From: Edouard Klein <edou@rdklein.fr>
To: help-guix@gnu.org
Subject: Systemd guix containers: unable to execute Permission denied
Message-ID: <8735te9br4.fsf@rdklein.fr>
Date: Sat, 19 Jun 2021 16:20:47 +0200

Hi,

I'm running a container using a systemd unit. This unit calls a script that
calls guix system container and calls the returned script.
When I launch this script by itself, everything works as expected. When I
launch this script with systemd, I can launch any command except as root in
the container. For example, once I get a shell in the container with guix
container exec, I can do:

    sudo -u nginx echo toto

and it will succeed when the container is launched by hand, but fail when
launched with systemd.

Any idea, even far-fetched, will be appreciated. I have a burning hatred for
systemd (not my choice) that this incident is fueling.

I've tried everything I could think of:

- activating and deactivating various systemd flags
- changing the uid of nginx to match a user on the host system
- changing the uid of nginx to avoid matching a user on the host system
- stopping nscd on the container, etc.

I'm looking into other means of achieving what I want, but this SHOULD work,
and it WOULD if it wasn't for effing systemd.

Cheers,

Edouard.
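A diagnostic for comparing the two launch modes, added here as an example and not part of Edouard's message: run it from a shell inside the container started by hand and again inside the systemd-started one (via guix container exec), then diff the two outputs. It assumes a Linux /proc is mounted in the container and, as a fallback when sudo is not on PATH, that setuid binaries live under /run/setuid-programs as on Guix System (an assumption about the container layout); it reports the process flags, setuid bit and mount options that decide whether sudo can raise privileges, without claiming which one differs here.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Run it inside the container
# started by hand and inside the one started by systemd, then diff the output.
# Assumptions: Linux /proc mounted in the container; POSIX sh, sed, grep;
# Guix System keeps setuid binaries under /run/setuid-programs (fallback path).

# Print one field of a /proc/<pid>/status text (e.g. Uid, NoNewPrivs, CapBnd).
status_field() {
    printf '%s\n' "$2" | sed -n "/^$1:/{s/^[^:]*:[[:space:]]*//;p;q;}"
}

# Name the process-level settings that stop a setuid binary such as sudo from
# gaining privileges on exec: the no_new_privs flag (systemd NoNewPrivileges=)
# and an all-zero capability bounding set. Prints "none" if neither applies.
privilege_flags() {
    nnp=$(status_field NoNewPrivs "$1")
    bnd=$(status_field CapBnd "$1")
    flags=""
    [ "$nnp" = "1" ] && flags="no_new_privs"
    case "$bnd" in
        "") ;;                 # field absent (old kernel): nothing to say
        *[1-9a-f]*) ;;         # at least one capability survives
        *) flags="${flags:+$flags }empty_bounding_set" ;;
    esac
    printf '%s\n' "${flags:-none}"
}

# Does the binary still carry the setuid bit? (Its mount must also not be nosuid.)
setuid_bit() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

report() {
    st=$(cat /proc/self/status)
    for f in Uid NoNewPrivs CapBnd CapEff; do
        printf '%-12s %s\n' "$f:" "$(status_field "$f" "$st")"
    done
    printf '%-12s %s\n' "blocking:" "$(privilege_flags "$st")"
    sudo_path=$(command -v sudo 2>/dev/null) || sudo_path=/run/setuid-programs/sudo
    printf '%-12s %s setuid=%s\n' "sudo:" "$sudo_path" "$(setuid_bit "$sudo_path")"
    # Mount options (look for nosuid) of the filesystems that can hold sudo.
    grep -E ' (/|/run/setuid-programs|/gnu/store) ' /proc/self/mounts || true
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Invoke it as `sh diag.sh --report` in each container; anything that differs between the two reports is the first thing to explain.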