Ubuntu, cannot set loopback interface flags

Hi, again. Fedora was working fine, but now I have to switch to Ubuntu.

OK, so I’m using Ubuntu 24.04 LTS. I installed the Guix package manager with the install script from the manual: https://guix.gnu.org/install.sh

I was able to do a guix pull to update my user’s packages. I also was able to run sudo guix pull to update the root user’s packages.

I was even able to do guix shell htop and that seemed to be working…

However, now I tried doing a guix home reconfigure and here’s where I’m running into trouble.

The command guix home fails. Then I checked the log and found this interesting bit.

$ zcat /var/log/...guix-1.4.0-41.826e305
+ guix build guile-bootstrap
accepted connection from pid 19192, user nixbld
substitute: guix substitute: warning: ACL for archive imports seems to be uninitialized, substitutes may be unavailable
substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
The following derivation will be built:
  /tmp/guix-tests/store/vk5c5brcjy2nz0w72zd41zv31i3vsrkq-guile-bootstrap-2.0.drv
substitute: guix substitute: warning: authentication and authorization of substitutes disabled!
killing process 19223
guix build: error: while setting up the child process: in phase initLoopback: cannot set loopback interface flags: Operation not permitted
+ rm -r t-guix-graph-19031
FAIL tests/guix-graph.sh (exit status: 1)

SKIP: tests/guix-describe

My home.scm just has (home-environment), empty.

My gut is telling me this has to do with AppArmor, but I’m not sure… but I remember there was some extra config to do with Fedora, so maybe?

Ooooh, it is AppArmor.

[ 8181.700287] audit: type=1400 audit(1754363649.223:1257): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=93945 comm="guix-daemon" requested="userns_create" target="unprivileged_userns"
[ 8181.700960] audit: type=1400 audit(1754363649.224:1258): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=93966 comm="guix-daemon" capability=12  capname="net_admin"

Hm… disabling AppArmor allowed guix home reconfigure to work.

I’m on Ubuntu 24.04.2 LTS, and I had to run these commands.

sudo systemctl stop apparmor
sudo systemctl disable apparmor

Then I had to edit /etc/default/grub to add apparmor=0 to my kernel parameters.

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"
GRUB_CMDLINE_LINUX="apparmor=0"

Then I ran these commands.

sudo update-grub
sudo reboot

Although, this is a very heavy-handed solution… I guess I need to write some sort of AppArmor profile for guix and/or guix-daemon, so I don’t have to disable AppArmor system-wide?


Found another link that may be relevant.

I guess it’s just a matter of writing the correct AppArmor profile. Maybe something like this?

# File: /etc/apparmor.d/guix
abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix,*/libexec/guix/guile,*/bin/guile} flags=(attach_disconnected) {
  # Allow all rules
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}
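
An added example, not part of the original posts: a small Python triage script that reads kernel AppArmor audit lines like the two quoted earlier in the thread and reports which profile issued each denial and whether the process got into that profile through a user-namespace transition. The function names are hypothetical, the sample input is constructed from the lines in this thread, and matching events by `comm` is a heuristic, since the denied process is a child with a different pid.

```python
import re

# Constructed sample: the two kernel audit lines quoted in this thread.
SAMPLE = (
    '[ 8181.700287] audit: type=1400 audit(1754363649.223:1257): apparmor="AUDIT" '
    'operation="userns_create" class="namespace" '
    'info="Userns create - transitioning profile" profile="unconfined" pid=93945 '
    'comm="guix-daemon" requested="userns_create" target="unprivileged_userns"\n'
    '[ 8181.700960] audit: type=1400 audit(1754363649.224:1258): apparmor="DENIED" '
    'operation="capable" class="cap" profile="unprivileged_userns" pid=93966 '
    'comm="guix-daemon" capability=12  capname="net_admin"\n'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of an AppArmor audit line, else None."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def explain(log_text):
    """Pair each DENIED event with an earlier userns transition of the same comm."""
    transitions = {}  # comm -> (profile before, profile after userns_create)
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("operation") == "userns_create" and "target" in ev:
            transitions[ev.get("comm")] = (ev.get("profile"), ev["target"])
        if ev.get("apparmor") == "DENIED":
            origin = transitions.get(ev.get("comm"))
            findings.append({
                "comm": ev.get("comm"),
                "denied_by": ev.get("profile"),
                "what": ev.get("capname") or ev.get("name") or ev.get("operation"),
                "via_userns": bool(origin and origin[1] == ev.get("profile")),
                "original_profile": origin[0] if origin else None,
            })
    return findings

if __name__ == "__main__":
    for finding in explain(SAMPLE):
        print(finding)
```

For the lines in this thread, the result shows the `net_admin` denial was issued by `unprivileged_userns`, the profile `guix-daemon` was moved into when it created a user namespace while unconfined, rather than by a profile attached to a Guix binary.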