Nix: Rootless nix-daemon

Created on 5 Feb 2016 · 12 Comments · Source: NixOS/nix

I would like to run the nix daemon without root. Otherwise I would like to see a reason documented for an absolute need to have root.

All 12 comments

There are chroot operations and whatnot going on. It's an unavoidable Unix problem.

On Linux? Tried user namespaces?

After over a year I just figured out that not having root access doesn't hinder you from setting up a multi-user installation.
I just set up a multi-user installation in an HPC environment, with the nix-daemon running as a regular user (nix of course being installed in $HOME/nix instead of /nix), where I use it instead of the classical modules system.
It basically only involves:

  • Installing nix into $HOME/nix (I did this by bootstrapping it via a nix-user-chroot-installation and an overlay nixStable = self.nixStable.override { storeDir = "/home/username/nix/store"; stateDir = "/home/username/nix/var"; };).
  • Setting up correct permissions via: chmod 1777 $HOME/nix/var/nix/{profiles,gcroots}/per-user.
  • Creating the per-user directory for root $HOME/nix/var/nix/profiles/per-user/root using $USER and creating a symlink to my $USER's channel (because the per-user/root profile is the one that is responsible for the nix-channel that everybody gets by default [and you want this to be set to something])
  • Running nix-daemon in an environment where nix-daemon.sh was sourced (otherwise I had problems with SSL certificates)
  • Letting people who want to use the installation source the nix-daemon.sh in their .bashrc.

This is basically a duplicate of https://github.com/NixOS/nix/issues/324.

The biggest problem with this is that the builds will all run as the same user, so one user can trivially run a malicious build that overwrites the rest of the store. You need namespaces (or a setuid helper that nix used to have but I think is now gone) to get around this.

In case of namespaces one needs a uid for the daemon, that would also own the store, and additional subuids for the builders, right?

@FRidh I haven't thought this through in detail, but I think one way might be to have the build process in a private mount namespace with all the necessary store paths as read-only mounts.

Ah yeah, avoiding users altogether is far more elegant.

The rootless Nix deployments are extremely important for enterprise environments where hundreds of servers use standard builds (most often some version of RHEL, often years old) and Nix is an ideal way for individual teams to leverage more recent (versions of) applications with zero/minimal disruption to the rest of the environment/users. I have been running multi-user "mostly rootless" Nix on a number of servers for a few years. It still uses /nix (that's why "mostly rootless", root was needed to create /nix at the very beginning) but the store is not owned by root. I have a "nix admin" user for that. The same user is running nix-daemon. The downside is I cannot use the "build users" but the inconvenience pales compared to the value the users are getting from Nix.

I was very surprised to see that the section of the manual devoted to the non-root installs was removed (https://github.com/edolstra/nix/commit/a478e8a7bb8c24da0ac91b7100bd0e422035c62f) together with nix-setuid-helper. As I mentioned, I don't really care that I cannot have the build users as long as I can run nix-daemon as non-root. Am I missing anything? Is there any place to consolidate the information for root-less multi-user Nix setups?

As long as user namespaces are enabled on the OS, the rootless nix daemon now works out of the box -- even with sandboxes and build users! This was a pleasant surprise, since last time I tried it I ran into a bunch of issues.

Does it need chroot? Can you tell more about it?
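
The comments above make the rootless daemon conditional on user namespaces being enabled on the OS. The script below is an added example (not from the thread or the Nix project) that reads the kernel settings gating unprivileged user namespaces and then attempts to create one. The function names and the optional directory argument standing in for /proc/sys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Nix project.
# Reports whether the kernel knobs that gate unprivileged user namespaces
# allow them. The optional argument (a stand-in for /proc/sys) is an
# assumption of this example so the logic can be run on a constructed tree.

# Print a knob's value, or "absent" when the kernel does not expose it.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'absent'; fi
}

# Returns 0 = nothing blocks them, 1 = blocked, 2 = cannot tell from sysctls.
userns_status() {
    sys=${1:-/proc/sys}
    max=$(read_knob "$sys/user/max_user_namespaces")
    clone=$(read_knob "$sys/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$sys/kernel/apparmor_restrict_unprivileged_userns")
    echo "user.max_user_namespaces=$max"
    echo "kernel.unprivileged_userns_clone=$clone"
    echo "kernel.apparmor_restrict_unprivileged_userns=$aa"

    # Upstream limit: 0 means no user namespace may be created at all.
    [ "$max" = 0 ] && { echo "blocked: user.max_user_namespaces is 0"; return 1; }
    # Debian-family patch: 0 disables creation by unprivileged users.
    [ "$clone" = 0 ] && { echo "blocked: unprivileged_userns_clone is 0"; return 1; }
    # Ubuntu AppArmor knob: 1 restricts creation to profiles that allow it.
    [ "$aa" = 1 ] && { echo "blocked: AppArmor restricts unprivileged userns"; return 1; }
    # Without the upstream limit file the sysctls alone are inconclusive.
    [ "$max" = absent ] && { echo "unknown: max_user_namespaces not exposed"; return 2; }
    echo "ok: no sysctl blocks unprivileged user namespaces"
}

# Ground truth: try to create a user namespace (needs util-linux unshare).
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare --user true 2>/dev/null
}

userns_status || echo "sysctl check did not pass (code $?)"
userns_probe && echo "probe: user namespace created" || echo "probe: failed or unshare missing"
```

Run it as the account that will own the store and start nix-daemon, since that is the user who has to be able to create the namespace.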
