Solved: nix Error: cloning builder process: Operation not permitted installing Nix 2.2.1 in (Arch) Linux

I'm currently using Arch Linux 4.19.15-1-lts #1 SMP Sun Jan 13 13:53:52 CET 2019 x86_64 GNU/Linux. I'm trying to install Nix 2.2.1 and I'm getting some errors:

    $ sh <(curl https://nixos.org/nix/install) --no-daemon
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2476  100  2476    0     0   5417      0 --:--:-- --:--:-- --:--:--  5406
    downloading Nix 2.2.1 binary tarball for x86_64-linux from 'https://nixos.org/releases/nix/nix-2.2.1/nix-2.2.1-x86_64-linux.tar.bz2' to '/tmp/nix-binary-tarball-unpack.n5vqvsi4Uq'...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 22.5M  100 22.5M    0     0  4016k      0  0:00:05  0:00:05 --:--:-- 4377k
    Note: a multi-user installation is possible. See https://nixos.org/nix/manual/#sect-multi-user-installation
    performing a single-user installation of Nix...
    directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown x80486 /nix' using sudo
    [sudo] password for x80486: 
    copying Nix to /nix/store.................................
    initialising Nix database...
    Nix: creating /home/x80486/.nix-profile
    installing 'nix-2.2.1'
    error: cloning builder process: Operation not permitted
    error: unable to start build process
    /tmp/nix-binary-tarball-unpack.n5vqvsi4Uq/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile

Truth is, I've been using Nix for some years. This happened after a Linux/Nix upgrade, I can't really tell; all I can recap is that I started getting those errors after the Nix upgrade to version 2.2. More info in this StackExchange question.

19 Answers

✔️Accepted Answer

I had the same problem. I think it has something to do with Arch Linux not having kernel user namespaces enabled. Doing

    sysctl kernel.unprivileged_userns_clone=1

seems to have fixed the issue.

See this Arch Linux forum post

I think this issue is likely related to (at least) #2632, #2636

Other Answers:

I was just giving a small nix workshop and had two users running different distributions (arch and centos) running into this problem. I really don't think that this issue should be closed.

Anyone running the installer with a distribution where the settings are not as described here will get a weird error message with no indication what to do about it.

In order for this issue to be considered as solved I think there would have to be one/both of the below:

  • a sanity check that probes if the required settings are given
  • a helpful error message

    sysctl kernel.unprivileged_userns_clone=1

worked on Debian buster/testing as well.

Not sure about the Arch distro, but in the case of CentOS, it's really the distro that is doing custom setup to disable user namespaces even if the kernel version used supports that (see #2632), so it would be a bit hard to check for that, as every distro can override the default behavior.

Right, we can't really fix or adjust the choices made by various distributions. But isn't there a definitive way to find out if user namespaces are available or not?

    $ sysctl user.max_user_namespaces
    user.max_user_namespaces = 62782

Are we good if the number returned here is > 0? If not, the only other thing would be to carry out some operation that does require user namespace support and bail out with a proper error message if this fails?

But above all: even if we can't ultimately fix this, a useful error message would be a drastic improvement.

I'm hitting this bug on a freshly installed Debian buster. sudo sysctl kernel.unprivileged_userns_clone=1 fixed it as well. I think the current situation is not satisfying because it probably affects the first impression of new users.

Can we please open this issue again and find a solution?

CC: @edolstra
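
Added example (not part of the thread and not the Nix installer's code): a preflight check of the kind the comments above ask for, reading the two sysctls mentioned on this page and then attempting a real user-namespace creation, since a non-zero user.max_user_namespaces alone does not rule out kernel.unprivileged_userns_clone=0. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Preflight check for unprivileged user namespaces (added example).
# The optional root argument is a hypothetical override so the logic can
# be run against a constructed directory instead of the live /proc/sys.

# Print a sysctl file's value, or nothing if the file does not exist.
read_knob() {
    [ -r "$1" ] && cat "$1"
    return 0
}

# userns_sysctl_status [root]
# Prints: blocked-clone-knob | blocked-max-zero | not-blocked
userns_sysctl_status() {
    root=${1:-/proc/sys}
    # Distribution-patched kernels only; absent on other kernels.
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")
    max=$(read_knob "$root/user/max_user_namespaces")
    if [ "$clone" = "0" ]; then
        echo blocked-clone-knob
    elif [ "$max" = "0" ]; then
        echo blocked-max-zero
    else
        echo not-blocked
    fi
}

# Functional probe: try to create a user namespace as the current user.
# Prints: ok | failed | no-unshare
userns_probe() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo no-unshare
    elif unshare -U true 2>/dev/null; then
        echo ok
    else
        echo failed
    fi
}

# Turn a status word into the message a user should have seen.
userns_hint() {
    case "$1" in
        blocked-clone-knob) echo "run: sudo sysctl kernel.unprivileged_userns_clone=1" ;;
        blocked-max-zero) echo "set user.max_user_namespaces to a value above 0" ;;
        *) echo "no sysctl blocks user namespaces; rely on the probe result" ;;
    esac
}

status=$(userns_sysctl_status)
echo "sysctl check: $status ($(userns_hint "$status"))"
echo "unshare probe: $(userns_probe)"
```

A setting applied with sysctl on the command line lasts until reboot; persisting it means a drop-in file under /etc/sysctl.d/.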
