Hello, Ludovic Courtès <[email protected]> writes:
> I don’t actually use podman and Docker but I think it would be nice if
> the unprivileged guix-daemon would work out of the box in these
> environments, particularly in CI environments like GitLab-CI where
> passing ‘--security-opt=seccomp=unconfined’ is not an option.

Is it not working using `--disable-chroot'?  I don't think the isolated
build environment is possible when `unshare' is not allowed and the UID
is not 0 (except by using something like PRoot), right?

> We can ‘unshare’ only once, to lock the mounts inside the build
> environment.  If that’s the only issue, we could add a command-line
> option to disable that or perhaps even detect that we’re in such an
> environment and disable it automatically.

Ah no, user namespaces can be nested (with a maximum depth of 32), or
maybe I'm misunderstanding what you mean?

It is just a bit slow to bind mount all directories (and files) in "/"
in order to add (or replace) the store, so I added an environment
variable inside the chroot in [1].

Cheers,
David

[1] https://codeberg.org/guix/guix/issues/1054
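The two conditions discussed in this message (whether `unshare` is permitted at all in a container or CI job, and how deeply user namespaces can be nested) are easy to probe directly. The program below is an added example, not code from the Guix project or from either author of this thread. It forks a child that repeatedly calls `unshare(CLONE_NEWUSER)`, writes the minimal uid/gid maps the kernel requires before the next level can be created, and reports how many levels it managed. Under a seccomp profile that denies `unshare(2)` the first level fails with EPERM and the result is 0; otherwise the kernel's nesting limit (documented as 32 in user_namespaces(7)) ends the loop. The function names and the `MAX_TRIES` bound are this example's own choices, and it assumes Linux with `/proc` mounted.

```c
// Added example (not Guix project code): probe whether unprivileged user
// namespaces can be created in the current environment and how deeply
// they nest. The probe runs in a forked child so the caller's own
// namespaces are left untouched. Assumes Linux with /proc mounted.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TRIES 40  /* somewhat above the documented limit of 32 */

/* Write one short string to a file; returns 0 on success, -1 on failure. */
static int write_file(const char *path, const char *content) {
  int fd = open(path, O_WRONLY);
  if (fd < 0) return -1;
  ssize_t n = write(fd, content, strlen(content));
  int saved = errno;
  close(fd);
  errno = saved;
  return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Map our uid/gid to 0 inside the namespace we just entered. Without a
   mapping the kernel refuses to create the next nested level, because the
   creator's euid must be mapped in the parent namespace. At the first
   level the outer id is the real uid/gid; at every deeper level it is 0,
   since that is what we mapped ourselves to one level up. */
static int map_self_as_root(uid_t outer_uid, gid_t outer_gid) {
  char buf[64];
  snprintf(buf, sizeof buf, "0 %u 1", (unsigned)outer_uid);
  if (write_file("/proc/self/uid_map", buf) < 0) return -1;
  /* setgroups must be denied before an unprivileged gid_map write. */
  if (write_file("/proc/self/setgroups", "deny") < 0) return -1;
  snprintf(buf, sizeof buf, "0 %u 1", (unsigned)outer_gid);
  return write_file("/proc/self/gid_map", buf);
}

/* Child body: nest user namespaces until unshare or the mapping fails.
   Returns the number of levels successfully created and mapped. */
static int nest_until_failure(int *stop_errno) {
  uid_t outer_uid = getuid();
  gid_t outer_gid = getgid();
  int depth = 0;
  *stop_errno = 0;
  while (depth < MAX_TRIES) {
    if (unshare(CLONE_NEWUSER) < 0) { *stop_errno = errno; break; }
    if (map_self_as_root(outer_uid, outer_gid) < 0) { *stop_errno = errno; break; }
    depth++;
    outer_uid = 0;  /* from here on we are uid 0 in the parent namespace */
    outer_gid = 0;
  }
  return depth;
}

/* Entry point: fork, probe in the child, return the depth reached.
   0 means unshare(CLONE_NEWUSER) is not usable here (for example under a
   seccomp profile that denies it); -1 means the probe itself failed.
   The errno that stopped the probe is stored in *stop_errno if non-NULL. */
int probe_userns_depth(int *stop_errno) {
  int pipefd[2];
  if (pipe(pipefd) < 0) return -1;
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    int err;
    int depth = nest_until_failure(&err);
    int msg[2] = { depth, err };
    close(pipefd[0]);
    (void)write(pipefd[1], msg, sizeof msg);
    _exit(0);
  }
  close(pipefd[1]);
  int msg[2] = { 0, 0 };
  ssize_t n = read(pipefd[0], msg, sizeof msg);
  close(pipefd[0]);
  waitpid(pid, NULL, 0);
  /* A child killed before reporting (e.g. a seccomp SIGSYS action on
     unshare) is treated as "no user namespace could be created". */
  if (n != (ssize_t)sizeof msg) { msg[0] = 0; msg[1] = 0; }
  if (stop_errno) *stop_errno = msg[1];
  return msg[0];
}

int main(void) {
  int err = 0;
  int depth = probe_userns_depth(&err);
  if (depth < 0) { perror("probe"); return 1; }
  printf("nested user namespaces created: %d", depth);
  if (err) printf(" (stopped: %s)", strerror(err));
  putchar('\n');
  return 0;
}
```

Run it once on the host and once inside the container image used by the CI job: a result of 0 with EPERM inside the container is the seccomp case Ludovic describes, while a non-zero result shows how many nested levels a build can use.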
