Error: cloning builder process: Operation not permitted installing Nix 2.2.1 in (Arch) Linux #2633

Closed
x80486 opened this issue Jan 16, 2019 · 18 comments


@x80486

x80486 commented Jan 16, 2019

I'm currently using Arch Linux 4.19.15-1-lts #1 SMP Sun Jan 13 13:53:52 CET 2019 x86_64 GNU/Linux. I'm trying to install Nix 2.2.1 and I'm getting some errors:

    $ sh <(curl https://nixos.org/nix/install) --no-daemon
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2476  100  2476    0     0   5417      0 --:--:-- --:--:-- --:--:--  5406
    downloading Nix 2.2.1 binary tarball for x86_64-linux from 'https://nixos.org/releases/nix/nix-2.2.1/nix-2.2.1-x86_64-linux.tar.bz2' to '/tmp/nix-binary-tarball-unpack.n5vqvsi4Uq'...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 22.5M  100 22.5M    0     0  4016k      0  0:00:05  0:00:05 --:--:-- 4377k
    Note: a multi-user installation is possible. See https://nixos.org/nix/manual/#sect-multi-user-installation
    performing a single-user installation of Nix...
    directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown x80486 /nix' using sudo
    [sudo] password for x80486: 
    copying Nix to /nix/store.................................
    initialising Nix database...
    Nix: creating /home/x80486/.nix-profile
    installing 'nix-2.2.1'
    error: cloning builder process: Operation not permitted
    error: unable to start build process
    /tmp/nix-binary-tarball-unpack.n5vqvsi4Uq/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile

Truth is I've been using Nix for some years. This happened after a Linux/Nix upgrade, I can't really tell; all I can recap is that I started getting those errors after the Nix upgrade to version 2.2; more info in this StackExchange question.

@m-elwin

m-elwin commented Jan 19, 2019

I had the same problem. I think it has something to do with archlinux not having kernel user namespaces enabled. Doing
sysctl kernel.unprivileged_userns_clone=1
Seems to have fixed the issue.

See this archlinux forum post

I think this issue is likely related to (at least) #2632, #2636

@x80486
Author

x80486 commented Jan 20, 2019

I did sudo sysctl kernel.unprivileged_userns_clone=1 and rebooted; then tried to install Nix again and eventually that failed again (in the same step). I updated the kernel to uplink 4.19.16-1-lts #1 SMP Thu Jan 17 07:35:45 CET 2019 x86_64 GNU/Linux, but I don't think that matters.

@vcunat
Member

vcunat commented Jan 21, 2019

@x80486: I think that anything you do with sysctl won't persist across reboots (by itself).

@justinnoah

sysctl kernel.unprivileged_userns_clone=1

worked on Debian buster/testing as well

@x80486
Author

x80486 commented Jan 22, 2019

OK, I updated the system's kernel to 4.20.3.arch1-1 and it works with sysctl kernel.unprivileged_userns_clone=1; it's fine for me in such a way. I'll close this issue then since it's not quite a Nix issue but something with some Linux distros – and specifically the way the kernel is built/configured.

@x80486 x80486 closed this as completed Jan 22, 2019
@vcunat
Member

vcunat commented Jan 22, 2019

I think it might work without unprivileged_userns_clone if you disable sandboxing in nix.conf, but I wouldn't recommend that, as some packages tend to e.g. discover /usr/lib/* and use them.

@FlorianFranzen
Contributor

I think it is also important to note that the unprivileged_userns_clone flag is a Debian invention that was not upstreamed and will not exist on all systems, see for example this article on lwn.net.
On CentOS 6 for example I had to change a different flag:

echo 10000 > /proc/sys/user/max_user_namespaces

@gilligan
Contributor

I was just giving a small nix workshop and had two users running different distributions (arch and centos) running into this problem. I really don't think that this issue should be closed.

Anyone running the installer with a distribution where the settings are not as described here will get a weird error message with no indication what to do about it.

In order for this issue to be considered as solved I think there would have to be one/both of the below:

  • a sanity check that probes if the required settings are given
  • a helpful error message

@AmineChikhaoui
Member

Not sure about arch distro but in the case of CentOS, it's really the distro that is doing custom setup to disable user namespaces even if the kernel version used supports that (see #2632) so would be a bit hard to check for that as every distro can override the default behavior.

@gilligan
Contributor

> Not sure about arch distro but in the case of CentOS, it's really the distro that is doing custom setup to disable user namespaces even if the kernel version used supports that (see #2632) so would be a bit hard to check for that as every distro can override the default behavior.

Right, we can't really fix or adjust the choices made by various distributions. But isn't there a definitive way to find out if user namespaces are available or not?

$ sysctl user.max_user_namespaces
user.max_user_namespaces = 62782

Are we good if the number returned here is >0 ? If not the only other thing would be to carry out some operation that does require user namespace support and bail out with a proper error message if this fails?

But above all: even if we can't ultimately fix this, a useful error message would be a drastic improvement.
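
The probe discussed in the comment above, as an added example that is not part of the original thread or the Nix installer: it tries the operation itself and reads the two sysctl knobs mentioned here only to explain a failure. Function names are hypothetical; `unshare` from util-linux is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Nix installer code; function names are hypothetical.

# Print a one-word diagnosis from the two knobs named in this thread.
# $1: sysctl tree to read (default /proc/sys; a constructed tree works too).
userns_knobs() {
    sysdir="${1:-/proc/sys}"
    max_file="$sysdir/user/max_user_namespaces"
    clone_file="$sysdir/kernel/unprivileged_userns_clone"

    # Upstream per-user limit: 0 means no user namespace can be created.
    if [ -r "$max_file" ]; then
        max=$(cat "$max_file")
        case "$max" in
            ''|*[!0-9]*) echo "unknown"; return 2 ;;
        esac
        if [ "$max" -eq 0 ]; then echo "limit-zero"; return 1; fi
    fi

    # Distribution patch knob; absent on kernels without the patch.
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo "distro-knob-off"; return 1
    fi
    echo "knobs-ok"
}

# The definitive check: try to create a user namespace (unshare from util-linux).
userns_probe() {
    unshare --user true 2>/dev/null
}

# Combine both: probe first, use the knobs only to explain a failure.
userns_report() {
    if userns_probe; then echo "user namespaces usable"; return 0; fi
    case "$(userns_knobs "$@")" in
        limit-zero) echo "blocked: user.max_user_namespaces is 0" ;;
        distro-knob-off) echo "blocked: kernel.unprivileged_userns_clone is 0" ;;
        *) echo "blocked: knobs look fine; see clone(2) EPERM, e.g. a chroot" ;;
    esac
    return 1
}
```
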

@MarSoft

MarSoft commented Apr 24, 2019

Hello everybody. I have just got this same error but for a different reason.
A bit of background: I have Arch Linux installed and now am trying to install NixOS onto the different partition using chroot technique from the guide. And running nixos-rebuild switch gives this error:

...
error: cloning builder process: Operation not permitted
error: unable to start build process

UserNS is enabled in my system.
Turns out that the reason was described in clone(2) manpage:

EPERM (since Linux 3.9)
CLONE_NEWUSER was specified in flags and the caller is in a chroot environment (i.e., the caller's root directory does not match the root directory of the mount namespace in which it resides)

So I should add unshare -m call to my chroot, hope it helps.

@MarSoft

MarSoft commented Apr 25, 2019

Tried nixos-enter which should do proper unshare before chrooting. But still the same problem.

mpoquet added a commit to oar-team/batsim that referenced this issue May 6, 2019
Framagit runners seems to have some problem about it =/.
Might be related to NixOS/nix#2633
@NiklasKunkel

NiklasKunkel commented May 6, 2019

Just ran into this same issue in an Ubuntu 18.04.2 docker image.

```
sysctl user.max_user_namespaces
user.max_user_namespaces = 7865

sysctl kernel.unprivileged_userns_clone=1
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
```

@jgeerds
Member

jgeerds commented Aug 20, 2019

I'm hitting this bug on a freshly installed Debian buster. sudo sysctl kernel.unprivileged_userns_clone=1 fixed it as well. I think the current situation is not satisfying because it probably affects the first impression of new users.

Can we please open this issue again and find a solution?

CC: @edolstra

@mickours
Contributor

> Just ran into this same issue in an Ubuntu 18.04.2 docker image.
>
> ```
> sysctl user.max_user_namespaces
> user.max_user_namespaces = 7865
>
> sysctl kernel.unprivileged_userns_clone=1
> sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> ```

Same problem on an OVH rescue image, which prevents me from installing NixOS 19.03 on a dedicated server.
I was not able to find a workaround... Any idea on the root cause of this problem?

I'm sadly going back to Ubuntu :(

@edolstra
Member

I think this is fixed by #3006.

@x80486
Author

x80486 commented Aug 28, 2019

Not quite for all Linuxes. I use Arch Linux and I have to run sudo sysctl kernel.unprivileged_userns_clone=1 from time to time...

@xeruf

xeruf commented Oct 16, 2020

I am on Arch, ran that command, and still got that error...
