guix: failure on Kubuntu 24-10: error: mount: mount "none" on "/tmp/guix-directory.VEMlin": Permission denied #31202

Is there an existing issue for this?

• I have searched the existing issues

Current behaviour

contrib/guix/guix-build fails with error:

$ contrib/guix/guix-build 
Found macOS SDK at '/SDK_PATH/Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers', using...
Checking that we can connect to the guix-daemon...

Hint: If this hangs, you may want to try turning your guix-daemon off and on
      again.

WARNING: Use of `load' in declarative module (guix ui).  Add #:declarative? #f to your define-module invocation.
WARNING: (guix build python-build-system): imported module (guix build utils) overrides core binding `delete'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
Fetching sqlite-autoconf-3460100.tar.gz from https://sqlite.org/2024/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3189k  100 3189k    0     0   258k      0  0:00:12  0:00:12 --:--:--  487k
/BITCOIN-GUIX/depends/work/download/sqlite-3460100/sqlite-autoconf-3460100.tar.gz.temp: OK
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
make: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Entering directory '/BITCOIN-GUIX/depends'
make[1]: Leaving directory '/BITCOIN-GUIX/depends'
make: Leaving directory '/BITCOIN-GUIX/depends'
INFO: Building f07a533dfcb1 for platform triple x86_64-linux-gnu:
      ...using reference timestamp: 1730324259
      ...running at most 32 jobs
      ...from worktree directory: '/BITCOIN-GUIX'
          ...bind-mounted in container to: '/bitcoin'
      ...in build directory: '/BITCOIN-GUIX/guix-build-f07a533dfcb1/distsrc-f07a533dfcb1-x86_64-linux-gnu'
          ...bind-mounted in container to: '/distsrc-base/distsrc-f07a533dfcb1-x86_64-linux-gnu'
      ...outputting in: '/BITCOIN-GUIX/guix-build-f07a533dfcb1/output/x86_64-linux-gnu'
          ...bind-mounted in container to: '/outdir-base/x86_64-linux-gnu'
      ADDITIONAL FLAGS (if set)
          ADDITIONAL_GUIX_COMMON_FLAGS: 
          ADDITIONAL_GUIX_ENVIRONMENT_FLAGS: 
          ADDITIONAL_GUIX_TIMEMACHINE_FLAGS: 
WARNING: Use of `load' in declarative module (guix ui).  Add #:declarative? #f to your define-module invocation.
WARNING: (guix build python-build-system): imported module (guix build utils) overrides core binding `delete'
substitute: WARNING: Use of `load' in declarative module (guix ui).  Add #:declarative? #f to your define-module invocation.
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/vf3g31fiv3f02b0waksjnc89f7idn4q0-gcc-cross-x86_64-linux-gnu-12.4.0.drv
  /gnu/store/2v8vzhkglwbl2b3ixg7jxq980la85wn9-glibc-cross-x86_64-linux-gnu-2.31.drv
  /gnu/store/7qazn4h80fjq8pjsg23qgfswhb15ydjj-x86_64-linux-gnu-toolchain-12.4.0.drv

building /gnu/store/2v8vzhkglwbl2b3ixg7jxq980la85wn9-glibc-cross-x86_64-linux-gnu-2.31.drv...
building /gnu/store/vf3g31fiv3f02b0waksjnc89f7idn4q0-gcc-cross-x86_64-linux-gnu-12.4.0.drv...
building /gnu/store/7qazn4h80fjq8pjsg23qgfswhb15ydjj-x86_64-linux-gnu-toolchain-12.4.0.drv...
The following derivation will be built:
  /gnu/store/ra8ffnx4x3y29myr3agwp27pcjirixs6-profile.drv

applying 10 grafts for gcc-cross-x86_64-linux-gnu-12.4.0 ...
building CA certificate bundle...
listing Emacs sub-directories...
building fonts directory...
building directory of Info manuals...
building profile with 25 packages...
guix shell: error: mount: mount "none" on "/tmp/guix-directory.VEMlin": Permission denied

Expected behaviour

Expected to produce a build

Steps to reproduce

1. get guix environment by sudo apt install guix
2. download Mac OS SDK and setup environment path for it
3. call contrib/guix/guix-build

Relevant log output

No response

How did you obtain Bitcoin Core

Other

What version of Bitcoin Core are you using?

master@f07a533dfcb172321972e5afb3b38a4bd24edb87

Operating system and version

Kubuntu 24.10

Machine specifications

$ cat /proc/cpuinfo  | grep 'model name' | head -n 1
model name      : AMD Ryzen 9 5950X 16-Core Processor

$ cat /etc/mtab  | grep  /tmp
tmpfs /tmp tmpfs rw,nosuid,nodev,size=32866460k,nr_inodes=1048576,inode64 0 0

$ guix --version
WARNING: Use of `load' in declarative module (guix ui).  Add #:declarative? #f to your define-module invocation.
guix (GNU Guix) 1.4.0
Copyright (C) 2022 the Guix authors
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

This issue happened first time after update from Kubuntu 23.10 to Kubuntu 24.04. After that I wiped guix by this instruction https://gist.github.com/dominiwe/0c8c760b53ea6bdca611dec38b40006f re-installed it again; updated from Kubuntu 24.04 to Kubuntu 24.10 but this issue still here and I can't build Bitcoin Core with guix on this machine anymore.

This problem seems familiar: https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115.

Removing app-armor and re-installing guix + reboot helped, thanks for quick help! seems nothing to fix in bitcoin-core then.

P.S. I guess I'm moving to Manjaro; a broken AppArmor package out of the box for 2 continuous releases is disappointing.

Ubuntu 24.04.1 LTS here, at first attempt

guix shell: error: mount: mount "none" on "/tmp/guix-directory.WvZoWc": Permission denied

w/ AppArmor stopped and disabled, and reboot

          ...bind-mounted in container to: '/outdir-base/x86_64-linux-gnu'
      ADDITIONAL FLAGS (if set)
          ADDITIONAL_GUIX_COMMON_FLAGS: 
          ADDITIONAL_GUIX_ENVIRONMENT_FLAGS: 
          ADDITIONAL_GUIX_TIMEMACHINE_FLAGS: 
guix shell: error: clone: 2114060305: Permission denied

Update. I am able to build after "purging" apparmor - but this blows away all your apparmor installed apps as well, including Firefox, Brave, etc. Haven't found an interim solution that works yet. Writing up a guix apparmor profile did not work for me.

Update 2. Modifying /etc/apparmor.d/guix with

abi <abi/4.0>,
include <tunables/global>

# Profile for the guix binary
profile guix /usr/local/bin/guix flags=(unconfined) {
  userns,
  # Site-specific additions and overrides
  include if exists <local/guix>
}

# Profile for unprivileged user namespaces
profile unprivileged_userns flags=(unconfined) {
}

followed by sudo apparmor_parser -r /etc/apparmor.d/guix seems to do the trick.

In Ubuntu 26.04 LTS-alpha, I get permission denied on calling unshare. I have to add to /etc/sysctl.conf:

kernel.unprivileged_userns_clone=1

kernel.apparmor_restrict_unprivileged_userns=0