
--8<---------------cut here---------------start------------->8---
ludo@fencepost:~/packs/guix$ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
^Z
[1]+  Stopped                 GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon
ludo@fencepost:~/packs/guix$ bg
[1]+ GUIX_STATE_DIRECTORY=$HOME/var GUIX_LOG_DIRECTORY=$HOME/var/log ./bin/guix-daemon &
ludo@fencepost:~/packs/guix$ GUIX_DAEMON_SOCKET=$HOME/var/daemon-socket/socket ./bin/guix build guile-bootstrap --no-substitutes
accepted connection from pid 19182, user ludo
The following derivation will be built:
/gnu/store/d9gcqaq0mag354svxsdpkvr8swdqsny8-guile-bootstrap-2.0.drv
guix build: error: cannot create process in unprivileged user namespace: Operation not permitted
--8<---------------cut here---------------end--------------->8---
The clone(2) man page lists two reasons for getting EPERM with
CLONE_NEWUSER:
       EPERM  CLONE_NEWUSER was specified in the flags mask, but either the
              effective user ID or the effective group ID of the caller does
              not have a mapping in the parent namespace (see
              user_namespaces(7)).

       EPERM (since Linux 3.9)
              CLONE_NEWUSER was specified in the flags mask and the caller is
              in a chroot environment (i.e., the caller's root directory does
              not match the root directory of the mount namespace in which it
              resides).
Ludo’.
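The following probe is an added example (not part of the message above nor of guix-daemon) for telling the two clone(2) EPERM causes quoted above apart from inside the container. It tries unshare(CLONE_NEWUSER) in a child, then reads /proc/self/uid_map and gid_map to see whether the effective IDs are mapped, and uses a heuristic for the chroot case: when a process is chroot'ed into a plain directory that is not a mount point, the kernel omits from /proc/self/mountinfo every mount whose mount point lies outside the process root, so no entry has "/" as its mount point. The heuristic is an assumption of this example and does not catch a chroot into a bind mount. If neither condition applies and the error is still EPERM, the kernel is not the one refusing: in my experience a seccomp filter (a container runtime's default profile) or a distribution sysctl restricting unprivileged user namespaces produces the same errno, which is worth checking next.

```c
/* userns_probe.c: added example, not code from the original message or Guix.
   Distinguish the two clone(2) EPERM causes for CLONE_NEWUSER. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if ID lies inside any "<inside> <outside> <count>" range of a
   /proc/<pid>/uid_map or gid_map text, 0 otherwise.  An empty map means
   nothing is mapped (the process then runs as the overflow ID, 65534). */
int id_is_mapped(const char *map, unsigned long id)
{
    for (const char *line = map; line != NULL && *line != '\0';) {
        unsigned long inside, outside, count;
        if (sscanf(line, "%lu %lu %lu", &inside, &outside, &count) == 3
            && id >= inside && id - inside < count)
            return 1;
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return 0;
}

/* Heuristic for the chroot condition (assumption of this example): report
   whether some /proc/self/mountinfo line has "/" as its 5th field (the mount
   point).  In a chroot into a plain, non-mount-point directory the kernel
   omits all mounts outside the process root, so no such line exists.  A
   chroot into a bind mount is NOT detected this way. */
int mountinfo_has_root(const char *text)
{
    for (const char *line = text; line != NULL && *line != '\0';) {
        char mnt[256];
        if (sscanf(line, "%*s %*s %*s %*s %255s", mnt) == 1
            && strcmp(mnt, "/") == 0)
            return 1;
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return 0;
}

/* Read a /proc file into BUF (NUL-terminated); return bytes read, 0 on error. */
static size_t slurp(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) { buf[0] = '\0'; return 0; }
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

/* Try unshare(CLONE_NEWUSER) in a child so the probe itself stays in its
   original namespace; return 0 on success or the child's errno. */
int probe_clone_newuser(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : errno);
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(void)
{
    static char buf[1 << 16];
    int err = probe_clone_newuser();
    printf("unshare(CLONE_NEWUSER): %s\n", err ? strerror(err) : "OK");
    if (err != EPERM)
        return err ? 1 : 0;

    slurp("/proc/self/uid_map", buf, sizeof buf);
    int uid_ok = id_is_mapped(buf, geteuid());
    slurp("/proc/self/gid_map", buf, sizeof buf);
    int gid_ok = id_is_mapped(buf, getegid());
    printf("euid %lu mapped: %s; egid %lu mapped: %s\n",
           (unsigned long) geteuid(), uid_ok ? "yes" : "NO (cause 1)",
           (unsigned long) getegid(), gid_ok ? "yes" : "NO (cause 1)");

    slurp("/proc/self/mountinfo", buf, sizeof buf);
    int root_ok = mountinfo_has_root(buf);
    printf("root mount visible: %s\n",
           root_ok ? "yes" : "NO (likely chroot, cause 2)");

    if (uid_ok && gid_ok && root_ok)
        puts("neither clone(2) cause applies; suspect seccomp or a sysctl");
    return 1;
}
```

Run it as the same unprivileged user inside the container or pack; the parsing helpers take the file contents as strings so they can be exercised on captured /proc output from another host as well.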