Nix in DevContainers #913

Open
daneroo opened this issue Apr 2, 2024 · 0 comments

daneroo commented Apr 2, 2024

In trying to use nix inside of Devcontainers, I encountered 2 issues, which were resolved with the helpful folks on Determinate Systems Discord (#nix-installer).

They are reported here in case they might be of further use.

1- Bad permissions on /tmp

This issue is specific to GitHub CodeSpaces, where it seems the /tmp filesystem is injected into the development environment with problematic default ACL permissions.

This is fixed with the following snippet in the postCreateCommand script (assuming the script has sudo powers):

```sh
sudo sh -c 'apt update -qq && apt install -y -qq acl && setfacl -k /tmp'
```

Before/After ACL state

Before fix:

```
$ getfacl /tmp
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::rw-
```

After fix:

```
$ getfacl /tmp
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::r-x
other::rwx
```

2- Starting the nix-daemon

In our case, we are invoking the installer without an init system within a multiuser install:

```sh
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
```

This means we either need to invoke nix as root or start the nix-daemon ourselves.
Unfortunately, when we start the daemon process from our postCreateCommand, it is terminated at the script's end, even when put into the background.

Starting the nix-daemon with nohup solves the problem, as we can see in this postCreateCommand snippet:

```sh
# Notice the '&' to background the process and 'nohup' to prevent the process from being killed when the shell exits
sudo -n sh -c '. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh; nohup /nix/var/nix/profiles/default/bin/nix-daemon > /tmp/nix-daemon.log 2>&1 &'
```

tl;dr - Context

I am trying to establish a working general development environment based on Nix using devcontainers

I am specifically targeting both:

  • Local Docker based devcontainer (MacOS / Docker Desktop / aarch64)
  • GitHub CodeSpaces (x86_64)

Devcontainers have a very flexible lifecycle which allows for many ways of preparing the development environment.

  • Start from a Docker image (can be general or based on a custom Dockerfile)
    • We are using a generic debian (bookworm) image
  • Additional features, which are containerized extra initialization steps
  • Lastly there are a few slots to invoke our own commands (which can be externalized to bash scripts, as the repository contents are available at this point in the devcontainer lifecycle)
    • Most notably the "postCreateCommand" attribute of the .devcontainer/devcontainer.json
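The two fixes above combined into one postCreateCommand helper that also verifies each step took effect (an added example, not code from the issue author or from the installer). It assumes passwordless sudo, an apt-based image, Nix installed with `--init none`, and the daemon socket path noted in the script; the getfacl sample is constructed from the "before fix" output in the issue.

```sh
#!/bin/sh
# Added example: applies both fixes from this issue and checks them.
# Assumptions: passwordless sudo, apt-based image, Nix installed with
# '--init none'. DAEMON_SOCKET is the usual nix-daemon socket path (assumed).
set -eu

NIX_PROFILE=/nix/var/nix/profiles/default
DAEMON_SOCKET=/nix/var/nix/daemon-socket/socket

# Return 0 if the given getfacl output contains a default (inherited) ACL
# entry. Only 'default:' lines matter; the plain user/group/other lines are
# the normal mode bits and are expected.
has_default_acl() {
  printf '%s\n' "$1" | grep -q '^default:'
}

# Fix 1: install the acl tools, strip default ACL entries from /tmp, then
# re-read the ACL so the script fails loudly if the fix did not apply.
fix_tmp_acl() {
  sudo sh -c 'apt-get update -qq && apt-get install -y -qq acl && setfacl -k /tmp'
  if has_default_acl "$(getfacl -p /tmp 2>/dev/null)"; then
    echo "default ACL entries still present on /tmp" >&2
    return 1
  fi
}

# Fix 2: start nix-daemon under nohup so it outlives the postCreateCommand
# shell, then wait up to ~10 s for its socket before returning.
start_nix_daemon() {
  sudo -n sh -c ". $NIX_PROFILE/etc/profile.d/nix-daemon.sh; \
    nohup $NIX_PROFILE/bin/nix-daemon > /tmp/nix-daemon.log 2>&1 &"
  i=0
  while [ ! -S "$DAEMON_SOCKET" ]; do
    i=$((i + 1))
    [ "$i" -lt 10 ] || { echo "nix-daemon socket not found" >&2; return 1; }
    sleep 1
  done
}

# Constructed sample mirroring the 'before fix' getfacl output in the issue.
SAMPLE_BEFORE='# file: tmp
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::rw-'

# Only run the real fixes when invoked as: sh fix.sh run
if [ "${1:-}" = "run" ]; then
  fix_tmp_acl
  start_nix_daemon
fi
```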