Docker daemon inside Nix sandbox

I have a build for some Scala code which runs tests against a Docker container.
At the moment, the build is not sandboxed and runs thanks to the host Docker daemon.
I would like to sandbox this build. How can I run a Docker daemon inside the sandbox?

It seems the solution is related to the allow-new-privileges option, but I could not get it to work.
Moreover, the warning for allow-new-privileges is worrying; should I use NixOS VM tests to run my tests instead?

To summarize:

  • How can I run a Docker daemon inside the sandbox?
  • Or should I do something like NixOS VM tests instead?
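As an added illustration of the second option (this is not code from the thread or from the poster's project), the following NixOS VM test boots a QEMU machine with its own Docker daemon and runs a container there. The daemon lives entirely inside the VM, so the outer Nix build stays sandboxed and `allow-new-privileges` is not needed. Assumed for the example: nixpkgs is reachable as `<nixpkgs>`, the image under test is a constructed `hello` image built with `dockerTools`, and the `docker run` line stands in for the real sbt test invocation, whose sources and dependencies would have to be brought into the store separately (for instance with the sbtix tool mentioned later in the thread).

```nix
# Added example, not from the original thread.
# Assumption: <nixpkgs> is on NIX_PATH; build with `nix-build this-file.nix`.
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed image for the test. The VM has no registry access while the
  # test derivation is built, so every image the tests need must come from the
  # Nix store and be loaded into the in-VM daemon.
  image = pkgs.dockerTools.buildImage {
    name = "hello-test";
    tag = "latest";
    copyToRoot = pkgs.hello;
    config.Cmd = [ "${pkgs.hello}/bin/hello" ];
  };
in
pkgs.nixosTest {
  name = "scala-tests-with-docker";

  nodes.machine = { ... }: {
    # Docker daemon runs inside the VM only; nothing touches the host socket.
    virtualisation.docker.enable = true;
    virtualisation.memorySize = 2048;
    virtualisation.diskSize = 4096;
  };

  testScript = ''
    machine.wait_for_unit("docker.service")

    # Load the prebuilt image from the store path that was copied into the VM.
    machine.succeed("docker load < ${image}")

    # Placeholder for the real test run (e.g. the sbt test command); here it is
    # just a container start whose output we check.
    out = machine.succeed("docker run --rm hello-test:latest")
    assert "Hello, world!" in out, f"unexpected output: {out}"
  '';
}
```

The test derivation is a normal sandboxed build: the QEMU VM gets no network, so any image or dependency the Scala tests pull must be produced by Nix and referenced from the test expression, which is the same purity constraint the question is running into, just pushed inside a VM where a root daemon is harmless to the host.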

Hi @vquintin,
we use a similar approach to connect to the Docker daemon over TCP on macOS (e.g. socat with Docker for Mac), when we build our Scala projects with sbt-docker. I’ve previously tried multiple other approaches, but failed:

AFAIK, we take the Docker daemon impurity for now as granted, because everything else is so much effort. I would like to test sbtix once again, but as long as our project keeps using sbt-docker I have one more dependency hurdle to take.