I'm afraid there are still some issues with propagating impure dependencies, NixOS/nixpkgs#33756 (comment)

Dammit. I'll leave this here until we address those issues 😄

Meanwhile Linux-land sandbox is disabled by default despite working wonderfully 😭 .

I know, I know, performance concerns but still it's unfortunate. ("performance!!111oneone")

I think last time he looked into it, @edolstra found that it was actually the network namespaces that took most of the time. I was noodling about that it seems like we might be able to keep two persistent network namespaces: one empty one, and one that can talk to the internet for fixed-output derivations. Then we just keep reusing them and avoid paying the penalty.

Interesting! That does seem rather useful, especially if the cost is their creation/destruction.

(cc #179)

@copumpkin Can two builders talk to each other in the same empty network namespace? I suppose it's fine as long as both ends need to opt-in, but that'd be my onlly concern.

@shlevy I don't think they can unless we give them capabilities to create interfaces, right?

Well we need loopback for testing right?

Oh, yeah, that might throw a wrench in things

Well we could have a pool of namespaces then?

Yeah, that could work. Or we just accept that builds could technically talk to each other if they listen on loopback, sort of like what we have on Darwin

As long as they can't actually interfere without cooperating I think it's fine. Or we could have as many namespaces as we have build users, whatever

I marked this as stale due to inactivity. → More info

I closed this issue due to inactivity. → More info