Re: Running guix-daemon as an unprivileged user (Was: [PATCH] syscalls: setns: Skip binding if there is no such C function.)

[Thompson, David]

On Mon, Aug 17, 2015 at 4:33 AM, Eric Bavier <address@hidden> wrote:
> On Mon, 17 Aug 2015 14:45:28 +0200
> Claes Wallin (韋嘉誠) <address@hidden> wrote:
>
>> On Sun, Aug 16, 2015 at 4:01 PM, Claes Wallin (韋嘉誠)
>> <address@hidden> wrote:
>> > [Reposting with correct sender. Sorry, David.]
>> >
>> > Great! I ran into this when trying to compile and run guix on a
>> > machine at work, where I'm not root.
>> >
>> > I was planning to run guix as a stow of steroids. But I'm still
>> > wondering whether what I'm attempting is even intended to be
>> > possible? Of course, I would lose the benefits of user separation,
>> > chroot, hydra (because I can't write to /gnu) etc, but is guix even
>> > made to be able to downgrade to this situation?
>>
>> Answering myself: It is there in the Fine Manual. So it's intended to
>> work. I will try this and see how far I come.
>>
>> https://www.gnu.org/software/guix/manual/guix.html#Build-Environment-Setup
>>
>> "If you are installing Guix as an unprivileged user, it is still
>> possible to run guix-daemon provided you pass --disable-chroot."
>>
>
> I have experimented with this a bit lately.  It works to some extent,
> but I have had to apply a few patches to some package recipes.  Some
> packages have failing tests (where presumably they would pass or be
> skipped in the chroot), which I have disabled for the time being just
> to move along.

I think that to really make unprivileged use of Guix work acceptably,
we need to use the user namespaces feature first introduced in Linux
3.8.  This would allow unprivileged users to build software in the
same type of isolated environments that are used when running the
daemon as root.

- Dave