linux-container: Ignore EPERM when attempting to mount /sys.

Fixes <https://issues.guix.gnu.org/61690>. Until now, this would work: guix shell --no-cwd -CWP -- guix shell -C coreutils -- ls -R /home … but this would not: $ guix shell --no-cwd -CWPN -- guix shell -C coreutils -- ls -R /home guix shell: error: mount: mount "none" on "/tmp/guix-directory.Wnc2OI/sys": Operation not permitted This is annoying and hardly understandable. Since we already disable /sys mounts when sharing the global network namespace is asked (as in ‘guix shell -CN‘), for the very same reason, we can just as well disable /sys mounts anytime it fails with EPERM. * gnu/build/linux-container.scm (mount-file-systems): Silently ignore EPERM when attempting to mount /sys. Change-Id: If85b1d703ab58a98ea9873f4f8fed71a06b7aa63
2025-01-31 06:46:50 +01:00 · 2025-01-14 17:58:12 +01:00 · 2025-01-14 17:58:12 +01:00 · 2f3b309f37
commit 2f3b309f37
parent 8e946568ea
1 changed files with 8 additions and 2 deletions
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@ -109,8 +109,14 @@ (define* (mount* source target type #:optional (flags 0) options
  ;; A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in
  ;; the current network namespace.
  (when mount-/sys?
-    (mount* "none" (scope "/sys") "sysfs"
-            (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+    (catch 'system-error
+      (lambda ()
+        (mount* "none" (scope "/sys") "sysfs"
+                (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+      (lambda args
+        ;; EPERM means that CAP_SYS_ADMIN is missing.  Ignore.
+        (unless (= EPERM (system-error-errno args))
+          (apply throw args)))))

  (mount* "none" (scope "/dev") "tmpfs"
          (logior MS_NOEXEC MS_STRICTATIME)