in the process of getting nix-shell working inside docker and ubuntu docker environments i stumbled across a few “gotchas” that are worth documenting somewhere
reference PR - debian and ubuntu docker builds and tests by thedavidmeister · Pull Request #63 · holochain/holonix · GitHub
i thought i’d braindump here for visibility to be ported somewhere more useful later
IMPORTANT docker is a totally fresh environment and adds restrictions/assumptions that usually do not apply to a “real” work machine which is why this doesn’t appear in the “quick start” guide (e.g. it’s normally pretty weird for someone to be using the root account…)
if it turns out that any of these steps are commonly tripping people up we should update those guides 
you must run the command printed at the end of the installation script
after the installer runs it will print out a command to run
if you don’t run it then you will get “not found” errors when you try to run nix-shell
if you forget then it will take effect next time you restart your computer, but can be confusing in the meantime
apt-get
the debian and ubuntu dockers don’t even ship with basics commands like sudo, downloading and unzipping files
most people will have these installed if they have been using their machine longer than about 20 minutes, but here is the minimal apt-get for the dependencies nix-shell needs to install:
apt-get update && apt-get install -y curl sudo xz-utils
there is no harm in rerunning this if you already have these installed, so feel free to do so “just in case”
root is not supported
nix-shell does not support being installed as the root user on linux distros other than the official NixOS distro.
nobody should be using their machine as root for day to day tasks but it is worth making this clear (the installer will show errors if you try to install nix-shell as root).
this comes up for docker as there are no users other than root installed in a fresh docker box.
the ubuntu/debian dockerfiles in the linked PRs create and use a new user called docker to avoid installing under root.
to see what user you are currently logged in as run:
id -u -n
anything other than root is fine
the user installing nix-shell needs to be the one using it
there is an installation process for “multi user” nix-shell but all our instructions point towards the “single user” setup.
we expect that you are using the same user to install/run nix-shell.
the user installing nix-shell needs to be able to sudo
nix will sometimes need things done that require sudo access, i.e. the ability to temporarily act as though the user is root.
after installing the sudo command (see above) you can try running anything under sudo to see if that works for your user
sudo echo foo
should ask for your password then print foo to the terminal if you can use sudo
do NOT use sudo to run the nix-shell commands or the install script
nix-shell will automatically sudo if/when it needs to.
if you run sudo except when explicitly stated you can totally screw up the file permissions on your system and break things in ways that are difficult to undo.
this is the same for other package managers such as npm (e.g. running sudo npm install .. is very bad).
nix-shell is trying to create and manage fresh shell sessions for your user account so nothing should be happening that needs admin permissions.
(note that NixOS commands might need sudo but this is not relevant to ubuntu/debian)
you might need to setup the /nix folder manually with sudo
there are inconsistent installation instructions for nix-shell.
the “getting nix” page simply says to run the 1-liner - https://nixos.org/nix/download.html
curl https://nixos.org/nix/install | sh
the wiki has an extra step - Nix Installation Guide - NixOS Wiki
sudo install -d -m755 -o $(id -u) -g $(id -g) /nix
curl https://nixos.org/nix/install | sh
docker seems to need the extra step, but i’ve personally never seen anybody need it on a “real” machine
there would be no harm in running it “just in case” as far as i know
you might need to run nix-channel --update
the nix-shell for holonix will pin nixpkgs to a specific commit but nix might throw some warnings about wanting a $NIX_PATH set before it gets to that point
if you want to clean up the warning set the $NIX_PATH to something sensible like an official channel nixpkgs=channel:nixos-19.03 then run nix-channel --update
this also fixes any complaints about missing channels
export NIX_PATH=nixpkgs=nixpkgs=channel:nixos-19.03
nix-channel --update
as far as i know, not having this won’t break anything, it only throws a few warnings that trip up the circle CI pipelines (that are very sensitive to exit codes)
you might need to disable "sandbox"
if you start seeing cryptic errors about $srcs or missing files or “env” problems when nix-shell is building then you might need to disable sandbox
this is not necessarily needed for “real” ubuntu/debian (i have seen ubuntu working fine without it) but is required for the official docker builds to work
nix has a global configuration file at /etc/nix/nix.conf that will be automatically used if it exists
to disable sandbox for your machine:
mkdir -p /etc/nix && echo 'sandbox = false' > /etc/nix/nix.conf
you might need to add yourself to the nixbld group
i’m not so sure about this one… i did see errors/warnings about it at one point but it also could have been a symptom of an unrelated problem that i fixed elsewhere
i’ve never seen this issue outside of docker builds.
if you do see complaints from nix-shell about not being in the nixbld group during the initial install then create the group and add yourself to it
sudo addgroup --system nixbld
sudo adduser $(id -u -n) nixbld
you might need to manually set the $USER environment variable
normally this should be set automatically for you by the system
for some reason it is not set inside the official debian/ubuntu docker boxes
you can check the current value like:
echo $USER
which should be the same as:
id -u -n
we are manually adding it inside the Dockerfile but you might need to export it like:
export USER=$(id -u -n)
note that this only exports it for the current shell session so you might need to research a more permanent solution, e.g. add the above export command to your ~/.bash_profile file, or figure out why your system is failing to set it in the first place
