nixos-container with user namespace enabled

[uvNikita]

Issue description

When a container is created with extraFlags = [ "-U" ] (user namespace), nixos-container command doesn't behave correctly. In particular, it doesn't enter a container user namespace (note UID/GID):

$ ~ sudo nixos-container run my-container -- bash -c 'ls -ld /'    
drwxr-xr-x 14 873857024 873857024 4096 Jul 20  2018 /

This happens due to the missing argument (-U) to nsenter command:

nixpkgs/pkgs/tools/virtualization/nixos-container/nixos-container.pl

Line 264 in 92a047a

exec($nsenter, "-t", $leader, "-m", "-u", "-i", "-n", "-p", "--", @args);

Running nsenter manually with -U added fixes the issue:

$ ~ sudo nsenter -t `machinectl show my-container -p Leader | sed -e "s/Leader=//"` -m -u -U -i -n -p -- bash -c 'ls -ld /'    
drwxr-xr-x 14 root root 4096 Jul 20  2018 /

This also afects nixos-container login command. machinectl shell my-container works as expected btw.

nixos-container command among other things is used to reload containers on configuration change and I'm not sure if it will behave correctly when it doesn't use the correct user namespace.

Steps to reproduce

Declare minimal container with user namespace enabled in configuration.nix:

containers.test = {
  extraFlags = [ "-U" ];
  config = {};
};

Run nixos-container login or nixos-container run commands.

Technical details

 - system: `"x86_64-linux"`
 - host os: `Linux 4.14.104, NixOS, 18.09pre-git (Jellyfish)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.1.3`
 - channels(root): `"nixos-server-18.09.1834.9d608a6f592, nixos-18.03"`
 - nixpkgs: `/var/src/nixpkgs`

[fpletz]

This is not fixed since #67130 was reverted. Current efforts to fix this are in #67336.

[stale]

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

[uvNikita]

I'm pretty sure this is still an issue since #67332 was reverted.

[stale]

I marked this as stale due to inactivity. → More info

[mohe2015]

still an issue

[uvNikita]

I think the most recent effort related to this is happening here: #69414 (comment)

[stale]

I marked this as stale due to inactivity. → More info