New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix imperative containers #47917
Fix imperative containers #47917
Conversation
cc @flokli Also it would be great to have this backported to |
When logging into a container by using nixos-container root-login all nix-related commands in the container would fail, as they tried to modify the nix db and nix store, which are mounted read-only in the container. We want nixos-container to not try to modify the nix store at all, but instead delegate any build commands to the nix daemon of the host operating system. This already works for non-root users inside a nixos-container, as it doesn't 'own' the nix-store, and thus defaults to talking to the daemon socket at /nix/var/nix/daemon-socket/, which is bind-mounted to the host daemon-socket, causing all nix commands to be delegated to the host. However, when we are the root user inside the container, we have the same uid as the nix store owner, eventhough it's not actually the same root user (due to user namespaces). Nix gets confused, and is convinced it's running in single-user mode, and tries to modify the nix store directly instead. By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix to operate in multi-user mode, so that it will talk to the host daemon instead, which will modify the nix store for the container. This fixes NixOS#40355
…rs""" nixos-container can now execute nix commands again inside the container This reverts commit 9622cd3.
8f6aacd
to
e3611bd
Compare
👍 for the backport; this is something that could sting some users. |
@arianvp, @samueldr verified this works. It's a bit tricky, as LGTM, should be merged and backported to 18.09 as well. |
Hi! I am verifying this PR, and it looks like the regression test could be failing to test the regression?
And part of the log:
|
Odd.. works for me now too. Investigating... |
e3611bd
to
0668906
Compare
Okay @samueldr I fixed it.. I ran the regression test in the vm instead of the container inside the vm. The regression test should now properly trigger a failure when you revert |
P.s. how did you get such pretty log outputs? Mine are a lot more ... verbose |
@arianvp Take a look at the `result` directory after running the tests
|
@GrahamcOfBorg test containers-imperative |
Success on aarch64-linux (full log) Attempted: tests.containers-imperative Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: tests.containers-imperative Partial log (click to expand)
|
Backported |
Motivation for this change
When logging into a container by using
nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container. We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.
This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.
However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.
By setting
NIX_REMOTE=daemon
in/etc/profile
, we force nixto operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.
This fixes #40355
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)