chaotic-cx / nyx

Nix flake for "too much bleeding-edge" and unreleased packages (e.g., mesa_git, linux_cachyos, firefox_nightly, sway_git, gamescope_git). And experimental modules (e.g., HDR, duckdns).
https://nyx.chaotic.cx
MIT License

[Bug] linuxPackages_cachyos causes problems with Distrobox containers #856

Closed KingKrouch closed 1 month ago

KingKrouch commented 1 month ago

What happens?

When I use the CachyOS kernel, and try to run Distrobox (or anything with containers really), I get an error similar to this:

❯ distrobox enter Coding_Toolchain
Error: unable to start container "e0857ff9ce692398b488da395d143d604cf87eb5794343db3189892412e43a3a": crun: mkdir `/sys/fs/selinux`: Permission denied: OCI permission denied

What is expected to happen?

I would reasonably expect that it would work without configuring anything extra.

If possible, please attach logs

No response

More information

I was digging around to see if there was anything kernel specific that was causing this issue, and I noticed that when I revert to the NixOS kernel, it doesn't have this issue.

Based on what I've heard others discuss when I asked for some assistance with figuring this issue out, this is possibly an SELinux related error. However, when I try and run sestatus in the terminal, it says that SELinux is disabled.

So I ended up looking at the repository to see what the kernel compilation flags were set to, and I noticed that SELinux support was enabled in the kernel, so here's what I ended up trying to see if I could disable it:

boot.kernelPackages = pkgs.linuxPackages_cachyos;
boot.kernelPatches = [ { # We need to disable SELinux in the case of CachyOS, as it causes issues with Distrobox.
  name = "disable_selinux";
  patch = null;
  extraConfig = ''
    CONFIG_SECURITY_SELINUX unset
    CONFIG_SECURITY_SELINUX_BOOTPARAM unset
    CONFIG_SECURITY_SELINUX_DEVELOP unset
    CONFIG_SECURITY_SELINUX_AVC_STATS unset
    CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS unset
    CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE unset
  '';
} ];
boot.kernelParams = [ "selinux=0" ];
chaotic.scx.enable = true; # by default uses scx_rustland scheduler

This still didn't really resolve the issue.
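Since the report hinges on sestatus saying SELinux is disabled while the kernel config has it built in, the following added example (not code from the issue or the nyx project) shows how to read the kernel's own view of SELinux instead: the active LSM list in /sys/kernel/security/lsm, the build config from /proc/config.gz (assumed to be available) and whether selinuxfs is mounted at /sys/fs/selinux. The classification function takes these as arguments so it can be exercised on constructed input; probe_running_kernel feeds it live data.

```shell
#!/bin/sh
# Added example, not part of the issue thread: tell apart "SELinux not built",
# "built but inactive" and "active" from what the running kernel exposes.

# classify_selinux LSM_LIST CONFIG_TEXT MOUNTED
#   LSM_LIST    contents of /sys/kernel/security/lsm (comma-separated active LSMs)
#   CONFIG_TEXT decompressed /proc/config.gz or /boot/config-$(uname -r)
#   MOUNTED     "yes" if selinuxfs is mounted on /sys/fs/selinux, else "no"
classify_selinux() {
    lsm="$1"
    config="$2"
    mounted="$3"

    # Built into this kernel at all? (a "# ... is not set" line does not match)
    case "$config" in
        *"CONFIG_SECURITY_SELINUX=y"*) built=yes ;;
        *) built=no ;;
    esac

    # Initialised as an LSM on this boot? (selinux=0 removes it from the list)
    case ",$lsm," in
        *,selinux,*) active=yes ;;
        *) active=no ;;
    esac

    if [ "$built" = no ]; then
        echo "absent"
    elif [ "$active" = yes ] && [ "$mounted" = yes ]; then
        echo "active"
    elif [ "$active" = yes ]; then
        echo "active-unmounted"
    else
        echo "built-in-inactive"
    fi
}

# Live probe of the running kernel. Assumes CONFIG_IKCONFIG_PROC or a
# /boot/config-* file; prints "absent" if neither is readable.
probe_running_kernel() {
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null)
    config=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null)
    if grep -qs ' /sys/fs/selinux selinuxfs ' /proc/self/mounts; then
        mounted=yes
    else
        mounted=no
    fi
    classify_selinux "$lsm" "$config" "$mounted"
}

# Constructed sample inputs, mirroring the situation in the report:
# SELinux compiled in, but not among the active LSMs and selinuxfs not mounted.
SAMPLE_LSM="lockdown,capability,landlock,yama,bpf"
SAMPLE_CONFIG="CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y"

# Uncomment to inspect the machine you are on:
# probe_running_kernel
```

A result of "built-in-inactive" is the case sestatus reports as disabled: the kernel still carries the SELinux code, but it was not initialised for this boot, and there is no selinuxfs for a container runtime to find at /sys/fs/selinux. Comparing this output between the two kernels is a quicker check than rebuilding with the config options unset.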

PedroHLC commented 1 month ago

I must declare first that I'm not a big fan of distrobox.

But I think your guess of the culprit is wrong:

╰─λ uname -a
Linux desktop 6.10.6-cachyos #1-NixOS SMP PREEMPT_DYNAMIC Mon Aug 19 04:05:40 UTC 2024 x86_64 GNU/Linux
╭─pedrohlc at desktop in /etc/nixos
╰─λ distrobox enter archlinux
何でもは知らないわよ。知ってることだけ
╭─pedrohlc at desktop in /run/host/etc/nixos
╰─λ pacman -Sy
error: you cannot perform this operation unless you are root.
╭─pedrohlc at desktop in /run/host/etc/nixos
╰─λ sudo pacman -Sy
:: Synchronizing package databases...
 core is up to date
 extra is up to date

KingKrouch commented 1 month ago

But I think your guess of the culprit is wrong

That is a fair assessment to make. I'm willing to admit that I'm likely incorrect in that theory, as you said, but I'm wondering if there are any default variables that are set when you include the "inputs.chaotic.nixosModules.default" module in the flake.nix file. When I remove that and the kernel stuff that I added to my config, distrobox works fine, but since in my tests SELinux returned false, I'd suspect that there's something else going on.

PedroHLC commented 1 month ago

Related to virtualization, I have these set:

  boot.enableContainers = false;
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
  };

Nothing cgroup-related that would impact crun (it is running v2, which should be what everyone gets now with the latest nixos-unstable). No group that should impact containerization.

As far as I'm aware, we don't have modules changing any cgroup/crun/runc option.

PedroHLC commented 1 month ago

@KingKrouch any update?

KingKrouch commented 1 month ago

@KingKrouch any update?

I still haven't gotten it to work. Interestingly, an Arch distrobox works fine; it's just when I use a fedora-toolbox image that it causes that issue.

KingKrouch commented 1 month ago

So I recently did a system update (with the NixOS kernel this time), and for some reason it's now causing this same exact issue there too (not with the Arch distrobox, surprisingly), so I am going to conclude by saying that it's likely a Distrobox issue at this point.

Apologies for the issue ticket.

EDIT: It looks like the quay.io Fedora image works fine, but not the toolbox images.

Technetium1 commented 1 month ago

@KingKrouch should definitely report to Distrobox, with this linked for context.