Warn when building without nix daemon

We need root permission to drop supplementary groups, and if we don't do that, some builds can fail in user namespace, most notably go. Related: NixOS#3245
yshui · Jan 20, 2024 · 5ebc614 · 5ebc614
1 parent 50f8f1c
commit 5ebc614
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -926,8 +926,13 @@ void LocalDerivationGoal::startBuilder()
             options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
             if (privateNetwork)
                 options.cloneFlags |= CLONE_NEWNET;
-            if (usingUserNamespace)
+            if (usingUserNamespace) {
+                if (getgroups(0, NULL) != 0) {
+                    warn("user namespace enabled, but we weren't able to drop supplementary groups; "
+                        "this can break some builds. consider using the nix daemon.");
+                }
                 options.cloneFlags |= CLONE_NEWUSER;
+            }
 
             pid_t child = startProcess([&]() { runChild(); }, options);