I am unable to run containers with nixos images. The containers get created but there is no way to interact with them.
After seeing the release notes for incus 0.5.1, I suspect it might be related.
I have tried with 0.5.1 as well without success.
$ incus version
Client version: 0.5.1
Server version: 0.5.1
$ incus launch images:nixos/23.11 nixos
Launching nixos
$ incus exec nixos bash
Error: Command not found
$ incus exec nixos sh
sh-5.2# ls
sh: ls: command not found
Iâm not aware of anything in Incus 0.5 that would really explain this.
Most likely, something has changed in the image itself.
@adamcstephens any ideas?
The current 23.11 container image works fine for me on 0.4. Iâm preparing the 0.5.1 nixos upgrade and Iâll test again once thatâs done.
It looks like the PATH is missing for some reasonâŠ
â⯠incus launch images:nixos/23.11 test
Creating test
Starting test
â⯠incus exec test bash
[root@nixos:~]# echo $PATH
/run/wrappers/bin:/root/.nix-profile/bin:/nix/profile/bin:/root/.local/state/nix/profile/bin:/etc/profiles/per-user/root/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
stgraber@dakara:~$ incus exec nixos sh
sh-5.2# env
PWD=/root
container=lxc
HOME=/root
LANG=C.UTF-8
TERM=xterm
USER=root
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/run/current-system/sw/bin
_=/usr/bin/env
sh-5.2#
/run/current-system appears to be missing
I tested on both Ubuntu 22.04 LTS (kernel 6.5) and Ubuntu 23.10 (kernel 6.6).
Yeah, thatâs the issue, itâs the new apparmor âmediationâ of the new VFS API which is breaking NixOS on recent kernels.
Basically AppArmor just straight up rejects every single attempt at performing bind-mounts through the new VFS API because they donât have the logic to actually apply their policy.
I reported that kernel regression upstream here:
https://lore.kernel.org/all/CA+enf=u0UmgjKrd98EYkxFu7FYV8dR1SBYJn_1b0Naq=3twbbQ@mail.gmail.com/
The workaround is pertty ugly, basically to avoid this apparmor breakage, you need to disable the use of the new VFS API in your container. This can be done with:
incus stop NAME
printf "2\ndenylist\nreject_force_umount\n[all]\nfsconfig errno 38\nfsopen errno 38\n" | incus config set NAME raw.seccomp -
incus start NAME
Iâve confirmed 0.5.1 is not the issue, so it must be the host system. It works fine on the NixOS as a host system, but there is no apparmor.
â⯠incus version
Client version: 0.5.1
Server version: 0.5.1
â⯠incus launch images:nixos/23.11 test
Launching test
â⯠incus exec test bash
[root@nixos:~]# echo $PATH
/run/wrappers/bin:/root/.nix-profile/bin:/nix/profile/bin:/root/.local/state/nix/profile/bin:/etc/profiles/per-user/root/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
[root@nixos:~]# grep BUILD_ID /etc/os-release
BUILD_ID="23.11.3640.56911ef3403a"
Another potentially easier workaround (less specific though) is to use security.nesting=true.
incus launch images:nixos/23.11 -c security.nesting=true seems to be working fine
@stgraber both of your suggested workarounds work fine, but Iâm picking -c security.nesting=true as the solution due to it being the cleaner option.
Thanks.
FYI:
Iâm currently running Incus on two Macs, with Asahi Linux on m1 Mac mini and an Ubuntu VM on m1 Macbook pro. Thanks for the hardwork.
That should take care of this out of the box once landed.
It still wonât work for privileged containers, for those I donât know that thereâs a lot we can do other than maybe automatically blocking those system calls.
But as we donât really want folks running privileged containers, automatically handling those can wait 
It is recommended to run NixOS nested containers regardless, as the Nix daemon relies on nesting to build anything.