nixpkgs
Documentation: Debian package states that sandbox must equal false for it to work on Debian but issue does not exist
Problem
This is on Debian 11 Bullseye (after having installed Nix)
https://github.com/NixOS/nixpkgs/pull/47794#issuecomment-429575989 (404)
Proposal
Link the proper issue that explains why, or build documentation that explains what the current blockers for this feature are.
Checklist
- [X] checked latest Nixpkgs manual (source) and latest NixOS manual (source)
- [X] checked open documentation issues for possible duplicates
- [X] checked open documentation pull requests for possible solutions
Trying with `sandbox=true`, it does fail, I guess, if bash is not present:

```
debian11:~$ nix-channel --update
unpacking channels...
while setting up the build environment: executing '/bin/bash': No such file or directory
builder for '/nix/store/c35hpqm9y66k75drlin48z16j6ljslyd-nixpkgs-23.11pre516257.3476a1047858.drv' failed with exit code 1
error: build of '/nix/store/c35hpqm9y66k75drlin48z16j6ljslyd-nixpkgs-23.11pre516257.3476a1047858.drv' failed
error: program '/usr/bin/nix-env' failed with exit code 100
```

With `sandbox=false`, it does indeed work; now as to why this is, I'm clueless.
FYI, original link https://web.archive.org/web/20220112084213/https://github.com/NixOS/nixpkgs/pull/47794
I don't understand how it is related to this: "dhcp: fix build with sandbox=false #47794". dhcp still does not build with `sandbox=true` under Debian with Nix?
There was someone who talked about a source of impurity maybe at hand here, making it necessary to disable the sandbox, so this issue should be documented and may need to be fixed at some point, no? Or am I misunderstanding something here?
I am not sure if this has been discussed elsewhere. I found a comment in Debian's /etc/nix/nix.conf, searched for an explanation, and only found this issue and a link on the web archive.
From my experiments, it works in most cases but breaks in some. For example, this derivation works on Debian without sandbox and on NixOS with sandbox, but fails on Debian with sandbox:
```nix
initDb = pkgs.stdenv.mkDerivation {
  buildInputs = [pkgs.postgresql_16];
  name = "init-db";
  phases = ["buildPhase"];
  buildPhase = ''
    initdb $out
  '';
};
```
Has anyone been able to pinpoint the reason why the sandbox would break on Debian? There must be some form of pollution or network request, something that is breaking due to the sandboxing on Debian that we don't have on NixOS.
But pinpointing exactly what isn't easy.
After some research, I found that sandboxing works differently on Debian than on NixOS because NixOS includes `/bin/sh` in the sandbox, while Debian does not. Adding a static BusyBox to nix.conf (`extra-sandbox-paths = /bin/sh=/bin/busybox`) resolved all the issues I encountered. Now, all packages I checked work on Debian with sandboxing.
Thanks for researching the root cause and finding a way to fix it; maybe we should document this in the documentation?
May I ask where you found more information on the sandboxing? Did you read the source code of some specific file in this repo?
> May I ask where you found more information on the sandboxing?

I simply ran `nix show-config --extra-experimental-features nix-command | grep sandbox` on Debian and on NixOS and saw the difference.

> maybe we should document this in the documentation?

This is briefly mentioned in the Nix documentation, but it's practically impossible to find unless you know exactly what you're looking for:

> Depending on how Nix was built, the default value for this option may be empty or provide /bin/sh as a bind-mount of bash.
> […] Now, all packages I checked work on Debian with sandboxing.

Thank you for your research; I was going crazy when researching build issues reported by Debian-based colleagues trying to run unit tests executed against an ephemeral postgres…
All I could respond was "works on my machine", which is precisely the phrase we wanted to eliminate by adopting Nix…