Hi everyone, I am trying to run "guix shell -C" inside another container created with "guix shell -C". I figured out that I need to take care of three aspects:
- Include the package "guix" in the outer container. - --expose=/gnu/store such that guix-in-the-container can access the store - --expose=/var/guix/daemon-socket/socket such that guix-in-the-container can connect to the daemon With those precautions, my setup works some of the time but in other conditions (which I haven't yet identified) I get the error message guix shell: error: mount: mount "none" on "/tmp/guix-directory.K4MoFR/sys": Operation not permitted when I try to run "guix shell" inside the outer container. Browsing the Guix source code, I found the probable location where this happens: in (gnu build linux-container), the procedure run-container calls (mount-file-systems root mounts #:mount-/proc? (memq 'pid namespaces) #:mount-/sys? (memq 'net namespaces)) which in turn does ;; A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in ;; the current network namespace. (when mount-/sys? (mount* "none" (scope "/sys") "sysfs" (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY))) and that looks suspect in view of my error message. But I have no idea why this happens, nor what that "network namespace" is or why it is needed. In case it matters, I use -N for the outer container (in which I use wget to fetch files), but not for the inner containers (the ones whose creation causes the error). Does anybody have an idea of the cause of the error, and ideally a solution or workaround? Finally, some background as to why I am trying to do this: my outer container runs a workflow (using good old "make"), which in turn contains rules that create containers as well. I cannot run the workflow plus all of its rules in a single container because different rules require conflicting packages. Thanks in advance, Konrad