Ludovic Courtès <ludovic.cour...@inria.fr> writes:

> Hello Guix!
>
> New blog post about this newfangled unprivileged guix-daemon:
>
> https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/

Yay! I'm trying to adapt this for my GitLab CI/CD container images [1], but I'm having some troubles which are probably all due to my lack of understanding of how things are intended to work.

Is the intention that I should be able to run guix-install.sh, start guix-daemon and run guix pull from within a buildah/podman Debian container without any --privileges or --cap-add? The blog suggests that, but the levels of indirection and nesting tend to confuse me.

If so, I'm not sure this is working right, at least not when running on GitLab CI/CD shared runners, which I believe are running on Google GCP. I still get errors if I drop the --cap-add's.

In case you are looking for details not described below, the log is here:

https://gitlab.com/debdistutils/guix/container/-/jobs/9582033338

If I run this set of commands on a GitLab shared runner that is running a Debian 12 container:

apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y buildah ca-certificates
echo "$CI_REGISTRY_PASSWORD" | buildah login --password-stdin -u "$CI_REGISTRY_USER" "$CI_REGISTRY"
time buildah build --debug -t $CI_REGISTRY_IMAGE:$CI_JOB_NAME debian-with-install-guix

with the debian-with-install-guix container effectively doing (in another Debian 12 container):

apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends wget ca-certificates libcap2-bin gnupg xz-utils netbase
capsh --print
wget -nv -Othe-tarball.tar.xz 'https://gitlab.com/debdistutils/guix/tarballs/-/raw/main/x86_64-linux+guix-binary-20250331.tar.xz?ref_type=heads'
echo 'f6f131a54ffa6334d87fffb781b648095070d918582f5ef937316c74f9ffee26 the-tarball.tar.xz' | sha256sum -c
wget -nv -Oguix-install.sh 'https://gitlab.com/debdistutils/guix/mirror/-/raw/master/etc/guix-install.sh?ref_type=heads'
echo 'fcb671fd25ccfbb38036b6f61516d556bfca4ca5cbdfab74087df2adadfec941 guix-install.sh' | sha256sum -c
chmod +x guix-install.sh
yes '' | env GUIX_BINARY_FILE_NAME=the-tarball.tar.xz ./guix-install.sh
guix describe
env LC_ALL=C.UTF-8 ~/.config/guix/current/bin/guix-daemon --build-users-group=guixbuild &
guix pull --url=https://gitlab.com/debdistutils/guix/mirror.git

I am hoping those versions of guix-install.sh and the tarball are the intended ones? The tarball I got from https://guix.gnu.org/en/download/latest/ yesterday, but both Savannah and ci.guix.gnu.org were inaccessible many times when I tried, so I had to cache and mirror them.

I get the following error:

guix pull: error: cloning builder process: Operation not permitted

If I add --cap-add and instead run:

time buildah build --debug --cap-add=CAP_SYS_ADMIN -t $CI_REGISTRY_IMAGE:$CI_JOB_NAME debian-with-install-guix

I get this error:

guix pull: error: while setting up the build environment: cannot set loopback interface flags: Operation not permitted

I am able to complete the guix pull if I also add the CAP_NET_ADMIN capability:

$ time buildah build --debug --cap-add=CAP_SYS_ADMIN,CAP_NET_ADMIN -t $CI_REGISTRY_IMAGE:$CI_JOB_NAME debian-with-install-guix

Is there any way to avoid adding these --cap-add and have 'guix pull' work?

/Simon

[1] https://gitlab.com/debdistutils/guix/container
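Added example (editor's code, not from this thread, from Guix or from the blog post): a small C pre-flight probe that repeats, in a forked child, the two kernel operations behind the errors quoted above, so a CI job can log which step the container denies before spending time on `guix pull`. The function names and the namespace flag set are my assumptions; the flags approximate what a build daemon requests and are not copied from guix-daemon.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_OK = 0, PROBE_CLONE_DENIED = 1,
                    PROBE_LOOPBACK_DENIED = 2, PROBE_INTERNAL = 3 };

/* Runs in a forked child so the namespace changes never touch the caller.
 * with_userns=1 approximates the unprivileged daemon (user namespace first);
 * with_userns=0 approximates the classic root daemon, which needs CAP_SYS_ADMIN.
 * The flag set is an assumption, not copied from guix-daemon's own code. */
static int probe_child(int with_userns)
{
    int flags = CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS;
    if (with_userns) flags |= CLONE_NEWUSER;
    /* The step behind "cloning builder process: Operation not permitted". */
    if (unshare(flags) != 0)
        return errno == EPERM ? PROBE_CLONE_DENIED : PROBE_INTERNAL;
    /* The step behind "cannot set loopback interface flags: Operation not permitted". */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return PROBE_INTERNAL;
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) != 0) return PROBE_INTERNAL;
    ifr.ifr_flags |= IFF_UP;
    if (ioctl(fd, SIOCSIFFLAGS, &ifr) != 0)
        return errno == EPERM ? PROBE_LOOPBACK_DENIED : PROBE_INTERNAL;
    return PROBE_OK;
}

/* Forks, runs the probe in the child and returns its probe_result. */
int probe_build_env(int with_userns)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_INTERNAL;
    if (pid == 0) _exit(probe_child(with_userns));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_INTERNAL;
    return WEXITSTATUS(status);
}
```

Running `probe_build_env(1)` and `probe_build_env(0)` at the start of the job and printing the result tells you whether the runner blocks user namespaces (the clone step) or the loopback ioctl, which is the same information the two `guix pull` errors give, only before the image build.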