[Nix-dev] Making Nix use pivot_root in addition to chroot

Harald van Dijk harald at gigawatt.nl
Mon Dec 8 11:23:20 CET 2014


Thanks for the replies, all.

Looking a bit at the Darwin bits mentioned by Shea Levy in another message:

   https://github.com/NixOS/nix/issues/317
   https://github.com/NixOS/nix/issues/361

I don't think the sandbox approach will have much overlap with the 
chroot approach: pretty much all they seem to have in common is that 
they need to somehow determine which files and directories, in or 
outside the Nix store, should be available to builders. I don't see a 
possible useful common interface. Still, if there is one that I am 
simply missing right now, it might be worth waiting for the sandbox 
implementation to be finished.

On 05/12/2014 22:34, Shea Levy wrote:
> Couldn't we either a) mount our chroot over / instead of doing a chroot

That is a clever idea. It would need the equivalent of mount -o rbind, 
as the chroot contains several mounts that need to remain available.

Thinking about it a bit, I suspect that it would not work for me if the 
currently running Nix system is chrooted. It is something that might 
legitimately happen when the system fails to boot, I boot from recovery 
media, mount the file system, and chroot into it. In that case, it is 
highly desirable that builders continue to work, and I should test my 
pivot_root approach to verify that that does allow them to work.

On the upside, the pure mount approach might be a very good one for 
other systems.

> or b) do the chroot *after* the new user namespace?

Nix does not currently use a new user namespace, so I am having trouble 
understanding what you mean by this. The unshare -r that I mentioned as 
my reason for wanting pivot_root to be used: it's a command that gets 
run by the builder. It is not something Nix does itself. Because of 
that, it is not possible to get Nix to do something after that.

It could be interesting to get Nix to start using unshare -r itself, but 
since the Nix daemon runs as root, Nix would not have any permissions 
problem in the first place, and would not need pivot_root to work around it.

>> On Dec 5, 2014, at 4:05 PM, Eelco Dolstra <eelco.dolstra at logicblox.com> wrote:
>>
>> Hi,
>>
>>> On 04/12/14 12:24, Harald van Dijk wrote:
>>>
>>> Is there any interest in getting something like this in Nix? I would be
>>> perfectly happy to clean this patch up, get it into better shape, but I'd like
>>> to avoid doing so if (for whatever reason) it is decided that Nix should not be
>>> using this.
>>
>> Looks good to me. Being able to use all that user namespace magic would be great :-)

Thank you.

I will clean up my patch, wait a bit to see in what direction the Darwin 
bits are going, and then check, based on those bits, whether I can see a 
useful common implementation. When that is done, I should probably 
submit it via a pull request, right?

Cheers,
Harald van Dijk
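
The difference discussed in this message, as an added example (not part of the original post and not Nix code): a child process confines itself with either chroot or pivot_root and then attempts the user-namespace creation that `unshare -r` performs. The function names and the scratch path are hypothetical; it assumes Linux with unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one /proc/self file in a single write, as uid_map and gid_map require. */
static int put(const char *path, const char *fmt, unsigned id) {
    int fd = open(path, O_WRONLY), n = fd < 0 ? -1 : dprintf(fd, fmt, id);
    if (fd >= 0) close(fd);
    return n > 0 ? 0 : -1;
}

/* Child exit code: 1 = nested userns created, 0 = refused (EPERM), 2 = setup failed. */
static int child(const char *dir, int use_pivot, unsigned uid, unsigned gid) {
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS)) return 2;
    put("/proc/self/setgroups", "deny", 0);      /* needed before gid_map; absent on old kernels */
    if (put("/proc/self/uid_map", "0 %u 1", uid) || put("/proc/self/gid_map", "0 %u 1", gid) ||
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) return 2;
    if (use_pivot) {   /* new root must be a mount point: bind it onto itself first */
        if (mount(dir, dir, NULL, MS_BIND | MS_REC, NULL) || chdir(dir) ||
            syscall(SYS_pivot_root, ".", ".") || umount2(".", MNT_DETACH)) return 2;
    } else if (chroot(dir)) return 2;
    if (chdir("/")) return 2;
    if (unshare(CLONE_NEWUSER) == 0) return 1;   /* the step `unshare -r` depends on */
    return errno == EPERM ? 0 : 2;
}

/* Returns 1 or 0 as in child(), or -1 when namespaces cannot be set up here. */
int nested_userns_after(int use_pivot) {
    char dir[] = "/tmp/pivot-demo-XXXXXX";       /* hypothetical scratch directory */
    int st = 0;
    if (!mkdtemp(dir)) return -1;
    pid_t pid = fork();
    if (pid == 0) _exit(child(dir, use_pivot, geteuid(), getegid()));
    int ok = pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st);
    rmdir(dir);
    return (!ok || WEXITSTATUS(st) == 2) ? -1 : WEXITSTATUS(st);
}

int main(void) {
    printf("chroot: %d, pivot_root: %d\n", nested_userns_after(0), nested_userns_after(1));
    return 0;
}
```

The kernel refuses CLONE_NEWUSER with EPERM when the caller's root directory differs from the root of its mount namespace, which is the state chroot leaves behind and pivot_root does not.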

