
This section contains various snippets and tricks for running GNU Guix.

Ubuntu

Specifics for running guix on top of Ubuntu.

AppArmor

Ubuntu uses AppArmor as a mandatory access control system. For guix to run flawlessly under it, you need an AppArmor profile that allows what guix actually does (including the mounts and namespaces behind `guix shell -C`), without allowing much more.

How to create/update an AppArmor profile

Note: Be sure to have the apparmor-utils package installed.

In a terminal run sudo aa-genprof guix. When instructed to do so, run the guix command you want to profile in another terminal (e.g. guix pull). After the command has finished, switch back to the first terminal and follow the wizard:

Press "S" to scan the syslogs for permission errors. If aa-genprof detects something, it will ask you whether you want to allow that or not. If the path detected is "/gnu/store/foo/bar", you can use the "(G)lob" option to allow all paths starting with "/gnu/store/foo/*". Repeat that to broaden the scope even more, but only as far as needed: every glob widens what a confined guix may touch, and store hashes change on every guix pull, so a rule pinned to one hash will stop matching while "/gnu/store/*-foo" keeps working.

Once you have dealt with all those issues, run the command again and repeat the scanning in aa-genprof until no more issues are detected. Profile the commands you actually use (guix pull, guix shell -C, guix package) — a profile built from one command will deny the others.

Finally save the profile and exit the wizard. It is worth running the profile in complain mode first (sudo aa-complain guix) and only switching to enforce mode (sudo aa-enforce guix) once the logs stay clean.

Example profile

I've done this on my system and came up with the following profile. Note that it attaches to the guix client binary in the store only — guix-daemon is not confined by it — and that it is rather permissive (sys_admin plus arbitrary bind mounts into the container root are what guix shell -C needs), so it mostly restricts paths, not privilege. Adapt the host-specific entries (user name, store hashes) before using it:

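abi <abi/3.0>,

include <tunables/global>

# Profile for the guix *client* (/gnu/store/*/bin/guix); guix-daemon is not
# covered.  Generated with aa-genprof and hand-edited afterwards -- re-run
# aa-genprof after a "guix pull" if new denials show up in the logs.
#
# NOTE(review): "allow userns" is a newer AppArmor (4.x) rule while the abi
# declared above is 3.0; whether the parser enforces or ignores it in that
# combination depends on the release -- confirm with the parser output / aa-status.
profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>

  # Capabilities needed for the containers behind "guix shell -C".  sys_admin
  # in particular allows mounts in general, so this profile confines paths far
  # more than it confines privilege.
  capability dac_override,
  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Container setup: guix assembles the new root under /tmp/guix-directory.*,
  # mounts pseudo-filesystems into it, bind-mounts the store and exposed host
  # paths (the "/** ->" rules -- any host path may be bind-mounted in, which is
  # what --expose/--share do) and finally pivot_roots into it.
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/gitconfig r,
  /etc/guix/acl r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  # "**" already matches across directory boundaries; the former
  # "/gnu/store/**/**" duplicate was dropped.
  /gnu/store/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  # "ix": everything executed out of the store inherits this profile.
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  # Globbed on the hash: the store path of compute-guix-derivation changes
  # with every "guix pull", so a hash-pinned rule breaks at the next update.
  /gnu/store/*-compute-guix-derivation mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  # Tightened from "rw": guix only needs to read this sysctl to find out
  # whether unprivileged user namespaces are available, and writing it would
  # require root anyway.  Re-scan with aa-genprof if a denial ever shows up.
  @{PROC}/sys/kernel/unprivileged_userns_clone r,
  link /gnu/store/.links/** -> /gnu/store/**,
  # The "owner" rules below are (presumably) hit while populating the container
  # root -- /, /bin, /etc, /home, ... as seen after pivot_root.  On the host
  # these directories are root-owned, so "owner" keeps the rules from granting
  # write access to the real / or /etc/passwd.  Confirm against the logs.
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* rw,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* rw,
  owner /gnu/store/** rw,
  owner /home/ w,
  owner /home/*/* ra,
  owner /home/*/.cache/guix/** l,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  # Was a hard-coded user name ("/home/nomike/"); any user's home now matches,
  # in line with the other /home/*/ rules.
  owner /home/*/ w,
  owner /real-root/ w,
  # Former separate "rk" and "rw" rules merged.
  owner /var/guix/** rwk,
  owner @{HOME}/** rwk,

  allow userns,

}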