
Unable to Set Up Private Mount Namespace #2404

Closed
iamrecursion opened this Issue Sep 5, 2018 · 9 comments


iamrecursion commented Sep 5, 2018

I'm trying to execute the following command from the Nix Installation Guide, but it is producing an error: error: setting up a private mount namespace: Operation not permitted.

nix run --store ~/my-nix nixpkgs.nix nixpkgs.bashInteractive

This is likely due to the call to unshare here. It seems that something as simple as unshare -r whoami is failing with unshare: unshare failed: Operation not permitted.

The system is Arch Linux on kernel 4.18.5, and zgrep CONFIG_USER_NS /proc/config.gz returns CONFIG_USER_NS=y, indicating user namespace support.

Nix Version: 2.0.4

matthewbauer commented Sep 5, 2018

When unshare fails, Nix should probably just fall back to non-sandboxed mode. That would hopefully make things just work.

I think there are a few different points that can disable user namespaces even when Linux was compiled with their support. You can try one of these to see if they help (as root):

sysctl -w kernel.unprivileged_userns_clone=1

or

sysctl -w kernel.unprivileged_userns_apparmor_policy=1

or

sysctl -w kernel.userns_restrict=0
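
The knobs listed above are easier to check in one go. The script below is an added example, not Nix code or anything posted in this thread; it assumes the /proc/sys paths for those knobs and also looks at the mainline user.max_user_namespaces limit, which the comment does not mention.

```shell
#!/usr/bin/env bash
# Added diagnostic (not part of Nix): work out which knob is most likely
# turning CONFIG_USER_NS=y into "unshare: Operation not permitted".
set -u

# Print a knob's value, or "absent" when this kernel does not expose it.
# An absent knob cannot be the one blocking you.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'absent'; fi
}

# diagnose_userns CLONE RESTRICT MAXNS
#   CLONE    kernel.unprivileged_userns_clone (Arch/Debian hardening patch)
#   RESTRICT kernel.userns_restrict (grsecurity and similar)
#   MAXNS    user.max_user_namespaces (mainline, 4.9+)
# Prints the first blocking condition or "ok"; exit status 1 when blocked.
diagnose_userns() {
    clone=$1; restrict=$2; maxns=$3
    if [ "$clone" = "0" ]; then
        printf 'blocked: kernel.unprivileged_userns_clone=0 (set to 1 as root)\n'
        return 1
    fi
    if [ "$restrict" = "1" ]; then
        printf 'blocked: kernel.userns_restrict=1 (set to 0 as root)\n'
        return 1
    fi
    if [ "$maxns" = "0" ]; then
        # An exhausted limit fails the clone with ENOSPC rather than EPERM,
        # but it is a common cause on RHEL 7 once namespaces are enabled.
        printf 'blocked: user.max_user_namespaces=0 (raise it as root)\n'
        return 1
    fi
    printf 'ok: no sysctl blocks unprivileged user namespaces\n'
    return 0
}

# Live check on this host: the same kind of command the reporter ran.
probe_unshare() {
    if command -v unshare >/dev/null 2>&1; then
        unshare -U -r true 2>&1 && printf 'unshare -U -r works\n'
    else
        printf 'unshare not installed\n'
    fi
}

if [ "${1:-}" = "--live" ]; then
    diagnose_userns "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)" \
                    "$(read_knob /proc/sys/kernel/userns_restrict)" \
                    "$(read_knob /proc/sys/user/max_user_namespaces)"
    probe_unshare
fi
```

Run it with `--live` on the affected machine; the constructed values in the comments show what each branch reports.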

copumpkin commented Sep 5, 2018

You probably don't use it given the recent drama around it, but grsecurity also disables unprivileged user namespaces by default.


iamrecursion commented Sep 6, 2018

Setting sysctl -w kernel.unprivileged_userns_clone=1 worked for me. Thank you!


Pastafarianist commented Jan 25, 2019

I am having this error on RHEL 7.4, where I am not root and cannot request root rights. I installed nix via proot (nix-user-chroot didn't work due to lethalman/nix-user-chroot#9). Is there a way around this issue?


matthewbauer commented Jan 25, 2019

You should be able to turn off sandboxing. Because you’re already in proot it should give you an okay sandbox already.


Pastafarianist commented Jan 25, 2019

Could you explain how I can turn off sandboxing?

Also, ideally, I would prefer to avoid having to use proot as some things don't work within it (such as attaching to a running process in gdb). I'm okay with modifying my .bashrc in any reasonable ways though. Is it possible to use nix under these conditions?


matthewbauer commented Jan 25, 2019

To turn off sandboxing you should just need to pass this to the nix-build command:

nix-build ... --option sandbox false

You can also put that option in the ~/.config/nix/nix.conf like this:

sandbox = false

User namespaces are the best option for this case. If you aren't able to do that, I think proot is the only real alternative. It's a hack but works in lots of cases.

You can also try setting NIX_STORE_DIR=$HOME/nix when you build nix. I'm not sure if that still works, but that could at least avoid some of the issues. The issue with doing this is you can't use the official binary cache and will need to rebuild everything.


bhipple commented Feb 24, 2019

@Pastafarianist provided that you can update your kernel boot parameters, you can get nix sandboxes working just fine in RHEL 7.4. You do not need to modify or recompile anything on the system. See here for details:

lethalman/nix-user-chroot#9 (comment)

Of course, someone with root will need to update the system to enable this, which might be a non-starter for you. Though it's worth mentioning once they do so, a completely unprivileged user can use the nix sandboxes without any special setup.


Pastafarianist commented Feb 24, 2019

@bhipple thank you! Unfortunately, my priorities have shifted now and I am no longer trying to get nix to work on the server that I mentioned. If I ever get around to this again, I will look into getting root access, changing kernel parameters and rebooting (that last one is the hardest, actually).
