NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Nix 2.2 enabled sandboxing on Linux by default, breaking a bunch of installations by default #3000

Open grahamc opened 5 years ago

grahamc commented 5 years ago

I think it was the right idea to enable it by default, but probably having a way to detect its support first might be good.

The change broke installations for:

Grid comparison:

Full reports:

FruitieX commented 5 years ago

Possibly related, installation under WSL 2 Ubuntu is also broken:

error: while setting up the build environment: mounting /proc: Operation not permitted
./install: unable to install Nix into your default profile

Disabling sandboxing seems to help:

mkdir -p ~/.config/nix
echo "sandbox = false" > ~/.config/nix/nix.conf

With this workaround in place I was able to complete installation of Nix under WSL 2 simply by re-running the installation script.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity. → More info

valignatev commented 2 years ago

This is still relevant mr bot, thank you

SuperSandro2000 commented 2 years ago

Ubuntu 12.04, CentOS 6 and Debian 8 are really old and I don't think we should spend time on them.

Debian 9 and Gentoo can probably be fixed by installing rsync, which should not be required on newer versions IIRC.

Edit: rsync requirement got removed with https://github.com/NixOS/nix/pull/5150

valignatev commented 2 years ago

Ah, I had this problem yesterday on Arch Linux with very fresh updates, and I went to this issue from the ArchWiki, where it was listed together with the workaround.

klarkc commented 2 years ago

> Ah, I had this problem yesterday on Arch Linux with very fresh updates, and I went to this issue from the ArchWiki, where it was listed together with the workaround.

The workaround there says to disable the sandbox in the Nix config file. Is this an important thing? Should that be disabled?

MagicRB commented 2 years ago

@klarkc Extremely. It's akin to disabling sandboxing in Docker: a malicious build script could read all your files, send them off to a server, and you'd never notice.
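Added example (not part of the thread and not code from the Nix project): a small shell audit that reports whether the `sandbox = false` workaround discussed above is still in effect. The function names and sample files are constructed for illustration; it assumes `name = value` lines with spaces around `=` and does not follow `include` lines.

```shell
#!/bin/sh
# Added example: audit nix.conf files for the `sandbox` setting.
# Assumption: `name = value` lines with spaces around `=`; `include` is not followed.

# Print the effective value (true, false, relaxed or unset) for config files
# given in precedence order: a later file overrides an earlier one.
sandbox_setting() {
    value=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Strip comments, then keep the last `sandbox = X` assignment in the file.
        v=$(sed 's/#.*$//' "$f" |
            awk '$1 == "sandbox" && $2 == "=" { last = $3 } END { print last }')
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Return 0 when builds are sandboxed, 1 when the sandbox is off or weakened.
audit_sandbox() {
    case $(sandbox_setting "$@") in
        false)   echo "FAIL: sandbox = false, builds run unsandboxed"; return 1 ;;
        relaxed) echo "WARN: sandbox = relaxed, some derivations may opt out"; return 1 ;;
        true)    echo "OK: sandbox = true"; return 0 ;;
        unset)   echo "OK: sandbox not set, the Nix default applies"; return 0 ;;
        *)       echo "FAIL: unrecognised sandbox value"; return 1 ;;
    esac
}

# Constructed sample files (not real system configuration).
demo_dir=$(mktemp -d)
printf 'max-jobs = 4\nsandbox = true   # system setting\n' > "$demo_dir/system.conf"
printf '# workaround from the thread\nsandbox = false\n' > "$demo_dir/user.conf"

# The user file overrides the system file, so the audit reports FAIL.
audit_sandbox "$demo_dir/system.conf" "$demo_dir/user.conf" || true
```

On a real machine, pass the system configuration first and the per-user file second, for example `audit_sandbox /etc/nix/nix.conf ~/.config/nix/nix.conf`.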

stale[bot] commented 2 years ago

I marked this as stale due to inactivity. → More info

valignatev commented 2 years ago

bot begone