Hello, Ludovic Courtès <[email protected]> writes:
> When running guix-daemon unprivileged in Docker (or, similarly, in a
> ‘guix pack -R’ relocatable pack), it fails to spawn the build process:
> [...]
> The clone(2) man page lists two reasons for getting EPERM with
> CLONE_NEWUSER:

I'm not sure about `guix pack -R', but I think in the default Docker
seccomp profile, the unshare system call [1] requires CAP_SYS_ADMIN;
otherwise EPERM is also returned.

I just tested the Docker seccomp profile with podman, and indeed the
unshare command fails because the unshare system call returns EPERM.

Maybe you can try with "--security-opt=seccomp=unconfined"?

Best,
David

[1] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
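
The two sources of EPERM discussed in this thread (a seccomp filter answering the syscall with SCMP_ACT_ERRNO, versus the kernel itself refusing CLONE_NEWUSER) look identical to the caller. The small diagnostic below is an added example, not code from the thread, from Guix or from Docker: it calls unshare(CLONE_NEWUSER) directly, reads the "Seccomp:" field of /proc/self/status (2 means a filter is installed, as it is under Docker's default profile) and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone sysctl where present, and prints a best guess at which mechanism produced the error. Running it inside the container with and without "--security-opt=seccomp=unconfined" and comparing the output is the check David suggests, made explicit. The classification strings and the heuristic in explain() are this example's own assumptions, not kernel or Docker documentation.

```c
/* Added diagnostic (not from the thread): does unshare(CLONE_NEWUSER) fail
 * here, and if so, is a seccomp filter the likely reason? */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* value from <linux/sched.h> */
#endif
int unshare(int flags);  /* glibc prototype, repeated in case _GNU_SOURCE was not seen first */

/* Parse the "Seccomp:" field out of /proc/self/status text.
 * 0 = disabled, 1 = strict, 2 = filter (BPF, what container runtimes install).
 * Returns -1 when the field is absent (kernel built without seccomp). */
static int parse_seccomp_mode(const char *status)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Seccomp:", 8) == 0) {
            p += 8;
            while (*p == ' ' || *p == '\t') p++;
            return (int)strtol(p, NULL, 10);
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

static int read_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

/* Read a single integer from a /proc/sys file; -1 if the file does not exist. */
static long read_proc_long(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Attempt to create a user namespace; return 0 on success, else errno. */
static int try_unshare_userns(void)
{
    if (unshare(CLONE_NEWUSER) == 0) return 0;
    return errno;
}

/* Heuristic classification (this example's assumption, not an authoritative rule).
 * Pure function so the mapping can be unit-tested without privileges. */
static const char *explain(int err, int seccomp_mode, long userns_clone_sysctl)
{
    if (err == 0) return "unshare(CLONE_NEWUSER) succeeded";
    if (err != EPERM) return "unshare failed with an errno other than EPERM";
    if (userns_clone_sysctl == 0)
        return "EPERM: kernel.unprivileged_userns_clone is 0, unprivileged user namespaces are disabled";
    if (seccomp_mode == 2)
        return "EPERM with a seccomp filter installed: likely the runtime's seccomp profile (retry with --security-opt=seccomp=unconfined)";
    return "EPERM without seccomp: the kernel itself refused CLONE_NEWUSER (see clone(2) EPERM causes)";
}

int main(void)
{
    int err = try_unshare_userns();
    int mode = read_seccomp_mode();
    long sysctl = read_proc_long("/proc/sys/kernel/unprivileged_userns_clone");
    printf("unshare(CLONE_NEWUSER): %s (errno %d)\n", err ? strerror(err) : "ok", err);
    printf("Seccomp mode: %d, kernel.unprivileged_userns_clone: %ld\n", mode, sysctl);
    printf("%s\n", explain(err, mode, sysctl));
    return err ? 1 : 0;
}
```

Compile with `cc -o userns-check userns-check.c` and run it once on the host, once inside the container with the default profile, and once with "--security-opt=seccomp=unconfined"; if only the middle run reports EPERM alongside "Seccomp mode: 2", the profile rather than the kernel is the cause.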
