[Nix-dev] Making Nix use pivot_root in addition to chroot

Harald van Dijk harald at gigawatt.nl
Thu Dec 11 22:24:10 CET 2014


On 09/12/2014 21:04, Colin Walters wrote:
> On Thu, Dec 4, 2014, at 06:24 AM, Harald van Dijk wrote:
>> Hello,
>>
>> I've recently been trying to use Nix in a somewhat different way than
>> NixOS, and for the builders I've got, it would be useful if they were able
>> to run unshare -r.
>
> You might be interested in
> https://git.gnome.org/browse/linux-user-chroot
>
> gnome-continuous uses it to do all builds chrooted as non-root, including buildroot construction as non-root.
>
> It might eventually be obsoleted by user namespace support in the kernel, but it's been quite useful in the last 4 years for my higher level tools.

Thanks, I appreciate the link. Perhaps surprisingly, though, one 
of the dependencies I am trying to avoid is really hardcoded build 
users: I've seen builders (of mine, not checked in Nixpkgs) that create 
e.g. tar archives from files created by that same builder, so the 
contents of those tar archives store the file owner, meaning the builder 
output depends on which of the several build users is used. I've come to 
the conclusion that fixing this reliably is best done by making those 
packages think they are always the same user (0). There was already the 
fakeroot package for that, and admittedly it does have its advantages (a 
daemon that remembers faked file ownership information, for instance), 
but it has drawbacks too: at the very least, I seem to remember various 
test suites breaking if running under fakeroot, so it requires careful 
planning to determine which bits should run under fakeroot and which 
bits shouldn't. That's a reason for me to give unshare -r a try instead. 
The chroot ability is a nice bonus, and now that I've seen that it's 
possible I'm definitely making use of it, but it wasn't what led me to it.

Cheers,
Harald van Dijk
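
The following is an added example, not part of the original message or of Nix: it shows why a tar archive written by a builder differs between build users, and that the difference disappears once every run records owner 0. It sets the tar header fields directly with Python's tarfile module instead of running under unshare -r; the user names, uids and file contents are constructed.

```python
import hashlib
import io
import tarfile

# Constructed sample data: one file a builder might emit, and two build users.
PAYLOAD = b"hello from the builder\n"
BUILD_USERS = [(30001, "nixbld1"), (30002, "nixbld2")]


def make_tar(uid, uname, normalize=False):
    """Return tar bytes for PAYLOAD as if written by build user uid/uname."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        info = tarfile.TarInfo(name="out/hello.txt")
        info.size = len(PAYLOAD)
        info.mtime = 0      # fixed, so only ownership varies between runs
        info.mode = 0o644
        info.uid = info.gid = uid
        info.uname = info.gname = uname
        if normalize:
            # Header as it would look if the builder always saw itself as user 0.
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
        tar.addfile(info, io.BytesIO(PAYLOAD))
    return buf.getvalue()


def digests(normalize):
    """SHA-256 of the archive produced by each build user."""
    return [hashlib.sha256(make_tar(uid, name, normalize)).hexdigest()
            for uid, name in BUILD_USERS]


def header_owner(tar_bytes):
    """Read back the owner recorded in the first member's header."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        member = tar.getmembers()[0]
        return member.uid, member.uname


if __name__ == "__main__":
    print("per-user owner :", digests(normalize=False))
    print("owner forced 0 :", digests(normalize=True))
```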

