Skip to content

cli: only warn about mount namespace when the store actually needs remounting#15547

Open
amaanq wants to merge 1 commit intoNixOS:masterfrom
obsidiansystems:improve-mount-ns-warning
Open

cli: only warn about mount namespace when the store actually needs remounting#15547
amaanq wants to merge 1 commit intoNixOS:masterfrom
obsidiansystems:improve-mount-ns-warning

Conversation

@amaanq
Copy link
Copy Markdown
Member

@amaanq amaanq commented Mar 24, 2026

Motivation

The previous warning in main.cc fired on every invocation as root when unshare(CLONE_NEWNS) failed, which is noisy in containers. Move the warning to makeStoreWritable() so it only triggers when the store is read-only and we lack a private mount namespace, i.e. when the remount would actually leak into the host mount table. Also switch from e.msg() to e.message() to avoid the redundant "error: " prefix.

Context

@xokdvium and I chatted about this in the Nix meeting yesterday

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@github-actions github-actions Bot added new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store labels Mar 24, 2026
@edolstra edolstra added backport 2.34-maintenance Automatically creates a PR against the branch and removed backport 2.34-maintenance Automatically creates a PR against the branch labels Mar 25, 2026
xokdvium
xokdvium reviewed Apr 20, 2026
View reviewed changes
Comment thread src/libstore/local-store.cc Outdated
xokdvium
xokdvium reviewed Apr 20, 2026
View reviewed changes
Comment thread src/libutil/linux/linux-namespaces.cc Outdated
@amaanq amaanq force-pushed the improve-mount-ns-warning branch from bb604ae to 38c67fe Compare April 20, 2026 19:06
@amaanq amaanq force-pushed the improve-mount-ns-warning branch from 38c67fe to 8e3ee73 Compare April 20, 2026 20:00
@amaanq
cli: error when remounting store without a private mount namespace
bd160f9 
Previously, when unshare(CLONE_NEWNS) failed and the store was read-only,
Nix warned but still remounted the store writable on the host mount table.
This silently affected other processes sharing the namespace. Now it throws
an error, since proceeding would mutate shared state.
@amaanq amaanq force-pushed the improve-mount-ns-warning branch from 8e3ee73 to bd160f9 Compare April 20, 2026 20:06
xokdvium
xokdvium reviewed Apr 21, 2026
View reviewed changes
Comment thread src/libutil/linux/include/nix/util/linux-namespaces.hh
@@ -13,9 +13,24 @@ namespace nix {
*/
void saveMountNamespace();
Copy link
Copy Markdown
Contributor

@xokdvium xokdvium Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this function be made static now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xokdvium xokdvium xokdvium left review comments

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

+1 more reviewer

@Eveeifyeve Eveeifyeve Eveeifyeve approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amaanq @Eveeifyeve @xokdvium @edolstra