Warn when building without nix daemon
We need root permission to drop supplementary groups, and if we don't do
that, some builds can fail in user namespace, most notably go.

Related: NixOS#3245
yshui committed Nov 30, 2022
1 parent f91dc02 commit 470414e
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/libstore/build/local-derivation-goal.cc
Expand Up @@ -913,8 +913,13 @@ void LocalDerivationGoal::startBuilder()
int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
if (privateNetwork)
flags |= CLONE_NEWNET;
if (usingUserNamespace)
if (usingUserNamespace) {
if (getgroups(0, NULL != 0) {
warn("user namespace enabled, but we weren't able to drop supplementary groups; "
"this can break some builds. consider using the nix daemon.");
}
flags |= CLONE_NEWUSER;
}

pid_t child = clone(childEntry, stack + stackSize, flags, this);
if (child == -1 && errno == EINVAL) {
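Review bot: The new condition `if (getgroups(0, NULL != 0) {` has an unbalanced parenthesis and, as written, passes the comparison `NULL != 0` as the second argument, so it will not compile; it should read `if (getgroups(0, NULL) != 0) {`. Even with that fixed, `getgroups(0, NULL)` returns the number of supplementary groups, or -1 on error, so `!= 0` also fires on a failed call; `> 0` matches the intent better. The warning says the groups could not be dropped, but the lines shown only test whether the process has any supplementary groups and no attempt to drop them is visible in this hunk, so the message should either say that the process still has supplementary groups or the check should sit beside the code that actually tries to drop them. A short comment above the check explaining why leftover supplementary groups are a problem once `CLONE_NEWUSER` is set would also help the next reader.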