Nix feature fails to install with Podman
I'm using the VSCode Dev Containers extension on Linux with Podman and the following devcontainer.json file
{
  "name": "Ubuntu",
  "image": "mcr.microsoft.com/devcontainers/base:jammy",
  "features": {
    "ghcr.io/devcontainers/features/nix:1": {}
  }
}
Everything looks like it's working as expected until nix tries to bootstrap itself and fails with the error error: cannot set host name: Operation not permitted.
I've included some of the log output below for context, but I can't see any more information that's useful - any ideas how I could pass --show-trace to Nix?
[2022-11-17T00:40:46.659Z] ---- sudo execution ------------------------------------------------------------
I am executing:
$ sudo HOME=/root /nix/store/xdlpraypxdimjyfrr4k06narrv8nmfgh-nix-2.11.1/bin/nix-env -i /nix/store/xdlpraypxdimjyfrr4k06narrv8nmfgh-nix-2.11.1
to install a bootstrapping Nix in to the default profile
[2022-11-17T00:40:46.711Z] installing 'nix-2.11.1'
[2022-11-17T00:40:46.728Z] error: cannot set host name: Operation not permitted
(use '--show-trace' to show detailed location information)
[2022-11-17T00:40:46.738Z]
[2022-11-17T00:40:46.739Z] ---- oh no! --------------------------------------------------------------------
[2022-11-17T00:40:46.740Z] Jeeze, something went wrong. If you can take all the output and open
an issue, we'd love to fix the problem so nobody else has this issue.
:(
[2022-11-17T00:40:46.741Z]
[2022-11-17T00:40:46.741Z]
[2022-11-17T00:40:46.742Z] We'd love to help if you need it.
You can open an issue at https://github.com/nixos/nix/issues
Or feel free to contact the team:
- Matrix: #nix:nixos.org
- IRC: in #nixos on irc.libera.chat
- twitter: @nixos_org
- forum: https://discourse.nixos.org
I've tried both the single and multi user install options with the same result.
Is Podman supported? I'm only assuming it is since the Dev Containers extension picked it up without any input from me.
I'm new to both Nix and Dev Containers in general, so apologies if I'm missing something obvious!
I could successfully create a dev container with the provided config ☝️. However, I don't have podman installed which could be the difference here. Looks like it is not supported yet unless there is some local configuration causing the nix installation to fail. 🤔
We've seen variations in behaviors from Podman particularly on privs since it sets different defaults. Podman is not directly supported by the Dev Containers extension but can work in many circumstances. Most likely docker is mapped to podman on your system which is why it was picked up. (That said, community contributions to help improve Podman support are very welcome at https://github.com/devcontainers/cli.)
That error sounds like a limitation Podman sets by default that Docker must not.
I'd try a single user install to see if that resolves the issue with Podman - this appears to be coming from the NixOS installer given the above.
"ghcr.io/devcontainers/features/nix:1": {
  "multiUser": false
}
I found that the nix installation scripts (curl -L https://nixos.org/nix/install | sh) can only be run under the privileged flag on podman. Afaik currently, the nix installation feature is run during the build process, which does not have the option to run with the privileged flag. Docker does support that option in Dockerfile. Unfortunately podman does not support that option when I tried it.
Regarding the capabilities, I found that just adding SYS_ADMIN is not enough. It helps resolve the error: cannot set host name: Operation not permitted issue, since the capabilities include it. However, because podman makes the kernel filesystem read-only and masks them, the installation will fail with the following message:
error: mounting /proc: Operation not permitted
Tl;dr: To make this feature work with podman, we will need a way to run the installation scripts with the --privileged flag. On podman this is not yet possible afaik. A workaround would be to create the devcontainer with the --privileged flag, then run the nix installation scripts as a postCreateCommand, though that would defeat the whole purpose of using the features.
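The postCreateCommand workaround described in the comment above, written out as an added example (this script is not from the thread, the devcontainers project or Nix). It checks, before piping the installer to sh, the two things the installer tripped over here: whether CAP_SYS_ADMIN (capability number 21 in the Linux numbering) is in the container's effective capability set, and whether a fresh procfs can be mounted at all. The script name nix-preflight.sh, the --install argument and the sample masks in the usage note are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for running the Nix installer from a
# postCreateCommand in a Podman-backed dev container. Not from the thread,
# the devcontainers project or Nix. Run it as root (e.g. via sudo).

# CAP_SYS_ADMIN is capability number 21 (include/uapi/linux/capability.h).
CAP_SYS_ADMIN=21

# cap_in_set MASK CAPNUM: succeed if bit CAPNUM is set in MASK, where MASK is
# the hex value from the CapEff line of /proc/<pid>/status. The mask is split
# into two 32-bit halves so the arithmetic stays well within shell integer range.
cap_in_set() {
    mask=$1
    cap=$2
    # Left-pad to 16 hex digits by prepending zeros and keeping the last 16.
    padded=0000000000000000$mask
    prefix=${padded%????????????????}
    padded=${padded#"$prefix"}
    hi=${padded%????????}
    lo=${padded#????????}
    if [ "$cap" -ge 32 ]; then
        word=$hi
        bit=$((cap - 32))
    else
        word=$lo
        bit=$cap
    fi
    [ $(( (0x$word >> $bit) & 1 )) -eq 1 ]
}

# current_capeff: print this process's effective capability mask.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# proc_mountable: succeed if a new procfs instance can be mounted and unmounted
# in a scratch directory. This is what fails with "mounting /proc: Operation
# not permitted" when the container's /proc is masked or mounts are blocked.
proc_mountable() {
    d=$(mktemp -d) || return 1
    if mount -t proc proc "$d" 2>/dev/null; then
        umount "$d"
        rmdir "$d"
        return 0
    fi
    rmdir "$d"
    return 1
}

# preflight: fail early with a message naming the installer error that would
# otherwise appear much later in the log.
preflight() {
    mask=$(current_capeff)
    if ! cap_in_set "$mask" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN missing (CapEff=$mask): expect 'cannot set host name: Operation not permitted'" >&2
        return 1
    fi
    if ! proc_mountable; then
        echo "cannot mount a new procfs: expect 'error: mounting /proc: Operation not permitted'" >&2
        return 1
    fi
    return 0
}

install_nix() {
    if ! preflight; then
        echo "start the container with --privileged (runArgs) and retry" >&2
        return 1
    fi
    curl -L https://nixos.org/nix/install | sh
}

# Only run the installer when explicitly asked, so the file can also be
# sourced for its helper functions.
case "${1-}" in
    --install) install_nix ;;
esac
```

Pairing this with a devcontainer.json that has "runArgs": ["--privileged"] and "postCreateCommand": "sudo sh .devcontainer/nix-preflight.sh --install" (and no nix feature) reproduces the workaround from the comment. For the pure check, cap_in_set 00000000a80425fb 21 fails (a constructed mask resembling an unprivileged container's default set, which lacks CAP_SYS_ADMIN) while cap_in_set 0000003fffffffff 21 succeeds (a full set, as --privileged grants). Keep in mind that --privileged hands the container far more than these two checks cover: every capability, no seccomp or LSM confinement, and unmasked /proc and /sys, so a container started this way should be treated as equivalent to root on the host.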
Interesting. The privileged flag is not needed when using Docker/Moby to build. Odd that it is required for podman. We could add the SYS_ADMIN option or even privileged when executing though since that is easy enough to do. That does opt everyone into privileged tho. 🤔
Related issues in the nix repo: https://github.com/NixOS/nix/issues/5460