Hi, David Elsing <[email protected]> writes:
> Ludovic Courtès <[email protected]> writes:
>
>> I don’t actually use podman and Docker but I think it would be nice if
>> the unprivileged guix-daemon would work out of the box in these
>> environments, particularly in CI environments like GitLab-CI where
>> passing ‘--security-opt=seccomp=unconfined’ is not an option.
>
> Is it not working using `--disable-chroot'?

It is:

  https://blog.josefsson.org/2024/12/18/guix-container-images-for-gitlab-ci-cd/

But it’s unsatisfactory: I would hope the unprivileged daemon would allow
us to address that shortcoming.

> I don't think the isolated build environment is possible when
> `unshare' is not allowed and the UID is not 0 (except by using
> something like PRoot), right?

What I meant is that there’s only one ‘unshare’ call, which is necessary
from a security viewpoint but not from a functional viewpoint. Offering
an option to skip it in contexts where the tradeoff is acceptable could
help maybe?

Thanks,
Ludo’.
