wav
January 22, 2024, 2:15am
1
I typically clone a project in a JetBrains IDE and hack away.
Sometimes I'll create a VM, clone there and connect with JetBrains Gateway.
Is there a simpler solution that uses the Nix sandbox or similar?
My primary constraints are:
make sure parts of my host filesystem are not available to the build
make commands like sudo unavailable
network access is ok
have workspace where I could develop a few projects in the same sandbox
works on darwin and nixos
How does the community approach host isolated dev environments?
I imagine there’s something along the lines of:
nix develop
idea ./
nix develop -i cleans up the env, but it's not sandboxed.
For sandboxing
A) you can make your whole project a nix derivation (works everywhere)
B) Use nix-cage or nix-bwrap (Linux only): GitHub - corpix/nix-cage: Sandboxed environments with bwrap and nix-shell; nix-bubblewrap: Nix - bubblewrap integration
3 Likes
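The first post's constraints (hide most of the host filesystem, no sudo, keep network, one workspace holding several projects) mapped onto the bubblewrap route mentioned in option B, as an added example that is not code from this thread, from nix-cage or from nix-bubblewrap. Linux only, since bwrap relies on kernel namespaces; it assumes bwrap and nix are on PATH and that the project checkouts live under one directory such as ~/work (an assumed layout). Only /nix, a handful of read-only /etc files and the workspace are bound; /home becomes an empty tmpfs and /run is not bound at all, so NixOS's setuid wrappers (/run/wrappers/bin/sudo) simply do not exist inside, and bwrap additionally sets no_new_privs so a setuid binary would not escalate even if it were bound.

```shell
#!/usr/bin/env sh
# Added example: run `nix develop` inside a bwrap sandbox that exposes only the
# Nix store and one workspace directory. Assumes Linux, bwrap and nix on PATH.
set -eu

# Refuse workspaces that would make the sandbox pointless: "/", $HOME itself,
# or any ancestor of $HOME would bind the whole home directory back in.
validate_workspace() {
  ws="$1"
  case "$ws" in
    ""|/|"$HOME") return 1 ;;
  esac
  case "$HOME/" in
    "$ws"/*) return 1 ;;   # ws is an ancestor of $HOME
  esac
  return 0
}

# Emit the bwrap argument list, one token per line, so the policy can be
# reviewed (or tested) without bwrap installed. $2 is the directory holding the
# real nix binary; /run/current-system is deliberately not bound.
sandbox_args() {
  ws="$1"; nix_bin="$2"
  printf '%s\n' \
    --unshare-all --share-net \
    --die-with-parent --new-session \
    --ro-bind /nix /nix \
    --ro-bind-try /etc/nix /etc/nix \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind /etc/resolv.conf /etc/resolv.conf \
    --ro-bind /etc/hosts /etc/hosts \
    --ro-bind /etc/passwd /etc/passwd \
    --ro-bind /etc/group /etc/group \
    --dev /dev \
    --proc /proc \
    --tmpfs /tmp \
    --tmpfs "$HOME" \
    --bind "$ws" "$ws" \
    --chdir "$ws" \
    --clearenv \
    --setenv HOME "$HOME" \
    --setenv TERM "${TERM:-xterm}" \
    --setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt \
    --setenv PATH "$nix_bin"
}

# Usage: ./nix-sandbox.sh --run ~/work   (then `cd project && nix develop` inside)
main() {
  ws="$(realpath "${1:-$PWD}")"
  validate_workspace "$ws" || {
    echo "refusing to sandbox $ws: it would expose \$HOME" >&2; exit 1; }
  # Resolve the store path of nix, since the /run symlink tree is not bound.
  nix_bin="$(dirname "$(readlink -f "$(command -v nix)")")"
  # Read the token list back into positional parameters (keeps spaces intact).
  set --
  while IFS= read -r tok; do set -- "$@" "$tok"; done <<EOF
$(sandbox_args "$ws" "$nix_bin")
EOF
  exec bwrap "$@" -- nix develop
}

if [ "${1:-}" = "--run" ]; then
  main "${2:-$PWD}"
fi
```

Review the output of `sandbox_args` before trusting it: every path that appears as a bind destination is what the build can see, and adding a `--bind` for the IDE's config directory is where this kind of setup usually starts leaking the host back in.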
I’m using dedicated LXD / LXC containers for that matter (working on a NixOS host).
Hi everyone, great topic and thanks to all for sharing
I recently switched my whole working environment from Ubuntu to NixOS (desktop).
Prolly not re-inventing the wheel here:
I'm currently running multiple NixOS desktop containers (not VMs) in LXD which are accessed via xrdp (e.g. with Remmina) for remote desktop, all within a NixOS desktop instance (NixOS in NixOS).
The main reason is to avoid having to do a clean install whenever I need to bring an environment up or down. As I'm working remotely, this c…
e.g:
container 1: for work ABC with projects X, Y, Z, etc
container 2: for work DEF with projects 1, 2, 3, etc
etc…
With some tweaks for networking and storage, you might get the isolation needed?
1 Like
wav
January 22, 2024, 11:06pm
4
Thank you @Cloudef and @JimJ92120 , I have plenty to try.
Bubblewrap seems to provide a similar result to LXC for my use case, by also using kernel namespacing features for the filesystem and the network.
@Cloudef's solution looks quite neat and lightweight (haven't tried it yet).
A few use cases where you may consider LXD / LXC (or similar):
doesn't seem suitable for unprivileged users:
Bwrap uses user namespaces. The readme says systemd-nspawn, Docker, etc. are not suitable for unprivileged users. However, there might be security bugs in user namespaces, and there have been in the past.
"infrastructure as code" (declarative) for reproducibility, e.g. networking, storage, etc.
Isn't nix/nixpkgs basically this already? E.g. I build and deploy everything to AWS through terranix (GitHub - terranix/terranix: terranix is a terraform.json generator with a nix-like feeling).
I’d see containers still useful if you want to package complex systems that need multiple parts running separately from the host OS, like services, or need isolated VPN / Network. You can create and orchestrate containers using nix as well.