Missing "kernel namespaces that are required for sandboxing" when rebuilding for a remote Raspberry Pi 3B

Hello! I am currently setting up a Raspberry Pi 3B, and after getting it up and running, I wanted to rebuild its configuration. I quickly ran into the rebuild being too slow and not having enough RAM, so I decided to try doing a remote rebuild from my main PC following the recommendations in this answer: Nix-rebuild too slow on Raspberry Pi 3B+ - #6 by Nebucatnetzer

I ran the command sudo nixos-rebuild --target-host admin@xx.xx.xx.xx --sudo --flake .#pix boot, and while it started off strong and started fetching and building some things, it afterwards failed with “error: this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing”

What could be causing this issue?

More context:
My main machine is x86_64 and the target machine (being a Raspberry Pi 3B) is aarch64. I do have boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; enabled on my main machine to be able to build packages for the pi. I was able to build an SD card image for the raspberry pi earlier on my main machine, so that should (if I understand correctly) confirm that I am able to build aarch64 packages.

If you also want to build on your main machine, you need to also add --build-host; otherwise you just evaluate on it.

I don’t think so, as only setting --target-host still should build locally per the manpage. Can’t hurt to try though :slight_smile:

2 Likes

You are absolutely right. I always thought I needed both.

Can you post the whole output of the error? I’m using exactly the same setup and can build just fine for a Pi 4.

1 Like

Here is the whole output:

$ sudo nixos-rebuild --target-host admin@192.168.0.120 --sudo --flake .#pix boot
[sudo] password for emerald: 
warning: creating lock file "/home/emerald/Raspberry/flake.lock": 
• Added input 'nixpkgs':
    'github:nixos/nixpkgs/2fad6eac6077f03fe109c4d4eb171cf96791faa4?narHash=sha256-sKoIWfnijJ0%2B9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI%3D' (2025-11-27)
building the system configuration...
error: this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing
Command 'nix --extra-experimental-features 'nix-command flakes' build --print-out-paths '.#nixosConfigurations."pix".config.system.build.toplevel' --no-link' returned non-zero exit status 1.

It’s not a lot. If there is some kind of argument that I can add to make the command print more info during execution, please tell me!

Posting the config that I am trying to build for the Raspberry Pi might be helpful too:

# flake.nix

{
  description = "Flake for Raspberry Pi 3B";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, ... } @ inputs: 
  {
    nixosConfigurations.pix = nixpkgs.lib.nixosSystem {
      system = "aarch64-linux";
      specialArgs = { inherit inputs; };
      modules = [
        ./configuration.nix
      ];
    };
  };
}
# configuration.nix

{ config, lib, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  ...  # Some less relevant parts excluded

  # Define a user account.
  users.users.admin = {
    hashedPassword = "...";
    isNormalUser = true;
    extraGroups = [ "wheel" ]; 
  };

  ...  # Some less relevant parts excluded

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Auto generated via "sudo nixos-generate-config"
  system.stateVersion = "26.05";
}
# hardware-configuration.nix

# Do not modify this file!  It was generated by ‘nixos-generate-config’
{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
      fsType = "ext4";
    };

  swapDevices = [ ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

Hopefully we can figure something out from this :sweat_smile:

So what I do is that I also include the hardware settings from nixos-hardware specific for the Pi, but I doubt that this solves your error. At first glance I don’t see anything else wrong with your config.

Out of curiosity, does it build with --no-sandbox or do you get another error?

1 Like

I just tried adding that, and it unfortunately did not help :pensive:

It must be an issue with the config on my main computer then. Could you possibly share anything and everything that could in any way be related to this from your main computer's config? Maybe there is some option that you have enabled that I do not.

It worked! However, an important quirk to mention is that you can’t add '--no-sandbox' directly to nixos-rebuild, but instead to the raw build command: sudo nix --extra-experimental-features 'nix-command flakes' build --no-sandbox --print-out-paths '.#nixosConfigurations."pix".config.system.build.toplevel' --no-link, as the error message suggests.

This successfully builds the system, and after that I was able to run the previous command sudo nixos-rebuild --target-host admin@192.168.0.120 --sudo --ask-sudo-password --flake .#pix boot to send it over to the Raspberry Pi! It didn’t error this time, as the system was already built, so no extra building was needed.

I now have a Raspberry Pi 3B running my config, but I am not quite satisfied yet. I’m not very happy with the fact that I had to do this workaround! It’s first of all unnecessary friction, and secondly, sandboxing sounds quite important. I therefore don’t consider this problem completely solved yet. And on the topic of sandboxing: What does it even do?

1 Like

Could you also post your flake.lock file?

Indeed it should not be necessary to do that. I definitely don’t do that. I don’t think I have anything enabled related to this.

Absolutely, here is the .lock file for the Raspberry Pi system that I just built:

{
  "nodes": {
    "nixos-hardware": {
      "locked": {
        "lastModified": 1764440730,
        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1764242076,
        "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

Tell me if you meant my main computer's lock file!

Works on my machine. Definitely seems to be a problem of your main machine. A quick Google search reveals this issue: this system does not support the kernel namespaces that are required for sandboxing · Issue #7783 · NixOS/nix · GitHub. I have no idea if that gets you further, but I will not be much help :wink:

1 Like

Thank you! I have read that issue already, but it wasn’t of much use as I, to be brutally honest, didn’t understand a thing in it. I simply haven’t used nix for long enough to know what they are talking about :sweat_smile:

That does however give me an idea: Hi @johnrichardrinehart @NobbZ, as the main brains behind figuring out that issue (which I assume is at least somewhat related to my issue), would you guys be able to lend a hand here? Do you have any clue what my issue could be related to? I’d be happy to provide any relevant parts from my main config if that helps!

1 Like

Unless your nix is old (nix 2.14ish) I doubt that the linked issue is related.

But still feel free to post your nix version and also try with a minor version earlier and later.

1 Like

This issue sounds really familiar. Is your x86 cpu fairly old by any chance?

I think I had the same issue when cross building for a RPI3, and the cause might have been my aging CPU (i7-3770K). It was a long time ago, so I couldn’t explain to you why, but it would be consistent with @eblechschmidt not being able to reproduce.

1 Like

I'm using an old MacBook Pro from 2014 which, according to Google, has an „Intel Core i5-4278U“, which I would consider „fairly old“ as well :wink:

1 Like

$ nix --version
nix (Nix) 2.31.2

Yeah, I agree that it probably isn’t the same issue as the one linked. Still, the symptom is similar, and your knowledge of it is the best that we have. So, do you by any chance know where I should be digging to hopefully find a solution? I really just need to get an idea of where to start haha

I “unfortunately” have a somewhat new processor. My main computer has an i7-7700, and I also tried doing the same steps on my laptop with a very new i5-1334U, getting the same error.

When you were getting the error on your computer with an older CPU, did you also try it on a different computer and got a success, or did you just try it on that one?

Oo wait, I’ve read that sandboxing might work a bit differently depending on the platform. If you are using MacOS / a MacBook, that could be the main difference here!

Could you run the command nixos-option -r nix.settings and send me the values of the following options (pretty much anything related to building, the system, or sandboxing):

nix.settings.builders = null;
nix.settings.extra-platforms = [
  "aarch64-linux"
  "i686-linux"
];
nix.settings.extra-sandbox-paths = [
  "/run/binfmt"
  "/nix/store/95gqsp9r17sr224akzywjj6mjghj7zns-qemu-aarch64-binfmt-P"
];
nix.settings.require-sigs = true;
nix.settings.sandbox = true;
nix.settings.sandbox-fallback = false;
nix.settings.system-features = [
  "nixos-test"
  "benchmark"
  "big-parallel"
  "kvm"
];
nix.settings.trusted-users = [
  "root"
];

The above are my values. Could be interesting to see if there are any differences! Also, if it prints any option that has the word “sandbox” in it that I haven’t added above, please add it, as it seems to not print options that aren’t set to anything.
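A quick way to check on the build host what the error message is complaining about, as an added diagnostic script that is not from this thread and not part of Nix or nixos-rebuild: it assumes (from reading Nix's Linux sandbox setup) that Nix needs unprivileged user namespaces plus a mount and PID namespace in which /proc can be remounted, and it probes those with util-linux's unshare.

```shell
#!/bin/sh
# Added diagnostic (not Nix's own code). Mirrors, as an assumption about
# Nix internals, the checks Nix makes before it sandboxes a Linux build:
#  - user namespaces: CONFIG_USER_NS, max_user_namespaces, unprivileged clone
#  - a fresh mount+PID namespace in which /proc can be remounted

read_sysctl() {
    # Print the trimmed contents of a /proc file, or "missing" if absent.
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'missing'; fi
}

check_userns() {
    # Returns 0 when unprivileged user namespaces look usable.
    [ -e /proc/self/ns/user ] || return 1
    case "$(read_sysctl /proc/sys/user/max_user_namespaces)" in
        missing|0) return 1 ;;
    esac
    # Debian/Ubuntu-style knob; only meaningful when the file exists.
    [ "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)" != "0" ] || return 1
    unshare -U true 2>/dev/null
}

check_mount_pid_ns() {
    # Returns 0 when a new mount+PID namespace can remount /proc.
    # Use a user namespace too when available, as an unprivileged user must.
    if check_userns; then
        unshare -U -r -m -p -f --mount-proc true 2>/dev/null
    else
        unshare -m -p -f --mount-proc true 2>/dev/null
    fi
}

nix_sandbox_probe() {
    # Always exits 0 and prints one report line; a "no" in either field on a
    # host with sandbox-fallback = false is what the error above refers to.
    user=no; mountpid=no
    check_userns && user=yes
    check_mount_pid_ns && mountpid=yes
    printf 'user_ns=%s mount_pid_ns=%s\n' "$user" "$mountpid"
    return 0
}

nix_sandbox_probe
```

Run it on the x86_64 build machine both as your own user and as root, since the nix-daemon does the actual building; if `unshare` is not installed both fields report `no`, so install util-linux first.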