Missing "kernel namespaces that are required for sandboxing" when rebuilding for a remote Raspberry Pi 3B

I‘m running NixOS on it though, so from an architecture point that shouldn‘t be any different. Sorry, I was not quite precise on that.

I’m currently on a business trip so it will take some time for me to check.


I‘m running NixOS on it though, so from an architecture point that shouldn‘t be any different. Sorry, I was not quite precise on that.

Gotcha! That makes sense.

It would nonetheless be great if you checked what your settings are set to, as that could give us a pretty easy lead in-case they differ somewhere.

I’m currently on a business trip so it will take some time for me to check.

And of course, no hurry! We have found a workaround that works, so we’re not pressed on time here haha

Only on that cpu but it’s been a long time, I did not document anything and I might be mixing things up. I wouldn’t give too much credit to my comment.

Have you looked at "this system does not support the kernel namespaces that are required for sandboxing" when running in spawn · Issue #405256 · NixOS/nixpkgs · GitHub yet?


I see you have extra platforms specified for nix, but I do not see your binfmt options. What is your boot.binfmt.emulatedSystems set to?

I have a laptop with an i7-7700HQ and it can build raspberry pi images just fine.

Edit: nevermind, I see you have it set in the original post.

Could you post a copy of your host system config if you are comfortable doing so?

@theEmeraldM wrote this in their first post.

And it is in the extra sandbox path. So it seems to be set.

I have a laptop with an i7-7700HQ and it can build raspberry pi images just fine.

I want to add that I was actually able to build an image for the Raspberry Pi. I was able to build the following image with this command: sudo nix build .#packages.aarch64-linux.sdcard

# flake.nix

{
  description = "Minimal Raspberry Pi 3B SD Card Image Builder";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixos-generators, nixos-hardware, ... }:
  {
    packages.aarch64-linux = {
      sdcard = nixos-generators.nixosGenerate {
        system = "aarch64-linux";
        format = "sd-aarch64";
        modules = [
          {
            # Set machine hostname
            networking.hostName = "pix";

            # The user account on the machine
            users.users.admin = {
              isNormalUser = true;
              extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
              hashedPassword = "$y$j9T$bRNzDgUaDfg/yTTBw9N8e1$2f2gKcA1/ZNTU2aPk/LLy3KtiA2yJlLN6aGSAslZSj6"; # This is the password that you will ssh in with
            };

            # This allows you to run `nixos-rebuild --target-host admin@this-machine` from a different host.
            nix.settings.trusted-users = [ "admin" ];

            # Add some swap memory so that we don't constantly run out of RAM when rebuilding the system
            swapDevices = [{
              device = "/var/lib/swapfile";
              size = 2*1024; # 2 GB
            }];

            # Enable the OpenSSH daemon.
            services.openssh.enable = true;

            # Download handy utilities
            environment.systemPackages = with nixpkgs.legacyPackages."aarch64-linux"; [
              htop
              wget
              openssh
            ];

            # Allows the use of flakes
            nix.settings.experimental-features = [ "nix-command" "flakes" ];

            # Explicitly specify hostplatform 
            nixpkgs.hostPlatform = "aarch64-linux";
          }
          nixos-hardware.nixosModules.raspberry-pi-3  # Hardware configuration for the Raspberry Pi 3B
        ];
      };
    };
  };
}

I then flashed the image to an SD card, put it in the Raspberry Pi 3B, and it worked! However, what I’m not able to do is build the system configuration that I posted here.

Could you post a copy of your host system config if you are comfortable doing so?

Yepp! Although, to save you some time, I’ll only post what I think could be in any way relevant (aka, exclude home manager stuff, etc):

# flake.nix

{
  description = "NixOS System flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
    nix-vscode-extensions.inputs.nixpkgs.follows = "nixpkgs";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    home-manager.url = "github:nix-community/home-manager";  
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, ... } @ inputs: 
  let 
    system = "x86_64-linux";
    lib = nixpkgs.lib;

    # Creates a system based on a name and added modules
    mkSystem = host-name: modules: lib.nixosSystem {
      inherit system;
      specialArgs = { inherit inputs host-name system; };
      modules = [
        { 
          networking.hostName = host-name; 
          users.mutableUsers = false;
        }
      ] ++ modules;
    };
  in {
    nixosConfigurations = {
      main = mkSystem "main" [ ./hosts/main ];  # Main system
      laptop = mkSystem "laptop" [ ./hosts/laptop ];
    };
  };
}

# ./hosts/main/default.nix

{ config, pkgs, inputs, host-name, ... }:

{
  imports = [ ./hardware.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  
  # Get the bleeding edge cachyos kernel (better for gaming, more or less)
  boot.kernelPackages = pkgs.linuxPackages_cachyos;
  
  # Enable binfmt emulation to be able to build Raspberry PI images
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  # Enable experimental features
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Don't change
  system.stateVersion = "24.11";

  environment.systemPackages = with pkgs; [
    # For undervolting + benchmarking
    undervolt
    s-tui
    stress
  ];

  # Undervolting the CPU
  services.undervolt = {  
    enable = true;  # https://nixos.org/manual/nixos/stable/options.html#opt-services.undervolt.enable
    coreOffset = -100;  # Not pushing it a lot as the rewards are diminishing (no performance gain, just a temp decrease)
  };

  # --v-- Enable everything needed for steam to work --v--
  # Enable OpenGL
  hardware.graphics = {
    # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932
    enable = true;
    enable32Bit = true;
  };

  # enable 32bit pulseaudio/pipewire support if needed
  services.pulseaudio.support32Bit = config.services.pulseaudio.enable;
  services.pipewire.alsa.support32Bit = config.services.pipewire.alsa.enable;

  # For steam to work
  hardware.steam-hardware.enable = true;

  # Enable gamemoderun so that it can be used for extra performance in games
  programs.gamemode.enable = true;

  # Install firefox browser and thunderbird email client
  programs.firefox.enable = true;
  programs.thunderbird.enable = true;

  # GNOME stuff
  services.xserver.enable = true;
  services.displayManager.gdm.enable = true;
  services.desktopManager.gnome.enable = true;

  # Disable the GNOME3/GDM auto-suspend/hibernate feature that cannot be disabled in GUI!
  # If no user is logged in, the machine will power down after 20 minutes.
  systemd.targets.sleep.enable = false;
  systemd.targets.suspend.enable = false;
  systemd.targets.hibernate.enable = false;
  systemd.targets.hybrid-sleep.enable = false;

  # Nvidia stuff:
  services.xserver.videoDrivers = ["nvidia"];
  hardware.nvidia.open = false;
  hardware.nvidia.modesetting.enable = true;
}

# ./hosts/main/hardware.nix

{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fe527005-62ed-4361-9335-ec30ee6ef47f";
      fsType = "ext4";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/321D-14FE";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/6cef74bb-c5d9-4363-845a-9ed9076fb311"; }
    ];

  networking.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

That should include everything relevant!

I’ve read through it, but I’m a bit unsure of how the workaround is supposed to be implemented. The author wrote that the workaround snippet should be added “in the container”, but unless I’m misunderstanding things, I’m not really running things in a container? So should I just add it to my main config then?

Does commenting out the cachyos kernel on your host yield any different results?

Just tried it; it unfortunately did not help. Same error :pensive_face:

Does adding --no-reexec to the nixos-rebuild command line help?


Oh wow, that worked! Running sudo nixos-rebuild --target-host admin@192.168.0.120 --no-reexec --sudo --ask-sudo-password --flake .#pix boot did it! Thank you so much!

This does however make me wonder: What does --no-reexec do under the hood to make this work?


Thank you! I’ve now also found this answer to a similar problem Running nixos-rebuild across platforms - #10 by ElvishJerricco, and if I understand things correctly, the issue arises from nixos-rebuild “updating” itself to use the aarch64 version of nixos-rebuild, which doesn’t work on my computer. However, when adding --no-reexec it skips the in-place update, runs “normally”, and therefore works. Correct me if I’m wrong!

I think you're basically correct. From what I can tell, reexec will cause the aarch64 nixos-rebuild to be executed (with binfmt/qemu), and this causes the build to fail, because sandboxing won't work inside qemu.

@k0kada FYI. Maybe nixos-rebuild-ng shouldn’t reexec if the architectures differ?

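To make the workaround discussed above less easy to forget, here is an added example wrapper (not from the thread, and not part of nixos-rebuild itself) that reads the target configuration's architecture from the flake, compares it with the host's, and only appends --no-reexec when the two differ, so that nixos-rebuild is never re-executed as a foreign binary through binfmt/QEMU. The flake attribute name (pix), the target address and the user are placeholders taken from the thread's own command line; the sandbox probe using unshare is an assumption about what the "kernel namespaces" error is checking and is informational only.

```shell
#!/usr/bin/env sh
# nixos-rebuild-cross.sh: added example, not the project's own code.
# Adds --no-reexec to nixos-rebuild only when host and target differ.

# Map `uname -m` output to the Nix system string for Linux hosts.
uname_to_nix_system() {
  case "$1" in
    x86_64)        echo "x86_64-linux" ;;
    aarch64|arm64) echo "aarch64-linux" ;;
    armv7l)        echo "armv7l-linux" ;;
    *)             echo "unknown"; return 1 ;;
  esac
}

# True (exit 0) when the host and target architectures differ. In that case
# nixos-rebuild would re-exec itself as the target's binary under binfmt/QEMU,
# where the Nix build sandbox cannot create its kernel namespaces.
needs_no_reexec() {
  host="$1"; target="$2"
  [ "$host" != "$target" ]
}

# Assemble the nixos-rebuild argument list for a remote target host.
# Arguments: host-system target-system flake-attr target-host action
build_rebuild_args() {
  host="$1"; target="$2"; flake_attr="$3"; target_host="$4"; action="$5"
  args="--flake .#$flake_attr --target-host $target_host --sudo --ask-sudo-password"
  if needs_no_reexec "$host" "$target"; then
    args="$args --no-reexec"
  fi
  echo "$args $action"
}

# Probe (assumption: this is what the sandbox needs) whether an unprivileged
# process may create user, PID and mount namespaces on this kernel.
# Environment-dependent, so it is reported but not relied upon.
sandbox_namespaces_ok() {
  unshare --user --pid --mount --fork true 2>/dev/null
}

main() {
  host_system="$(uname_to_nix_system "$(uname -m)")"
  # Read the target architecture from the flake rather than guessing it.
  target_system="$(nix eval --raw \
    ".#nixosConfigurations.pix.config.nixpkgs.hostPlatform.system")"
  if sandbox_namespaces_ok; then
    echo "host sandbox namespaces: ok"
  else
    echo "host sandbox namespaces: unavailable (local builds may fail)"
  fi
  set -- $(build_rebuild_args "$host_system" "$target_system" \
           pix admin@192.168.0.120 boot)
  echo "running: nixos-rebuild $*"
  exec nixos-rebuild "$@"
}

# Only run main when executed as the script file, not when sourced.
case "$0" in
  *nixos-rebuild-cross.sh) main "$@" ;;
esac
```

Save it next to the host flake as nixos-rebuild-cross.sh and run it from that directory; the `nix eval` line is what ties the decision to the configuration being deployed instead of to whatever `uname -m` says on the remote side.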

nixos-rebuild-ng will try to re-exec and bail out if it fails, but I didn't expect the binfmt/QEMU case to break, to be honest (maybe it makes sense since we are also running a foreign nix binary and this probably is the origin of the issues).

If that is the case, yes, maybe we shouldn’t re-exec when the target architecture is different from host architecture.