Running podman inside derivation

gytis-ivaskevicius · June 17, 2024, 11:22am

I have some tests for which I require a container runtime, maybe someone already played around with this concept and I could copy-paste something instead of investigating it myself, it requires some nix daemon tweaks (assuming it’s even possible)

Out of the box I am getting this error:

error: builder for '/nix/store/kav1krs46nj1vala5fxq6yy9qiy04wc3-test-script.drv' failed with exit code 1;
       last 7 log lines:
       > Copy to podman image bash:vwdysbiik7x1n5gf9nkcdl96khqyjh6c
       > WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "nixbld" and subgid mappings for group "nixbld": open /etc/subuid: no such file or directory
       > WARN[0000] Found no UID ranges set aside for user "nixbld" in /etc/subuid.
       > WARN[0000] Found no GID ranges set aside for user "nixbld" in /etc/subgid.
       > Error: error writing "allow" to setgroups: write /proc/16/setgroups: operation not permitted
       > ERRO[0000] opening "allow" to /proc/16/setgroups: write /proc/16/setgroups: operation not permitted
       > ERRO[0000] (Unable to determine exit status)
       For full logs, run 'nix log /nix/store/kav1krs46nj1vala5fxq6yy9qiy04wc3-test-script.drv'.

As workaround, I am using writeShellScriptBin and nix runing it

gytis-ivaskevicius · June 17, 2024, 11:34am

Right after writing this, I figured that this should be good enough:

export NIX_CONFIG='
extra-sandbox-paths = /var/run/docker.sock /var/tmp
'

unfortunately, I also had to sudo chmod 666 /var/run/docker.sock

I am still open to better ideas

MagicRB · June 17, 2024, 11:56am

If you’re really determined, you could write a new experimental feature for enabling the use of podman inside nix builds (dm me if you are, because I’d also be interested)

gytis-ivaskevicius · June 17, 2024, 12:59pm

I think thats good enough for me, I just don’t want half of my checks to be in checks and other half nix run