Skip to content

Add new VM test with unprivileged daemon user#15054

Merged
Ericson2314 merged 3 commits into
NixOS:masterfrom
obsidiansystems:unprivileged-test
Jan 23, 2026
Merged

Add new VM test with unprivileged daemon user#15054
Ericson2314 merged 3 commits into
NixOS:masterfrom
obsidiansystems:unprivileged-test

Conversation

@artemist
Copy link
Copy Markdown
Member

@artemist artemist commented Jan 22, 2026
edited
Loading

Motivation

All current NixOS functional VM tests have a daemon as root with the tests running as different unprivileged users. Users may want to run an unprivileged daemon on non-NixOS systems where the administrator does not fully trust nix, but multiple users want to use nix for their own purposes. It could also be useful in concert with an overlay-mount store, where the nix daemon cannot modify the derivations used by the system, and thus a nix vulnerability would not lead to root code execution.

Context

The new functional_unprivileged-daemon test runs the daemon and the nix functional tests as separate unprivileged users.

This relies on a read/write nix store. It may be possible to configure systemd to run the unprivileged nix in its own private mount namespace with a read/write store while the store is read-only to those outside it, but that will require more experimentation.

In order to fix garbage collection in the unprivileged test, this PR changes failure in garbage collection deletion from an error to a warning. Garbage collection is not a core part of nix evaluation, so I believe this is a reasonable change.

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@xokdvium
Copy link
Copy Markdown
Contributor

xokdvium commented Jan 22, 2026

afnix has this btw https://git.afnix.fr/afnix/infra/src/commit/dcd9d041c8a9c885b65d02ec60d3316ebe2dfe39/services/build-nix-daemon/default.nix for CI. So it is possible to run with a bind-mounted store

@artemist
Copy link
Copy Markdown
Member Author

artemist commented Jan 22, 2026

They aren't using /nix/store directly, they're bind-mounting a different /nix into the builder's unit, see the relevant BindPath config

@github-actions github-actions Bot added the store Issues and pull requests concerning the Nix store label Jan 22, 2026
@artemist artemist marked this pull request as ready for review January 23, 2026 14:06
Ericson2314
Ericson2314 reviewed Jan 23, 2026
View reviewed changes
Comment thread tests/nixos/functional/unprivileged-daemon.nix
Ericson2314
Ericson2314 reviewed Jan 23, 2026
View reviewed changes
Comment thread tests/nixos/functional/unprivileged-daemon.nix Outdated
@artemist artemist force-pushed the unprivileged-test branch 3 times, most recently from 8934329 to d08969e Compare January 23, 2026 18:14
Mic92
Mic92 reviewed Jan 23, 2026
View reviewed changes
Comment thread src/libstore/include/nix/store/local-store.hh Outdated
artemist and others added 2 commits January 23, 2026 13:31
@artemist @Ericson2314
Ignore delete failures during garbage collection
2f1ce89 
When running nix as an unprivileged user it may not be able to write to
all paths in the nix store. Ignore deletion failures to fix tests that
run `nix-collect-garbage` in this configuration.

Co-Authored-By: John Ericson <John.Ericson@Obsidian.Systems>
@artemist
Add new VM test with unprivileged daemon user
94907eb 
All current NixOS functional VM tests have a daemon as root with the
tests running as different unprivileged users.
The new `functional_unprivileged-daemon` test runs the daemon and the
nix functional tests as separate unprivileged users.
Users may want to run an unprivileged daemon on non-NixOS systems
where the administrator does not fully trust nix, but multiple users
want to use nix for their own purposes. It could also be useful in
concert with an overlay-mount store, where the nix daemon cannot
modify the derivations used by the system, and thus a nix vulnerability
would not lead to root code execution.
@Mic92 Mic92 enabled auto-merge January 23, 2026 19:01
auto-merge was automatically disabled January 23, 2026 19:08

Head branch was pushed to by a user without write access

@Ericson2314 Ericson2314 enabled auto-merge January 23, 2026 19:08
@Ericson2314 Ericson2314 added this pull request to the merge queue Jan 23, 2026
Merged via the queue into NixOS:master with commit aa17b75 Jan 23, 2026
14 checks passed
@Ericson2314 Ericson2314 deleted the unprivileged-test branch January 23, 2026 20:32
@roberth roberth mentioned this pull request Mar 2, 2026
Merged
brittonr pushed a commit to brittonr/nix that referenced this pull request Apr 1, 2026
@Ericson2314
Merge pull request NixOS#15054 from obsidiansystems/unprivileged-test
ff0bfee 
Add new VM test with unprivileged daemon user
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Ericson2314 left review comments

@Mic92 Mic92 Mic92 approved these changes

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

Assignees

No one assigned

Labels

documentation store Issues and pull requests concerning the Nix store

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@artemist @xokdvium @Mic92 @Ericson2314