run nix in a non root container in openshift - restricted SCC

[bessalahAmar]

Describe the bug

i'm trying to deploy nix in openshift under the restricted scc.

it looks like the nix is using unshare which can't work with non root user

As i'm using restricted SCC we can't add capabilities to the pod.

From the doc I have the impression that root permission is only needed for creating the nix folder but apprently no

Also tried to disable sandboxing but same result :

Bellow my attempts

Single user installation :

Multi user installation

Steps To Reproduce

RUN useradd --create-home appuser -u 1010130000 -g 0
RUN usermod -a -G root appuser
RUN mkdir /nix
RUN chown appuser /nix
RUN mkdir -p /etc/nix
RUN echo "build-users-group = root\nsandbox = false" > /etc/nix/nix.conf
USER appuser
RUN curl -L https://nixos.org/nix/install | sh -s -- --no-daemon

Expected behavior

have this command work properly:
nix run --option sandbox false nixpkgs#htop --extra-experimental-features nix-command --extra-experimental-features flakes

nix-env --version output
nix-env (Nix) 2.22.1

[fricklerhandwerk]

Triaged in Nix maintainers meeting:

• @Ericson2314: We're currently throwing an EPERM, but Function not implemented indicates we should also do ENOSYS
  • I may make a draft PR, @bessalahAmar would you try that out?

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-05-22-nix-team-meeting-minutes-147/45835/1

[Ericson2314]

@bessalahAmar Please trying building Nix master and let us know if this is not fixed!

[bessalahAmar]

Hi @Ericson2314 , @fricklerhandwerk , thanks for taking a look at this.
I'm having difficulties building it from source ( not that easy for me to setup or the dependencies required ) , i'm getting an error like the one bellow on the "make" step , not sure it's due to a dependency or if i'm missing something.

if you have the build on a tarball i can test it in the openshift sandbox.

error:

In file included from /usr/include/boost/container/vector.hpp:27,
                 from /usr/include/boost/container/small_vector.hpp:27,
                 from src/libexpr/gc-small-vector.hh:3,
                 from src/libexpr/eval.cc:21:
/usr/include/boost/container/allocator_traits.hpp: In instantiation of 'struct boost::container::allocator_traits<traceable_allocator<void> >':
/usr/include/boost/container/small_vector.hpp:121:7:   required from 'class boost::container::small_vector_allocator<nix::Value*, traceable_allocator<void>, void>'
/usr/include/boost/container/allocator_traits.hpp:136:48:   required from 'struct boost::container::allocator_traits<boost::container::small_vector_allocator<nix::Value*, traceable_allocator<void>, void> >'
/usr/include/boost/container/vector.hpp:723:88:   required from 'class boost::container::vector<nix::Value*, boost::container::small_vector_allocator<nix::Value*, traceable_allocator<void>, void>, void>'
/usr/include/boost/container/small_vector.hpp:369:7:   required from 'class boost::container::small_vector_base<nix::Value*, traceable_allocator<nix::Value*>, void>'
/usr/include/boost/container/small_vector.hpp:526:85:   required from 'struct boost::container::small_vector_storage_definer<nix::Value*, traceable_allocator<nix::Value*>, 4, void>'
/usr/include/boost/container/small_vector.hpp:549:7:   required from 'class boost::container::small_vector<nix::Value*, 4, traceable_allocator<nix::Value*>, void>'
src/libexpr/eval.cc:1780:31:   required from here
/usr/include/boost/container/allocator_traits.hpp:136:48: error: 'typedef void traceable_allocator<void>::value_type' is private within this context
  136 |    typedef typename allocator_type::value_type value_type;

[bessalahAmar]

Hi @Ericson2314 , @fricklerhandwerk , i was able to test the master version ( through the the image : nixos/nix:master ) and it's working :) thanks for your prompt resolution