Cannot access internet in `nix build` even with `--no-sandbox`

A colleague of mine has problems building derivations that circumvent the sandbox. For instance, a flake output that points to something like this:

```nix
pkgs.stdenv.mkDerivation {
  name = "foobar";
  src = ./.;
  buildInputs = [ pkgs.curl ];
  installPhase = "curl www.google.de";
}
```

Executing `nix build .#foobar --no-sandbox -L` then fails with the same error as it does without the `--no-sandbox` flag:

```
10:48:41 foo:~/active/tmp/my-presentation$ nix build --no-sandbox -L .#decktapeWithDependencies
decktape-with-dependencies> unpacking sources
decktape-with-dependencies> unpacking source archive /nix/store/k2dmxzi3vcsd8qqpq7njszmag4cxrqka-source
decktape-with-dependencies> source root is source
decktape-with-dependencies> patching sources
decktape-with-dependencies> configuring
decktape-with-dependencies> no configure script, doing nothing
decktape-with-dependencies> building
decktape-with-dependencies> no Makefile or custom buildPhase, doing nothing
decktape-with-dependencies> installing
decktape-with-dependencies> ;; communications error to ::1#53: connection refused
decktape-with-dependencies> ;; communications error to ::1#53: connection refused
decktape-with-dependencies> ;; communications error to ::1#53: connection refused
decktape-with-dependencies> ;; communications error to 127.0.0.1#53: connection refused
decktape-with-dependencies> ;; no servers could be reached
error: builder for '/nix/store/kf8lxnry7hd0l0wvq3m936n12p40ihdi-decktape-with-dependencies.drv' failed with exit code 1;
       last 10 log lines:
       > building
       > no Makefile or custom buildPhase, doing nothing
       > installing
       > ;; communications error to ::1#53: connection refused
       > ;; communications error to ::1#53: connection refused
       > ;; communications error to ::1#53: connection refused
       > ;; communications error to 127.0.0.1#53: connection refused
       > ;; no servers could be reached
       >
       >
       For full logs, run 'nix log /nix/store/kf8lxnry7hd0l0wvq3m936n12p40ihdi-decktape-with-dependencies.drv'.
```

This is the result of `nix-shell -p nix-info --run "nix-info -m"`:

```
13:44:06 foo:~$ nix-shell -p nix-info --run "nix-info -m"
this path will be fetched (0.00 MiB download, 0.00 MiB unpacked):
  /nix/store/xf4zw8cqbh9r599273cvc5rpnnkql9sh-nix-info
copying path '/nix/store/xf4zw8cqbh9r599273cvc5rpnnkql9sh-nix-info' from 'https://cache.nixos.org'...
 - system: `"x86_64-linux"`
 - host os: `Linux 6.0.0-0.deb11.6-amd64, Debian GNU/Linux, 11 (bullseye), nobuild`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.2`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`
```

Could you help us get an idea of what to look out for? Downloading other FODs seems to work just fine, and on the host all these `curl` and `nslookup` calls are working as expected as well. For completeness' sake this is their `/etc/resolv.conf`, in case it might be useful:

```
13:44:58 foo:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 192.168.178.1
nameserver fd00::3a10:d5ff:fe30:78d6
```

Thanks for any help/advice/pointers in advance!

As far as I remember the user needs to be trusted to disable the sandbox.

Ohh thanks @NobbZ, that might just be it and now I think I remember having had this problem a couple of years ago myself. Let me relay it and see if it fixes things 🙂
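
A check for the point raised in the reply above (the user must be trusted to disable the sandbox), added here as an example and not code from the thread: it parses nix.conf text for `trusted-users` / `extra-trusted-users` and tests a user and their groups against the result. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does a user match nix.conf's `trusted-users`?
# Pure text parsing, runs offline; the sample config below is constructed.

# Print the effective trusted-users list for nix.conf text in $1.
# The last `trusted-users =` line wins, `extra-trusted-users =` appends,
# and the default when nothing is set is "root".
trusted_users_from_conf() {
  printf '%s\n' "$1" | awk '
    BEGIN { base = "root"; extra = "" }
    { sub(/#.*/, "") }
    /^[ \t]*trusted-users[ \t]*=/       { sub(/^[^=]*=/, ""); base = $0; next }
    /^[ \t]*extra-trusted-users[ \t]*=/ { sub(/^[^=]*=/, ""); extra = extra " " $0 }
    END { print base " " extra }'
}

# is_trusted USER "GROUP1 GROUP2 ..." CONF_TEXT  -> exit status 0 if trusted.
# Entries are a user name, @group, or * (everyone). On a live system the
# group list would come from `id -Gn USER`.
is_trusted() (
  set -f    # keep a literal "*" entry from glob-expanding
  for entry in $(trusted_users_from_conf "$3"); do
    case $entry in
      '*'|"$1") exit 0 ;;
      @*) for g in $2; do
            if [ "@$g" = "$entry" ]; then exit 0; fi
          done ;;
    esac
  done
  exit 1
)

# Constructed sample, not the poster's actual /etc/nix/nix.conf.
SAMPLE_CONF='sandbox = true
trusted-users = root @wheel   # admins only
extra-trusted-users = alice'

for u in root alice bob; do
  if is_trusted "$u" "users" "$SAMPLE_CONF"; then
    echo "$u: trusted, may pass --no-sandbox"
  else
    echo "$u: not trusted, cannot disable the sandbox"
  fi
done
```

On a multi-user install the daemon's configuration is the one that counts, and the Nix manual notes that adding a user to `trusted-users` is essentially equivalent to giving that user root access, so prefer a narrow entry over `*`.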