
Nix doesn't work in Github Codespaces #6680

Open
kzvi opened this issue Jun 16, 2022 · 55 comments
Labels
other-linux Nix on a Linux distro that is not a NixOS-derivative question

Comments

@kzvi

kzvi commented Jun 16, 2022

Describe the bug

  1. Using the default Codespaces environment/image without any configuration, it is possible to install Nix in single-user mode using the sh <(curl -L https://nixos.org/nix/install) --no-daemon command. Then the Nix commands are accessible and appear to work, but building anything fails. For example, running

    nix-build -E 'with import <nixpkgs> {}; writeText "a" "b"'
    

    produces the enigmatic error

    error: suspicious ownership or permission on '/nix/store/ywzcczbp6n4c944jrk99vi7wjws0kx2n-a.drv.chroot/nix/store/5jz2jpipwd0y7iixvi3kax0ydr9zp6cq-a' for output 'out'; rejecting this build output
    
  2. Attempting to install Nix in multi-user mode fails with the error message

    error: getting attributes of path '/nix/store/lvqrpsasgr3jan8l6yfhvcv628jayk2x-busybox-static-x86_64-unknown-linux-musl-1.32.1/bin/busybox': Permission denied
    

Expected behavior

Running Nix in Github Codespaces is probably something that a lot of people will want to do. Even if it is the case that Nix can't support it, it would probably be helpful to have some documentation that states that it is unsupported and/or describes potential workarounds.

Edit: A solution found by @offlinehacker is to first run sudo apt install -y acl && sudo setfacl -k /tmp. Then Nix can be installed normally and building things will succeed. See #6680 (comment).

@kzvi kzvi added the bug label Jun 16, 2022
@k4ml

k4ml commented Jun 26, 2022

If I had found this issue first, I wouldn't have bothered to try nix in codespaces, but since I have spent a few hours trying to get nix working in codespaces, I will share here what I have got so far. This is my Dockerfile:

# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/python-3/.devcontainer/base.Dockerfile

# [Choice] Python version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.10, 3.9, 3.8, 3.7, 3.6, 3-bullseye, 3.10-bullseye, 3.9-bullseye, 3.8-bullseye, 3.7-bullseye, 3.6-bullseye, 3-buster, 3.10-buster, 3.9-buster, 3.8-buster, 3.7-buster, 3.6-buster
ARG VARIANT="3.10-bullseye"
FROM mcr.microsoft.com/vscode/devcontainers/python:0-${VARIANT}

RUN apt install -y util-linux netcat

# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
ARG NODE_VERSION="none"
RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi

RUN mkdir -m 0755 /nix && chown vscode /nix && groupadd nixbld && for n in $(seq 1 10); do useradd -c "Nix build user $n" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(command -v nologin)" "nixbld$n"; done

RUN curl -o nix-install.sh -L https://nixos.org/nix/install && su vscode -c "sh ./nix-install.sh --no-daemon"

# [Optional] If your pip requirements rarely change, uncomment this section to add them to the image.
# COPY requirements.txt /tmp/pip-tmp/
# RUN pip3 --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
#    && rm -rf /tmp/pip-tmp

# [Optional] Uncomment this section to install additional OS packages.
# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
#     && apt-get -y install --no-install-recommends <your-package-list-here>

# [Optional] Uncomment this line to install global node packages.
# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1

For some reason, $HOME/.profile is not sourced when the workspace starts, so I have to do it manually in each terminal. But after that things seem to work. docker-compose is also working and I managed to get our project running.

@k4ml

k4ml commented Jun 26, 2022

Ughh, building indeed failed. Mine above is working because I'm using cachix, so all our packages are already built. Trying to run without cachix, I got a similar error:

building '/nix/store/xgyp58pvyj54d2sav72axmmg6l97456w-yarn2nix-modules-1.0.0-workspace-package.json.drv'...
error: suspicious ownership or permission on '/nix/store/xgyp58pvyj54d2sav72axmmg6l97456w-yarn2nix-modules-1.0.0-workspace-package.json.drv.chroot/nix/store/8v2b2dwwc70g184v31lnp3dcncy1m89q-yarn2nix-modules-1.0.0-workspace-package.json' for output 'out'; rejecting this build output
error: 1 dependencies of derivation '/nix/store/ag3q3bagkd67fq2svlnl0cmr4jw8rj0s-yarn2nix-modules-1.0.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hsb2kpmm7p2d28n9lqk8pgd20f7j7c67-yarn2nix-1.0.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/4w17g7mndm92jh7jbsqn7qb9q94d44qa-yarn.nix.drv' failed to build

@cor

cor commented Jul 7, 2022

@k4ml have you found a workaround yet?

@tpwrules
Contributor

tpwrules commented Jul 10, 2022

This is the failing check:

#ifndef __CYGWIN__
    /* Check that the output is not group or world writable, as
       that means that someone else can have interfered with the
       build. Also, the output should be owned by the build
       user. */
    if ((!S_ISLNK(st.st_mode) && (st.st_mode & (S_IWGRP | S_IWOTH))) ||
        (buildUser && st.st_uid != buildUser->getUID()))
        throw BuildError(
            "suspicious ownership or permission on '%s' for output '%s'; rejecting this build output",
            actualPath, outputName);
#endif

What do the permissions of that build .chroot directory look like? Does /nix have the set-uid or set-gid bits on it? I don't have access to Codespaces to check.

@k4ml

k4ml commented Jul 15, 2022

How do I check the permissions for that .chroot directory, as it doesn't exist when the command ends? /nix is owned by user/group vscode, and the nix command is also executed by the vscode user.

ls -l /nix
total 320
drwxr-xr-x 1 vscode vscode 311296 Jul 15 00:44 store
drwxr-xr-x 1 vscode vscode   4096 Jul 14 23:33 var

I tried setting the build user in /etc/nix/nix.conf, but it was also no use:

cat /etc/nix/nix.conf 
build-users-group = vscode

@tpwrules
Contributor

Can you use strace to run the nix command and see what it is actually doing?

@dzmitry-lahoda

dzmitry-lahoda commented Aug 29, 2022

@k4ml I tried the same. I also tried to set chown vscode:root (like on my WSL Ubuntu). No help. Tried variations of chmod -R 0755 /nix && chown -R vscode:root /nix (that is the kind of thing the installer does).

I think the check is broken, because it allows the install but then fails to build. But if the install was suspicious and a security issue, then any later check is useless: it was hacked on install. So these checks should be made on par, i.e. the same level of security. NixOS/nixpkgs#82357 (comment)

@dzmitry-lahoda

@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ strace nix run .#kusama-picasso-karura-devnet -L --show-trace  2>  tee -a strace.log
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ strace nix run .#kusama-picasso-karura-devnet -L --show-trace  2> strace.log
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ stat /nix/
  File: /nix/
  Size: 4096            Blocks: 16         IO Block: 4096   directory
Device: 33h/51d Inode: 1710736     Links: 1
Access: (0755/drwxr-xr-x)  Uid: ( 1000/  vscode)   Gid: (    0/    root)
Access: 2022-08-29 10:54:28.027138364 +0000
Modify: 2022-08-29 08:04:12.531591807 +0000
Change: 2022-08-29 11:08:25.201991716 +0000
 Birth: 2022-08-29 08:11:19.432458431 +0000
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ id
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),0(root),27(sudo),102(nixbld),103(docker)
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ cat  /etc/sudoers.d/
README  vscode  
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ cat  /etc/sudoers.d/vscode 
vscode ALL=(root) NOPASSWD:ALL
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ 

@dzmitry-lahoda

dzmitry-lahoda commented Aug 29, 2022

UPDATE:
It was cut to 10K lines; there were 20K. Will update.

https://gist.github.com/dzmitry-lahoda/4c9b5f4a04a855efa6fc8f5449aadede

@dzmitry-lahoda

@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ 
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ nix --version
nix (Nix) 2.10.3
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ whoaim
bash: whoaim: command not found
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ whoami
vscode
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ uname -a
Linux codespaces-4e4765 5.4.0-1086-azure #91~18.04.1-Ubuntu SMP Thu Jun 23 20:33:05 UTC 2022 x86_64 GNU/Linux
@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ 

@dzmitry-lahoda

Did not help

@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ stat /nix/
  File: /nix/
  Size: 4096            Blocks: 16         IO Block: 4096   directory
Device: 33h/51d Inode: 1710736     Links: 1
Access: (0700/drwx------)  Uid: ( 1000/  vscode)   Gid: ( 1000/  vscode)
Access: 2022-08-29 11:25:21.917014911 +0000
Modify: 2022-08-29 08:04:12.531591807 +0000
Change: 2022-08-29 11:25:25.249091399 +0000
 Birth: 2022-08-29 08:11:19.432458431 +0000

Tried to read the C++ code, could not comprehend it. 🦀

@dzmitry-lahoda

@dzmitry-lahoda ➜ /workspaces/composable (dz/byog-container ✗) $ nix show-config
accept-flake-config = false
access-tokens = 
allow-dirty = true
allow-import-from-derivation = true
allow-new-privileges = false
allow-symlinked-store = false
allow-unsafe-native-code-during-evaluation = false
allowed-impure-host-deps = 
allowed-uris = 
allowed-users = *
auto-optimise-store = false
bash-prompt = 
bash-prompt-prefix = 
bash-prompt-suffix = 
build-hook = /nix/store/3af6g226v4hsv6x7xzh23d6wqyq0nzjp-nix-2.10.3/bin/nix __build-remote
build-poll-interval = 5
build-users-group = 
builders = @/etc/nix/machines
builders-use-substitutes = false
commit-lockfile-summary = 
compress-build-log = true
connect-timeout = 0
cores = 16
diff-hook = 
download-attempts = 5
enforce-determinism = true
eval-cache = true
experimental-features = flakes nix-command
extra-platforms = i686-linux x86_64-v1-linux x86_64-v2-linux x86_64-v3-linux x86_64-v4-linux
fallback = false
filter-syscalls = true
flake-registry = https://channels.nixos.org/flake-registry.json
fsync-metadata = true
gc-reserved-space = 8388608
hashed-mirrors = 
http-connections = 25
http2 = true
ignore-try = false
ignored-acls = security.csm security.selinux system.nfs4_acl
impersonate-linux-26 = false
keep-build-log = true
keep-derivations = true
keep-env-derivations = false
keep-failed = false
keep-going = false
keep-outputs = false
log-lines = 10
max-build-log-size = 0
max-free = 18446744073709551615
max-jobs = 1
max-silent-time = 0
min-free = 0
min-free-check-interval = 5
nar-buffer-size = 33554432
narinfo-cache-negative-ttl = 60
narinfo-cache-positive-ttl = 2592000
netrc-file = /etc/nix/netrc
nix-path = /home/vscode/.nix-defexpr/channels
plugin-files = 
post-build-hook = 
pre-build-hook = 
preallocate-contents = false
print-missing = true
pure-eval = true
repeat = 0
require-sigs = true
restrict-eval = false
run-diff-hook = false
sandbox = relaxed
sandbox-build-dir = /build
sandbox-dev-shm-size = 50%
sandbox-fallback = true
sandbox-paths = /bin/sh=/nix/store/0296qxvn30z9b2ah1g5p97k5wr9k8y78-busybox-static-x86_64-unknown-linux-musl-1.35.0/bin/busybox
secret-key-files = 
show-trace = false
stalled-download-timeout = 300
store = auto
substitute = true
substituters = https://cache.nixos.org https://composable-community.cachix.org
sync-before-registering = false
system = x86_64-linux
system-features = benchmark big-parallel nixos-test
tarball-ttl = 3600
timeout = 0
trace-function-calls = false
trace-verbose = false
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= composable-community.cachix.org-1:GG4xJNpXJ+J97I8EyJ4qI5tRTAJ4i7h+NK2Z32I8sK8=
trusted-substituters = 
trusted-users = root
use-case-hack = false
use-registries = true
use-sqlite-wal = true
user-agent-suffix = 

@dzmitry-lahoda

Will donate 10 DOT (Polkadot) for a fix.

@hussein-aitlahcen

This would be very interesting for building codespace based dev containers. Any chance someone experienced with the low-level issue could check this out?

@cor

cor commented Aug 29, 2022

It's also a big blocker for our team. We really want to use nix for our cloud based dev environments.

@offlinehacker
Contributor

@cor @hussein-aitlahcen does this devcontainer image work for you: https://github.com/xtruder/nix-devcontainer? I have tested it in github codespaces and it seems to work without issues. Here is an example project: https://github.com/xtruder/nix-devcontainer-python-jupyter

@dsyer

dsyer commented Aug 29, 2022

It’s broken the same way for me (builds fail, but cached results are fine). Same config works locally in VSCode - only codespaces seems broken.

@SuperSandro2000
Member

  • produces the enigmatic error
    error: suspicious ownership or permission on '/nix/store/ywzcczbp6n4c944jrk99vi7wjws0kx2n-a.drv.chroot/nix/store/5jz2jpipwd0y7iixvi3kax0ydr9zp6cq-a' for output 'out'; rejecting this build output
    

That error is very clear: The ownership of the nix store path is not what nix expects.

ls -l /nix
total 320
drwxr-xr-x 1 vscode vscode 311296 Jul 15 00:44 store
drwxr-xr-x 1 vscode vscode 4096 Jul 14 23:33 var

which is confirmed by this.

2. Attempting to install Nix in multi-user mode fails with the error message
error: getting attributes of path '/nix/store/lvqrpsasgr3jan8l6yfhvcv628jayk2x-busybox-static-x86_64-unknown-linux-musl-1.32.1/bin/busybox': Permission denied

The file nix tried to download has no executable bit set.

What is / in codespaces? Is this some mounted filesystem which enforces permissions and/or has noexec set? What is the output of mount?

@dzmitry-lahoda

I bake a container with nix: https://github.com/ComposableFi/composable/blob/dz/byog-container/Dockerfile . Hey, there is no error about multi user.

I run it with https://github.com/ComposableFi/composable/blob/dz/byog-container/.devcontainer/devcontainer.json .
How do I run it?

In local VS Code -> Remote-Containers : Rebuild and Reopen. It opens. I can:

  1. run all installed packages
  2. call nix and build new ones in my repo.
  3. run them

If I open the GitHub page and click Codespace, and run the same configuration remotely:

  1. same
  2. can run nix, it even builds something, but fails with suspicious ownership or permission

So the problem is you can build the container, but cannot use nix in it.

You may look into my report. I tried many kinds of permissions and owners; it did not help.

Why does remote differ from local? I do not know.

@dzmitry-lahoda

@SuperSandro2000 what exactly does nix expect? If I knew, I would chown/chmod.

@dzmitry-lahoda

As per this line,

if ((!S_ISLNK(st.st_mode) && (st.st_mode & (S_IWGRP | S_IWOTH))) ||

we need this

chmod -R a+rwx,g-w,o-w folder_name

Tried it. Possibly nix itself produced new files which are g+w?

@dzmitry-lahoda

This line tells

(buildUser && st.st_uid != buildUser->getUID()))

that there is a current build user, and the files were not produced by them.
Who are they?

debug("found build user '%1%'", *p);

So it takes the build group from config, finds all users in that group and takes some free user.

-L --show-trace does not show debug level info. It would be nice in this case. Or are there more flags?

@dzmitry-lahoda

I have ideas how to debug further, but it's bad that I cannot get low level logs.
The plan is to build, but not clean up deleted files, catch their codes (strace also shows something), and match how files move along the nix flow, and their rights.

@SuperSandro2000
Member

@SuperSandro2000 what exactly nix expects? If I would know, I would chown/chmod.

/nix should be owned by root:root and have 755 and /nix/store should be owned by root:nixbld and have 775.

PS It would be nice if you could edit previous comments to append new information.

@offlinehacker
Contributor

@SuperSandro2000 nix is running in single user mode here; root:nixbld is only for multi-user mode.

@offlinehacker
Contributor

offlinehacker commented Aug 29, 2022

So it turns out default file permissions are set on /tmp. If you do getfacl /tmp you get:

$ getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::r-x
default:other::rw-

This will set invalid permissions in temporary build files created inside /tmp:

$ ls -la /tmp/nix-build-a.drv-0
total 20
drwxrwxr-x+  2 vscode vscode 4096 Aug 29 21:23 .
drwxrwxrwt  12 root   root   4096 Aug 29 21:31 ..
-rw-rwxrw-   1 vscode vscode  215 Aug 29 21:23 .attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90
-rw-rwxrw-   1 vscode vscode 4410 Aug 29 21:23 env-vars

To fix this we have to remove the default permissions by running

setfacl -k /tmp

This will indeed remove default permissions

$ getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx

This also requires the acl package to be installed, something like

RUN sudo apt install -y acl && sudo setfacl -k /tmp

Of course we want to put this into the base image. Now we can successfully run nix-build:

nix-build --keep-failed -E 'with import <nixpkgs> {}; writeText "a" "test1234"'
this derivation will be built:
  /nix/store/ijwhizywnj2z9ihw6fks35kza7v13all-a.drv
building '/nix/store/ijwhizywnj2z9ihw6fks35kza7v13all-a.drv'...
/nix/store/fkh5gjh1f76686l0zjyv482zv8874l7r-a

ls -la /nix/store/fkh5gjh1f76686l0zjyv482zv8874l7r-a
-r--r--r-- 1 vscode vscode 4 Jan  1  1970 /nix/store/fkh5gjh1f76686l0zjyv482zv8874l7r-a

@dzmitry-lahoda

@offlinehacker we are on flakes and used home-manager.

So, I see:

  1. I can try to hook chmod to home as in the repo, so I tried to do it after start on nix - no help
  2. it does not fix tmp, which is for sure the issue (it is different locally - fixed).
  3. also, it adds to devcontainers sudoers - good enough - will try.
  4. so we rely on home-manager to bake the env before vscode starts, so it starts in an env with stuff already. Not a selector. For now.

@CSchank

CSchank commented Mar 14, 2023

@Chuxel this workaround (using base:jammy) seems to be broken now as well - have you found another?

@dzmitry-lahoda

By the way, devenv seems to work well.

@dzmitry-lahoda

Also try the zero to nix installer.

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/github-codespace-support/27152/2

@drupol
Contributor

drupol commented Apr 11, 2023

I had an issue with the official Nix installer on Amazon Workspace... I reported the issue here and here... and it has been fixed in the DeterminateSystems installer.

I would give it a try on Github Codespaces and see if it works: https://github.com/DeterminateSystems/nix-installer

@refroni

refroni commented Apr 12, 2023

Side note: we've brought this up with the GitHub team today and they will be taking a look at this.

@dsyer

dsyer commented Apr 13, 2023

It's still broken in Codespaces as far as I can tell. I tried with "jammy" and "bullseye" variants of the universal image.

@dzmitry-lahoda

dzmitry-lahoda commented Apr 13, 2023

You can check the attached discord comment. It works with home manager in the docker build approach. The only thing I have still not done is sourcing env vars into the codespace session. I need some libs to be in the env. Local docker seemed to work too.

I was able to make vscode consume nix installed tools, the docker in docker feature works, nix run and nix build work, I can bake anything into home manager for caching, the codespace is super close to flake develop, so codespace is close to local develop, sure profile install and home switch.

Lacking only session variables (why is it so hard?) and a generator of codespace definition from nix (super easy).

The nix codespace feature is miles behind this.

Likely the new nix installer will simplify docker setup. Also, I would prefer MS to allow running VM images, so I can run the same image in codespace or in cloud or a local VM created via nixos generator with modules. docker sucks. Just give me a good azure and hyperv image builder)

@dzmitry-lahoda

For some reason home manager injects glibc and some locales into session variables, but does not source this into profiles. If I source it along with my variables, vscode fails (seems like a conflict of libs). So I source only what I know is needed:

# variables are put into this file, but also some extra vars
# seems the whole file conflicts with vscode startup injection
# so getting them one by one for evaluation
RUN grep "PROTOC" ~/.nix-profile/etc/profile.d/hm-session-vars.sh >> ~/.profile
RUN grep "PROTOC" ~/.nix-profile/etc/profile.d/hm-session-vars.sh >> ~/.bashrc
RUN grep "ROCKSDB_LIB_DIR" ~/.nix-profile/etc/profile.d/hm-session-vars.sh >> ~/.profile
RUN grep "ROCKSDB_LIB_DIR" ~/.nix-profile/etc/profile.d/hm-session-vars.sh >> ~/.bashrc

@aryairani

aryairani commented Jun 4, 2023

It works okay for me with this in my devcontainer.json. Granted it's not the Universal image, but the universal image doesn't have much free space and you probably don't get anything useful out of it if you are going to use Nix for your dependencies anyway.

{
  "image":"mcr.microsoft.com/devcontainers/base:alpine",
  "features": {
    "ghcr.io/devcontainers/features/nix:1": {
      "multiUser": true,
      "version": "latest"
    }
  }
}

There might be a more minimal version that works but I didn't care to try to minimize.

@dzmitry-lahoda

dzmitry-lahoda commented Jun 4, 2023

You say that when vscode on the remote codespace pops up, its plugins catch up with whatever tooling and environment variables you have put for people into the nix shell?

The need is nix, and for nix to install exact versions of all compilers, lsps, renderers, optimizers, etc. for users on start, fast.

@aryairani

aryairani commented Jun 5, 2023

Never mind, it isn't working for me after all, sorry.

@71

71 commented Jun 6, 2023

So I've been experimenting with this starting with @aryairani's config above.

My setup now is:

  1. Workspace root has a flake.nix file with devShells.${system}.default = pkgs.mkShell { ... };.
  2. Workspace root has a .envrc.recommended file with use flake.
  3. Devcontainer configuration is:
    {
      "image": "mcr.microsoft.com/devcontainers/base:alpine",
      "features": {
        "ghcr.io/devcontainers/features/nix:1": {
          "multiUser": true,
          "version": "latest",
          // Needed for flakes & nix-direnv:
          "extraNixConfig": "experimental-features = nix-command flakes,keep-outputs = true,keep-derivations = true"
        }
      },
      "onCreateCommand": {
        // Set up global gitignore for direnv.
        "init-git": "mkdir -p ~/.config/git && printf '.direnv/\\n.envrc\\n' > ~/.config/git/ignore && git config --global core.excludesfile ~/.config/git/ignore",
        // Install, set up and allow direnv in workspace.
        "install-direnv": "nix profile install nixpkgs#direnv nixpkgs#nix-direnv && mkdir -p ~/.config/direnv && echo 'source $HOME/.nix-profile/share/nix-direnv/direnvrc' >> ~/.config/direnv/direnvrc && cp .envrc.recommended .envrc && direnv allow",
        // Run `print-dev-env` to build `devShells.${system}.default`.
        "build-dev-env": "nix print-dev-env > /dev/null"
      },
      "customizations": {
        "vscode": {
          "extensions": [
            // Inject direnv variables into VS Code terminals and tasks:
            "mkhl.direnv",
            // Support for `.nix` files:
            "jnoortheen.nix-ide"
          ]
        }
      }
    }
    You should also add && echo 'eval \"$(direnv hook bash)\"' >> ~/.bashrc to the end of the install-direnv command, or whatever command will set up the shell you're going to be using.

contrun added a commit to contrun/infra that referenced this issue Jun 23, 2023
See also
[GitHub Codespace Support - NixOS Discourse](https://discourse.nixos.org/t/github-codespace-support/27152/3)
[Nix doesn't work in Github Codespaces · Issue #6680 · NixOS/nix · GitHub](NixOS/nix#6680 (comment))
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-in-github-codespaces/36065/2

uonr added a commit to mythal/boluo that referenced this issue Dec 27, 2023
@roberth roberth added question other-linux Nix on a Linux distro that is not a NixOS-derivative and removed bug labels Jul 11, 2024

@arianvp
Member

arianvp commented Sep 21, 2024

So everything works except that I still get this error for packages that use buildFHSEnv. They all fail with a spurious permission error. Anybody got any clue why??

ikedaisuke added a commit to ikedaisuke/_nix-playground_ that referenced this issue Oct 25, 2024