NixOS container limitations

I saw the note in NixOS manual (NixOS 23.11 manual | Nix & NixOS):

Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host. So you should not give container root access to untrusted users.

Is there any detail on why there’s that limitation, and whether someone is currently working on that?

2 Likes

The reason for this is that it uses systemd-nspawn and, at the time the implementation was written, there was no support for user namespaces. Nowadays, however, we could add support for that…

2 Likes

Nowadays however we could add support for that…

I guess that would be a great feature and would eliminate some use cases where docker or lxc or lxd is used today.

Just found a PR that does exactly that:

https://github.com/NixOS/nixpkgs/pull/28425

Until it is merged (once the issues are resolved), you could add -U to extraFlags on a per-case basis.
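The per-container workaround described above, written out as an added NixOS configuration example (it is not code from the thread or from nixpkgs). The container name `demo`, the addresses and the guest configuration are constructed for illustration; `containers.<name>.extraFlags` is the existing NixOS option that passes extra arguments to systemd-nspawn, and `-U` asks nspawn to pick a UID/GID range and run the container in a user namespace, so the container's root is not UID 0 on the host.

```nix
{ config, pkgs, ... }:

{
  containers.demo = {
    autoStart = true;

    # Constructed addressing; any private range works for a local test.
    privateNetwork = true;
    hostAddress = "10.233.1.1";
    localAddress = "10.233.1.2";

    # Per-container workaround from the thread: hand "-U" to systemd-nspawn.
    # With user-namespace support in the kernel, nspawn picks a UID/GID range
    # (the equivalent of --private-users=pick), so uid 0 inside the container
    # maps to an unprivileged high uid on the host.
    extraFlags = [ "-U" ];

    config = { config, pkgs, ... }: {
      # Constructed guest configuration, kept minimal on purpose.
      system.stateVersion = "23.11";
      services.openssh.enable = false;
      networking.firewall.enable = true;
    };
  };
}

# Host-side check (assumed commands, run as root after `nixos-container start demo`):
#   cat /proc/$(machinectl show -p Leader --value demo)/uid_map
# A mapping such as "0 <high-uid> 65536" shows the shift is in effect; a
# mapping of "0 0 4294967295" means the container is still running as host root.
```

Two caveats a practitioner should know before enabling this on an existing container: recent systemd-nspawn rewrites the ownership of the container's file tree to the picked range (the `--private-users-ownership=auto` behaviour implied by `-U`), which touches every file under the container's state directory on filesystems without ID-mapped mounts; and the option only helps if the host kernel has user namespaces enabled, so the `uid_map` check above is worth running rather than assumed.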

3 Likes

Thanks for the clarification!

A fix was merged to master 9 days ago!

https://github.com/NixOS/nixpkgs/pull/67130

1 Like

It had to be reverted for now, unfortunately. The new PR is here: [WIP] nixos/containers: add unprivileged option by uvNikita · Pull Request #67336 · NixOS/nixpkgs · GitHub

3 Likes

The consensus seems to be that containers in general do not add any extra security. Be it Docker/lxc/nspawn. Do not use containers to add security. Use VMs

The consensus seems to be that containers in general do not add any extra security. Be it Docker/lxc/nspawn. Do not use containers to add security. Use VMs

Saying they never add any extra security is an overstatement. Of course there has been a security problem where root-in-container was not enough to exploit but root-in-VM was sufficient… But on average VMs are probably safer.

1 Like

Root-in-vm was sufficient.

Can you link, please? You have an added layer of security: breaking out of a hypervisor is a barrier too.