nix icon indicating copy to clipboard operation
nix copied to clipboard
verified publisher icon NixOS

sandboxed builds without user namespace should require `sandbox-fallback` set to true

Open NickCao opened this issue 3 years ago • 1 comments

Describe the bug When running builds on machines without user namespace enabled or failing to create user namespaces, nix silently fallbacks to disabling user namespace without requiring sandbox-fallback to be set to true, causing hard to debug build failures.

Steps To Reproduce

  1. sudo sysctl -w user.max_user_namespaces=0
  2. nix build --impure --expr 'with import <nixpkgs> { }; runCommand "userns" { } "id -ng; touch $out"'
  3. build errors out with id: cannot find name for group ID 30000
  4. sudo sysctl -w user.max_user_namespaces=95605
  5. run the build again, it works this time

Expected behavior

When the creation of user namespace fails for whatever reason, and sandbox-fallback is not set to true, it should be a hard failure, or at least, a warning message should be printed.

nix-env --version output

nix-env (Nix) 2.10.3

Additional context

This bug was found when debugging build failure in services.logrotate, namely at the line https://github.com/NixOS/nixpkgs/blob/6531c04987236301675ab5892117f4b799351684/nixos/modules/services/logging/logrotate.nix#L166

NickCao avatar Aug 11 '22 09:08 NickCao

While there seems to be workaround for this kind of inconsistencies in https://github.com/NixOS/nix/blob/80a960940b53d8855a772a1b4088b848316023ea/src/libstore/build/local-derivation-goal.hh#L95-L96 They are not working for gids for some reason.

NickCao avatar Aug 11 '22 09:08 NickCao

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/logrotate-config-fails-due-to-missing-group-30000/28501/1

nixos-discourse avatar May 27 '23 09:05 nixos-discourse