Hi!

As reported by Konrad¹, nested ‘guix shell -C’ fails:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guix \
    --expose=/var/guix/daemon-socket/socket \
    --expose=/gnu/store \
    -- guix shell -C coreutils -- ls /
guix shell: error: mount: mount "none" on "/tmp/guix-directory.xO3FIx/sys": Operation not permitted
--8<---------------cut here---------------end--------------->8---

Strace shows this:

--8<---------------cut here---------------start------------->8---
17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
[…]
17551 mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
17551 mkdir("/tmp", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
17551 mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
17551 mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
--8<---------------cut here---------------end--------------->8---

It does work if the nested ‘guix shell’ uses ‘-CN’ instead of ‘-C’, thanks to this bit in (gnu build linux-container):

  (mount-file-systems root mounts
                      #:mount-/proc? (memq 'pid namespaces)
                      #:mount-/sys? (memq 'net namespaces))   ;<---

The reason for this bug seems to be given here:

  https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026

It’s not clear whether there’s anything we can do, other than recommending ‘-CN’ as well in the nested container.

Thoughts?

Ludo’.

¹ https://lists.gnu.org/archive/html/guix-devel/2023-02/msg00027.html