| 30 Nov 2025 |
raitobezarius | And anyone can add a plugin | 19:59:44 |
raitobezarius | We might enable nix3 CLI to have a workable installable syntax without Flakes but we don't know yet where we will get | 20:00:16 |
raitobezarius | In reply to @weethet:catgirl.cloud Nix3 doesn't do that. We already agree to this and there's a nix4 CLI project | 20:01:05 |
raitobezarius | That's not reason enough to bomb nix3 :p | 20:01:15 |
just1602 | I'm wondering if there's gonna be a way for nix4 cli to not be written in C++, so we could use something like clap 😃 | 20:19:43 |
raitobezarius | I don't believe it, RPC for CLI is way too far | 20:24:01 |
WeetHet | Can't we use FFI instead? | 20:45:30 |
WeetHet | We already do for :doc in repl? | 20:45:45 |
raitobezarius | Exceptions and Rust is not going to be funny | 21:07:29 |
raitobezarius | In reply to @weethet:catgirl.cloud We already do for :doc in repl? It's not really FFI, it's cheating | 21:35:41 |
Jules Lamur | Hi, does anyone know how to run nixcpp/lix in a podman rootless container (no caps and /proc masked)? I'll try to dig into that but I thought somebody may have had the same use case already :) | 21:37:56 |
raitobezarius | With sandbox or without? | 21:38:37 |
hexa | possibly https://github.com/DavHau/nix-portable | 21:38:38 |
Jules Lamur | yeah sorry forgot about the important part: with the sandbox :) | 21:38:49 |
Jules Lamur | (i.e. sandbox-fallback = false) | 21:39:03 |
raitobezarius | AFAIK the podman rootless thing has a seccomp policy that prevents all unshare calls with any relevant arg | 21:39:13 |
raitobezarius | If you get rid of that and you have subuid delegation, you can run with sandbox | 21:39:30 |
raitobezarius | Otherwise hexa gave you the 50% performance penalty solution by using syscall interception | 21:39:46 |
Jules Lamur | yep you're right, running with e.g. podman run --cap-add=SYS_ADMIN --security-opt unmask=/proc/* --rm -it works | 21:39:53 |
raitobezarius | In reply to @jlamur:matrix.org yep you're right, running with e.g. podman run --cap-add=SYS_ADMIN --security-opt unmask=/proc/* --rm -it works I think you can remove just the unshare blacklist | 21:40:13 |
raitobezarius | Don't need to unmask proc and cap add | 21:40:20 |
raitobezarius | For proc, you only need a partial view, not a full view anyway, but you need a proper procfs I suppose | 21:41:03 |
Jules Lamur | AFAIU, podman sets a policy that prevents any mount-related syscall in /proc, so remounting a procfs should not work at all without the --security-opt flag above (again, if I understand correctly -- I only have a high-level understanding of all that) | 21:43:18 |
raitobezarius | Argh, yeah, we need *a* procfs | 21:44:11 |
raitobezarius | Not necessarily *the* procfs | 21:44:16 |
Jules Lamur | I'm not sure that I understand what you're suggesting here | 21:44:51 |
raitobezarius | In reply to @jlamur:matrix.org I'm not sure that I understand what you're suggesting here --security-opt seccomp reduced-seccomp.json | 21:45:29 |
raitobezarius | The JSON file is a fine grained control of which syscall is allowed | 21:46:23 |
raitobezarius | Allowing unshare makes sense if you want the sandbox to work at all | 21:46:45 |
raitobezarius | Perhaps, allowing the mount procfs is sufficiently risk free too | 21:46:56 |