Warn when building without nix daemon

We need root permission to drop supplementary groups, and if we don't do that, some builds can fail in user namespace, most notably go. Related: NixOS#3245
yshui · Mar 29, 2024 · 298bfd9 · 298bfd9
1 parent b72e1c7
commit 298bfd9
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -929,8 +929,13 @@ void LocalDerivationGoal::startBuilder()
             options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
             if (privateNetwork)
                 options.cloneFlags |= CLONE_NEWNET;
-            if (usingUserNamespace)
+            if (usingUserNamespace) {
+                if (getgroups(0, NULL) != 0) {
+                    warn("user namespace enabled, but we weren't able to drop supplementary groups; "
+                        "this can break some builds. consider using the nix daemon.");
+                }
                 options.cloneFlags |= CLONE_NEWUSER;
+            }
 
             pid_t child = startProcess([&]() { runChild(); }, options);