Add --pure --impure in nix-build to avoid changing system-wide useSandbox

[kuznero]

Add --pure / --impure in nix-build to avoid changing system-wide useSandbox all the time.

[kuznero]

Can I please be assigned to it as I would like to try to implement it myself?

[copumpkin]

Can you elaborate on what you mean here? All nix.conf options can be set locally via --option on the command line. Do you mean when using the daemon?

[kuznero]

@copumpkin nope, my impression was that the only way to turn off/on sandboxing is through configuration.nix system-wide. But sometimes with nix-build I need to be able to run either with sandboxing or not. So, I would like to avoid rebuilding system-wide configuration all the time I need to switch. And another thing is that nix-shell already supports --pure flag. So, I thought why not do the same for nix-build.

[copumpkin]

That's certainly true if you use the daemon, and can be a security feature depending on your trust model.

[edolstra]

As @copumpkin points out this is already possibly with --option (or just --sandbox or --no-sandbox in Nix 1.12). Calling it --pure or --impure is confusing because the nix-shell flag does something else than control sandboxing; it just determines whether to pass through the user's environment.

[copumpkin]

Well, with the daemon your --option build-use-sandbox has no effect, right? There's an argument that it really shouldn't have an effect, which is what I was alluding to above with the security comment, but I guess we also have at least one example of someone wanting to be able to use it that way.

[kuznero]

@edolstra, @copumpkin thanks! Good to know it is coming with nix 1.12. Any news on when it might be released?

[copumpkin]

@kuznero that's not the takeaway I'd take from it. The 1.12 change is just a very superficial syntax change, allowing you to write a quick --no-sandbox instead of --option build-use-sandbox false. It won't change any of the actual logic deciding whether the sandbox will be used.

On a release date there isn't a firm one, but at NixCon, @edolstra said that people should start testing it and filing bugs, so that's promising and probably means "soon" 😄

[kuznero]

@copumpkin thanks for details

[orivej]

Depending on the use case, you may replace nix-build . -A pkg with nix-shell . -A pkg --pure --run genericBuild to build without sandbox. (But if /nix is writable for you, of course you can simply unset NIX_REMOTE.)

[copumpkin]

Wouldn't the nix-shell version not get registered as valid in the DB?

[orivej]

It will not even write to the store, so yes. (Only the sources and dependencies will be realized in the store by nix-daemon. nix-shell will build in the current directory, which should be empty.) @kuznero did not mention his use case: this method will not help with installing software that needs access to the network during the build, but it will help with inspection of or intervention into the build process. (I've learnt this method from @symphorien here: NixOS/nixpkgs#29947 (comment).)

[timokau]

If --option build-use-sandbox doesn't work on purpose, I think it should at least cause an error message explaining that it doesn't work and how to enable sandboxing globally.

It looks like there's already a mechanism for that (https://github.com/NixOS/nix/blob/c30330df6f67c81986dfb124631bc756c8e58c0d/src/libmain/common-args.cc), but apperently right now settings.put doesn't raise an error.