Allow disabling network namespace sandbox when using a different storepath #14619

@FlinkbaumFAU

Is your feature request related to a problem?

I tried to use nix on a machine where I have no root access and network namespaces are disabled.
In nix.conf I included:

sandbox = false
store = <my_store_path>

However, when I try to build something with nix, it fails with the error "No space left on device". strace reveals that this is because nix tries to create a new network namespace:

clone(child_stack=0x7f0a32013ff8, flags=CLONE_PARENT|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 ENOSPC (No space left on device)

I checked the latest sources and it seems like the sandbox is turned on automatically when the user defines his own storeDir (src/libstore/unix/build/derivation-builder.cc:1950).

    if (store.storeDir != store.config->realStoreDir.get()) {
#ifdef __linux__
        useSandbox = true;
#else
        throw Error("building using a diverted store is not supported on this platform");
#endif
    }

Proposed solution

Another configuration option, like for example networkSandbox, which allows the user to turn off the use of network namespaces and which works no matter whether a user-defined store is used or not.

Additional context

Network namespaces are often turned off by administrators because of security issues. Having an option like networkSandbox would allow nix to be used on these machines.
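A diagnostic for the failure reported above, added here as an example; it is not part of the original issue or of Nix. On Linux 4.9 and later, `clone(2)` returns ENOSPC when a per-user namespace limit under `/proc/sys/user` would be exceeded (see namespaces(7)), so this script maps each `CLONE_NEW*` flag in the strace line to its limit file and lists those set to 0. It covers every namespace type in the flags, not only the network one; the function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Nix code: find which requested namespace types are
# disabled by a zero limit in /proc/sys/user.

# The clone() line quoted in the issue above.
STRACE_LINE='clone(child_stack=0x7f0a32013ff8, flags=CLONE_PARENT|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 ENOSPC (No space left on device)'

# limit_file FLAG: print the limit file that caps that namespace type.
# Returns 1 for flags that do not create a namespace (CLONE_PARENT, SIGCHLD).
limit_file() {
    case "$1" in
        CLONE_NEWNS)     echo max_mnt_namespaces ;;
        CLONE_NEWUTS)    echo max_uts_namespaces ;;
        CLONE_NEWIPC)    echo max_ipc_namespaces ;;
        CLONE_NEWUSER)   echo max_user_namespaces ;;
        CLONE_NEWPID)    echo max_pid_namespaces ;;
        CLONE_NEWNET)    echo max_net_namespaces ;;
        CLONE_NEWCGROUP) echo max_cgroup_namespaces ;;
        CLONE_NEWTIME)   echo max_time_namespaces ;;
        *) return 1 ;;
    esac
}

# blocked_namespaces STRACE_LINE [LIMIT_DIR]
# Prints "FLAG file=0" for each requested namespace type whose limit is 0.
# LIMIT_DIR defaults to /proc/sys/user; missing or unreadable files are skipped.
blocked_namespaces() {
    dir=${2:-/proc/sys/user}
    # Pull out the flags=... field, then split it on '|'.
    flags=$(printf '%s\n' "$1" | sed -n 's/.*flags=\([A-Z_|]*\).*/\1/p')
    old_ifs=$IFS; IFS='|'
    set -- $flags
    IFS=$old_ifs
    for flag in "$@"; do
        file=$(limit_file "$flag") || continue
        [ -r "$dir/$file" ] || continue
        limit=$(cat "$dir/$file")
        if [ "$limit" = 0 ]; then
            echo "$flag $file=0"
        fi
    done
    return 0
}

# Check the live limits on this machine for the flags Nix requested.
blocked_namespaces "$STRACE_LINE"
```

Empty output means no requested type has a zero limit, and the ENOSPC has another cause, such as a non-zero limit already being reached.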
