by judge2020 1311 days ago
If I’m not mistaken, Nix uses cgroups as well on non-NixOS systems, so it is basically containers. You’re probably thinking about docker as a whole, in which Nix is effectively an alternative package manager/distribution system for containers.

I believe you are mistaken; Nix has no intrinsic connection to cgroups / containers.

How does it enforce FS and network isolation?

It doesn't.

Nix is basically a whole load of compiled dependencies pathed to /nix/hash/dependency

So you can have things that would ordinarily be dependency hell running side by side because foo that requires bar6 is compiled against that, and baz that requires bar7 is linked against that.

Both versions of bar are present in the nix structure, on a specific path that the software is compiled against.

To summarize this in a metaphor:

Nix 'isolates' packages by ensuring that they do not know where to look for each other, rather than ensuring that they cannot possibly see each other.

In addition to the example given by the parent poster, here are some other steps taken towards that end in the Nix ecosystem:

When Nix-built programs look for their libs, they don't see libs other than what they were built with, because each package has its own little FHS-shaped tree, which it thinks of the way a 'normal' package might think of 'the system': the thing that has a `/usr/lib` in which to find libraries, an `/etc` in which to find config files, a `/usr/share` in which to find assets, etc.

In addition to linking against hardcoded full paths to dependencies, outlined above, maintainers also take steps to ensure that, e.g., external programs referenced in shell scripts in a Nix package also refer to full paths into the Nix store.
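To make the "isolation by not knowing where to look" point concrete, here is an added shell example that is not from the thread and not Nix's own code. It lays out a mock store under a temp directory (the store location and the absence of hashes are placeholders; real Nix uses /nix/store/<hash>-<name>), wires two dependents to two versions of the same library by absolute path, checks that one package can still read the other's files, and includes a small check of the kind maintainers apply when they rewrite bare program references in a package's scripts to full store paths. The `references_are_absolute` helper and the `bar`/`foo`/`baz` names are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nix: a mock store that
# imitates the layout the comment describes. STORE is a placeholder for
# /nix/store and the hash prefixes are omitted.
set -eu

STORE="${TMPDIR:-/tmp}/mock-store.$$"
mkdir -p "$STORE"
trap 'rm -rf "$STORE"' EXIT

# make_lib <name> <version>: a "library" that reports which version it is.
make_lib() {
  pkg="$STORE/$1-$2"
  mkdir -p "$pkg/bin"
  printf '#!/bin/sh\necho "%s %s"\n' "$1" "$2" > "$pkg/bin/$1"
  chmod +x "$pkg/bin/$1"
  echo "$pkg"
}

# make_dependent <name> <lib store path>: a program "built against" one exact
# version. The dependency's absolute path is baked in, so no search path
# (PATH, LD_LIBRARY_PATH, /usr/lib) is consulted at run time.
make_dependent() {
  pkg="$STORE/$1"
  mkdir -p "$pkg/bin"
  printf '#!/bin/sh\nexec "%s/bin/bar"\n' "$2" > "$pkg/bin/$1"
  chmod +x "$pkg/bin/$1"
  echo "$pkg"
}

BAR6=$(make_lib bar 6)
BAR7=$(make_lib bar 7)
FOO=$(make_dependent foo "$BAR6")   # foo was built against bar6
BAZ=$(make_dependent baz "$BAR7")   # baz was built against bar7

run_foo() { "$FOO/bin/foo"; }       # prints "bar 6"
run_baz() { "$BAZ/bin/baz"; }       # prints "bar 7"

# No namespace or mount separates store paths: foo's side can read bar7's files.
foo_can_read_bar7() { [ -r "$BAR7/bin/bar" ] && echo yes || echo no; }

# The kind of check maintainers apply to scripts in a package: a bare program
# name is resolved through PATH at run time (whatever the user happens to have
# installed), so every reference should be an absolute store path.
# Exit status 0 when no bare "bar" reference remains in the script.
references_are_absolute() {
  ! grep -Eq '(^|[^/[:alnum:]_-])bar([^[:alnum:]_-]|$)' "$1"
}

# A constructed "unpatched" script: the before-state of such a fix.
UNPATCHED="$STORE/unpatched.sh"
printf '#!/bin/sh\nbar --version\n' > "$UNPATCHED"

run_foo; run_baz
echo "foo can read bar7's files: $(foo_can_read_bar7)"
for s in "$FOO/bin/foo" "$UNPATCHED"; do
  if references_are_absolute "$s"; then echo "ok:   $s"; else echo "bare: $s"; fi
done
```

Both versions of bar coexist because foo and baz never consult a shared location; nothing in this layout prevents foo from opening bar7's files, which is exactly the distinction the comment draws.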

How do you mean it doesn't, if the manual itself says: "In addition, on Linux, builds run in private PID, mount, network, IPC and UTS namespaces to isolate them from other processes in the system"?

https://nixos.org/manual/nix/stable/command-ref/conf-file.ht...

"Builds" is the operative word there: that specific isolation is optional and only applies during compilation.
It uses some of that stuff to isolate its background build sandbox, but none of it affects a normal nix subshell.
Nix has configurable support for build sandboxing. On Linux, that sandboxing is enabled by default, but builds and installs and everything work fine without it.

Installing and using Nix packages doesn't generally involve any sandboxing or containerization features. But on Linux, there are some exceptions. A few proprietary packages use something called an FHSUserEnv, which leverages user namespaces to simulate an FHS-compatible environment. Additionally, Nix (through one of the new, experimental commands as well as an older third-party tool that inspired it) can also bundle any Nix package into a containerized package which can be run without Nix. I think those bundles, if you choose to create them, also use some container-y Linux features.

Anyway devenv.sh isn't built on anything container-y in Nix.
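The build-sandbox setting the comments above are discussing lives in nix.conf. As an added example (not code from the thread or from Nix), here is a shell checker that reads the effective `sandbox` and `sandbox-fallback` values out of nix.conf text, with a weakened configuration beside a corrected one. The "last assignment wins" handling and the `effective_option`/`audit_sandbox` helpers are this script's own assumptions; on a real system, `nix show-config` reports the values Nix actually uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nix: inspect build-sandbox
# settings in nix.conf text. The format is "key = value", one per line, with
# '#' starting a comment. Assumption of this checker: a later assignment of
# the same key overrides an earlier one.
set -eu

# effective_option <key> <default> <conf text>: value of <key>, or <default>.
effective_option() {
  printf '%s\n' "$3" |
    sed 's/#.*//' |
    awk -v key="$1" -v def="$2" '
      {
        i = index($0, "=")              # split on the first "=" only
        if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) val = v           # later assignments win
      }
      END { print (val == "" ? def : val) }'
}

# audit_sandbox <conf text>: "ok", or why the build sandbox is weak.
# On Linux `sandbox` defaults to true. `sandbox-fallback` defaults to true,
# which lets a build run unsandboxed if the sandbox cannot be set up.
audit_sandbox() {
  sb=$(effective_option sandbox true "$1")
  fb=$(effective_option sandbox-fallback true "$1")
  if [ "$sb" != "true" ]; then
    echo "weak: sandbox = $sb (builds see the host filesystem and network)"
  elif [ "$fb" != "false" ]; then
    echo "weak: sandbox-fallback = $fb (unsandboxed build if namespaces are unavailable)"
  else
    echo ok
  fi
}

# Constructed nix.conf contents: the "just make the build work" setting,
# then the corrected one.
WEAK_CONF='experimental-features = nix-command flakes
sandbox = false   # disabled after a build failed inside the sandbox'
FIXED_CONF='experimental-features = nix-command flakes
sandbox = true
sandbox-fallback = false'

echo "weak:  $(audit_sandbox "$WEAK_CONF")"
echo "fixed: $(audit_sandbox "$FIXED_CONF")"
```

Note that this only concerns the build sandbox: as the comments say, nothing here changes what an installed package or a `nix shell` can see at run time.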