The build error is from this line:
https://github.com/NixOS/nixpkgs/pull/55973/files#diff-0e0af17bff7614ce6822d64c6863bb1fR36
but I'm not sure what the fix is, it seems that I can't readDir "${fhs-env}" during build because that path doesn't exist yet? it's weird because this works on my test fhs-env. Do i do it at runtime or can i force this directory to exist?

ofborg only evaluates things and it's not able to evaluate the buildFHSUserEnv without building due to readDir. The easiest fix might be calculate mounts, ro_mounts and blacklist in bwrap_cmd instead.

did some more tests, most things didn't run because my host system's /etc/fonts/fonts.conf could not be read by these packages for some reason. Nothing that seems to be wrong with the FHS env itself.
also updated the docs.

@GrahamcOfBorg build houdini lightworks conda

@hedning what do I need to merge this?

It would be good to get an OK from @yegortimoshenko or @abbradar first.

@yegortimoshenko if I wanted to edit the bwrap options for my own uses, how should I implement this to make that possible? Maybe I should include it as an arg in the derivation and use overrideAttrs? Or maybe I should just make my own custom FHSUserEnv, but I want to re-use as much upstream code as I can.

It's just that I worry that we might need to switch back at some point, if we ever need anything bubblewrap doesn't implement or if it proves to be suboptimal in some regard. If we were to expose bubblewrap options, we will never be able to change underlying implementation without breaking reverse compat.

I didn't yet review the PR itself yet, only bubblewrap -- it's quite more complicated but we should definitely try using it; the code is readable too.

One concern of mine is if nested bubblewrap would work okay, especially if it would blow /proc/mounts. This needs to be tested.

Another thing -- we explicitly don't want any kind of isolation that bubblewrap does, including no automount, any other namespaces etc, and we also don't want to expose it as an implementation. I think we could hit both birds by adding buildBwrapUserEnv upon which old buildFHSUserEnv resides. The former would have all the bubblewrap options exposed and the latter would enforce the old behaviour.

Wrt naming: User seems to be redundant, maybe buildBwrapEnv? Sounds good otherwise.

Maybe; don't have big preferences here. @illegalprime can choose the naming ~_^

For reference, the relocation error messages from above are claimed to be gone since glibc 2.30, which has a WIP PR.

I'm back!
@yegortimoshenko I updated this branch to not introduce any new options and I also changed /host/etc to /host-etc because /etc/resolv.conf is symlinked to ../run/ in systemd. Fedora also stores its SSL certificates as a symlink to somewhere not included in the current etc package so that should be investigated too.

OK Fedora stores its SSL certs in /etc/pki so I've added that to the environment.

I added a commit which removes /host/etc (or /host-etc) and bind-mounts specific files or directories from the host's /etc to the chroot. It then will look inside the generated root filesystem's /etc and bind mount subdirectories of it. because this is all subdirectories of etc the generated etc and the host etc are "merged" somewhat at runtime.

This helps avoid weird symlink bugs when nesting chroots like in this commit 06f27dc and in general simplifies things (IMO)

👍 really cool work. What can I do to help finish this PR?

@illegalprime Are you still working on this. Looks very promising

Rebased on top of nixos-unstable here: https://github.com/Atemu/nixpkgs/tree/chrootenv2bubblewrap

Nice!

• I like removing our dependency on that small custom C program
• needs a simple rebase (did it in https://github.com/raboof/nixpkgs/pull/new/chrootenv-2-bwrap)
• tested, verified it indeed works for my use cases (building things with sbt-protoc, building noisemaker)

(I don't really feel qualified to review the rest so this is just a comment ;) )

Since the compatibility is not 100% yet, perhaps we should limit bubblewrap use to the programs which are known to work first and move over the rest in later PRs.

Making all of these work feels like too large of a scope to me.

We could call it v2 and migrate everything to it and at some point delete the old version.

I did some rebase magic to do just that in a transparent manner https://github.com/Atemu/nixpkgs/tree/buildFHSUserEnvBw
I also ported three of the FHS packages that I know work fine.

Should I open a new PR?

Once we've ported all packages over, we can simply rename the function to the old name. This name should be temporary.

I did some rebase magic to do just that in a transparent manner Atemu/nixpkgs@buildFHSUserEnvBw
I also ported three of the FHS packages that I know work fine.

Should I open a new PR?

Once we've ported all packages over, we can simply rename the function to the old name. This name should be temporary.

bring it on.

With #94442 merged, should this be closed now?

#94442 seems to subsume this PR, closing.