How to run `nix-build` with sandbox = false?

sebohe · February 14, 2022, 4:09pm

I have been pulling my hair over this for a long time and I just can’t see a way of doing. How do I disable the sandbox with nix-build ? I have tried the following:

1, NIX_CONF_DIR=~/.config/nix nix-build .... in which the nix.conf in the NIX_CONF_DIR has a line with sandbox = false
2. nix-build --option sandbox false ..

This is manual I’m reading to configure nix: nix.conf - Nix Reference Manual

➜ nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 5.16.5, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.6.0`
 - channels(sebas): `"stable-21.11.335883.7adc9c14ec7, unstable-22.05pre352484.1882c6b7368"`
 - channels(root): `"nixos-21.11"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

I know I can disable the sandbox by setting sandbox = false in /etc/nix/nix.conf in the configuration.nix by doing this:

    nix = {
     #useSandbox = false;
    # or
     extraOptions = ''sandbox = false'';
     package = (import (fetchTarball {
      url = "https://github.com/NixOS/nixpkgs/archive/refs/heads/nixos-unstable-small.tar.gz";
      sha256 = "1hq483rnv67i682yqr83vmpz5rw4xpx3frspslx3lzzbd6w8cbnh";
     }) {}).pkgs.nix_2_6;

What I want is for a single execution of nix-build to have sandbox disabled and not have to run nixos-rebuild switch

Thank you for reading.

NobbZ · February 14, 2022, 10:51pm

Use --option sandbox false as a trusted user.

Or even better, fix the build to not make it necessary.

tomberek · February 14, 2022, 11:19pm

Other general thought: use sandbox = relaxed instead. This allows you to specify that specific builds need to escape the sandbox using __noChroot = true in the derivation, but other builds will still be in the sandbox.

sebohe · February 15, 2022, 12:31pm

I WOULD LOVE to not have to escape the sandbox. But the problem is that for some reason npm version 8.1.2 must download metadata for the packages defined in the package-lock.json. THe command for building inside of the sandbox, npm ci --offline still seems to need network access.

I’m just never going to use npm for package management ever and I’m going to start using yarn.

This solution worked for me in configuration.nix:

{
    nix.extraOptions = ''trusted-users = root sebas''
}

NobbZ · February 15, 2022, 1:20pm

You should prefer to use nix.trustedUsers or nix.settings.trusted-users depending on your systems channel.