Unable to Set Up Private Mount Namespace

[iamrecursion]

I'm trying to execute the following command from the Nix Installation Guide, but it is producing an error: error: setting up a private mount namespace: Operation not permitted.

nix run --store ~/my-nix nixpkgs.nix nixpkgs.bashInteractive

This is likely due to the call to unshare here. It seems that something as simple as unshare -r whoami is failing with unshare: unshare failed: Operation not permitted.

The system is Arch Linux on kernel 4.18.5, and zgrep CONFIG_USER_NS /proc/config.gz returns CONFIG_USER_NS=y, indicating user namespace support.

Nix Version: 2.0.4

[matthewbauer]

When unshare fails, Nix should probably just fall back to non-sandboxed mode. That would hopefully make things just work.

I think there are a few different points that can disable user namespaces even when Linux was compiled with their support. You can try one of these to see if they help (as root):

sysctl -w kernel.unprivileged_userns_clone=1

or

sysctl -w kernel.unprivileged_userns_apparmor_policy=1

or

sysctl -w kernel.userns_restrict=0

[copumpkin]

You probably don't use it given the recent drama around it, but grsecurity also disables unprivileged user namespaces by default.

[iamrecursion]

Setting sysctl -w kernel.unprivileged_userns_clone=1 worked for me. Thank you!

[dniku]

I am having this error on RHEL 7.4, where I am not root and cannot request root rights. I installed nix via proot (nix-user-chroot didn't work due to lucabrunox/nix-user-chroot#9). Is there a way around this issue?

[matthewbauer]

You should be able to turn off sandboxing. Because you’re already in proot it should give you an okay sandbox already.

[dniku]

Could you explain how I can turn off sandboxing?

Also, ideally, I would prefer to avoid having to use proot as some things don't work within it (such as attaching to a running process in gdb). I'm okay with modifying my .bashrc in any reasonable ways though. Is it possible to use nix under these conditions?

[matthewbauer]

To turn off sandboxing you should just need to pass this to the nix-build command:

nix-build ... ---option sandbox false

You can also put that option in the ~/.config/nix/nix.conf like this:

sandbox = false

User namespaces are the best option for this case. If you aren't able to do that, I think proot is the only real alternative. It's a hack but works in lots of cases.

You can also try setting NIX_STORE_DIR=$HOME/nix when you build nix. I'm not sure if that still works, but that could at least avoid some of the issues. The issue with doing this is you can't use the official binary cache and will need to rebuild everything.

[bhipple]

@Pastafarianist provided that you can update your kernel boot parameters, you can get nix sandboxes working just fine in RHEL 7.4. You do not need to modify or recompile anything on the system. See here for details:

lucabrunox/nix-user-chroot#9 (comment)

Of course, someone with root will need to update the system to enable this, which might be a non-starter for you. Though it's worth mentioning once they do so, a completely unprivileged user can use the nix sandboxes without any special setup.

[dniku]

@bhipple thank you! Unfortunately, my priorities have shifted now and I am no longer trying to get nix to work on the server that I mentioned. If I ever get around to this again, I will look into getting root access, changing kernel parameters and rebooting (that last one is the hardest, actually).