
sandbox = true does not always work #172

Open
nomeata opened this issue Jul 18, 2018 · 15 comments

Comments

@nomeata

nomeata commented Jul 18, 2018

Your instructions say to put

sandbox = true

in /etc/nix/nix.config. But with this, the installation fails with

$ nix-env -f https://github.com/obsidiansystems/obelisk/archive/master.tar.gz -iA command --show-trace
error: cloning builder process: Operation not permitted
error: while evaluating 'getReflexPlatform' at /nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/default.nix:6:23, called from /nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/default.nix:7:21:
while evaluating the file '/nix/store/mpzmwpq3m6w747b8cpwirrdk1864jaz4-master.tar.gz/dep/reflex-platform/default.nix':
unable to start build process

It works without that line in nix.conf. Is sandbox = true required for obelisk?

@ryantrinkle
Member

I believe on Mac the situation is kind of gross: some things require sandbox and sometimes cannot use it. @alexfmpe am I getting this right?

@nomeata
Author

nomeata commented Jul 18, 2018

Oh, I should add I am on Linux (Debian unstable).

@ElvishJerricco
Collaborator

@nomeata Can you post your nix version? I thought this was fixed before 2.0 was released.

@nomeata
Author

nomeata commented Jul 18, 2018

nix-2.0.4

@ElvishJerricco
Collaborator

Strange. I have the same version, and this succeeds for me:

nix-env --sandbox -f https://github.com/obsidiansystems/obelisk/archive/master.tar.gz -iA command

It looks like an eval error, so the fact that I already had many of the dependencies cached shouldn't be relevant.

@alexfmpe
Collaborator

@ryantrinkle Back when I tested this, I couldn't get Mac to work with any sandboxing: #83

@tenniscp25

Same error on Arch Linux (nix 2.0.4).

@ElvishJerricco
Collaborator

@nomeata @tenniscp25 Can you guys post whether you're using multi-user Nix? nix-info should tell you.

@tenniscp25

I don't have nix-info executable but I think mine's single-user. I did a fresh install with curl https://nixos.org/nix/install | sh.

nix --version -v shows this:

evaluating file '/nix/store/0d60i73mcv8z1m8d2m74yfn84980gfsa-nix-2.0.4/share/nix/corepkgs/derivation.nix'
nix-env (Nix) 2.0.4
Features: gc, signed-caches
Configuration file: /etc/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix

/etc/nix/nix.conf content:

substituters = https://cache.nixos.org https://nixcache.reflex-frp.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=
sandbox = true

@ElvishJerricco
Collaborator

Huh. I thought nix-info came with Nix. You can run it by doing:

nix-shell -p nix-info --run nix-info

You can also tell that you have multi-user Nix if /nix/store is owned by root.

@matthewbauer
Collaborator

matthewbauer commented Aug 8, 2018

Some Linux kernels don't allow namespace cloning. Maybe Debian does that now?

This is probably related to nix-community/nix-bundle#31. We do need a good error message in Nix for this though.

/cc @cleverca22

@tenniscp25

system: "x86_64-linux", multi-user?: no, version: nix-env (Nix) 2.0.4, channels(tenniscp25): "nixpkgs-18.09pre147700.03e47c388ac", nixpkgs: /home/tenniscp25/.nix-defexpr/channels/nixpkgs

@matthewbauer
Collaborator

matthewbauer commented Aug 8, 2018

Try running:

sysctl -w kernel.unprivileged_userns_clone=1

or

sysctl -w kernel.unprivileged_userns_apparmor_policy=1

or

sysctl -w kernel.userns_restrict=0

Hopefully one of those exists!

@ElvishJerricco
Collaborator

It may also just be a user permission issue. @tenniscp25 does not have multi-user nix, so everything is executed as his user rather than root.

@tenniscp25

Setting the kernel parameter works! Thanks @matthewbauer @ElvishJerricco!
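The thread narrows the "cloning builder process: Operation not permitted" failure down to two things: whether the kernel lets an unprivileged process create a user namespace (the sysctls matthewbauer lists), and whether the install is single-user, so that builds run as the invoking user rather than as root (ElvishJerricco's point). The script below is an added diagnostic that checks both before anyone starts flipping sysctls; it is not code from the issue thread or from the Obelisk project. It reads the two sysctls from the thread that actually gate namespace creation (`kernel.unprivileged_userns_clone`, `kernel.userns_restrict`), both of which are distribution patches and so may simply be absent; `SYSCTL_ROOT` is a hypothetical override so the logic can be exercised against constructed files instead of the live `/proc/sys`, and the store-owner rule of thumb is the one the thread itself gives.

```shell
#!/bin/sh
# Added example, not code from the Obelisk issue thread or project.
# Checks the two causes the thread identifies for Nix's sandbox failing:
#   1. the kernel refusing an unprivileged user-namespace clone, and
#   2. a single-user Nix install, where builds run as your own user.
# SYSCTL_ROOT is a hypothetical override used for testing against
# constructed files; by default the live /proc/sys tree is read.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print the value of kernel.<name>, or "absent" when this kernel lacks it.
# Both sysctls checked below are distribution patches, so "absent" is normal.
read_kernel_sysctl() {
    f="$SYSCTL_ROOT/kernel/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Classify user-namespace policy from the two sysctls named in the thread.
userns_status() {
    clone=$(read_kernel_sysctl unprivileged_userns_clone)   # 0 = blocked
    restrict=$(read_kernel_sysctl userns_restrict)          # 1 = blocked
    if [ "$clone" = 0 ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
    elif [ "$restrict" = 1 ]; then
        echo "blocked: kernel.userns_restrict=1"
    else
        echo "allowed"
    fi
}

# Live probe: ask the kernel for a user namespace as the current user.
# This is the operation that fails with "Operation not permitted" above.
probe_userns() {
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then echo ok; else echo denied; fi
    else
        echo "unshare not installed"
    fi
}

# Single-user vs multi-user Nix, using the thread's rule of thumb:
# a multi-user install has /nix/store owned by root.
nix_install_mode() {
    store="${1:-/nix/store}"
    [ -d "$store" ] || { echo unknown; return; }
    owner=$(ls -ld "$store" | awk '{print $3}')
    if [ "$owner" = root ]; then echo multi-user; else echo single-user; fi
}

echo "user namespaces (sysctl): $(userns_status)"
echo "user namespaces (probe):  $(probe_userns)"
echo "nix install mode:         $(nix_install_mode)"
```

If the sysctl check says "blocked" and the probe says "denied" on a single-user install, the sysctl change from the thread is the relevant fix; if the probe succeeds but Nix still fails, the cause lies elsewhere (for example an AppArmor policy, which this script does not inspect).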
