Subject: Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces
From: yasu
To: zimoun, bug-guix@gnu.org, pgarlick@tourbillion-technology.com, Pjotr Prins
Cc: Guix Devel
Date: Mon, 07 Dec 2020 05:51:05 +0900
Message-ID: <382923d762cf018ae9d75b3408db75abf296e543.camel@yasuaki.com>
In-Reply-To: <86eek2an53.fsf@gmail.com>
References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Zimoun,

I tried as you suggested but it didn't work...
root@guix ~# echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
-bash: /etc/sysctl.d/local.conf: No such file or directory
root@guix ~# sysctl --system
root@guix ~# logout
~$ guix environment -C
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"

Now, if this posting were to be believed, I think this term kernel.unprivileged_userns_clone is specific to Debian Linux, and does not exist outside of that circle. It disables a bit of "hardening" that Debian patches into their distribution kernel. If you're not running such a kernel, it will fail and not do anything, as such a setting doesn't even exist in the mainline Linux kernel.

I wonder how this term came into Guix in the first place?

-Yasu

On Sun, 2020-12-06 at 17:56 +0100, zimoun wrote:
> Hi,
>
> Please try the recommendation. Have you tried it?
>
>   please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> As root, you just do:
>
>   echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> then “guix environment -C” should work as expected. To do the trick
> automatically with Shepherd, I do not know, but I am sure that the
> systemd equivalent
>
>   echo "kernel.unprivileged_userns_clone = 1" > /etc/sysctl.d/local.conf
>   sysctl --system
>
> seems doable with Guix System.
>
> On my system, and I need explanations if it does not work similarly on
> yours, I simply do:
>
> --8<---------------cut here---------------start------------->8---
> $ guix environment -C --ad-hoc hello -- hello
> guix environment: error: cannot create container: unprivileged user cannot create user namespaces
> guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
>
> $ su -
> Password:
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> # logout
>
> $ guix environment -C --ad-hoc hello -- hello
> Hello, world!
> --8<---------------cut here---------------end--------------->8---
>
> Hope that helps,
> simon
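Editor's note with an added example (not code from the Guix project, and not posted by anyone in this thread). Two things in the transcript above are worth separating. First, the "-bash: /etc/sysctl.d/local.conf: No such file or directory" comes from the shell redirection, not from sysctl: bash could not create the file because /etc/sysctl.d/ does not exist on that machine, so "sysctl --system" had nothing to apply. Second, there are two different kernel knobs that can produce "unprivileged user cannot create user namespaces": the Debian/Ubuntu-specific kernel.unprivileged_userns_clone that the Guix error message names, and the mainline user.max_user_namespaces limit (present since Linux 4.9; 0 forbids creating any). The script below reads both, classifies the result, prints the sysctl a root user would run, and then asks the kernel directly with util-linux's unshare(1). The two /proc paths and the example value 10000 are the editor's assumptions, not something stated in the thread.

```shell
#!/bin/sh
# Added example for this thread, not Guix project code: classify why an
# unprivileged user may be unable to create user namespaces, then probe
# the running kernel the same way "guix environment -C" would hit it.
#
# Assumptions (editor's, not from the thread):
#  - the Debian/Ubuntu-only knob is /proc/sys/kernel/unprivileged_userns_clone
#    (this file does not exist on a mainline kernel);
#  - the mainline per-user limit is /proc/sys/user/max_user_namespaces
#    (present on kernels >= 4.9; 0 forbids creating any user namespace).

# read_knob PATH: print the file's contents, or "absent" if it is not there.
read_knob() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo absent
    fi
}

# classify_userns KNOB MAXNS
#   KNOB:  value of kernel.unprivileged_userns_clone, or "absent"
#   MAXNS: value of user.max_user_namespaces, or "absent"
# Prints exactly one verdict:
#   disabled-by-debian-knob, disabled-by-max-userns, allowed, unknown
classify_userns() {
    knob=$1
    maxns=$2
    case $knob in
        0)        echo disabled-by-debian-knob; return 0 ;;
        1|absent) ;;
        *)        echo unknown; return 0 ;;
    esac
    case $maxns in
        0)            echo disabled-by-max-userns; return 0 ;;
        absent)       ;;
        ''|*[!0-9]*)  echo unknown; return 0 ;;
    esac
    if [ "$knob" = absent ] && [ "$maxns" = absent ]; then
        # Neither file exists: pre-4.9 kernel, or /proc not mounted.
        echo unknown
    else
        echo allowed
    fi
}

# remedy_for VERDICT: the sysctl a root user would run to lift the block.
# The 10000 limit is an example value, not a recommendation.
remedy_for() {
    case $1 in
        disabled-by-debian-knob) echo "sysctl -w kernel.unprivileged_userns_clone=1" ;;
        disabled-by-max-userns)  echo "sysctl -w user.max_user_namespaces=10000" ;;
        allowed)                 echo "none: user namespaces are already permitted" ;;
        *)                       echo "none known: check CONFIG_USER_NS in the kernel config" ;;
    esac
}

# probe_userns: read both knobs, classify, then try for real with
# util-linux's unshare(1), which is the ground truth for this error.
probe_userns() {
    knob=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
    maxns=$(read_knob /proc/sys/user/max_user_namespaces)
    verdict=$(classify_userns "$knob" "$maxns")
    echo "kernel.unprivileged_userns_clone: $knob"
    echo "user.max_user_namespaces:         $maxns"
    echo "verdict:                          $verdict"
    echo "remedy:                           $(remedy_for "$verdict")"
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then
            echo "unshare -U true:                  succeeded"
        else
            echo "unshare -U true:                  failed (what guix environment -C reports)"
        fi
    fi
    return 0
}

probe_userns
```

Run it as the unprivileged user that sees the error, not as root. Two caveats for whoever applies the remedy: Debian ships kernel.unprivileged_userns_clone off by default precisely because unprivileged user namespaces expose a large amount of kernel attack surface to every local user, so turning it on is a deliberate trade-off for the container feature, not a harmless fix; and on Guix System the persistent equivalent of an /etc/sysctl.d drop-in is sysctl-service-type from (gnu services sysctl) in the operating-system declaration (editor's pointer, not something the thread establishes), which is what makes the setting survive a reboot.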