| 24 Mar 2026 |
Vladimír Čunát | # Containers use systemd-nspawn, which requires pid 0 inside of the sandbox. | 09:33:10 |
Vladimír Čunát | which adds uid-range into requiredSystemFeatures | 09:33:34 |
Vladimír Čunát | PR https://github.com/NixOS/nixpkgs/pull/478109 | 09:33:56 |
Jeremy Fleischman (jfly) | @vcunat:matrix.org, how does https://github.com/NixOS/infra/pull/986 look? | 11:05:36 |
hexa | diff --git a/builders/common/nix.nix b/builders/common/nix.nix
index ce13643..79249e8 100644
--- a/builders/common/nix.nix
+++ b/builders/common/nix.nix
@@ -22,8 +22,11 @@
settings = {
accept-flake-config = false;
+ auto-allocate-uids = true;
builders-use-substitutes = true;
extra-experimental-features = [
+ "auto-allocate-uids"
+ "cgroups"
"nix-command"
"no-url-literals"
"flakes"
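Review bot: adding "cgroups" to extra-experimental-features only unlocks the cgroup code path; the `use-cgroups` setting is what actually turns it on, and this hunk sets `auto-allocate-uids = true;` but not `use-cgroups` (hexa raises the same point further down: "we'd need use-cgroups, too"). Either add `use-cgroups = true;` next to `auto-allocate-uids = true;` or drop "cgroups" from the list, and say in the PR which was intended, since the thread records that cgroup use was reverted earlier because it broke builds.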
@@ -32,6 +35,7 @@
"kvm"
"nixos-test"
"benchmark" # we may restrict this in the central /etc/nix/machines anyway
+ "uid-range"
];
trusted-users = [
"build"
| 11:06:17 |
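Review bot: exposing "uid-range" in system-features is not enough on its own for the nspawn test containers that motivate this change: the nixpkgs PR quoted later also expects `nix.settings.sandbox-paths = [ "/dev/net" ]; # to make nspawn↔qemu networking work`, which this patch omits, so those tests would still fail on these builders. The thread questions whether leaking /dev/net into the sandbox is safe at all, so either add the sandbox-paths entry with a comment recording that decision, or note in the PR that it was deliberately left out; the existing "we may restrict this in the central /etc/nix/machines anyway" comment on "benchmark" suggests the same caveat applies to "uid-range" and could be documented in the same way.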
hexa | same changes that I did, but inline | 11:06:36 |
hexa | still, I'm wary of cgroups in cppnix | 11:06:47 |
Jeremy Fleischman (jfly) | Or that :) | 11:06:47 |
hexa | elated-minsky exposes uid-range feature now | 11:07:03 |
Jeremy Fleischman (jfly) | I thought you said we used them, but I couldn't find evidence of that | 11:07:26 |
Jeremy Fleischman (jfly) | It's an ungodly hour here. Feel free to merge, or close my PR. Good luck! | 11:08:27 |
hexa | we reverted cgroups use because they broke builds | 11:10:02 |
hexa | over a year ago | 11:10:13 |
hexa | I know lix has them fixed | 11:10:26 |
hexa | https://github.com/NixOS/nix/pull/13135 | 11:11:07 |
hexa | oh and cgroups xp is likely not enough, right? | 11:12:18 |
hexa | we'd need use-cgroups, too | 11:12:23 |
hexa | but your example in the PR didn't either, so 🤷 | 11:13:57 |
Jeremy Fleischman (jfly) | Fun fact: the nspawn test container work uncovered a cgroups bug in lix (now fixed): https://git.lix.systems/lix-project/lix/issues/1143 | 11:15:28 |
Jeremy Fleischman (jfly) | I don't think I have this enabled on my laptop where I have been running these tests | 11:15:57 |
hexa | https://hydra.nixos.org/build/324725651 | 11:16:08 |
hexa | i think it requires /dev/net still | 11:16:40 |
hexa | is that safe to leak into the sandbox though? | 11:16:50 |
Jeremy Fleischman (jfly) | Hmm. This is failing to do networking between a nspawn container and a "classic" qemu vm. @kmein added that feature after I last worked on these. Lemme try locally | 11:19:32 |
hexa | nix.settings.sandbox-paths = [ "/dev/net" ]; # to make nspawn↔qemu networking work | 11:20:03 |
hexa | this is what the PR states | 11:20:09 |
Jeremy Fleischman (jfly) | ooh ok | 11:20:38 |
Jeremy Fleischman (jfly) | yeah, no idea if that's safe. perhaps it's a way to escape the sandbox | 11:21:16 |
Jeremy Fleischman (jfly) | it looks like that didn't make it into the docs PR. i'll fix that right now | 11:22:29 |