
Installing nix package manager in sandbox - Operation not permitted error

Open matthewparkinsondes opened this issue 2 years ago • 7 comments

os=ubuntu 20.04, kernel=5.4, docker=20.10.8, sysbox=0.5.2 EE


Attempting to install the "nix" package manager within a system container sandbox results in the following error.

error: Operation not permitted /tmp/nix-binary-tarball-unpack.7LnOR81LIv/unpack/nix-2.11.1-x86_64-linux/install: unable to register valid paths

Installation instructions for "nix".

  • https://nix.dev/tutorials/install-nix

Example commands (each command below individually reproduces the error).

  • curl -L https://nixos.org/nix/install | sh
  • docker run --privileged nixos/nix nix --version
  • sh <(curl -L https://nixos.org/nix/install) --daemon

Multi-user installation instructions refer to specific user IDs and group IDs.

  • https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation

The multi-user installation of Nix will create build users between the user IDs 30001 and 30032, and a group with the group ID 30000. You can run this under your usual user account or root. The script will invoke sudo as needed.


And a link to a similar issue.

  • https://github.com/NixOS/nix/issues/5460

matthewparkinsondes · Nov 30 '22 06:11

Hi @matthewparkinsondes,

I'm unable to install nix through the first and third methods that you mentioned above. The second one (docker run) works fine for me.

Also, the error that I'm seeing is very different from the one you're observing. In my case, the containerized process is complaining about being unable to run the setdomainname() syscall due to EPERM, which is an error that makes sense since we're within a non-init user/network namespace and this (domainname) is a non-namespaced/system-wide resource:

admin@18677061f6e8:~$ curl -L https://nixos.org/nix/install | sh
...
Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
copying Nix to /nix/store...

installing 'nix-2.11.1'
error: cannot set domain name: Operation not permitted.    <<<<---- here!
(use '--show-trace' to show detailed location information)
/tmp/nix-binary-tarball-unpack.2PND2F2sMx/unpack/nix-2.11.1-x86_64-linux/install: unable to install Nix into your default profile
$

We could provide a quick fix for this issue that I'm observing, but I would need to do more digging to understand the one that you are reproducing.

The fact that things seem to be working fine with the second approach (which fails for you), makes me suspect that you would probably run into this issue too if you were not facing this different problem that is likely masking the setdomainname one.

The main difference between your setup and mine is that you're running kernel 5.4 and I'm at 5.15. This is probably the reason I'm unable to reproduce the same error.

Question. Could you please reproduce the issue once again while capturing an strace of the bash process attempting to do the nix installation? (i.e., strace -f -p <container-shell-pid-as-seen-from-host>).

Thanks.

rodnymolina · Nov 30 '22 07:11

Hi Rodny,

Thanks, I've attached an strace of the bash process attempting to do the nix installation.

nix_install_strace.txt.gz

matthewparkinsondes · Nov 30 '22 21:11

Hi Rodny,

Thanks, I also now have this working with kernel 5.15.

os=ubuntu 20.04.5, kernel=5.15.0-46-generic, docker=20.10.21, sysbox=0.5.2 EE

root@sandboxparkinsonm:/# docker run nixos/nix nix --version
nix (Nix) 2.11.1

Next step, I'll try the first and third installation techniques above.

matthewparkinsondes · Nov 30 '22 21:11

I'm seeing this EPERM during clone3() execution:

[pid  3800] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fe2cf509910, parent_tid=0x7fe2cf509910, exit_signal=0, stack=0x7fe2ced09000, stack_size=0x7ffbc0, tls=0x7fe2cf509640}, 88) = -1 EPERM (Operation not permitted)

So I'm fairly confident that the problem is not with your kernel (5.4) but with your relatively old docker release, which is probably missing these commits (you need 20.10.10 at least):

  • https://github.com/moby/moby/pull/42836
  • https://github.com/moby/moby/pull/42681

rodnymolina · Nov 30 '22 21:11

I'm still expecting you to reproduce the issue I highlighted above, so we will need a fix for that anyways.

rodnymolina · Nov 30 '22 21:11
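The two EPERMs discussed in this thread (setdomainname() inside the sandbox, and clone3() under a docker release whose seccomp profile does not know the syscall) can be told apart with a small probe run inside the container before launching the Nix installer. This is an added diagnostic, not code from sysbox or Nix; it assumes Linux with glibc and a kernel/headers combination where clone3 is syscall 435 (x86_64 and aarch64), and it rewrites the domain name with its current value so it changes nothing when permitted.

```c
// Added diagnostic (not part of the sysbox or Nix projects): distinguish an
// EPERM block (seccomp default errno, missing capability, non-init UTS ns)
// from a genuinely missing syscall (ENOSYS, where glibc would fall back).
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435          /* same number on x86_64 and aarch64 */
#endif

enum probe { PROBE_OK = 0, PROBE_EPERM = 1, PROBE_ENOSYS = 2, PROBE_OTHER = 3 };

/* Map an errno to the failure classes seen in this issue. */
enum probe classify(int err) {
    if (err == 0) return PROBE_OK;
    if (err == EPERM) return PROBE_EPERM;   /* blocked, as in the strace above */
    if (err == ENOSYS) return PROBE_ENOSYS; /* unknown syscall: glibc retries clone() */
    return PROBE_OTHER;
}

/* Nix's "cannot set domain name": re-set the current NIS domain name. */
enum probe probe_setdomainname(void) {
    struct utsname u;
    if (uname(&u) != 0) return PROBE_OTHER;
    if (setdomainname(u.domainname, strlen(u.domainname)) == 0) return PROBE_OK;
    return classify(errno);
}

/* Minimal clone3(): fork-like child that exits at once. Layout matches the
 * kernel's struct clone_args (64 bytes) so no recent headers are needed. */
enum probe probe_clone3(void) {
    uint64_t args[8] = {0};     /* flags, pidfd, child_tid, parent_tid, ... */
    args[4] = SIGCHLD;          /* exit_signal */
    long pid = syscall(SYS_clone3, args, sizeof args);
    if (pid == 0) _exit(0);     /* child */
    if (pid < 0) return classify(errno);
    waitpid((pid_t)pid, NULL, 0);
    return PROBE_OK;
}

int main(void) {
    static const char *name[] = { "ok", "EPERM", "ENOSYS", "other" };
    printf("setdomainname(): %s\n", name[probe_setdomainname()]);
    printf("clone3():        %s\n", name[probe_clone3()]);
    return 0;
}
```

An EPERM on clone3() points at the seccomp profile (docker < 20.10.10 in this thread), while EPERM on setdomainname() is the UTS-namespace restriction the sysbox side still needs to handle.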

Under kernel 5.15, and within a system container sandbox.

Attempting the docker installation technique.

  • docker 20.10.8 reproduces the issue
  • docker 20.10.21 works fine

Attempting the first installation technique.

copying Nix to /nix/store...

installing 'nix-2.11.1'
error: cannot set domain name: Operation not permitted
(use '--show-trace' to show detailed location information)
/tmp/nix-binary-tarball-unpack.px0PzI83GV/unpack/nix-2.11.1-x86_64-linux/install: unable to install Nix into your default profile

matthewparkinsondes · Nov 30 '22 22:11

Got it. We're on the same page now. Will get back to you with an ETA for this one.

rodnymolina · Nov 30 '22 22:11