Is it possible to run a sandboxed nix-shell?

I just spent some time diagnosing an issue that only occurs in the sandbox and it was fairly tedious. Is there any way to get nix-shell to spin up a sandboxed shell so I can just experiment with that directly?

This is on macOS, if that matters.


I would first try with nix-shell --pure since it overrides all the environment variables. Sometimes it’s possible to reproduce the error that way. It doesn’t sandbox the build though.

Then the next best thing that I know of is only available on Linux: add breakpointHook to the derivation buildInputs. Once the build fails it will halt and display the instructions to run cntr and enter the build sandbox directly.

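As an added example (not code from the thread), this is how the breakpointHook approach above can be applied to an existing package with overrideAttrs so a sandboxed test failure pauses the build instead of tearing it down; `somePackage` is a placeholder for the package under investigation, and the file name `breakpoint.nix` is assumed.

```nix
# Added example, not part of the original thread.
# Wraps an existing package so that, when its sandboxed build (or check
# phase) fails, the build halts and prints instructions for entering the
# sandbox with cntr. Linux only, as the reply above notes.
# `somePackage` is a placeholder for the package whose tests fail.
{ pkgs ? import <nixpkgs> { } }:

pkgs.somePackage.overrideAttrs (old: {
  # breakpointHook is a build-time setup hook, so nativeBuildInputs is
  # the natural place for it; the reply above puts it in buildInputs,
  # which also works for a native (non-cross) build.
  nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.breakpointHook ];

  # Keep the test phase enabled: the sandbox-only test failure is what
  # should trigger the hook, so we do not override doCheck here.
})
```

Run `nix-build breakpoint.nix`; when the build fails inside the sandbox it stays alive and prints the cntr command to attach to it, after which you can inspect the failing test environment directly.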

nix-shell --pure isn’t sufficient for my issue; I was specifically seeing an issue that only reproduced in the sandbox, and I was trying to report an upstream bug (the package had failing tests when run in the sandbox).