DavHau / nix-portable

Nix - Static, Permissionless, Installation-free, Pre-configured
MIT License
788 stars 29 forks

an update to nix portable #59

Closed dnkmmr69420 closed 1 year ago

dnkmmr69420 commented 1 year ago

Nix in nix portable is running behind. There should be a new updated version with the latest version of Nix in nix portable.

DavHau commented 1 year ago

I recently updated it on master, but did not yet make a release. nix-portable is broken inside docker on master. That would need to be fixed first.

dnkmmr69420 commented 1 year ago

ok got it. Wait what is the use of docker for this project?

DavHau commented 1 year ago

To use nix on top of arbitrary container images I'd say? But the way it's implemented is weird I admit. It uses proot inside docker, but we could just create /nix and use it. Currently it's only broken because of proot, therefore this change would also unbreak it.

heimalne commented 3 months ago

Just wanted to mention that the use case of running nix inside a docker container is needed in large companies: We want to introduce Nix inside of Gitlab CI jobs, which run on top of Docker images with a non-root user with random userid. But we haven't been able to run nix-build due to permission errors in either multi-user or single-user installation mode.

DavHau commented 3 months ago

@heimalne I generally wouldn't recommend running nix inside a container. It's usually better to host your own nixos based gitlab runner on a separate machine. Running it inside docker breaks some of the good things of nix like fast caching via the /nix/store between runs. Nix becomes significantly more annoying and less enjoyable. Anyways, assuming you really have to go that route, did you try running nix with --store, to point the store to a directory which the random user has access to?

heimalne commented 3 months ago

@DavHau Yes. Unfortunately, that's our only current option. The main problem that seems to trip up the Nix binaries is that we have to run the nix-build call under a different (random) userid than the one under which nix was installed; basically, we pre-build a runner image that contains the Nix binaries under some non-root userid (resulting in a single-user mode installation), but when that image is used inside Gitlab another (random) userid is chosen for that job session, which results in:

$ nix-build
warning: $HOME ('/home/nixuser') is not owned by you, falling back to the one defined in the 'passwd' file ('/<otherpath>')
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

We tried different permissions to make /nix and other folders like /nix/var/nix/profiles/per-user accessible, but this error persists; also, since that user id is random we cannot bake it in as "trusted" beforehand (needed to enable extra-sandbox-paths to access secrets for our private Python package repository).

Do you happen to know some guides, blogposts or posts that could help here? All we have found seem to assume a multi-user installation, root rights, non-Docker setup and/or a separate builder machine.
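The two failure conditions shown in the error output above (a `$HOME` not owned by the running UID, and a `/nix/var/nix/profiles/per-user` the running UID cannot write) can be checked before `nix-build` is invoked, and DavHau's `--store` suggestion can be applied automatically when the shared `/nix` is not usable. The following POSIX shell preflight is an added example written for this thread; it is not part of nix-portable or of either commenter's setup. It assumes that `nix-build --store <dir>` (a local store rooted at `<dir>`) is acceptable for the job, that the fallback directory name under `$TMPDIR` is a free choice, and that `stat -c %u` (GNU) or `stat -f %u` (BSD) is available. It only inspects ownership and writability and prints the command it would run; it does not run nix itself.

```shell
#!/bin/sh
# Preflight for running nix-build under an arbitrary (random) UID in a container.
# Added example for this issue thread, not nix-portable code.

# Return 0 when the given home directory exists and is owned by the current UID.
# This is the condition behind nix's "$HOME (...) is not owned by you" warning.
check_home_owned() {
  home="$1"
  [ -d "$home" ] || return 1
  owner=$(stat -c %u "$home" 2>/dev/null || stat -f %u "$home" 2>/dev/null) || return 1
  [ "$owner" = "$(id -u)" ]
}

# Return 0 when <store_root>/var/nix/profiles/per-user is writable, or, if it does
# not exist yet, when its nearest existing parent is writable so nix could create it.
# This is the directory nix failed to chmod in the error output above.
check_store_writable() {
  dir="$1/var/nix/profiles/per-user"
  if [ -d "$dir" ]; then
    [ -w "$dir" ]
  else
    parent="$dir"
    while [ ! -d "$parent" ]; do
      parent=$(dirname "$parent")
    done
    [ -w "$parent" ]
  fi
}

# Print the store root to use: the shared one if the current UID can write to it,
# otherwise a per-UID directory under $TMPDIR (constructed fallback name, assumption).
choose_store() {
  shared="$1"
  if check_store_writable "$shared"; then
    echo "$shared"
  else
    echo "${TMPDIR:-/tmp}/nix-store-uid-$(id -u)"
  fi
}

# Print the nix-build command line for the given shared store root and expression.
# Only adds --store when the shared store was rejected by choose_store.
nix_build_cmd() {
  shared="$1"
  expr="${2:-default.nix}"
  store=$(choose_store "$shared")
  if [ "$store" = "$shared" ]; then
    echo "nix-build $expr"
  else
    echo "nix-build --store $store $expr"
  fi
}

# Print a one-line diagnosis of the two conditions for a given home and store root.
diagnose() {
  home="$1"
  shared="$2"
  if check_home_owned "$home"; then h="home-ok"; else h="home-not-owned"; fi
  if check_store_writable "$shared"; then s="store-ok"; else s="store-not-writable"; fi
  echo "$h $s"
}

# Stand-alone usage: diagnose the real environment, then show the command to run.
if [ "${PREFLIGHT_DEMO:-0}" = "1" ]; then
  diagnose "$HOME" /nix
  nix_build_cmd /nix default.nix
fi
```

Run with `PREFLIGHT_DEMO=1 sh preflight.sh` inside the CI image to see which of the two conditions fails for the job's UID; the printed command is what the job should execute. Note that a local store under `$TMPDIR` gives up the cross-job cache sharing DavHau mentions, so it is a workaround for the permission problem rather than a replacement for a properly owned `/nix`.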