Hi Guix,

I see that the container script generated by “guix system container” must be run as root. Looking at “initialize-user-namespace” in (gnu build linux-container) there is conditional code to be executed only when running as an unprivileged user, namely writing to /proc/pid/setgroups. This makes me think that this was originally meant to be usable without root privileges.

Without root privileges, write access to /proc/pid/* is denied. The child process here is the result of issuing a clone syscall. Why can’t the parent process write to the child’s /proc/pid/* files? Why does the parent process need to do this at all? Can’t the child process take care of writing its /proc/self/uid_map?

-- 
Ricardo
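The parent-writes-the-child's-maps pattern the message asks about, as an added C example that is not Guix's code: the child creates a user namespace with unshare(2), and the parent, which owns that namespace, writes setgroups, uid_map and gid_map through /proc/<pid>/ before letting the child continue. The names run_userns_demo and write_proc are chosen here, and the function returns -1 where unprivileged user namespaces are unavailable.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Write "text" to /proc/<pid>/<file>; 0 on success, -1 on failure. */
static int write_proc(pid_t pid, const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
/* Returns the uid the child sees in its new user namespace (0 once the maps
 * are in place), or -1 if unprivileged user namespaces are unavailable. */
int run_userns_demo(void)
{
    int go[2], back[2];           /* go: parent -> child, back: child -> parent */
    if (pipe(go) < 0 || pipe(back) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(go[1]); close(back[0]);
        char ok = unshare(CLONE_NEWUSER) == 0;  /* child creates its own user ns */
        (void)write(back[1], &ok, 1);           /* tell the parent the ns exists */
        char c; int uid = -1;
        if (ok && read(go[0], &c, 1) == 1) uid = (int)getuid();
        (void)write(back[1], &uid, sizeof uid); /* report what getuid() says */
        _exit(0);
    }
    close(go[0]); close(back[1]);
    char ok = 0; int uid = -1; char line[64];
    if (read(back[0], &ok, 1) == 1 && ok) {
        /* Unprivileged path: one line mapping our own id; setgroups must read "deny" before gid_map. */
        snprintf(line, sizeof line, "0 %d 1\n", (int)geteuid());
        ok = write_proc(pid, "setgroups", "deny") == 0 && write_proc(pid, "uid_map", line) == 0;
        snprintf(line, sizeof line, "0 %d 1\n", (int)getegid());
        ok = ok && write_proc(pid, "gid_map", line) == 0;
    }
    (void)write(go[1], "x", 1);                 /* let the child continue */
    (void)read(back[0], &uid, sizeof uid);
    waitpid(pid, NULL, 0);
    close(go[1]); close(back[0]);
    return ok ? uid : -1;
}
```

The parent may write these files because a process in the parent namespace whose effective uid owns the new namespace holds all capabilities in it; the same single-line mapping of the process's own uid is also accepted from the child on /proc/self/uid_map, which is what `unshare -r` does, while mapping any other id needs CAP_SETUID in the parent namespace or a setuid helper.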