Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sandbox = true does not always work #172

Open
nomeata opened this issue Jul 18, 2018 · 15 comments
Open

sandbox = true does not always work #172

nomeata opened this issue Jul 18, 2018 · 15 comments

Comments

@nomeata
Copy link

nomeata commented Jul 18, 2018

Your instructions instruct to put

sandbox = true

in /etc/nix/nix.config. But with this, the installation fails with

$ nix-env -f https://github.com/obsidiansystems/obelisk/archive/master.tar.gz -iA command --show-trace
error: cloning builder process: Operation not permitted
error: while evaluating 'getReflexPlatform' at /nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/default.nix:6:23, called from /nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/default.nix:7:21:
while evaluating the file '/nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/dep/reflex-platform/default.nix':
unable to start build process

It works without that line in nix.conf. Is sandbox = true required for oblisk?

@ryantrinkle
Copy link
Member

I believe on mac the situation is kind of gross: some things require sandbox and sometimes cannot use it. @alexfmpe am I getting this right?

@nomeata
Copy link
Author

nomeata commented Jul 18, 2018

Oh, I should add I am on linux (Debian unstable).

@ElvishJerricco
Copy link
Collaborator

@nomeata Can you post your nix version? I thought this was fixed before 2.0 was released.

@nomeata
Copy link
Author

nomeata commented Jul 18, 2018

nix-2.0.4

@ElvishJerricco
Copy link
Collaborator

Strange. I have the same version, and this succeeds for me:

nix-env --sandbox -f https://github.com/obsidiansystems/obelisk/archive/master.tar.gz -iA command

It looks like an eval error, so the fact that I already had many of the dependencies cached shouldn't be relevant.

@alexfmpe
Copy link
Collaborator

@ryantrinkle Back when I tested this, I couldn't get Mac to work with any sandboxing: #83

@tenniscp25
Copy link

Same error on arch linux (nix 2.0.4).

@ElvishJerricco
Copy link
Collaborator

@nomeata @tenniscp25 Can you guys post whether you're using multi-user Nix? nix-info should tell you.

@tenniscp25
Copy link

I don't have nix-info executable but I think mine's single-user. I did a fresh install with curl https://nixos.org/nix/install | sh.

nix --version -v shows this:

evaluating file '/nix/store/0d60i73mcv8z1m8d2m74yfn84980gfsa-nix-2.0.4/share/nix/corepkgs/derivation.nix'
nix-env (Nix) 2.0.4
Features: gc, signed-caches
Configuration file: /etc/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix

/etc/nix/nix.conf content:

substituters = https://cache.nixos.org https://nixcache.reflex-frp.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=
sandbox = true

@ElvishJerricco
Copy link
Collaborator

Huh. I thought nix-info came with Nix. You can run it by doing:

nix-shell -p nix-info --run nix-info

You can also tell that you have multi-user Nix if /nix/store is owned by root.

@matthewbauer
Copy link
Collaborator

matthewbauer commented Aug 8, 2018

Some Linux kernels don't allow namespace cloning. Maybe Debian does that now?

This is probably related to nix-community/nix-bundle#31. We do need a good error message in Nix for this though.

/cc @cleverca22

@tenniscp25
Copy link

system: "x86_64-linux", multi-user?: no, version: nix-env (Nix) 2.0.4, channels(tenniscp25): "nixpkgs-18.09pre147700.03e47c388ac", nixpkgs: /home/tenniscp25/.nix-defexpr/channels/nixpkgs

@matthewbauer
Copy link
Collaborator

matthewbauer commented Aug 8, 2018

Try running:

sysctl -w kernel.unprivileged_userns_clone=1

or

sysctl -w kernel.unprivileged_userns_apparmor_policy=1

or

sysctl -w kernel.userns_restrict=0

Hopefully one of those exists!

@ElvishJerricco
Copy link
Collaborator

It may also just be a user permission issue. @tenniscp25 does not have multi-user nix, so everything is executed as his user rather than root.

@tenniscp25
Copy link

Setting the kernel parameter works! Thanks @matthewbauer @ElvishJerricco!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants