nix-portable
macOS support
The README lists macOS as not supported yet. As far as I understand it's difficult to do because proot/bwrap don't exist on that platform. But it would be great to discuss the possibilities.
We could assume that docker is installed on macos systems and just add support for docker as a container backend besides proot and bwrap.
is there really no chroot on mac, or is that just not enough?
I think chroot alone is not enough. You want to be able to share paths between your normal system and the chrooted env. Otherwise you would end up in a completely isolated environment once you execute nix-shell etc., and won't have access to any of your user's files, right?
FWIW I had gathered some links discussing the limitations of sandboxing tools on macs:
- https://github.com/proot-me/proot/issues/81
- https://github.com/proot-me/proot/issues/155
- https://github.com/containers/bubblewrap/issues/393
what about the sandbox-exec binary native to OSX?
That's interesting, I didn't know about sandbox-exec. But after a little bit of reading it seems like it doesn't have chroot-like functionality in order to make some other folder appear as /nix, which is key for a tool like nix-portable.
I think chroot alone is not enough. You want to be able to share paths between your normal system and the chrooted env. Otherwise you would end up in a completely isolated environment once you execute nix-shell etc., and won't have access to any of your user's files, right?
After thinking about this for a bit, wouldn't you be able to just create a chroot with all the directories under / mounted along with the extra /nix so that you are basically in the real root after all?
As an alternative to native macOS integration, I am experimenting with lima + nix. It is quite nice.
As an example, I simply had to bootstrap an Ubuntu instance with:
limactl start abox
limactl shell abox
Then, you can fetch and run nix-portable within that environment:
curl -L https://github.com/DavHau/nix-portable/releases/download/v008/nix-portable -O
chmod +x nix-portable
./nix-portable nix run nixpkgs#hello
Feel free to experiment with it. The container runtime of nix-portable is determined here:
https://github.com/DavHau/nix-portable/blob/77ab0f4c2c582bfa47059e322f26bb42915d595b/default.nix#L294-L334
You can either try to add another runtime there, or just use the env variable NP_RUN to temporarily override it.
I still have the feeling, just using docker could be a good alternative. I'm not into the macos world, but I'd assume that 99% of mac users have docker installed, if they are not nix users already. Why not just use that?
Thanks for the tips @DavHau!
I still have the feeling, just using docker could be a good alternative. I'm not into the macos world, but I'd assume that 99% of mac users have docker installed, if they are not nix users already.
You are quite right. For most, just using docker is a well-trodden approach.
Why not just use that?
This is a personal decision for me. Docker moving to a paid model introduced major distractions for me and my team. I also wanted a sudo-free way to provision entire Linux worlds on macOS.
One more reason for having native macOS support rather than just using docker:
With nix-portable, Nix becomes only one executable away from a new user. For example, my friend can try out a program with Nix simply by downloading the nix-portable binary release, making it executable, and copy-pasting the one-line command I send to him.
The whole thing would be much more complex for me and my friend if it had to be containerized, especially when a GUI is involved.