
Conversation

uvNikita
Contributor

Motivation for this change

Depends on #67332. Fixes #57087.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Notify maintainers

cc @mmahut @danbst @Mic92 @fpletz @arianvp

@uvNikita
Contributor Author

Here are some errors we should address before merging this. Any input is welcomed :)

nscd.service inside unprivileged container fails with:

nscd.service: Failed to set up mount namespacing; Operation not permitted
nscd.service: Failed at step NAMESPACE spawning

Starting/reloading the container results in the following log output:

machine# [   24.515687] container webserver[809]: running activation script...
machine# [   24.661600] container webserver[809]: setting up /etc...
machine# [   24.858055] container webserver[809]: install: cannot change permissions of '/nix/var/nix/temproots': No such file or directory
machine# [   24.861177] container webserver[809]: install: cannot change permissions of '/nix/var/nix/userpool': No such file or directory
machine# [   24.863719] container webserver[809]: install: cannot create directory '/nix/var/log': Permission denied
machine# [   24.871737] container webserver[809]: Activation script snippet 'nix' failed (1)
machine# [   24.888967] container webserver[809]: mount: /dev: permission denied.
machine# [   24.905158] container webserver[809]: mount: /dev/pts: permission denied.
machine# [   24.925329] container webserver[809]: mount: /dev/shm: permission denied.
machine# [   24.951388] container webserver[809]: mount: /run: permission denied.
machine# [   24.988424] container webserver[809]: Activation script snippet 'specialfs' failed (32)

Those errors do not seem critical since I've been successfully running and reloading unprivileged containers for more than half a year now. My understanding is that we should just skip the mount step when running inside a container.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Aug 23, 2019
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-container-limitations/1835/7

@arianvp
Member

arianvp commented Sep 20, 2019

Would it help to disable DynamicUser on nscd? We recently added that and we could revert that again. Why this is not working is above me though. Franz and I will ask around with the systemd guys this weekend as we're meeting up with them.

@uvNikita
Contributor Author

@arianvp Yes, I guess reverting DynamicUser will help. However, we have this option set in other services too, so we will probably have to wait for the fix in upstream.

@fpletz
Member

fpletz commented Sep 25, 2019

Just as a reminder: If we can't make this work for 20.03 we have to fix the documentation from #67232.

@uvNikita uvNikita force-pushed the containers/unprivileged branch from c2b042c to 381373f on September 25, 2019 13:56
@uvNikita
Contributor Author

I disabled special-fs mounts inside nixos containers which fixes mount errors. Let me know if you are aware of cases when it might break things.

@uvNikita uvNikita force-pushed the containers/unprivileged branch from 381373f to aba55d1 on September 25, 2019 14:18
@uvNikita
Contributor Author

Also, creating $root/nix/var/nix folder fixes nix errors on container startup, but reloading still fails with:

machine# [  138.248116] systemd[1]: Reloading Container 'webserver'.
machine# [  138.437982] container webserver[1292]: mkdir: cannot create directory ‘/nix/var/nix/profiles/per-user’: Permission denied
machine# [  138.451486] container webserver[1292]: stat: cannot stat '/nix/var/nix/profiles/per-user/root': No such file or directory
machine# [  138.477357] container webserver[1292]: WARNING: the per-user profile dir /nix/var/nix/profiles/per-user/root should belong to user id 0
machine# [  138.488463] container webserver[1292]: mkdir: cannot create directory ‘/nix/var/nix/gcroots/per-user’: Permission denied
machine# [  138.505600] container webserver[1292]: stat: cannot stat '/nix/var/nix/gcroots/per-user/root': No such file or directory
machine# [  138.531320] container webserver[1292]: WARNING: the per-user gcroots dir /nix/var/nix/gcroots/per-user/root should belong to user id 0
machine# [  138.578720] container webserver[1292]: mkdir: cannot create directory ‘/nix/var/nix/profiles/per-user’: Permission denied
machine# [  138.590044] container webserver[1292]: stat: cannot stat '/nix/var/nix/profiles/per-user/root': No such file or directory
machine# [  138.613625] container webserver[1292]: WARNING: the per-user profile dir /nix/var/nix/profiles/per-user/root should belong to user id 0
machine# [  138.622335] container webserver[1292]: mkdir: cannot create directory ‘/nix/var/nix/gcroots/per-user’: Permission denied
machine# [  138.634071] container webserver[1292]: stat: cannot stat '/nix/var/nix/gcroots/per-user/root': No such file or directory
machine# [  138.657775] container webserver[1292]: WARNING: the per-user gcroots dir /nix/var/nix/gcroots/per-user/root should belong to user id 0
machine# [  139.298607] container webserver[1292]: activating the configuration...
machine# [  139.468912] container webserver[1292]: setting up /etc...
machine# [  139.632658] container webserver[1292]: install: cannot change permissions of ‘/nix/var/nix/gcroots/per-user’: No such file or directory
machine# [  139.634923] container webserver[1292]: install: cannot change permissions of ‘/nix/var/nix/profiles/per-user’: No such file or directory
machine# [  139.637108] container webserver[1292]: install: cannot change permissions of ‘/nix/var/nix/gcroots/tmp’: No such file or directory
machine# [  139.639835] container webserver[1292]: Activation script snippet 'nix' failed (1)
machine# [  140.230131] container webserver[1292]: ln: failed to create symbolic link '/nix/var/nix/gcroots/current-system': Permission denied
machine# [  140.693565] container webserver[1292]: setting up tmpfiles
machine# [  140.854959] systemd[1]: container@webserver.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
machine# [  140.863708] systemd[1]: Reload failed for Container 'webserver'.

This is because /nix/var/nix/{gcroots,profiles} are not owned by the container's root user. I guess we will have to either chown it, or not mount at all if container is running in unprivileged mode.
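As an added illustration of the ownership problem described above (this is not code from the PR or from nixpkgs): inside a user namespace, a host uid that falls outside the container's `uid_map` is presented as the kernel's overflow uid (`nobody`), so a directory created by host root is neither owned nor writable by uid 0 inside the container, which is exactly what the `mkdir ... Permission denied` and `should belong to user id 0` lines show. The `uid_map` line and the host-side owners of the paths are constructed sample values in the style of a `systemd-nspawn --private-users` mapping.

```python
"""Added example (not code from the nixpkgs PR): why paths created by host
root under /nix/var/nix are neither owned nor writable by root inside a
user-namespaced container. uid_map and path owners are constructed samples
in the style of a systemd-nspawn --private-users mapping."""
from typing import Dict, List, Optional, Tuple

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid ("nobody")

# /proc/<pid>/uid_map line format: "<id inside ns> <id outside ns> <count>"
SAMPLE_UID_MAP = "         0 1879048192      65536\n"

# (path, owning uid as seen on the HOST) for paths the activation script touches
SAMPLE_PATHS = [
    ("/nix/var/nix/profiles", 0),   # created by host root
    ("/nix/var/nix/gcroots", 0),    # created by host root
    ("/var/empty", 1879048192),     # chowned to the container's root
]


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, count) ranges; skip malformed lines."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and all(f.isdigit() for f in fields):
            ranges.append(tuple(int(f) for f in fields))
    return ranges


def inside_uid(host_uid: int, uid_map) -> int:
    """Translate a host uid into the namespace; unmapped ids show up as the overflow uid."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def host_uid_for_container_root(uid_map) -> Optional[int]:
    """Host uid a path must be chowned to so that uid 0 inside the container owns it."""
    for inside, outside, count in uid_map:
        if inside <= 0 < inside + count:
            return outside - inside
    return None


def report(paths, uid_map_text: str) -> Dict[str, Tuple[int, bool]]:
    """For each path: (uid the container sees as owner, owned by container root?)."""
    uid_map = parse_uid_map(uid_map_text)
    return {p: (inside_uid(o, uid_map), inside_uid(o, uid_map) == 0) for p, o in paths}


if __name__ == "__main__":
    for path, (seen, owned) in report(SAMPLE_PATHS, SAMPLE_UID_MAP).items():
        print(f"{path}: owner appears as uid {seen}; owned by container root: {owned}")
```

`host_uid_for_container_root` gives the host uid the directories would have to be chowned to for the "chown it" option; the "do not mount" option avoids the question entirely.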

@disassembler disassembler modified the milestones: 20.03, 20.09 Feb 5, 2020
@uvNikita
Contributor Author

Seems like the blocking issue has been fixed (systemd/systemd#13622), so as long as we get the new systemd version we can continue to work on this :)

@stale

stale bot commented Aug 21, 2020

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 21, 2020
@davidak
Member

davidak commented Aug 22, 2020

The corresponding PR was merged in January, so we probably have the right systemd version now?
@uvNikita have you looked into it again?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 22, 2020
@ryantm ryantm added 2.status: merge conflict This PR has merge conflicts with the target branch and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Oct 3, 2020
@ryantm ryantm added the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 3, 2020
@uvNikita
Contributor Author

@davidak yes, I think we will have the right systemd version in 20.09. However, #67332 was reverted, so we need to fix that first now. Ideally, we would also refactor the whole nixos-containers module to use .nspawn files which simplify things a lot.

@ryantm ryantm marked this pull request as draft October 23, 2020 03:05
@FRidh FRidh modified the milestones: 20.09, 21.03 Dec 20, 2020
@aanderse
Member

@uvNikita any news on this?

@uvNikita
Contributor Author

@aanderse I think the best path would be to implement containers module v2.0 (see #69414), where we would use systemd-networkd and nspawn files, which would reduce the amount of scripts and workarounds necessary.

Adding unprivileged and ephemeral options support there should be a trivial task I think.

In fact, this is exactly the way I'm currently using unprivileged, ephemeral containers -- a custom stripped-down nixos containers module similar to the one developed in #69414.

@aanderse
Member

@uvNikita great. I'm looking forward to it. Thanks for the reply!

@stale

stale bot commented Sep 10, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Sep 10, 2021
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Jan 4, 2022
Now we're doing correct user-namespacing here as well; for that, a few
filesystem fixes had to be applied.

For more context, please refer to NixOS#67336
Also credits go to the author of the aforementioned PR, I basically
pulled these changes into this branch.
@Artturin Artturin modified the milestones: 21.05, 23.05 Dec 31, 2022
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 31, 2022
Princemachiavelli pushed a commit to Princemachiavelli/nixpkgs that referenced this pull request May 10, 2023
@RaitoBezarius RaitoBezarius modified the milestones: 23.05, 23.11 May 31, 2023
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 19, 2024
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Oct 2, 2024
This is a subset of aba55d1 (NixOS#67336)[1]
that I (Ma27) am using for quite a while in my systemd-nspawn setup
(without `nixos-container`) to have unprivileged containers.

Recently, Linus reminded me that this isn't part of upstream NixOS and
their setup fails like this when activating config in an nspawn
instance (no shared store):

    stderr) activating the configuration...
    stdout) setting up /etc...
    stderr) mount: /dev: permission denied.
    stderr)        dmesg(1) may have more information after failed mount system call.
    stderr) mount: /dev/pts: permission denied.
    stderr)        dmesg(1) may have more information after failed mount system call.
    stderr) mount: /dev/shm: permission denied.
    stderr)        dmesg(1) may have more information after failed mount system call.
    stderr) mount: /run: permission denied.
    stderr)        dmesg(1) may have more information after failed mount system call.
    stdout) Activation script snippet 'specialfs' failed (32)

So I decided to submit this portion again.

[1] Hence I retained the original authorship.

Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Aug 12, 2025
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Aug 23, 2025
Development

Successfully merging this pull request may close these issues.

containers: reload fails with user namespace enabled