The manual gives the following example of guix pack -RR:

  guix pack -RR -S /mybin=bin bash
  tar xf pack.tar.gz
  ./mybin/sh

This fails on my university’s server for students, which uses Linux container “VMs” with Ubuntu, has no user namespace support, and does not have Guix installed. This single line is all the output:

  $ ./mybin/sh
  sh: run.c:162: bind_mount: Unexpected error: Permission denied.

Note that

  PROOT_NO_SECCOMP=1 ~/gnu/store/iyd2ikxadcp89j5919pwja6swnx00493-proot-static-5.1.0/bin/proot -w $(pwd | sed 's/${HOME}//') -r ${HOME} -b /proc /mybin/sh

works just fine (inspired by <https://guix-hpc.bordeaux.inria.fr/blog/2017/10/using-guix-without-being-root/>).

For testing purposes, I compile the wrapper gnu/packages/aux-files/run-in-namespace.c:

  sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
  sed -i 's|@WRAPPED_PROGRAM@|/mybin/sh|g' run-in-namespace.c
  gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
  scp run-in-namespace.c a.out …   # upload it to the university server
  ssh …
  gdb a.out
  […]
  (gdb) break main
  Breakpoint 1 at 0x401ea1: file run-in-namespace.c, line 260.
  (gdb) run
  Starting program: /home/f_pelz12/a.out

  Breakpoint 1, main (argc=1, argv=0x7fffffffe818) at run-in-namespace.c:260
  260       size = readlink ("/proc/self/exe", self, sizeof self - 1);
  (gdb) next
  261       assert (size > 0);
  (gdb)
  265       size_t index = strlen (self)
  (gdb)
  268       char *store = strdup (self);
  (gdb)
  269       store[index] = '\0';
  (gdb)
  277       if (strcmp (store, "/gnu/store") != 0
  (gdb)
  278           && lstat ("/mybin/sh", &statbuf) != 0)
  (gdb)
  283       char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
  (gdb)
  284       char *new_store = concat (new_root, "/gnu/store");
  (gdb)
  285       char *cwd = get_current_dir_name ();
  (gdb)
  292       pid_t child = syscall (SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
  (gdb)
  [Detaching after fork from child process 12748]
  294       switch (child)
  (gdb)
  a.out: run-in-namespace.c:162: bind_mount: Unexpected error: Permission denied.
  337       disallow_setgroups (child);
  (gdb)
  a.out: run-in-namespace.c:205: disallow_setgroups: Unexpected error: Permission denied.

  Program received signal SIGABRT, Aborted.
  0x000000000040796f in raise ()

I do not know how to break into the detached child’s bind_mount call, so I am unable to give details on this bind_mount error (I do not know if the bind_mount really is the cause of the crash; it is futile anyway, and the binary should just try proot after all instead of crashing before that). A breakpoint from `break bind_mount` is ignored. Can I get more information out of this somehow?

For completeness:

  $ uname -a
  Linux tux6 4.15.18-14-pve #1 SMP PVE 4.15.18-38 (Tue, 30 Apr 2019 10:51:33 +0200) x86_64 x86_64 x86_64 GNU/Linux

Regards,
Florian
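Editor's note, added example (not Florian's code and not Guix's run-in-namespace.c): the wrapper above does the raw clone(SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER) and then asserts on every later step, so the only diagnostic a user gets is "Permission denied" with no indication of which step failed or whether the namespace was created at all. The probe below performs the same two steps the wrapper needs (the clone, then a bind mount inside the new mount namespace) and reports the first failing step together with its errno instead of aborting. The names probe_namespace_support, probe_hint and the step codes are this example's own; it assumes a Linux host and the x86-64 argument order for the raw clone syscall (flags, stack, ptid, ctid, tls), which is what the wrapper itself uses.

```c
/* Added example: probe clone(CLONE_NEWNS | CLONE_NEWUSER) + bind mount,
 * reporting which step fails and why instead of asserting.
 * Names and result codes are this example's own, not Guix's. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_step { STEP_OK = 0, STEP_CLONE, STEP_MKDTEMP, STEP_MOUNT };

struct probe_result {
  enum probe_step step;  /* first step that failed, STEP_OK if none */
  int err;               /* errno of that step, 0 on success */
};

/* Short interpretation of the errno values such a probe commonly yields. */
const char *probe_hint(int err)
{
  switch (err) {
  case 0:      return "namespaces and bind mounts usable";
  case EPERM:  return "denied: unprivileged user namespaces disabled, "
                      "seccomp/AppArmor policy, or nested-container restriction";
  case EINVAL: return "flag not supported: kernel built without this namespace";
  case ENOSPC: return "namespace limit reached (see /proc/sys/user/max_*_namespaces)";
  case EUSERS: return "per-user namespace limit reached";
  default:     return "unexpected error";
  }
}

struct probe_result probe_namespace_support(void)
{
  struct probe_result r = { STEP_OK, 0 };
  char dir[] = "/tmp/ns-probe-XXXXXX";   /* scratch mount point, removed at the end */

  if (mkdtemp(dir) == NULL) {
    r.step = STEP_MKDTEMP; r.err = errno;
    return r;
  }

  /* Same raw clone the wrapper issues (x86-64 arg order). No new stack, so
   * the child is a fork-like copy and must _exit() rather than return. */
  pid_t child = syscall(SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
                        NULL, NULL, NULL, 0);
  if (child == -1) {
    r.step = STEP_CLONE; r.err = errno;
    rmdir(dir);
    return r;
  }
  if (child == 0) {
    /* Inside the new user+mount namespace the creator holds CAP_SYS_ADMIN
     * over it, so a bind mount succeeds if namespaces really work here.
     * Linux errno values fit in the 8-bit exit status. */
    if (mount(dir, dir, NULL, MS_BIND, NULL) != 0)
      _exit(errno);
    _exit(0);
  }

  int status = 0;
  while (waitpid(child, &status, 0) == -1 && errno == EINTR)
    ;
  rmdir(dir);

  if (!WIFEXITED(status)) {            /* killed, e.g. by a seccomp SIGSYS */
    r.step = STEP_MOUNT; r.err = ECHILD;
  } else if (WEXITSTATUS(status) != 0) {
    r.step = STEP_MOUNT; r.err = WEXITSTATUS(status);
  }
  return r;
}

int main(void)
{
  static const char *names[] = { "ok", "clone", "mkdtemp", "mount" };
  struct probe_result r = probe_namespace_support();
  printf("step=%s errno=%d (%s): %s\n", names[r.step], r.err,
         r.err ? strerror(r.err) : "-", probe_hint(r.err));
  return r.step == STEP_OK ? 0 : 1;
}
```

The distinction the probe draws is the one the wrapper's output hides: a clone that fails with EINVAL means the kernel has no user namespace support at all, a clone that succeeds followed by a mount that fails with EPERM means the namespace was created but the container's policy forbids mounting inside it. To stop inside the child under gdb rather than detaching from it, issue `set follow-fork-mode child` and `set detach-on-fork off` before `run`; gdb then honours a breakpoint placed in code that only the child executes.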